Automation
120 Topics

Integration of Microsoft Sentinel & Microsoft TEAMS for integration of alerts
What are some of the best methods and strategies to start implementing an integration between Sentinel and TEAMS where, when certain instances or alerts occur, said alerts can be pinged to certain members on Microsoft TEAMS, such as through the use of playbooks, automations and setting up an API connection to integrate the two?
7.2K Views, 0 Likes, 4 Comments

Sentinel permissions for playbook
Can someone advise me what permissions are needed to be able to authorize Sentinel to run playbooks here? I currently have the following on the whole resource group where the playbooks as well as the Sentinel workspace are. I don't see anything to choose from though.
Logic App Contributor
Microsoft Sentinel Automation Contributor
Microsoft Sentinel Contributor
Moreover, despite the access, when creating an automation rule I got the following error:
"Give Sentinel permissions to run playbooks. Microsoft Sentinel requires explicit permissions for automation rules to automatically run playbooks."
Do you please know 1) what additional permissions I need to give Sentinel permissions to run playbooks, and 2) what permissions I additionally need to be able to create an automation rule with a playbook in it? Thank you
6.4K Views, 0 Likes, 10 Comments

How to sync automation rules from Github to Sentinel
Hi, As for the analytics rules synced from Github to Sentinel, we could just simply export the rules and import them to github. However, I am not able to export the automation rules to a json file and could not find the guide for the sync. Could you provide some guidance on it? Thanks
Solved. 5.1K Views, 1 Like, 7 Comments

OfficeActivity - Rare and potentially high-risk Office operations and automation
Hi, We are receiving a number of "OfficeActivity - Rare and potentially high-risk Office operations" alerts for users who are setting up mailbox GrantSendOnBehaveOf and creating mail moving rules. Wondered what modifications to the analytic rule people have made to reduce the noise, or any automation to ask the end user if they made the reported change (maybe with some verification to confirm the end user). Regards Mike
4.9K Views, 0 Likes, 4 Comments

Send Alert When File in SharePoint is Being Accessed
Hi all, Is there a way to get the list of files which users are accessing or trying to access if they don't have permission inside a specific SharePoint site? And in addition to that, is there a way for Sentinel to send alerts only for those users that don't have permission to access files? At the moment I am able to generate a list of users with the number of accessed files on that specific SharePoint site:

// Users accessing files
// Users sorted by number of OneDrive and SharePoint files they accessed.
OfficeActivity
| where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
| summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
| sort by AccessedFilesCount desc nulls last

3.6K Views, 0 Likes, 4 Comments

Block-AADUser - Azure Sentinel Playbook
Hi, I am a security Engineer and I have just started using Sentinel and Logic Apps for the first time. I have been adding various out of the box playbooks etc. and triggering them in my lab. One playbook I am keen to see working is Block-AADUser. This is available on github: https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/Block-AADUser
I have followed the post deployment steps:
1. Assign Microsoft Sentinel Responder role to the Playbook's managed identity.
2. Assign API permissions to the managed identity so that we can search for the user's manager. You can find the managed identity object ID on the Identity blade under Settings for the Logic App. If you don't have the Azure AD PowerShell module, you will have to install it and connect to the Azure AD PowerShell module.
I am confused at the part 3 instruction:
3. Open the playbook in the Logic App Designer and authorize Azure AD and Office 365 Outlook Logic App connections.
Does this simply mean that within the logic app I need to connect using an account that has permissions in both Azure and Office365, or do I need to add additional steps into the playbook to connect this playbook to office365 or azure?
3.6K Views, 0 Likes, 2 Comments

Not able to connect DevOps repository to Sentinel
Hello folks, I am trying to connect my DevOps repository to my Sentinel environment as part of an automation. I was able to connect 'GitHub' successfully though. But I am getting the error {"Error while performing Azure DevOps repository fetch. Details: [TF400813: The user [redacted tenant admin] is not authorized to access this resource"} even after my URL gets accepted. I have made sure that I have 'Owner' access for Sentinel's RG and I am the 'Owner' and 'Project Administrator' of the organization for my DevOps account. Strangely, I never get to see my 'Organization' in the drop down menu. I also tried to 'Authorize' in an incognito window to make sure I am getting the correct account connection. Can anyone please help me out?
3.6K Views, 0 Likes, 6 Comments

Logic Apps error: "Newer version of resource 'xxxxxx' exists. Data was not saved"
Hi, We have a logic app which is used to look up a domain in VirusTotal and close the ticket if the returned score is >10. However, the majority of the run history is failed. The error message is "Newer version of resource 'xxxxxx' exists. Data was not saved". I saw the post which recommends tuning the Concurrency Control and I set it to the max value as below. However, it did not solve the issue. Could anyone help please? Thanks.
3.4K Views, 0 Likes, 4 Comments