data collection
Zoom logs into Sentinel
Hi, I am reaching out to community members because I am facing a hassle while integrating Zoom with Sentinel. While following the document provided inside the Zoom data connector, I deployed an app on Zoom, extracted the required information, created a function app on Azure and provided the account ID, client ID, client secret, everything, but I am facing one error: that the account has no audio conference plan. The function app is running successfully, but in the invocation logs it is showing this audio conference plan error. To make sure, we have purchased the Zoom audio conference plan, but it is still giving us the same error. If anyone has done this, please share your experience with us on how you integrated Zoom with Sentinel, because for the last two months we have been struggling with it.

Sentinel and Chinese branches
Hi, is it possible to send logs from servers located in China to a Sentinel workspace in the EU, or to manage from a single pane of glass two instances, one of which is in China? I am trying to figure out the best way to accomplish it, given that the great Chinese firewall could block DCR communications and that using a VPN to send logs to a log forwarder is very expensive (for the government license). Is anyone aware if the multi-workspace incident view is working with Lighthouse for a global tenant and a Chinese one? Or the multitenant solution? Thank you.

Sentinel WorkDay connector won't work w/ Entra SSO/SAML
We're using MS Entra SSO/SAML to log in to our WorkDay instance. After configuring the Sentinel WorkDay data connector and hitting "connect", we are prompted for a username/password. We raised a support ticket but were told that we need to remove SSO from the WorkDay Enterprise application, which is not an option. These are two Microsoft products, Entra SSO and Sentinel. Is there a way to make them compatible?

CCP ProofPoint and Zscaler
Hi, I have the ProofPoint and Zscaler data connectors, which appear to show as Deprecated. Logs are still flowing via the native Azure Function uninterrupted. Per PP, CCP is the suggested approach to replace it. For Zscaler there is no replacement method, but I assume this will also require CCP. Has anyone created CCP for these and successfully deployed these solutions?

Log Analytics Workspace - ThreatIntelIndicators
Morning! I have been working on migrating some of our tenant analytic rules to use the new TI ThreatIntelIndicators table. However, I noticed the following: when querying against the new table, I get these values in a tenant log workspace. When I do the same query in another tenant's log workspace, I get this result back. If I expand the query to grab the last 7 days, I get results back, but they are wildly different from what I see from one tenant to another. I can find big and small discrepancies in the logs I see. I still can't find the connector on the connectors page (when I filter them out by data type). I can see the one that is being used for the soon-to-be-decommissioned table. As far as I understand, the connector is not going to be changed per se, just how we access the logs from any given Log Analytics workspace. I'm expecting to see the same values across my log workspaces since it comes from the same connector, and is provided by MS, or is this ingestion of TI logs tenant-scoped and each one has different settings? I couldn't find something that tells me this in the docs. Or is this part of the rollout problems we are expecting to see? Thanks!

ARC Server disappear after less than 10 days
Hi all, I have several servers (Linux or Windows) using ARC. Some of these servers are sometimes in a shutdown state for several days (less than 30 days, or sometimes even less, like 10 days). Once up again, these servers are not visible in the ARC console and I need to use the "azcmagent connect" command to see them again. According to the documentation, the disconnected time is 45 days... Any idea how to change this behaviour? Regards, HA

Cannot stop CEF duplication to syslog when both processed by same Linux VM
We have a situation where we are sending CEF records from a FortiGate firewall to Microsoft Sentinel via the Common Event Format (CEF) via AMA data connector, and we also use the Syslog via AMA data connector (both on the same Ubuntu Linux VM using rsyslog), and the result is that we are getting duplicates of the CEF records in the Syslog table. I've read a lot of articles about the duplication and possible ways to fix it; however, I've had no success. My most recent attempt is to create a file /etc/rsyslog.d/05-filter-CEF.conf with the following entries:

if ($programname == "CEF") then @@127.0.0.1:28330
& stop

Unfortunately we still get duplicates. One article I read said to use @@127.0.0.1:25226; however, then we don't get CEF records in CommonSecurityLog or Syslog. Is there anyone that can help?

Cribl or Logstash vs AMA CEF: What's the Best Choice for Ingesting Firewall Logs?
Hi everyone, what are the advantages of using Cribl or Logstash over a CEF log collector via AMA for ingesting firewall logs, such as Palo Alto for example, into Microsoft Sentinel? In a typical scenario, how would you configure the ingestion to optimize performance, scalability, and cost? What do you think? Let's discuss and share experiences!

Fetching alerts from Sentinel using logic apps
Hello everyone, I have a requirement to archive alerts from Sentinel. To do that I need to do the following:

- Retrieve the alerts from Sentinel
- Send the data to an external file share

As a solution, I decided to proceed with using logic apps, where I will be running a script to automate this process. My questions are the following:

-> Which API endpoints in Sentinel are relevant to retrieve alerts or to run KQL queries to get the needed data?
-> I know that I will need some sort of permissions to interact with the API endpoint. What type of service account inside Azure should I create, and what permissions should I provision to it?
-> Are there any existing examples of logic apps interacting with MS Sentinel? That would be helpful for me as I am new to Azure.

Any help is much appreciated!