KQL query to detect the disablement and deletion of Automation Rules
Hi Community, We want to create a KQL query that detects whether an automation rule has been disabled. The only way to partially do that at the moment is the AzureActivity table. The problem with that table is that it does not specify whether a rule has been ENABLED or DISABLED. As far as we can see, it does not have a unique identifier for disable or enable. Both log outputs are the same: Does any of you have a solution for this problem? Thanks in advance 🙂 Greetings, Kevin

Log via syslog server agent to Azure Sentinel (list of IPs?) & dual agent to two Log Analytics workspaces
Hi, I am currently looking at setting up something like this: Security devices > syslog server > Microsoft Sentinel. In order to tie down/restrict somewhat the access this syslog server has, is there a list of known IPs for Microsoft Sentinel? Another bonus question please 😄 For one of the firewalls (one of the security devices mentioned above) we are looking to send a full set to Sentinel via this syslog server, PLUS a smaller subset of the SAME log (but with only selected columns/fields) to another Log Analytics workspace. This might be outside the scope of the syslog server agent, but is there a guide on how to get this set up please? Many thanks. JT

MSSP multi-tenant with Microsoft Sentinel
Hello, We are trying to find full documentation on how to connect our Sentinel project to different subscription workspaces, each one in a different tenant. I read this article https://docs.microsoft.com/en-us/azure/sentinel/extend-sentinel-across-workspaces-tenants , but I can't get the detailed information for my question. BR,

Trouble importing analytic rules that have been exported using PowerShell/API
Hello! Trying to import analytic rules to Sentinel using a repository and Azure DevOps as the source. If I manually export through the GUI it is working. Pipeline and everything. The issue is that if I export it using PowerShell with Get-AzSentinelAlertRule or with the API and convert it to JSON, the fun stops. Creating repository "connections" from Sentinel creates a default ps1 script (azure-sentinel-deploy-XXXX) where I suspect the mismatch is happening. It fails with the error: "The file contains resources for content that was not selected for deployment". (Yes, I have selected analytic rules in the options when connecting to the repository.) Clearly I am doing something wrong in the conversion to JSON and missing something that identifies the JSON as an analytic rule. If I manually try to import it with the GUI, nothing happens. So, is there someone out there who has managed to create an export to JSON using PowerShell/API that works with import/repository in Azure DevOps?

Query All Logs/sources for Credit Card Numbers
We thought this might be something that Microsoft Sentinel could have some built-in functionality for, but it seems we cannot find it. We are looking to be able to query all of our log sources for any credit card numbers, but I cannot seem to think of a great way to do this, and I don't believe union is possible in an analytics rule. Has anyone else created logic in KQL to potentially solve this gap in the solution? Happy to post our regex here as well: (.*)((?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12}))(.*)
Common Goal:
1. Query the log source(s) for the specific regex
2. Parse the field identified as matching the regex so we can capture where it matches and go from there, not just that a "match exists"
This seems rather easy but also... struggling to think of a good way to make this happen, especially across all log sources rather than querying one table at a time.

Connecting Cisco ASA via CEF AMA Connector
Hey, I am trying to set up a collector machine to collect CEF logs and logs for Cisco ASA in Sentinel using the AMA. CEF logs seem to look just fine, but the ASA log collection does not work completely. Also, when running the verification script "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --asa" https://github.com/MicrosoftDocs/azure-docs/blob/main/articles/sentinel/connect-cef-ama.md#set-up-the-connector I get the following error: verify_DCR_content_has_stream------------------> Failure. Based on the verification script, it expects "SECURITY_CISCO_ASA_BLOB" in the stream name. Unfortunately, I have no idea how to add this and could not find any documentation. Many thanks for any help in advance.

Analytic Rules are not Deployed as part of a solution from Content Hub
I am trying to deploy the "Azure Active Directory" solution from Content Hub; none of the 59 Analytic rules that are part of the solution are deployed. The deployment is showing success and all the components are showing "created", but in Sentinel Analytic rules none are created, only the connectors and two workbooks, but no Analytic rules. Any idea why the analytic rules are not deployed as part of the solution? When I look into the resource group where the solution is deployed, I see some template objects as in the screenshot.

How to determine where an alert rule comes from?
Okay, I'm getting incidents with the description "Sign-in from an atypical location based on the user's recent sign-ins". In the incident, I can see that the Analytics rule is "Create incidents based on Azure Active Directory Identity Protection". I then went to Analytics where I can see the rule under "Active rules" and it's listed twice - once as Gallery Content and once as Custom Content. But I can't tell how either of these rules got into Sentinel. Is there a way to track where they came from? Especially the one labelled "Gallery content" seems like I should be able to tell the content source or find it in the Content Hub. TIA ~dgm~