Log Data
Sentinel IP for WEST EUROPE
Hi. I have this issue, where I have Sentinel and need the data connector set up for accessing GitHub. If my GitHub org has an IP allow list enabled, this does not work. So I need to find the IPs that the connector talks out from Azure / Sentinel with when hitting the GitHub service, so I can whitelist those. If I take the IP scopes for Sentinel, they are quite extensive, and it cannot be that I need to whitelist every single Azure Monitor/Sentinel IP just to get those that Sentinel uses to talk to an API. But how can I find the needed IPs? Or is there another way to get audit logs from GitHub when there are IP restrictions enabled on the GitHub organization (in a GitHub cloud enterprise setup)?

Microsoft Defender Vulnerability Management Data in Sentinel
Anyone know when Microsoft Defender Vulnerability Management data will be available in the Microsoft Defender XDR connector in Sentinel? If it won't be available soon, what is the best way to collect Vulnerability Management data into Sentinel? Thanks

Using the New-AzSentinelDataConnector cmdlet
I have tried using the New-AzSentinelDataConnector cmdlet to create or update a data connector. I have not fully gotten this solution working, trying to enable the Microsoft Entra ID data connector. To emphasise this point, these were the PowerShell commands I ran:

    $ResourceGroup = "rg-sentinel"
    $WorkspaceName = "ingested-data-sentinel"

    # Connect to Azure and return the Tenant ID of the signed-in context
    $Connection = Connect-AzAccount
    $TenantId = $Connection.Context.Tenant.Id

    # Create the Data Connector (AAD/Entra ID) in the Sentinel workspace
    New-AzSentinelDataConnector -ResourceGroupName $ResourceGroup -WorkspaceName $WorkspaceName -Kind AzureActiveDirectory -TenantId $TenantId -Alerts Enabled

The error output can be seen in the screenshot attached. Has anyone successfully deployed a data connector with this PowerShell cmdlet?

Cannot access aka.ms/lademo
Hello team, I am Nikolas. I am learning KQL for Microsoft Sentinel. As far as I know, we can access aka.ms/lademo for demo data. However, I cannot access the demo. I tried using a VPN and accessing the page from many other devices with different IP addresses and a different account, but it does not work. Can you help to confirm whether this link is still accessible? I could access the resource last week, but not this week. I am looking forward to hearing from you.

Local IPs (10.60.0.0/24) in ClientIP field in OfficeActivity logs?
Started seeing this more often recently, and it started to cause some uptick in alerts across multiple customers (we are an MSP). It seems to me like a backend workflow is failing to write true source IPs to OfficeActivity logs, resulting in some 10.60.0.0/24 IPs being recorded as the ClientIP. Could this be some backend IP belonging to a Microsoft service? This can't be related to the customer, since we see the same thing across up to 37 tenants/customers. This includes FileDownloaded operations, which is what caused alerts and brought the issue to our attention. To make sure this also wasn't some kind of correlation to device, I checked the logs further and it's happening where IsManagedDevice == false and even for anonymous file access. Is anyone else seeing this, and can anyone from Microsoft confirm whether this is a mistake or bug somewhere upstream? Sample KQL:

    // Query 1: private ClientIPs on unmanaged devices, summarised per IP
    OfficeActivity
    | where TimeGenerated >= ago(30d)
    | where ipv4_is_private(ClientIP)
    | where IsManagedDevice == false
    | summarize min(TimeGenerated), max(TimeGenerated), Operations=make_set(Operation), NumberUsers=dcount(UserId), make_set(UserId), UserAgents=make_set(UserAgent) by ClientIP

    // Query 2: daily count of events with a private ClientIP
    OfficeActivity
    | where TimeGenerated >= ago(60d)
    | where isnotempty(ClientIP) and ipv4_is_private(ClientIP)
    | summarize count() by bin(TimeGenerated, 1d)

Questions about ingestion-time data transformation
Hi, we are building a custom collector which collects several sources like ETW, Event Logs, TCP activity etc. (yes, yet another filebeat :)) and normalizes the output into ASIM format, by the target schemas of the ASIM tables. But I see that ingesting directly into the ASIM tables is not allowed via the Log Analytics API. In one of the YouTube videos, I heard that support will be there (the video is from 3 years ago), but is it still something not supported? I am a simple-minded person. My idea was, if I normalize the data in the same way ASIM suggests, I can ingest the data into the ASIM tables, so Sentinel can start doing its magic out of the box. But from the documentation, I see that normalized data should go into a custom table (or maybe a standard table) and from there, via unifying parsers, it should go into the ASIM tables? Is that how it works today? Why add another parser on top of the normalized data? Thanks in advance.

Azure-related events in separate Log Analytics workspaces
Hi all, I have a question about collecting Azure-related events (Entra ID, Office 365, Microsoft Defender, etc.) in separate Log Analytics workspaces.

Architecture:
- One Azure tenant
- Four subscriptions
- Log Analytics workspace in every subscription
- Microsoft Sentinel enabled on every Log Analytics workspace

My question is: what is the best practice or the best way to collect specific Entra ID events (e.g., events related to accounts used by the finance department) in a specific Log Analytics Workspace (LAW) dedicated to the finance department? Also, how can I collect other events for Office 365 and Microsoft Defender (related to the finance department) and store them in the LAW dedicated to the finance department? I want to store those events in the default tables for Entra ID, Office 365, and Defender within the LAW. I do not want to store the filtered data in custom tables within the LAWs.

MITRE information missing from incident
Greetings, I have a tough time getting the MITRE parsing to work for one of my integrations. It's a security platform that's sending incidents to Sentinel using CEF, and they arrive in Log Analytics looking like this (it's been truncated for clarity, etc.). Now, in the analytics rule under Alert Details I've tried different settings for the tactics and/or techniques using either the mitre_id column or mitre_name, but none of those ever show up in the incident. Does anyone have any pointers on how to get this to work? /Fredrik

"DeviceTvmSoftwareVulnerabilities" Log Mirroring from Microsoft 365 Defender to Microsoft Sentinel
Hello, we are trying to get the logs of the Threat and Vulnerability Management tables (like "DeviceTvmSoftwareVulnerabilities") that exist in Microsoft 365 Defender and display them in the Logs section in Microsoft Sentinel. Is there a way to do that? Thank you.