Microsoft Defender for Cloud
19 Topics

DataConnector throws error and can't be deleted
The DataConnector (from the "Microsoft Defender for Cloud solution") "Tenant-based Microsoft Defender for Cloud (Preview)" could not be found anymore and just gets errors. The problem is, the connector can't be deleted, because it could not be found in the Data connectors...! There is an error message every time I open Sentinel, and it can't be deleted because the connector is not displayed. Is there another way to delete this connector?
---
The following codeless connectors are not valid, and will not be displayed: Connector display name: Tenant-based Microsoft Defender for Cloud (Preview ), ConnectorID: ..., ConnectorKind: StaticUI, Error: Error: staticConnectorModel for microsoftdefenderforcloudtenantbased was not found in static connectors list. Try to update the solution, if there is an update available.
---

Microsoft Defender XDR / Defender for Endpoint data connectors inconsistent failures
Hello, We are deploying our SOC (Sentinel) environments via Bicep. Now the Defender XDR (MicrosoftThreatProtection) and Defender for Endpoint (MicrosoftDefenderAdvancedThreatProtection) data connectors are failing to deploy inconsistently. It seems to be a known issue according to the following posts:
- https://github.com/Azure/SimuLand/issues/23
- https://techcommunity.microsoft.com/t5/microsoft-sentinel/quot-missing-consent-invalid-license-quot-defender-for-endpoint/m-p/3027212
- https://github.com/Azure/Azure-Sentinel/issues/5007
Next to this issue I see almost no development on the data connectors API. Is there some news to be spread on how to enable data connectors in an automated way in the future, since it seems to be moving to Content Hub? It is hard to find any docs about how to deploy this, for example via Bicep! Also I have a question regarding the 'Tenant-based Microsoft Defender for Cloud (Preview)' data connector. We deploy this now via the GenericUI data connector kind, but this has no option to enable it via automation. Same as the question in the previous paragraph, how would this be made possible?

AKS Sentinel analytics rules (Solved)
Hello, I have enabled diagnostic settings on AKS clusters and am sending data to a Sentinel workspace according to the article here: Monitoring Azure Kubernetes Service (AKS) with Microsoft Sentinel - Microsoft Community Hub. I can see that there are some query rule examples in the article, but obviously we need more than those examples. I have tried searching around different GitHub repositories for some examples, but I am not able to find anything. From the same article, I can see that there is a possibility to enable container Defender plans and then stream Defender for Cloud security alerts into Sentinel. This also certainly seems like a good option. Do any of you have the AKS connector enabled? If so, can you share some rules that you have running? Also, please let me know if best practice is to use container Defender plans.

Microsoft 365 Defender alerts not capturing fields (entities) in Azure Sentinel
We got an alert from Microsoft 365 Defender in Azure Sentinel (A potentially malicious URL click was detected). To investigate this alert we have to check in the Microsoft 365 Defender portal. We noticed that entities are not being captured (user, host, IP). How can we resolve this issue? Note: This is not a custom rule.

Subsequent alerts with different AlertName in Analytical Rule
Hi all, I would like to ask if there is a way to create an alert when 2 specified events alerted within 1 hour of each other. i.e. when AlertName == "Suspicious administrative activity" alerted, then within 10-15 mins AlertName == "Disabling of auditd logging" alerted. Regards, drinrin

Azure Defender - AWS Account OnBoarding
Hi all, I need some help with Azure Defender and the process of onboarding a new AWS account inside Defender. We are trying to automate the whole onboarding process inside Azure Defender when a new AWS account is created inside our organization. Right now we managed to automate the creation of all the resources required by Azure Defender inside the newly created AWS accounts using Terraform (for example: IAM roles and identity provider), but there is a missing part which should be done on the Azure side to add the new account. Is there a way to automate the rest of the process using Lambda or a Function App calling the Azure Defender API? Any help would be greatly appreciated. Thanks

Sentinel workspace
Hello, If all the virtual machines are connected to a Sentinel workspace and at the same time I have enabled Defender for Cloud for virtual machines, will this make the MMA agent in the VMs report to two workspaces and store logs in both the Sentinel workspace and the Defender for Cloud workspace? Thanks in advance.

Microsoft 365 Defender for Business logs into Microsoft Sentinel
Hi Community, One of our customers raised the below query: Is there a way we can include Microsoft 365 Defender for Business logs in Microsoft Sentinel? Do we have any connectors? Any pointers would be of great help. Thanks!
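For the thread "Subsequent alerts with different AlertName in Analytical Rule" above, one way to express the sequence as a scheduled analytics rule query. This is an added example, not code from the thread or from Microsoft: a self-join on the SecurityAlert table keyed on CompromisedEntity, so the second alert only counts when it hits the same entity after the first one. The choice of CompromisedEntity as the correlation key, the 15-minute window and the one-hour lookback are assumptions to adjust for the workspace.

```kql
// Added example for the "Subsequent alerts" thread; not code from the thread.
// Assumptions: both alerts land in SecurityAlert, the common key is CompromisedEntity,
// and the follow-on alert must arrive within `window` after the first one.
let window   = 15m;   // thread asks for 10-15 min; widen to 1h if that is the requirement
let lookback = 1h;    // set the rule's query period to this value so both alerts are in scope
let first_alert  = "Suspicious administrative activity";
let second_alert = "Disabling of auditd logging";
let first = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where AlertName == first_alert
    | where isnotempty(CompromisedEntity)          // an empty key would join with every row
    | project CompromisedEntity, FirstTime = TimeGenerated, FirstAlertId = SystemAlertId;
let second = SecurityAlert
    | where TimeGenerated > ago(lookback)
    | where AlertName == second_alert
    | where isnotempty(CompromisedEntity)
    | project CompromisedEntity, SecondTime = TimeGenerated, SecondAlertId = SystemAlertId;
first
| join kind=inner second on CompromisedEntity
// Order matters: the second alert must come after the first, and no later than `window`.
| where SecondTime between (FirstTime .. (FirstTime + window))
| extend Delta = SecondTime - FirstTime
// Keep the earliest follow-on per first alert so one pair does not produce several incidents.
| summarize arg_min(Delta, *) by CompromisedEntity, FirstAlertId
| project CompromisedEntity, FirstTime, SecondTime, Delta, FirstAlertId, SecondAlertId
```

Run it as a scheduled rule with a frequency no larger than the lookback, so a pair that straddles two runs is still seen together in one query period, and enable event grouping or suppression so the same pair is not re-raised on the next run. Map CompromisedEntity to the right entity type (Account or Host, depending on what the two source alerts populate) in the rule's entity mapping so the resulting incident carries entities.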
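For the thread "AKS Sentinel analytics rules" above, an added example of a rule over the data that AKS diagnostic settings produce; it is not from the thread or from the linked article. It assumes the diagnostic setting sends the kube-audit category to the workspace's AzureDiagnostics table, where each audit event arrives as raw JSON in the log_s column, and it flags interactive `kubectl exec` / `attach` sessions into pods, which are a common hands-on-keyboard step that an ordinary deployment pipeline should not perform. The service-account allow-list is a placeholder to be replaced with the cluster's own automation identities.

```kql
// Added example for the "AKS Sentinel analytics rules" thread; not from the linked article.
// Assumptions: kube-audit goes to AzureDiagnostics with the audit event JSON in log_s,
// and the allow-list below is replaced by the identities that legitimately exec into pods.
let allowed_users = dynamic(["system:serviceaccount:kube-system:placeholder-automation"]);
AzureDiagnostics
| where Category == "kube-audit"
| where log_s has_any ("exec", "attach")      // cheap text pre-filter before parsing JSON
| extend Audit = parse_json(log_s)
| extend Verb        = tostring(Audit.verb),
         K8sResource = tostring(Audit.objectRef.resource),
         Subresource = tostring(Audit.objectRef.subresource),
         Namespace   = tostring(Audit.objectRef.namespace),
         Pod         = tostring(Audit.objectRef.name),
         User        = tostring(Audit.user.username),
         SourceIP    = tostring(Audit.sourceIPs[0]),
         StatusCode  = toint(Audit.responseStatus.code),
         RequestURI  = tostring(Audit.requestURI)
// exec/attach are POSTs (verb "create") on the pods/exec or pods/attach subresource.
| where Verb == "create" and K8sResource == "pods" and Subresource in ("exec", "attach")
// A successful exec is answered with 101 (protocol switch); 4xx means RBAC denied it.
| where StatusCode < 400
| where User !in (allowed_users)
| summarize Sessions = count(), Pods = make_set(Pod, 50),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated)
    by Cluster = Resource, User, Namespace, SourceIP
| order by Sessions desc
```

User and SourceIP are left as separate columns so they can be mapped to the Account and IP entity types in the rule, which is what makes the incident investigable from the entity page. If the diagnostic setting only enables kube-audit-admin, exec requests are still present, since that category keeps write verbs and drops only get/list/watch; if the setting uses resource-specific tables instead of AzureDiagnostics, the same fields live in the AKSAudit table as parsed columns and the `parse_json(log_s)` step is not needed.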