Microsoft Defender ATP Azure Sentinel Connector omits lot of important Alert information
Hi It is sad to see Microsoft defender ATP Connector at Azure Sentinel does not get all the required alert information as compared to Graph API. Details like User information, IP Information, Threat Category & Threat Family are omitted. Building any custom playbook to get these data is additionally charged although ingestion of Microsoft data is free. Connector needs improvement. ThanksLocal IPs ( 10.60.0.0/24 ) in ClientIP field in OfficeActivity logs?
Started seeing this more often recently and it started to cause some uptick in alerts across multiple customers (we are an MSP). It seems to me like a backend workflow is failing to write true source IPs to OfficeActivity logs, resulting in some 10.60.0.0/24 IPs being recorded as the ClientIP. Could this be some backend IP belonging to a Microsoft services? This can't be related to the customer since we see the same thing across up to 37 tenants/customers. This includes FileDownloaded operations which is what caused alerts and brought the issue to our attention. To make sure this also wasn't some kind of correlation to device, I checked the logs further and it's happening where IsManagedDevice == false and even anonymous file access. Is anyone else seeing this and can anyone from Microsoft confirm whether this is a mistake or bug somewhere upstream? Sample KQL: // Query 1 OfficeActivity | where TimeGenerated >=ago(30d) | where ipv4_is_private( ClientIP ) | where IsManagedDevice == false | summarize min(TimeGenerated), max(TimeGenerated), Operations=make_set(Operation), NumberUsers=dcount(UserId), make_set(UserId), UserAgents=make_set(UserAgent) by ClientIP // Query 2 OfficeActivity | where TimeGenerated >=ago(60d) | where isnotempty( ClientIP ) and ipv4_is_private( ClientIP ) | summarize count() by bin(TimeGenerated, 1d)
IIS Logs for Data Collection Rules - No x-forwarded-for
Hi, I use IIS logs in AMA to collect webserver logs in Sentinel. This rule do not collect the field x-forwarded-for and I need this. I read on github that the MS team is working on adding support for the extensions fields but not sure when it happens. Any of you solved this and how?
ASIM built-in functions in Sentinel, are they updated automatically?
Are the ASIM built-in functions in Sentinel automatically updated? For example, the built-in parsers such for DNS, NetworkSession, and WebSession. Do the built-in ones receive automatic updates or will the workspace-deployed versions of these parsers be the most up-to-date? And if true, would it be recommended to use workspace-deployed version of parsers that already come built-in?
Single Rule for No logs receiving (Global + Per-device Thresholds)
Hi everyone, I currently maintain one Analytics rule per table to detect when logs stop coming in. Some tables receive data from multiple sources, each with a different expected interval (for example, some sources send every 10 minutes, others every 30 minutes). In other SIEM platforms there’s usually: A global threshold (e.g., 60 minutes) for all sources. Optional per-device/per-table thresholds that override the global value. Is there a recommended way to implement one global rule that uses a default threshold but allows per-source overrides when a particular device or log table has a different expected frequency? Also, if there are other approaches you use to manage “logs not received” detection, I’d love to hear your suggestions as well. This is a sample of my current rule let threshold = 1h; AzureActivity | summarize LastHeartBeat = max(TimeGenerated) | where LastHeartBeat < ago(threshold)
I have no Microsoft Office 365 logs.
First of all, thanks in advance. In one tenant, I've configured Sentinel with several data sources, but the Microsoft 365 connector isn't logging events. I've done this about 20 times for different clients. The connector appears connected. I disconnected the connector and deleted the resource from the content center. Of course, I've waited; it's been a month since I did it the first time. I've tried checking Exchante, Teams, etc., to test combinations. I don't know if you know of any way to troubleshoot, see why the logs aren't arriving? Do I need to do something in Microsoft 365? Auditing is enabled, because when I go to Purview, audit, I can search for logs. I can't think of anything else. Thanks!!!
Trend Micro Vision One Connector Not working
Hi All, Before I get nuked in the comments to raise an issue on the Sentinel Repo. Here me out 😇 Around a month ago, the logs stopped ingesting. A quick snoop around revealed the reason. But I'm not sure if I should raise an issue, or try to fix the issue, risking voiding any future support I can get, since the connector and the app that comes with it are market solutions. Function app was not running due to a dependency issue. Spotted this on the diagnostic logs, under the "exceptions" table. "module named _cffi_backend not found" a python package google tells me, thats used to interact with C code. So logically, I need to find the requirement.txt and make sure the dependency is there. Also make sure the python version on the runtime and Azure matches, The logs were initially flowing as usual . I had completed integrating Trend Micro using Azure Functions based connector around 7 months ago. Worked like a toyota helix until now. So once again, would like to know the community's thoughts on it. ThxxFetching alerts from Sentinel using logic apps
Hello everyone, I have a requirement to archive alerts from sentinel. To do that I need to do the following: Retrieve the alerts from Sentinel Send the data to an external file share As a solution, I decided to proceed with using logic apps where I will be running a script to automate this process. My questions are the following: -> Which API endpoints in sentinel are relevant to retrieve alerts or to run kql queries to get the needed data. -> I know that I will need some sort of permissions to interact with the API endpoint. What type of service account inside azure should I create and what permissions should I provision to it ? -> Is there any existing examples of logic apps interacting with ms sentinel ? That would be helpful for me as I am new to Azure. Any help is much appreciated !
Sentinel and Amazon Web Services S3 WAF
Hello, I'm using Sentinel to fetch AWS WAF logs using the new collector Amazon Web Services S3 WAF . I setup a first collection using the ARN role and SQS Queue (Francfort Region). arn:aws:iam::XXXXXXXXX:role/OIDC_MicrosoftSentinel https://sqs.eu-central-1.amazonaws.com/XXXXXXX/sqs-aws-cloudwatch-sentinell I then add new collection using ARN role and SQS Queue (Francfort Region). arn:aws:iam::XXXXXXXXX:role/OIDC_MicrosoftSentinel https://sqs.eu-central-1.amazonaws.com/XXXXXXX/sqs-aws-cloudwatch-sentinell Adding the second collection erase the first one !! Is it a bug ?? Regards, HA
