Microsoft Sentinel
New Blog | How to use Log Analytics log data exported to Storage Accounts
By Simone Oor. Introduction: Exporting your logs from Sentinel or Log Analytics to Azure storage account blobs gives you low-cost long-term retention, as well as benefits such as immutability for legal hold, and geographical redundancy. But in the event of an incident, or perhaps a legal case, you may need the data archived away in those storage account blobs to help the investigation. How do you go about retrieving and analyzing that data? This blog will answer exactly that question. Hint, it does involve an Azure Data Explorer cluster. I will also briefly explain how data ends up in those blobs in the first place. Read the full post here: How to use Log Analytics log data exported to Storage Accounts

Azure Lighthouse: Updated Entra ID Group used for Authorization with new Users
With Azure Lighthouse and the managed tenant, when applying additional users to a related Entra ID group used for authorization, how do you identify the issues when those users show they do not have access to valid customer tenants and their resources, such as Log Analytics Workspaces?

Migrate MS Sentinel from one tenant to another tenant
I need to migrate Microsoft Sentinel with all its resources (playbooks, workbooks, connectors, analytics rules). I would need a step-by-step guide, since I see that among the documentation that Microsoft has, it does not have it. I would like to know if there is any tool or functionality that allows me to do this, without having to rebuild everything.

New Blog Post | How to Locate the Microsoft Sentinel Free Benefit in Cost Management + Billing
How to Locate the Microsoft Sentinel Free Benefit in Cost Management + Billing – Azure Cloud & AI Domain Blog (azurecloudai.blog). There are a couple of ways to identify that the free benefit (https://aka.ms/SentinelOffer) for Microsoft 365 E5, A5, F5 and G5 customers has kicked in. The first is the most obvious. We’ve included a Microsoft Sentinel Cost Workbook in the Microsoft Sentinel console that shows the applicable data flow.

New Blog Post | The Revoke Action for Threat Indicators in Microsoft Sentinel
The Revoke Action for Threat Indicators in Microsoft Sentinel – Azure Cloud & AI Domain Blog (azurecloudai.blog). Someone asked a great question today about what exactly marking a Threat Indicator in the Threat Intelligence blade in Microsoft Sentinel does. We don’t currently have a good explanation in the docs, so I’ll add an explanation here and submit it for inclusion in the docs.

Missing data from the Office Activity logs
I run a query on a daily basis that uses the OfficeActivity table and filters the term Send within the operation field. I started to notice that my results were decreasing, so I ran a summary for the past month and noticed a huge decrease in OfficeActivity capturing the send activity. Any thoughts on what would be the cause of this? PS: it is not Sentinel missing data, because when I check the activity in Defender for Cloud, the results are the same. Here is the query I ran:

    OfficeActivity
    | where TimeGenerated > ago(30d)
    | where Operation contains "Send"
    | summarize count() by bin(TimeGenerated, 1d)

And here are the results:

    TimeGenerated [UTC]   count_
    8/25/2023             417
    8/24/2023             66
    8/23/2023             93
    8/22/2023             77
    8/21/2023             73
    8/20/2023             16
    8/19/2023             17
    8/18/2023             326
    8/17/2023             2978
    8/16/2023             3175
    8/15/2023             4106
    8/14/2023             3632
    8/13/2023             466
    8/12/2023             527
    8/11/2023             2516
    8/10/2023             3187
    8/9/2023              3143
    8/8/2023              3289

Now today it is looking like it is starting to climb back, but I need to rely on this data, so I wouldn't mind knowing why it stopped for almost a week. (No changes that would impact our environment were made, btw.)

How to create Playbook and automation rules for M365 Defender for Identity, Endpoint, Cloud Apps, an
How to create Playbook and automation rules for M365 Defender for Identity, Endpoint, Cloud Apps, and Data, as we wanted to do some automation around it to let SOAR work on the alerts which are on "Low" and "Medium" severity? For example: if we have many alerts, those should be verified by the respective automation rule, which takes the appropriate actions, like closing those alerts or marking them as no action needed.

azure activity connector not working
Hi there, the Azure Activity Connector from the Sentinel Content Hub is not working for me. I launched the Azure Policy Assignment wizard and created the Azure Policy as instructed. For testing, I created and deleted a resource group. The Azure Activity Log shows entries for the creation/deletion of the resource group. Azure Policy shows the new collection policy - the scope is set at the subscription level, so no filtering, and its compliance state is 'compliant'. Has anyone recently configured the Azure Activity connector? Any surprises? Thanks.

NRT Rules & Regular Analytics Rules in Sentinel Checklist
This table serves as a handy checklist for cyber analysts when creating KQL analytic rules. It provides a clear comparison between Near Real-Time (NRT) and Regular Analytic rules, highlighting key considerations such as query interval, ingestion delay, alert generation, event grouping, rule creation, and limitations. By referring to this table, analysts can make an informed decision on whether to use an NRT or a Regular Analytic rule based on their specific needs and constraints. This can help streamline the rule creation process and ensure effective and efficient threat detection. Remember, the choice between NRT and Regular Analytic rules ultimately depends on the specific requirements of your security operations center. Link: KQL/NRTchecklist. at main · guys1444/KQL (github.com)

New Blog | Enable your key business needs within Microsoft Sentinel with step-by-step guidance
Modernize your security operations center (SOC) with Microsoft Sentinel. Uncover sophisticated threats and respond decisively with an intelligent, comprehensive security information and event management (SIEM) solution for proactive threat detection, investigation, and response. Read the full blog for the lightweight guide: Enable your key business needs within Microsoft Sentinel with step-by-step guidance - Microsoft Community Hub