azure
140 Topics

Can we deploy Bicep through Sentinel repo
Hi there, I'm new here, but... With the problem statement being "Deploying and managing Sentinel infrastructure through a git repository", I had looked into the Sentinel Repository feature, which is still in Preview, with the added limitations of not being able to deploy watchlists or custom Log Analytics functions (custom parsers). There is also a limitation of deploying only ARM content. My guess would be that the product folks at msft are working on this.

My hypothesized (just started the R&D, as of writing this) options would be to:

1. Fully go above and beyond with Bicep: Create Bicep deployment files for both the rules as well as their dependencies like LAW functions, watchlists and the whole nine yards. Need to write pipelines for the deployment. The CI/CD would also need extra work to implement.
2. Hit that sweet spot: Deploy the currently supported resources using Sentinel repo and write a pipeline to deploy the watchlists using Bicep. But not sure if this will be relevant to solutions for clients, when the whole shtick is that we are updating now so we don't have to later.
3. Go back to the dark ages: Stick to the currently supported Sentinel content through ARM & repo, and deploy the watchlists and dependencies using the GUI.

I will soon confirm the first two methods, but it may take some time. As you know, I may or may not be new to Sentinel... or DevOps... But wanted to kick off the conversation, to see how close to being utterly wrong I am.

Thanks, mal_sec

Is it possible to set up this playbook for a specific rule incident alarm?
I was wondering if a specific playbook setting is possible for the rule below.

RuleName: New Azure Sentinel incident - Authentication Attempt from New Country

- Read the UserPrincipalName and set_IPAddress values when the alarm occurs.
- Automatically send mail to each user by identifying the user-specific mail address from the UserPrincipalName and changing the recipient and IP value according to the specified mail form.

Reached the maximum limit of Analytics Rules of 512 in Sentinel
Hello all, We have 539 total analytics rules in Sentinel, 478 enabled rules and 61 disabled rules. Today, we noticed that we can't add new scheduled rules in the Analytics section of Sentinel. When we checked the Sentinel workspace's Activity logs, we saw this error message: "The maximum number of Scheduled analytics rules (512) has already been reached for workspace xxxxxx". It looks like Microsoft Sentinel does indeed have a service limit of 512 on the number of analytics rules you can have in a workspace, as per this article: Microsoft Sentinel service limits | Microsoft Docs. We need to add more rules to ensure that our Sentinel is benchmarked against the MITRE ATT&CK framework. According to MITRE, there are 191 techniques and 385 sub-techniques in the latest ATT&CK framework, that's a total of 576; how are we supposed to have good analytics insights coverage with the limit of 512? That's without even considering new ransomware rules, threat intel rules, and general zero-day rules, e.g. Log4J etc. We have a single workspace with all data connectors (from other Microsoft solutions, Defender products etc. as well as other on-premise Syslog servers). If we consider splitting our rules between two or three workspaces to cover all the MITRE ATT&CK techniques and sub-techniques (and other custom rules for our own environment), then we need to duplicate the data across those additional workspaces, split the rules across multiple workspaces and work with incidents across all workspaces (per this article: Work with Microsoft Sentinel incidents in many workspaces at once | Microsoft Docs) - but this means we have to pay for duplication of workspace storage. This can't be a realistic solution that Microsoft expects us to do! Has anyone faced this challenge and hit this maximum analytics rule limit of 512? Any advice how we might overcome it? Where do we go from here?
I am surprised that this topic has not been discussed widely by companies who have mature SOCs based on Sentinel and who have considered fully benchmarking their Sentinel rules against the MITRE ATT&CK framework. Any help will be highly appreciated, and thanks in advance for any comments.

DCR xPath - Nomenclature modification?
Hello, I have a question regarding the custom (xPath) configuration when creating a DCR for Windows Security Events via AMA. Below is the xPath I was using until now to exclude the following EventIDs: 4689, 5449 and 5145. It was working perfectly fine:

Raw xPath: Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145)]]

Today I wanted to modify it to exclude another EventID, but got an error mentioning that "the event log you have specified is not a valid xPath":

Raw xPath: Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]

I tried to remove the "Security" channel from the xPath as below:

*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]

But this throws an error: Did the xPath nomenclature update, or is there a new way to exclude specific Event IDs that I missed? Is anyone facing the same issue? Thanks in advance.

Issue in Uninstallation of AMA for Arc Enabled Windows server
Dear Community, As part of troubleshooting, I want to uninstall the AMA agent from an Azure Arc enabled server. I tried "Uninstall" from Azure Arc machine - Extension - Uninstall, but it went into the "Deleting" state for 2 days. Then I tried uninstallation using PowerShell, but again it went to the "Deleting" state. I tried removing and adding the machine to and from the DCR and Azure Arc again and then tried again; still it shows the "Deleting" state only. So, I tried uninstallation directly from the server using the command azcmagent extension remove --name AzureMonitorWindowsAgent and got the below error. From my test machine I copied the "HandlerManifest.json" file and put it in the same folder where the error is showing above. The JSON file has the content shown below. Now after this I tried the "azcmagent extension remove --name AzureMonitorWindowsAgent" command again and got the error. Please help in uninstalling this AMA agent. Thanks, Mahesh

Sentinel query KQL with variables
Hello! I need to use variables as parameters of functions in Sentinel Logs. I have:

let t = "Syslog";
let name = "my-Sentinel";
let id = "abc123";

Well, if I do this, it works fine:

table("Syslog")
table(t)
workspace("my-Sentinel").table("Syslog")
workspace("my-Sentinel").Syslog

But I need this to work:

workspace(name).table(t)

or

let x=strcat("workspace('", name, "')");
let y=strcat("table('", t, "')");
x.y

In general it seems that the function workspace() doesn't work with a variable as parameter, but the function table() works if alone:

workspace("my-Sentinel") -> YES
workspace(n) -> NO
table("Syslog") -> OK
table(t) -> OK

Any idea how to make it work? In particular to do this: workspace(name).table(t) Thanks!!!

Backing up Sentinel and the Security subscription
A lot of people ask about how Security Operations can effectively back up all of the Sentinel related objects. One option is to use GitHub or Azure DevOps pipelines to get a daily backup. I've been doing this for a very long time and it seems like a good forum to share that code. The trick behind it has been to use PowerShell to derive the current API versions for Azure objects. Once you do that, you can recursively download the whole subscription to a repo, and then scripts can generate reports using markdown and YAML. I've been backing up my subscription reliably since 2021. The default project creates reports for all the Sentinel related elements. Markdown lets the object reports be drilled down into... And KQL is presented as YAML for readability. It's actually easy to deploy all the backed-up JSON files through REST if needed, but for most of us, being able to have readable KQL and Git history of changes in files is probably all we need. This project is completely written in PowerShell with no compiled modules, and anyone is freely welcome to it. I've written more about it here: Daily Azure / Sentinel Backup (and Reporting) with GitHub ... and the source code and install documentation can be found here: https://github.com/LaurieRhodes/PUBLIC-Subscription-Backup I hope this is of use to the community! Best Regards, Laurie

Questions about ingestion-time data transformation
Hi, We are building a custom collector which collects several sources like ETW, Event Logs, TCP activities etc. (yes, yet another filebeat :)) and normalizes the output into ASIM format, by the target schemas of the ASIM tables. But I see that ingesting directly into the ASIM tables is not allowed via the Log Analytics API. In one of the YouTube videos, I heard that support will be there (the video is from 3 years ago), but is it still something not supported? I am a simple-minded person. My idea was, if I normalize the data in the same way ASIM suggests, I can ingest the data into the ASIM tables, so Sentinel can start doing its magic out of the box. But from the documentation, I see that normalized data should go into a custom table (or maybe a standard table) and from there, via unifying parsers, it should go into the ASIM tables? Is that how it works today? Why add another parser on top of the normalized data? Thanks in advance.