Sentinel Data Connector: Google Workspace (G Suite) (using Azure Functions)
I'm encountering a problem when attempting to run the GWorkspace_Report workbook in Azure Sentinel. The query is throwing this error related to the union operator: 'union' operator: Failed to resolve table expression named 'GWorkspace_ReportsAPI_gcp_CL' I've double-checked, and the GoogleWorkspaceReports connector is installed and updated to version 3.0.2. Has anyone seen this or know what might be causing the table GWorkspace_ReportsAPI_gcp_CL to be unresolved? Thanks!
Sentinel Data Connector for Azure Virtual Desktop
Hello, I have a customer planning to deploy Azure Virtual Desktop (AVD). They are currently using Microsoft Sentinel for their SecOps. However, there is no AVD Data Connector available. The customer is not interested in building a custom data connector. Does anyone know if there are plans to add a data connector for AVD in the near future? Thanks.
Workbook with multiple visualizations using lowest number of queries
Coming from Splunk world and didn't found answer to this in the workbook documentation. Is it possible to chains searches, like in Splunk, explained here: https://docs.splunk.com/Documentation/Splunk/9.3.1/DashStudio/dsChain Trying to explain in KQL terms: suppose there are 3 very similar queries, like same base search | condition 1 same base search | condition 2 same base search | condition 3 feeding 3 vizualizations. Goal is to execute the "same base search" part only once in the workbook. Defining a new function for "same base search" still means 3 executions, I guess. Your response is appreciated. Thank you.
Cross-workspace incident management
Hello Techcommunity, We are looking for a solution to manage incidents in several Sentinel workspaces within the same tenant. 1. We reviewed Azure Lighthouse and it seems to be working only for cross-tenant management 2. We saw the option to mark the workspaces we want to monitor and click on "View incidents" 3. We also considered building the dashboard in a Workbook Could you please say if there is any other option to have a unified dashboard for managing incidents from several Sentinels within the same tenant?
Sentinel Log Sources or asset list Information
In Sentinel as like any other SIEM, how do we get the complete list of log sources which are integrated along with some required fields like Device Vendor, Device Product, Host name/Computer, IP address. Is there any workbook or KQL which provides this information.
Need guidance in designing a workbook and function app with api keys
My requirement is to have a workbook that calls our product's apis and visualizes the data. The data to be visualized is divided into many widgets about 6-8 in total. Hence, I am thinking of creating a http trigger function app when the workbook is loaded. This function app will be provided the context of our product's url, api key, api secret, org_id as environment variables. These params will be provided by customer who deploys the solution. Then, the function app uses the api key, api secret to make a GET call to the product URL. Note this is an outbound connection to a URL. The api call is to fetch objects from an endpoint, il store this response in a _CL table. But I dont want this table to grow in size with each call to the custom endpoint defined by function app. Instead, I want the row to be updated with new response when workbook is loaded again. I don't know if a custom table is ideal for this or maybe there is a different solution? Do please let me know your opinion.
User location in Security Alerts/Incidents logs
Dear Community, I´ve been struggling to find a way to pull out location information for user in security incidents logs. The idea is to have this details on alerts and incidents to generate dashboards (workbooks) and reports. Would you be able to enlight me with ideas/insights? Thanks in advance for your help.
