Data Collection
215 Topics

Sentinel IP for WEST EUROPE
Hi. I have this issue, where I have Sentinel and need the data connector set up for accessing GitHub. If my GitHub org does have an IP allow list enabled, this does not work. So I need to find the IPs that the connector talks out from Azure / Sentinel with when hitting the GitHub service, so I can whitelist those. If I take the IP scopes for Sentinel they are quite extensive, and it cannot be that I need to whitelist every single Azure Monitor/Sentinel IP just to get those that Sentinel uses to talk to an API, but how can I find the needed IPs? Or is there another way to get audit logs from GitHub when there are IP restrictions enabled on the GitHub organization (in a GitHub cloud enterprise setup)?

Using the New-AzSentinelDataConnector cmdlet
I have tried using the New-AzSentinelDataConnector cmdlet to create or update a data connector. I have not fully gotten this solution working, trying to enable the Microsoft Entra ID data connector. To emphasise this point, these were the PowerShell commands I ran:

$ResourceGroup = "rg-sentinel"
$WorkspaceName = "ingested-data-sentinel"

# Connect to Azure and return Tenant ID
$Connection = Connect-AzAccount
$TenantId = $Connection.Context.Tenant.Id

# Create Data Connector (AAD/Entra ID)
New-AzSentinelDataConnector -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -kind AzureActiveDirectory -TenantId $TenantId -Alerts Enabled

The error output can be seen in the screenshot attached. Has anyone successfully deployed a data connector with this PowerShell cmdlet?

Microsoft Power BI connector for Microsoft Sentinel
Since the Microsoft Power BI connector for Microsoft Sentinel currently does not support data collection rules (DCRs), how can we transform or filter the data and monitor the logs? Is there any documentation available on this?

DCR xPath - Nomenclature modification?
Hello, I have a question regarding the custom (xPath) configuration when creating a DCR for Windows Security Events via AMA. Below is the xPath I was using until now to exclude the following EventIDs: 4689, 5449 and 5145. It was working perfectly fine:

Raw xPath: Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145)]]

Today I wanted to modify it to exclude another EventID, but got an error mentioning that "the event log you have specified is not a valid xPath":

Raw xPath: Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]

I tried to remove the "Security" channel from the xPath as below:

*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]

But this throws an error: Did the xPath nomenclature update, or is there a new way to exclude specific Event IDs that I missed? Is anyone facing the same issue? Thanks in advance.

Local IPs ( 10.60.0.0/24 ) in ClientIP field in OfficeActivity logs?
Started seeing this more often recently, and it started to cause some uptick in alerts across multiple customers (we are an MSP). It seems to me like a backend workflow is failing to write true source IPs to OfficeActivity logs, resulting in some 10.60.0.0/24 IPs being recorded as the ClientIP. Could this be some backend IP belonging to a Microsoft service? This can't be related to the customer, since we see the same thing across up to 37 tenants/customers. This includes FileDownloaded operations, which is what caused alerts and brought the issue to our attention. To make sure this also wasn't some kind of correlation to device, I checked the logs further and it's happening where IsManagedDevice == false and even on anonymous file access. Is anyone else seeing this, and can anyone from Microsoft confirm whether this is a mistake or bug somewhere upstream? Sample KQL:

// Query 1
OfficeActivity
| where TimeGenerated >= ago(30d)
| where ipv4_is_private(ClientIP)
| where IsManagedDevice == false
| summarize min(TimeGenerated), max(TimeGenerated), Operations=make_set(Operation), NumberUsers=dcount(UserId), make_set(UserId), UserAgents=make_set(UserAgent) by ClientIP

// Query 2
OfficeActivity
| where TimeGenerated >= ago(60d)
| where isnotempty(ClientIP) and ipv4_is_private(ClientIP)
| summarize count() by bin(TimeGenerated, 1d)

RestApiPoller Paging Question
Hi, RestApiPoller paging question from setting up a new Codeless Connector against one API. I'm currently polling this API with an Azure Function and would like to cut it over to CCP. The API supports iterating through pages via querying it with pageNumber and pageSize parameters. For example, I can query pageNumber=1, pageNumber=2 and so forth. The API returns a pageCount value as part of a successful response. There is no next page or next link in the response. I can't see anything in the NextPageToken section of the API on how to handle this. Any suggestions? The API is called by sending a POST with the following in the body:

{
  "interval": "",
  "pageNumber": 0,
  "pageSize": 0
}

Successful response received is:

{
  "data": [ ],
  "pageSize": 0,
  "pageNumber": 0,
  "total": 0,
  "pageCount": 0
}

Issue in Uninstallation of AMA for Arc Enabled Windows server
Dear Community, as a troubleshooting step I want to uninstall the AMA agent from an Azure Arc enabled server. I tried "Uninstall" from Azure Arc machine - Extension - Uninstall, but it went into "Deleting" state for 2 days. Then I tried uninstallation using PowerShell, but again it went to "deleting" state. I tried removing and adding the machine to and from the DCR and Azure Arc again and then tried again; still it shows deleting state only. So, I tried uninstallation directly from the server using the command

azcmagent extension remove --name AzureMonitorWindowsAgent

and got the below error. From my test machine I copied the "HandlerManifest.json" file and put it in the same folder where the error above is pointing; the JSON file has the content shown below. Now after this I tried the "azcmagent extension remove --name AzureMonitorWindowsAgent" command again and got the error. Please help in uninstalling this AMA agent. Thanks, Mahesh

Azure-related events in a separate Log Analytics workspaces
Hi all, I have a question about collecting Azure-related events (Entra ID, Office 365, Microsoft Defender, etc.) in separate Log Analytics workspaces. Architecture:
- One Azure tenant
- Four subscriptions
- Log Analytics workspace in every subscription
- Microsoft Sentinel enabled on every Log Analytics workspace

My question is: what is the best practice or the best way to collect specific Entra ID events (e.g., events related to accounts used by the finance department) in a specific Log Analytics Workspace (LAW) dedicated to the finance department? Also, how can I collect other events for Office 365 and Microsoft Defender (related to the finance department) and store them in the LAW dedicated to the finance department? I want to store those events in the default tables for Entra ID, Office 365, and Defender within the LAW. I do not want to store the filtered data in custom tables within the LAWs.

What to do with Syslog Forwarder data connectors that are still built on the OMS Agent?
Hello, I'm currently working on deploying the VMware vCenter data connector to a Sentinel workspace. The issue is that, according to the documentation, the data connector will make use of a Syslog Forwarder that is still built upon the OMS agent instead of the AMA agent. An AMA version has now been created for most other firewall data connectors to deprecate the legacy connectors. As far as I can tell, the data connector documentation makes no note of this data connector being deprecated or legacy. My question is then: should I be concerned about deploying a syslog forwarder with the OMS agent? And if so, what alternatives do I have? I've previously built a custom solution for ingesting Cisco Meraki logs via an AMA agent, since the out-of-the-box solution with the OMS agent wasn't working optimally. But ideally, I would like to not have to build a custom solution.