User Profile
cklonger
Copper Contributor
Joined Dec 03, 2020
Recent Discussions
Multiple Log analytic workspace and rules
Good morning: I am a newbie of Azure Sentinel. Our env has set up multiple subscriptions and Log Analytics workspaces for different productions. I would like to trigger some rules (from template) in Log Analytics workspaces to monitor all our productions. Should I set up rules in every Log Analytics workspace or only one of them? To view all incidents in one workbook, should I forward the logs from different resources (different subscriptions) to one special Log Analytics workspace?

How to enable Azure Firewall Data connector by ARM template or PowerShell?
Hello, I would like to use code to create a data connector for Azure Firewall. However, Azure Firewall is not in https://github.com/javiersoriano/sentinel-all-in-one and I found the DataConnectorKinds API doesn't support Azure Firewall: https://docs.microsoft.com/en-us/rest/api/securityinsights/data-connectors/create-or-update#dataconnectorkind Is it possible to use PowerShell or ARM to enable the Azure Firewall Data connector?

Automatically create incidents from Microsoft security alerts and send notification
Hello, we have triggered the rule "Automatically create incidents from Microsoft security alerts" and generated incidents successfully. However, we have no idea how to connect these kinds of incidents (from Security Center) with the notification email playbook of other Sentinel rules. We know there is a notification setting in Security Center. Is it possible to set the auto playbook for the incidents from Microsoft security alerts?

How to make Rule "Explicit MFA Deny" better?
Hello, we turned on this rule for weeks, but all the incidents from the rule seem to be benign. The query is as follows:
SigninLogs
| where ResultType == 500121
| where Status has "MFA Denied; user declined the authentication"
| extend AccountCustomEntity = AlternateSignInName
| extend IPCustomEntity = IPAddress
| extend URLCustomEntity = ClientAppUsed
Our idea is to check the previous login IP or deviceid of devicedetail. Is there any other suggestion or comment? Thanks a lot.