Log Analytics
33 topics

Ingesting Purview compliance DLP logs to Splunk
We are in the process of enabling Microsoft Purview MIP DLP for a large-scale enterprise, and there is a requirement to push MIP DLP related alerts, incidents and data to Splunk SIEM. Could not find any specific documentation for the same. Researched this and found the solutions below; however, not sure which could fit our requirement:

Splunk add-on for Microsoft Security is available: The Splunk Add-on for Microsoft Security is now available - Microsoft Community Hub, but this does not talk about Purview DLP logs.

This add-on is available for Splunk but only says MIP can be integrated; it does not talk about DLP logs: Microsoft Graph Security API Add-On for Splunk | Splunkbase

As per a few articles we can also ingest Defender logs to Azure Event Hub, then Event Hub can be connected to Splunk.

The above-mentioned steps do not explain much about ingestion of MIP DLP raw data or incidents. If anyone has done it in the past I will appreciate any input.

Programmatically retrieve Secure Score Activities
Hi there, I am wondering if it is possible to retrieve a list of activities taken to increase/decrease a tenant's Secure Score. I can see that it is possible to export to CSV from the frontend, but we are looking to do this programmatically. Is there a way to export these events to another Azure service, or retrieve them from the Graph API/another service?

Kusto Query for troubleshooting the Network Security Group
Hi Team, I need some help with a Kusto query for troubleshooting Network Security Group connectivity between a source IP and a destination IP. Can someone please help with a Kusto query to check the NSG logs for the source and destination, to check whether connectivity is allowed between them? I'm very new to Kusto Query so posted here; appreciate the help. Source IP: 10.226.16.165, destination: 159.123.12.3

New Blog Post | Data Connectors for Azure Log Analytics and Data Explorer Now in Public Preview
Data Connectors for Azure Log Analytics and Data Explorer Now in Public Preview - Microsoft Community Hub

The Microsoft Defender EASM (Defender EASM) team is excited to share that new Data Connectors for Azure Log Analytics and Azure Data Explorer are now available in public preview. Defender EASM continuously discovers an incredible amount of up-to-the-minute Attack Surface Data, so connecting and automating this data flow to all our customers' mission-critical systems that keep their organizations secure is essential. The new Data Connectors for Log Analytics and Azure Data Explorer can easily augment existing workflows by automating recurring exports of all asset inventory data and the set of potential security issues flagged as insights to specified destinations, to keep other tools continually updated with the latest findings from Defender EASM.

Original Post: New Blog Post | Data Connectors for Azure Log Analytics and Data Explorer Now in Public Preview - Microsoft Community Hub

New Blog Post | How to configure Security Events collection with Azure Monitor Agent
How to configure Security Events collection with Azure Monitor Agent - Microsoft Community Hub

Although Microsoft Defender for Servers (part of the Microsoft Defender for Cloud suite) does not rely on security events collection to provide its protection capabilities, customers may want to collect this valuable data to bring additional context to their server security investigations or alerts. For this reason, Defender for Servers Plan 2 users benefit from a 500-MB free data ingestion allowance (per day, per server) into Log Analytics, as long as Defender for Servers Plan 2 is also enabled at the Log Analytics Workspace level. Security events collection (for Windows systems only) is done with the help of a guest agent. This has been possible so far with the legacy Log Analytics agent and the Defender for Servers auto-provisioning experience, and is also possible for Microsoft Sentinel users, via the Log Analytics and Azure Monitor Agent (AMA) data connectors. However, if you are not a Sentinel user yet and you are using Defender for Servers with the new AMA experience, it is still possible to collect security events, as you will learn next.

Original post: New Blog Post | How to configure Security Events collection with Azure Monitor Agent - Microsoft Community Hub

Diagnostic settings vs Log export feature for archiving
In Azure Active Directory, you can enable Diagnostic Settings, select Logs and configure them for archive in a Storage Account. In Azure Log Analytics, you can select Data Export, select Logs and configure them for archive in a Storage Account. Can someone describe the pros/cons/differences, right/wrong, when to use one over the other, how to decide which one to configure, etc.?

Audit logging for OneDrive - No records returned
Hi everyone, I'm running into some unexpected behaviour when running an Audit Log search in our tenant. The logging settings on both tenant level and OneDrive level are set to record actions, but the logging remains empty, across all users.

Get-AdminAuditLogConfig | FL UnifiedAuditLogIngestionEnabled
UnifiedAuditLogIngestionEnabled : True

I am able to see audit log records for other platforms such as SharePoint and Azure, and I am Global Admin to our tenant. Does anyone know what my issue might be? Any help would be greatly appreciated! Cheers, Matthijs

New Blog Post | Create and delete incidents in Microsoft Sentinel
Create and delete incidents in Microsoft Sentinel - Microsoft Tech Community

During the everyday work of the SOC, suspicious and malicious events surface from many sources. Events which are identified by SIEM and XDR systems are aggregated into alerts, and those alerts become incidents. However, at times a possible security breach is reported by other means, such as a phone call, an email, hunting results or a customer request. Those incidents need to be documented when it has been reported, partially investigated, or even resolved. As part of our journey to build better incident management capabilities in Microsoft Sentinel, we would like to announce the "Manual incident creation" feature, along with the "delete incident" capability. With the "manual incident creation" feature, analysts can now create an incident manually in the Sentinel portal and also by using the new "Create incident (preview)" Logic App action (joining the already existing ability to create an incident through the API). If an incident was mistakenly logged, or is an exact duplicate of another incident, it can now be deleted from the grid using the new "delete" option or using an API, leaving only audit information in the Log Analytics table. Two playbook templates are available in the template gallery, allowing out-of-the-box incident creation using an email template and Microsoft Forms, thus reducing the time between the SOC learning about the incident and the time the incident is logged in Sentinel.
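For the NSG question earlier in this list ("Kusto Query for troubleshooting the Network Security Group"), here is an added KQL example. It is not code from that thread or from Microsoft; it assumes NSG flow logs are enabled and sent to the Log Analytics workspace through Traffic Analytics, which stores each aggregated flow record in the AzureNetworkAnalytics_CL table with SubType_s == "FlowLog". The two addresses are taken from the question (the destination as it reads after the page's view-count residue is stripped); the lookback window is an assumed value.

```kusto
// Added example for the NSG connectivity question on this page (not from the thread).
// Assumes NSG flow logs -> Traffic Analytics -> AzureNetworkAnalytics_CL in this workspace.
let srcIp = "10.226.16.165";   // source address from the question
let dstIp = "159.123.12.3";    // destination address from the question
let lookback = 24h;            // assumed window; widen if the traffic is infrequent
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(lookback)
| where SubType_s == "FlowLog"
// Match the pair in either direction so a reply flow, or a wrong assumption
// about which side initiates, still shows up.
| where (SrcIP_s == srcIp and DestIP_s == dstIp)
     or (SrcIP_s == dstIp and DestIP_s == srcIp)
// FlowStatus_s is "A" (allowed) or "D" (denied); FlowDirection_s is "I" (inbound to
// the NIC/subnet the NSG is attached to) or "O" (outbound from it).
| extend Verdict   = iff(FlowStatus_s == "A", "Allowed", "Denied"),
         Direction = iff(FlowDirection_s == "I", "Inbound", "Outbound")
| summarize FlowRecords = count(),
            FirstSeen   = min(TimeGenerated),
            LastSeen    = max(TimeGenerated)
  by SrcIP_s, DestIP_s, DestPort_d, L4Protocol_s, Direction, Verdict,
     NSGList_s, NSGRule_s
| order by LastSeen desc
```

Rows with Verdict "Denied" name the NSG and the rule that dropped the flow in NSGList_s and NSGRule_s, which is usually the answer to "is this allowed". If the query returns nothing at all, drop the dstIp condition and add `| take 10` to confirm flow records for the source address are arriving in the workspace before concluding there was no traffic; Traffic Analytics aggregates flows per interval, so FirstSeen/LastSeen are bucketed rather than exact connection times. Note that the NetworkSecurityGroupEvent and NetworkSecurityGroupRuleCounter categories written by NSG diagnostic settings into AzureDiagnostics do not record the remote peer address of each flow, so they cannot answer a per-IP-pair question; flow logs are required for that.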