Azure Sentinel - Run Antivirus Scan using Logic App
Hello, I have to integrate an antivirus run scan into Azure Sentinel using a playbook (template Run MDE Antivirus - Incident Trigger). According to the prerequisites, I need to grant some permissions using a PowerShell command. "Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App." From PowerShell, I enter the following commands:

$MIGuid = '0fff8f4e-xxxx-xxxx-xxxx-xxxxxxxxxxxxx'
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

I receive the following error message:

Get-AzureADServicePrincipal: You must call the Connect-AzureAD cmdlet before calling any other cmdlets.

Any idea? PS: I'm not a developer... Regards, HA

MDE DeviceNetworkEvents missing full URL for HTTPS traffic
Hi all, I've integrated Sentinel with some external TI feeds (like Phishtank, etc.) and collected MDE DeviceNetworkEvents. It seems that most (if not all) HTTPS traffic (URL) is not fully logged. Example: https://cloudflare-ipfs.com instead of https://cloudflare-ipfs.com/xxx.dat. PS: with HTTP traffic I get the full URL with path, etc. It means that the URL doesn't match when trying to compare the URL from the TI source (full URL) and the URL (partial) generated by the browser. The goal is to push the IOC (in this case the URL) into the Indicators list. I don't want to populate the indicator with a domain list because it can blacklist a full domain. Example: https://docs.google.com/presentation/d/e/2 It could be a phishing URL, but I don't want to blacklist the docs.google.com domain because it can contain valid URLs... Any idea? Regards, HA

I am trying to implement a Logic App - playbook with incident trigger.
Hello, I am trying to implement a Logic App playbook with incident trigger. The logic app fails with the error:

Failed to trigger playbook Caller is missing required playbook triggering permissions on playbook resource /resourceGroups/Test/providers/Microsoft.Logic/workflows/test2', or Microsoft Sentinel is missing required permissions to verify the caller has permissions

As I validated all the parameters and the permissions seem correct, I don't know what I am doing wrong.
- Sentinel settings are correct
- I gave Microsoft Sentinel permissions to run playbooks.
- added Microsoft Sentinel Responder (Identity playbook)
Please see screenshots. Not too sure why it says incident ARM id missing? Many thanks for any ideas!

Sigma rules into content gallery
Hello Community! I have been trying to work out a nice way to convert the Sigma rules available here: sigma/rules at master · SigmaHQ/sigma (github.com), which are compatible with the microsoft365defender backend, into analytic rules in Sentinel. After thinking it through for a while, it seems a much more sensible approach to convert these into rule templates. However, it seems that the only way to get rule templates in is via the content gallery. Is that correct? Before I embark on contributing a large pack of analytic rule templates, it makes me wonder why this hasn't been done already by someone more capable and enthusiastic than I am, but I can't find much in the way of this. It seems like all the pieces are there, so surely I can't be the first one to have this thought. Can anyone point me to something I am missing? Cheers, Jeremy.

Microsoft Defender XDR / Defender for Endpoint data connectors inconsistent failures
Hello, We are deploying our SOC (Sentinel) environments via Bicep. Now the Defender XDR (MicrosoftThreatProtection) and Defender for Endpoint (MicrosoftDefenderAdvancedThreatProtection) data connectors are failing to deploy inconsistently. It seems to be a known issue according to the following posts:
- https://github.com/Azure/SimuLand/issues/23
- https://techcommunity.microsoft.com/t5/microsoft-sentinel/quot-missing-consent-invalid-license-quot-defender-for-endpoint/m-p/3027212
- https://github.com/Azure/Azure-Sentinel/issues/5007
Next to this issue, I see almost no development on the data connectors API. Is there some news on how to enable data connectors via automation in the future, since it seems to be moving to Content Hub? It is hard to find any docs about how to deploy this, for example via Bicep!? Also I have a question regarding the 'Tenant-based Microsoft Defender for Cloud (Preview)' data connector. We deploy this now via the GenericUI data connector kind, but this has no option to enable it via automation. Same as the question in the previous paragraph: how would this be made possible?

Defender TVM Logs - "Coming Soon!", it has been over 12 months
Has anyone seen or heard anything about the Defender Advanced Hunting TVM integration with Sentinel? I would quite like to use it to create workbooks, but the Defender connector has displayed "Coming Soon!" for over a year now. Is this still on the roadmap, or is this a low priority?

Block Computer Object / Azure Sentinel Playbook "Named Pipes Privilege escalation"
Hello MS Community, I have a question about the following use case. If some hosts (servers / clients) use the "Named Pipes privilege escalation", I would like to respond automatically via Sentinel. I think isolating / locking the computer object would be a good idea. Maybe someone had the same use case and has a solution for that topic. Thanks a lot & best regards, Kevin

Entities
Hi, I use the Microsoft 365 Defender data connector to forward security incidents to Sentinel. The incident contains a lot of entities like host/username and process information. I need the local IP address from the host (type IP) - how can I add this entity every time I get an incident? Jan