Integration
134 Topics

Trend Micro Vision One Connector Not working
Hi All, before I get nuked in the comments to raise an issue on the Sentinel repo, hear me out. Around a month ago, the logs stopped ingesting. A quick snoop around revealed the reason. But I'm not sure if I should raise an issue, or try to fix the issue, risking voiding any future support I can get, since the connector and the app that comes with it are market solutions. The Function app was not running due to a dependency issue. Spotted this in the diagnostic logs, under the "exceptions" table: "module named _cffi_backend not found", a Python package that Google tells me is used to interact with C code. So logically, I need to find the requirements.txt and make sure the dependency is there. Also make sure the Python version on the runtime and Azure match. The logs were initially flowing as usual. I had completed integrating Trend Micro using the Azure Functions based connector around 7 months ago. Worked like a Toyota Hilux until now. So once again, I would like to know the community's thoughts on it. Thxx

[DevOps] dps.sentinel.azure.com no longer responds
Hello, I've been using Repository connections in Sentinel to a central DevOps for almost two years now. Today I got my first automated error email for a webhook related to my last commit from the central repo to my Sentinel instances. It's a webhook that is automatically created in connections made in the last year (the ones from 2 years ago don't have this webhook automatically created). The hook is found in DevOps -> Service hooks -> Webhooks, "run state change", for each connected Sentinel. However, after today's run (which was successful, all content deployed) this hook generates alerts. It says it can't reach (EU in my case) eu.prod.dps.sentinel.azure.com, full URL: https://eu.prod.dps.sentinel.azure.com/webhooks/ado/workspaces/[REDACTED]/sourceControls/[REDACTED] So, what happened to this domain? Why is it no longer responding, and when did it go offline? I THINK this is the hook that sets the status under Sentinel -> Repositories in the GUI. The success status in the screenshot is from 2025/02/06; no new success has been registered in the receiving Sentinel instance. For the Sentinel that is 2 years old and doesn't have a hook in my DevOps, the last deployment status says "Unknown", so I'm fairly sure that's what the webhook is doing. So a second question would be, how can I set up a new webhook? (It wants the ID and password of the "Azure Sentinel Content Deployment App"; I will never know that password....) So I can't manually add one either (if the URL ever comes back online or if a new one exists?). Please let me know.

Sentinel and Amazon Web Services S3 WAF
Hello, I'm using Sentinel to fetch AWS WAF logs using the new collector Amazon Web Services S3 WAF. I set up a first collection using the ARN role and SQS queue (Frankfurt region): arn:aws:iam::XXXXXXXXX:role/OIDC_MicrosoftSentinel https://sqs.eu-central-1.amazonaws.com/XXXXXXX/sqs-aws-cloudwatch-sentinell I then add a new collection using the ARN role and SQS queue (Frankfurt region): arn:aws:iam::XXXXXXXXX:role/OIDC_MicrosoftSentinel https://sqs.eu-central-1.amazonaws.com/XXXXXXX/sqs-aws-cloudwatch-sentinell Adding the second collection erases the first one!! Is it a bug?? Regards, HA

Can we deploy Bicep through Sentinel repo
Hi there, I'm new here, but .... With the problem statement being "Deploying and managing Sentinel infrastructure through a git repository", I had looked into the Sentinel Repository feature, which is still in Preview, with the added limitations of not being able to deploy watchlists or custom Log Analytics functions (custom parsers). There is also a limitation of deploying only ARM content. My guess would be that the product folks at MSFT are working on this. My hypothesized (just started the R&D, as of writing this) options would be to:
1. Fully go above and beyond with Bicep: create Bicep deployment files for both the rules and their dependencies like LAW functions, watchlists and the whole nine yards. Need to write pipelines for the deployment. The CI/CD would also need extra work to implement.
2. Hit that sweet spot: deploy the currently supported resources using the Sentinel repo and write a pipeline to deploy the watchlists using Bicep. But not sure if this will be relevant to solutions for clients, when the whole shtick is that we are updating now so we don't have to later.
3. Go back to the dark ages: stick to the currently supported Sentinel content through ARM & repo, and deploy the watchlists and dependencies using the GUI.
I will soon confirm the first two methods, but it may take some time. As you know, I may or may not be new to Sentinel... or DevOps... But wanted to kick off the conversation, to see how close to being utterly wrong I am. Thanks, mal_sec

Help us plan our upcoming "Mastering API Integration with Sentinel and USOP" public webinar
Hello on behalf of the Microsoft SIEM & XDR Engineering organization! On December 5th, 2024, we will host a public webinar on how to effectively integrate APIs with Microsoft Sentinel and the Unified Security Platform. This session will cover when to use APIs, how to set them up, and potential challenges. We will present live demos to guide you through the process. To ensure this webinar is as engaging and relevant as possible for you, we'd love your input to help us create its agenda! Help us plan this webinar: Do you have any use cases you think we should feature? Or have you encountered any blockers that you'd like us to address? We're eager to find out what content matches your needs the most! Please answer this survey to help us with your input. It will remain open until October 31st, 2024. Take the survey here: https://forms.office.com/r/hrWtm34WFu Join the webinar on December 5th! In addition to helping us plan it, we hope to count on your participation. Register for this webinar at https://aka.ms/MasteringAPISentinelUSOPWebinar. Thank you for your contributions! Naomi Chistis and Jeremey Tan - Microsoft SIEM & XDR Team

Threat Monitoring for GitHub Connector broken - 403 error
Hello, I can deploy the connector and all the other components successfully, but when I put in the Org name and the API key I get this error: The permission in GitHub is the one requested, and I even added 80+ Azure IPs to our allowlist. Still get the same error. Appreciate any help.

Sending IIS logs to sentinel
Hi everyone, we have multiple on-prem Windows application servers that need to forward IIS logs to Sentinel. Can we go with WEF and install AMA on the WEF server to send IIS logs to Sentinel, or do I need to onboard each Windows server to Azure through Azure Arc for AMA installation? Any suggestions would be highly appreciated. Thanks

CEF Collector ingesting logs to 'Syslog' table instead of 'CommonSecurityLog'
I am forwarding Palo Alto and Fortinet firewall logs to the CEF Collector, but in Sentinel the logs show up in the 'Syslog' table instead of 'CommonSecurityLog'. What could be the issue? Everything is in place, including the DCR.

Microsoft 365 Defender data connector and error ('AdvancedHunting-CloudAppEvents are not supported')
Hello, I have a client who has set up the Microsoft 365 Defender data connector, and on selecting 'connect events' for Microsoft Defender for Cloud Apps and saving the configuration, the following error is generated. The exact error is: 'AdvancedHunting-CloudAppEvents are not supported'. I have not checked the configurations in the Microsoft 365 Defender portal under Cloud Apps yet, but has anyone come across this error, and is it likely to be related to a configuration issue?

Best way to unify a user identity
Greetings, I have a firewall that's feeding our Log Analytics workspace with events: URL blocks, spyware and such. I then have a Sentinel NRT analytics rule that uses these events to create alerts, which are gathered into incidents later. The firewall is able to gather the user identity of the device generating the event and include the UPN of the user in the mailto:email address removed for privacy reasons format. I've been fiddling with this for a while, trying to parse this into something Sentinel will accept as a user AND at the same time tie this user to the identities being sent from our different Microsoft products like Defender 365 and AAD. It feels like no matter what I do, Sentinel will always generate two users, one for the AAD and Defender events and one for the firewall events. The attached image from an incident investigation shows the effect of this: the same user is shown twice, only tied together by the device and reports from Defender EDP. Of course this is what investigation is, tying together information, but it feels "redundant" to have the same user/identity show up like this. Does anyone have any tips? Regards, Fredrik