Automation
116 Topics

Using the New-AzSentinelDataConnector cmdlet
I have tried using the New-AzSentinelDataConnector cmdlet to create or update a data connector. I have not fully gotten this solution working, trying to enable the Microsoft Entra ID data connector. To emphasise this point, these were the PowerShell commands I ran...

    $ResourceGroup = "rg-sentinel"
    $WorkspaceName = "ingested-data-sentinel"

    # Connect to Azure and return Tenant ID
    $Connection = Connect-AzAccount
    $TenantId = $Connection.Context.Tenant.Id

    # Create Data Connector (AAD/Entra ID)
    New-AzSentinelDataConnector -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -Kind AzureActiveDirectory -TenantId $TenantId -Alerts Enabled

The error output can be seen in the screenshot attached. Has anyone successfully deployed a data connector with this PowerShell cmdlet?

(13 views, 0 likes, 0 comments)

Integrating Jira with Sentinel via HTTP connector
Hello Community, I am having issues integrating Jira with Sentinel. I am connecting Sentinel incidents with Jira via the HTTP connector. The Jira V3 connector was not working due to an error regarding the reporter field, which I have no control over. My question is, why is the HTTP Connector not posting the incident when I manually run the playbook with an incident? It shows the run was successful, but the incident is not posted in the Jira queue.

(209 views, 0 likes, 1 comment)

Logic app to close administrative tasks
I am trying to create a logic app that closes administrative tasks in Sentinel after checking UserPrincipalName and IPAddress. It will also check if the UserPrincipalName exists in a watchlist at the same time. But this didn't seem to work; can I get any help here?

(215 views, 0 likes, 1 comment)

Automating label downgrade email notifications
I've been asked to investigate scheduling a query to run once a day that searches for label downgrade activities and sends an email with a list of events to the user's manager (according to the AD attribute). The thinking is, the manager is more likely to know if the files that are being downgraded are sensitive, personal or inconsequential and can alert us if they are sensitive and we need to investigate further. I have a KQL query that provides the results, and I have created an analytics rule that runs the query every 24 hours and generates an alert, but when it comes to the Playbook I'm not sure how/if I can extract the fields/attributes from the results so I can use them to generate the email(s). I want the manager to only get the results for the people in their team/department, not the results for everyone in the company, so I would expect separate emails will be sent to each manager daily, rather than the same email going to multiple managers. Is what I am trying to do feasible, and if so, am I going about it the right way? Any advice appreciated.

Solved (162 views, 0 likes, 5 comments)

Not able to connect DevOps repository to Sentinel
Hello folks, I am trying to connect my DevOps repository to my Sentinel environment as part of an automation. I was able to connect 'GitHub' successfully, though. But I am getting the error {"Error while performing Azure DevOps repository fetch. Details: [TF400813: The user [redacted tenant admin] is not authorized to access this resource"} even after my URL gets accepted. I have made sure that I have 'Owner' access for Sentinel's RG and I am the 'Owner' and 'Project Administrator' of the organization for my DevOps account. Strangely, I never get to see my 'Organization' in the drop-down menu. I also tried to 'Authorize' in an incognito window to make sure I am getting the correct account connection. Can anyone please help me out?

(3.6K views, 0 likes, 6 comments)

Automation rule based on a specific Security Alert
Dear Community, is it possible to apply automation rules on particular Security Alerts? I have created an automation flow that disables a compromised user on Azure AD / on-prem AD and sends a mail to Helpdesk. I want to apply this automation on these kinds of events, since I know 100% that the user was compromised:

    User compromised in AiTM phishing attack
    User compromised via a known AitM phishing kit
    BEC-related authentication

Thank you
Luca

(469 views, 0 likes, 4 comments)

Sentinel - Phishing automation
Hello, I would like to know how to process an automation related to phishing. When a user marks an email as phishing or spam, it should be automatically verified. If it is phishing, it will perform a query to check if it has reached other inboxes, and if so, delete those as well. If, after analysis, no malicious indications are found, the email should be placed back in the user's inbox. Can anyone give me some tips? Thank you.

(554 views, 0 likes, 2 comments)

How to Include Custom Details from an Alert in Email Generated by a Playbook
I have created an analytics rule that queries Sentinel for security events pertaining to group membership additions, and triggers an alert for each event found. The rule does not create an incident. Within the rule logic, I have created three "custom details" for specific fields within the event (TargetAccount, MemberName, SubjectAccount). I have also created a corresponding playbook for the purpose of sending an email to me when an alert is triggered. The associated automation rule has been configured and is triggered in the analytics rule. All of this is working as expected - when a member is added to a security group, I receive an email. The one remaining piece is to populate the email message with the custom details that I've identified in the rule. However, I'm not sure how to do this. Essentially, I would like the values of the three custom details shown in the first screenshot below to show up in the body of the email, shown in the second screenshot, next to their corresponding names.

So, for example, say Joe Smith is added to the group "Admin" by Tom Jones. These are the fields and values in the event that I want to pull out:

    TargetAccount = Admin
    MemberName = Joe Smith
    SubjectAccount = Tom Jones

The custom details would then be populated as such:

    Security_Group = Admin
    Member_Added = Joe Smith
    Added_By = Tom Jones

and then, the body of the email would contain:

    Group: Admin
    Member Added: Joe Smith
    Added By: Tom Jones

(787 views, 0 likes, 4 comments)

Sentinel Solution Deployment via GitHub
Over the past couple of years I have been working exclusively with LogRhythm, and while I have deployed Sentinel a few times in the past, I have never attempted to do so using GitHub Actions. I seem to be relatively close to getting it deployed but have been struggling for the last couple of days and have been unable to find (or overlooked) documentation to guide me in the right direction, so I thought I'd reach out to find out if anyone can help me out.

Goals

    Central management of Sentinel across multiple tenants using Lighthouse.
    Content such as Analytic Rules, Hunting Queries, Playbooks, Workbooks, etc. must be centrally managed across each tenant.
    I will have limited access to tenants and need a simple templated deployment process to handle the majority of the Sentinel deployment in tenants. Ideally, I will provide the client with a deployment template and once deployed, it will have the same content as the central management tenant.
    I have not yet decided whether to use Workspace manager; however, I will need to protect intellectual property, so this will likely be a requirement (MSSP).

I have been trying out the GitHub deployment and have mostly been running into issues with the solution deployment, since the ARM Templates I have been creating don't seem to work. I get "Failed to check valid resource type." errors followed by "The file contains resources for content that was not selected for deployment. Please add content type to connection if you want this file to be deployed." warnings for most content. I have been able to get some working, specifically the Analytic Rules and Playbooks, and have not spent time on the Hunting Queries or Workbooks yet since I have rather been focused on the Solutions, and while I make a bit of progress each day, I still feel like I am missing something simple, most likely related to the deployment script which Sentinel generates when connected to GitHub? Perhaps I am not deploying the required resources in the correct order?

Now I am in the very early stages of planning and may very well not need to deploy solutions via GitHub if using the workspace manager (still to be verified), but it is killing me because I have not been able to figure it out in the last couple of days! Does anyone know of a document that explains the process for those of us that don't spend a considerable amount of time using GitHub/DevOps?

(548 views, 1 like, 1 comment)