detection

var(--lia-bs-border-color)","boxShadow":"var(--lia-bs-box-shadow-sm)","brandMarginRight":"30px","brandMarginRightSm":"10px","brandLogoHeight":"30px","linkGap":"10px","linkJustifyContent":"flex-start","linkPaddingY":"5px","linkPaddingX":"10px","linkDropdownPaddingY":"9px","linkDropdownPaddingX":"var(--lia-nav-link-px)","linkColor":"var(--lia-bs-body-color)","linkHoverColor":"var(--lia-bs-primary)","linkFontSize":"var(--lia-bs-font-size-sm)","linkFontStyle":"NORMAL","linkFontWeight":"400","linkTextTransform":"NONE","linkLetterSpacing":"normal","linkBorderRadius":"var(--lia-bs-border-radius-sm)","linkBgColor":"transparent","linkBgHoverColor":"transparent","linkBorder":"none","linkBorderHover":"none","linkBoxShadow":"none","linkBoxShadowHover":"none","linkTextBorderBottom":"none","linkTextBorderBottomHover":"none","dropdownPaddingTop":"10px","dropdownPaddingBottom":"15px","dropdownPaddingX":"10px","dropdownMenuOffset":"2px","dropdownDividerMarginTop":"10px","dropdownDividerMarginBottom":"10px","dropdownBorderColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)","controllerBgHoverColor":"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.1)","controllerIconColor":"var(--lia-bs-body-color)","controllerIconHoverColor":"var(--lia-bs-body-color)","controllerTextColor":"var(--lia-nav-controller-icon-color)","controllerTextHoverColor":"var(--lia-nav-controller-icon-hover-color)","controllerHighlightColor":"hsla(30, 100%, 
50%)","controllerHighlightTextColor":"var(--lia-yiq-light)","controllerBorderRadius":"var(--lia-border-radius-50)","hamburgerColor":"var(--lia-nav-controller-icon-color)","hamburgerHoverColor":"var(--lia-nav-controller-icon-color)","hamburgerBgColor":"transparent","hamburgerBgHoverColor":"transparent","hamburgerBorder":"none","hamburgerBorderHover":"none","collapseMenuMarginLeft":"20px","collapseMenuDividerBg":"var(--lia-nav-link-color)","collapseMenuDividerOpacity":0.16,"__typename":"NavbarThemeSettings"},"pager":{"textColor":"var(--lia-bs-link-color)","textFontWeight":"var(--lia-font-weight-md)","textFontSize":"var(--lia-bs-font-size-sm)","__typename":"PagerThemeSettings"},"panel":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-bs-border-radius)","borderColor":"var(--lia-bs-border-color)","boxShadow":"none","__typename":"PanelThemeSettings"},"popover":{"arrowHeight":"8px","arrowWidth":"16px","maxWidth":"300px","minWidth":"100px","headerBg":"var(--lia-bs-white)","borderColor":"var(--lia-bs-border-color)","borderRadius":"var(--lia-bs-border-radius)","boxShadow":"0 0.5rem 1rem hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.15)","__typename":"PopoverThemeSettings"},"prism":{"color":"#000000","bgColor":"#f5f2f0","fontFamily":"var(--font-family-monospace)","fontSize":"var(--lia-bs-font-size-base)","fontWeightBold":"var(--lia-bs-font-weight-bold)","fontStyleItalic":"italic","tabSize":2,"highlightColor":"#b3d4fc","commentColor":"#62707e","punctuationColor":"#6f6f6f","namespaceOpacity":"0.7","propColor":"#990055","selectorColor":"#517a00","operatorColor":"#906736","operatorBgColor":"hsla(0, 0%, 100%, 0.5)","keywordColor":"#0076a9","functionColor":"#d3284b","variableColor":"#c14700","__typename":"PrismThemeSettings"},"rte":{"bgColor":"var(--lia-bs-white)","borderRadius":"var(--lia-panel-border-radius)","boxShadow":" 
var(--lia-panel-box-shadow)","customColor1":"#bfedd2","customColor2":"#fbeeb8","customColor3":"#f8cac6","customColor4":"#eccafa","customColor5":"#c2e0f4","customColor6":"#2dc26b","customColor7":"#f1c40f","customColor8":"#e03e2d","customColor9":"#b96ad9","customColor10":"#3598db","customColor11":"#169179","customColor12":"#e67e23","customColor13":"#ba372a","customColor14":"#843fa1","customColor15":"#236fa1","customColor16":"#ecf0f1","customColor17":"#ced4d9","customColor18":"#95a5a6","customColor19":"#7e8c8d","customColor20":"#34495e","customColor21":"#000000","customColor22":"#ffffff","defaultMessageHeaderMarginTop":"40px","defaultMessageHeaderMarginBottom":"20px","defaultMessageItemMarginTop":"0","defaultMessageItemMarginBottom":"10px","diffAddedColor":"hsla(170, 53%, 51%, 0.4)","diffChangedColor":"hsla(43, 97%, 63%, 0.4)","diffNoneColor":"hsla(0, 0%, 80%, 0.4)","diffRemovedColor":"hsla(9, 74%, 47%, 0.4)","specialMessageHeaderMarginTop":"40px","specialMessageHeaderMarginBottom":"20px","specialMessageItemMarginTop":"0","specialMessageItemMarginBottom":"10px","__typename":"RteThemeSettings"},"tags":{"bgColor":"var(--lia-bs-gray-200)","bgHoverColor":"var(--lia-bs-gray-400)","borderRadius":"var(--lia-bs-border-radius-sm)","color":"var(--lia-bs-body-color)","hoverColor":"var(--lia-bs-body-color)","fontWeight":"var(--lia-font-weight-md)","fontSize":"var(--lia-font-size-xxs)","textTransform":"UPPERCASE","letterSpacing":"0.5px","__typename":"TagsThemeSettings"},"toasts":{"borderRadius":"var(--lia-bs-border-radius)","paddingX":"12px","__typename":"ToastsThemeSettings"},"typography":{"fontFamilyBase":"Segoe 
UI","fontStyleBase":"NORMAL","fontWeightBase":"400","fontWeightLight":"300","fontWeightNormal":"400","fontWeightMd":"500","fontWeightBold":"700","letterSpacingSm":"normal","letterSpacingXs":"normal","lineHeightBase":"1.5","fontSizeBase":"16px","fontSizeXxs":"11px","fontSizeXs":"12px","fontSizeSm":"14px","fontSizeLg":"20px","fontSizeXl":"24px","smallFontSize":"14px","customFonts":[{"source":"SERVER","name":"Segoe UI","styles":[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"},{"style":"NORMAL","weight":"300","__typename":"FontStyleData"},{"style":"NORMAL","weight":"600","__typename":"FontStyleData"},{"style":"NORMAL","weight":"700","__typename":"FontStyleData"},{"style":"ITALIC","weight":"400","__typename":"FontStyleData"}],"assetNames":["SegoeUI-normal-400.woff2","SegoeUI-normal-300.woff2","SegoeUI-normal-600.woff2","SegoeUI-normal-700.woff2","SegoeUI-italic-400.woff2"],"__typename":"CustomFont"},{"source":"SERVER","name":"MWF Fluent Icons","styles":[{"style":"NORMAL","weight":"400","__typename":"FontStyleData"}],"assetNames":["MWFFluentIcons-normal-400.woff2"],"__typename":"CustomFont"}],"__typename":"TypographyThemeSettings"},"unstyledListItem":{"marginBottomSm":"5px","marginBottomMd":"10px","marginBottomLg":"15px","marginBottomXl":"20px","marginBottomXxl":"25px","__typename":"UnstyledListItemThemeSettings"},"yiq":{"light":"#ffffff","dark":"#000000","__typename":"YiqThemeSettings"},"colorLightness":{"primaryDark":0.36,"primaryLight":0.74,"primaryLighter":0.89,"primaryLightest":0.95,"infoDark":0.39,"infoLight":0.72,"infoLighter":0.85,"infoLightest":0.93,"successDark":0.24,"successLight":0.62,"successLighter":0.8,"successLightest":0.91,"warningDark":0.39,"warningLight":0.68,"warningLighter":0.84,"warningLightest":0.93,"dangerDark":0.41,"dangerLight":0.72,"dangerLighter":0.89,"dangerLightest":0.95,"__typename":"ColorLightnessThemeSettings"},"localOverride":false,"__typename":"Theme"},"localOverride":false},"CachedAsset:text:en_US-shared/client/components
/common/Loading/LoadingDot-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-shared/client/components/common/Loading/LoadingDot-1745505307000","value":{"title":"Loading..."},"localOverride":false},"CachedAsset:text:en_US-components/common/EmailVerification-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/common/EmailVerification-1745505307000","value":{"email.verification.title":"Email Verification Required","email.verification.message.update.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. To change your email, visit My Settings.","email.verification.message.resend.email":"To participate in the community, you must first verify your email address. The verification email was sent to {email}. Resend email."},"localOverride":false},"CachedAsset:text:en_US-pages/tags/TagPage-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-pages/tags/TagPage-1745505307000","value":{"tagPageTitle":"Tag:\"{tagName}\" | {communityTitle}","tagPageForNodeTitle":"Tag:\"{tagName}\" in \"{title}\" | {communityTitle}","name":"Tags Page","tag":"Tag: {tagName}"},"localOverride":false},"Category:category:microsoft-sentinel":{"__typename":"Category","id":"category:microsoft-sentinel","entityType":"CATEGORY","displayId":"microsoft-sentinel","nodeType":"category","depth":4,"title":"Microsoft Sentinel","shortTitle":"Microsoft 
Sentinel","parent":{"__ref":"Category:category:microsoft-security"}},"Category:category:top":{"__typename":"Category","id":"category:top","displayId":"top","nodeType":"category","depth":0,"title":"Top"},"Category:category:communities":{"__typename":"Category","id":"category:communities","displayId":"communities","nodeType":"category","depth":1,"parent":{"__ref":"Category:category:top"},"title":"Communities"},"Category:category:products-services":{"__typename":"Category","id":"category:products-services","displayId":"products-services","nodeType":"category","depth":2,"parent":{"__ref":"Category:category:communities"},"title":"Products"},"Category:category:microsoft-security":{"__typename":"Category","id":"category:microsoft-security","displayId":"microsoft-security","nodeType":"category","depth":3,"parent":{"__ref":"Category:category:products-services"},"title":"Microsoft Security","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Blog:board:MicrosoftSentinelBlog":{"__typename":"Blog","id":"board:MicrosoftSentinelBlog","entityType":"BLOG","displayId":"MicrosoftSentinelBlog","nodeType":"board","depth":5,"conversationStyle":"BLOG","title":"Microsoft Sentinel Blog","description":"

Microsoft Sentinel is a cloud-native SIEM, enriched with AI and automation to provide expansive visibility across your digital environment.

ption":null,"fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[{"id":"max_items","dataType":"NUMBER","list":false,"defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the carousel","possibleValues":null,"control":"INPUT","__typename":"PropDefinition"}],"__typename":"ComponentProperties"},"form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the 
carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"useBackground","type":"fieldset","as":null,"items":[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"widgetVisibility","type":"fieldset","as":null,"items":[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"componentPropsGroup","type":"fieldset","as":null,"items":[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"}],"actionButtons":null,"className":"custom_widget_HeroBanner_form","formGroupFieldSeparator":"divider","__typename":"FormLayout"},"__typename":"Form"},"__typename":"Component","localOverride":false},"globalCss":null,"form":{"fields":[{"id":"widgetChooser","validation":null,"noValidation":null,"dataType":"STR
ING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"title","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useTitle","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"useBackground","validation":null,"noValidation":null,"dataType":"BOOLEAN","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"widgetVisibility","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"moreOptions","validation":null,"noValidation":null,"dataType":"STRING","list":null,"control":null,"defaultValue":null,"label":null,"description":null,"possibleValues":null,"__typename":"FormField"},{"id":"cMax_items","validation":null,"noValidation":null,"dataType":"NUMBER","list":false,"control":"INPUT","defaultValue":"3","label":"Max Items","description":"The maximum number of items to display in the 
carousel","possibleValues":null,"__typename":"FormField"}],"layout":{"rows":[{"id":"widgetChooserGroup","type":"fieldset","as":null,"items":[{"id":"widgetChooser","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"titleGroup","type":"fieldset","as":null,"items":[{"id":"title","className":null,"__typename":"FormFieldRef"},{"id":"useTitle","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"useBackground","type":"fieldset","as":null,"items":[{"id":"useBackground","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"widgetVisibility","type":"fieldset","as":null,"items":[{"id":"widgetVisibility","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"moreOptionsGroup","type":"fieldset","as":null,"items":[{"id":"moreOptions","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"},{"id":"componentPropsGroup","type":"fieldset","as":null,"items":[{"id":"cMax_items","className":null,"__typename":"FormFieldRef"}],"props":null,"legend":null,"description":null,"className":null,"viewVariant":null,"toggleState":null,"__typename":"FormFieldset"}],"actionButtons":null,"className":"custom_widget_HeroBanner_form","formGroupFieldSeparator":"divider","__typename":"FormLayout"},"__typename":"Form"}},"localOverride":false},"CachedAsset:component:custom.widget.MicrosoftFooter-en-us-1746740527664":{"__typename":"CachedAsset","id":"component:custom.widget.Mi
crosoftFooter-en-us-1746740527664","value":{"component":{"id":"custom.widget.MicrosoftFooter","template":{"id":"MicrosoftFooter","markupLanguage":"HANDLEBARS","style":".context-uhf {\n min-width: 280px;\n font-size: 15px;\n box-sizing: border-box;\n -ms-text-size-adjust: 100%;\n -webkit-text-size-adjust: 100%;\n & *,\n & *:before,\n & *:after {\n box-sizing: inherit;\n }\n a.c-uhff-link {\n color: #616161;\n word-break: break-word;\n text-decoration: none;\n }\n &a:link,\n &a:focus,\n &a:hover,\n &a:active,\n &a:visited {\n text-decoration: none;\n color: inherit;\n }\n & div {\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\n }\n}\n.c-uhff {\n background: #f2f2f2;\n margin: -1.5625;\n width: auto;\n height: auto;\n}\n.c-uhff-nav {\n margin: 0 auto;\n max-width: calc(1600px + 10%);\n padding: 0 5%;\n box-sizing: inherit;\n &:before,\n &:after {\n content: ' ';\n display: table;\n clear: left;\n }\n @media only screen and (max-width: 1083px) {\n padding-left: 12px;\n }\n .c-heading-4 {\n color: #616161;\n word-break: break-word;\n font-size: 15px;\n line-height: 20px;\n padding: 36px 0 4px;\n font-weight: 600;\n }\n .c-uhff-nav-row {\n .c-uhff-nav-group {\n display: block;\n float: left;\n min-height: 1px;\n vertical-align: text-top;\n padding: 0 12px;\n width: 100%;\n zoom: 1;\n &:first-child {\n padding-left: 0;\n @media only screen and (max-width: 1083px) {\n padding-left: 12px;\n }\n }\n @media only screen and (min-width: 540px) and (max-width: 1082px) {\n width: 33.33333%;\n }\n @media only screen and (min-width: 1083px) {\n width: 16.6666666667%;\n }\n ul.c-list.f-bare {\n font-size: 11px;\n line-height: 16px;\n margin-top: 0;\n margin-bottom: 0;\n padding-left: 0;\n list-style-type: none;\n li {\n word-break: break-word;\n padding: 8px 0;\n margin: 0;\n }\n }\n }\n }\n}\n.c-uhff-base {\n background: #f2f2f2;\n margin: 0 auto;\n max-width: calc(1600px + 10%);\n padding: 30px 5% 16px;\n &:before,\n &:after {\n content: ' ';\n 
display: table;\n }\n &:after {\n clear: both;\n }\n a.c-uhff-ccpa {\n font-size: 11px;\n line-height: 16px;\n float: left;\n margin: 3px 0;\n }\n a.c-uhff-ccpa:hover {\n text-decoration: underline;\n }\n ul.c-list {\n font-size: 11px;\n line-height: 16px;\n float: right;\n margin: 3px 0;\n color: #616161;\n li {\n padding: 0 24px 4px 0;\n display: inline-block;\n }\n }\n .c-list.f-bare {\n padding-left: 0;\n list-style-type: none;\n }\n @media only screen and (max-width: 1083px) {\n display: flex;\n flex-wrap: wrap;\n padding: 30px 24px 16px;\n }\n}\n\n.social-share {\n position: fixed;\n top: 60%;\n transform: translateY(-50%);\n left: 0;\n z-index: 1000;\n}\n\n.sharing-options {\n list-style: none;\n padding: 0;\n margin: 0;\n display: block;\n flex-direction: column;\n background-color: white;\n width: 43px;\n border-radius: 0px 7px 7px 0px;\n}\n.linkedin-icon {\n border-top-right-radius: 7px;\n}\n.linkedin-icon:hover {\n border-radius: 0;\n}\n.social-share-rss-image {\n border-bottom-right-radius: 7px;\n}\n.social-share-rss-image:hover {\n border-radius: 0;\n}\n\n.social-link-footer {\n position: relative;\n display: block;\n margin: -2px 0;\n transition: all 0.2s ease;\n}\n.social-link-footer:hover .linkedin-icon {\n border-radius: 0;\n}\n.social-link-footer:hover .social-share-rss-image {\n border-radius: 0;\n}\n\n.social-link-footer img {\n width: 40px;\n height: auto;\n transition: filter 0.3s ease;\n}\n\n.social-share-list {\n width: 40px;\n}\n.social-share-rss-image {\n width: 40px;\n}\n\n.share-icon {\n border: 2px solid transparent;\n display: inline-block;\n position: relative;\n}\n\n.share-icon:hover {\n opacity: 1;\n border: 2px solid white;\n box-sizing: border-box;\n}\n\n.share-icon:hover .label {\n opacity: 1;\n visibility: visible;\n border: 2px solid white;\n box-sizing: border-box;\n border-left: none;\n}\n\n.label {\n position: absolute;\n left: 100%;\n white-space: nowrap;\n opacity: 0;\n visibility: hidden;\n transition: all 0.2s ease;\n 
color: white;\n border-radius: 0 10 0 10px;\n top: 50%;\n transform: translateY(-50%);\n height: 40px;\n border-radius: 0 6px 6px 0;\n display: flex;\n align-items: center;\n justify-content: center;\n padding: 20px 5px 20px 8px;\n margin-left: -1px;\n}\n.linkedin {\n background-color: #0474b4;\n}\n.facebook {\n background-color: #3c5c9c;\n}\n.twitter {\n background-color: white;\n color: black;\n}\n.reddit {\n background-color: #fc4404;\n}\n.mail {\n background-color: #848484;\n}\n.bluesky {\n background-color: white;\n color: black;\n}\n.rss {\n background-color: #ec7b1c;\n}\n#RSS {\n width: 40px;\n height: 40px;\n}\n\n@media (max-width: 991px) {\n .social-share {\n display: none;\n }\n}\n","texts":{"New tab":"What's New","New 1":"Surface Laptop Studio 2","New 2":"Surface Laptop Go 3","New 3":"Surface Pro 9","New 4":"Surface Laptop 5","New 5":"Surface Studio 2+","New 6":"Copilot in Windows","New 7":"Microsoft 365","New 8":"Windows 11 apps","Store tab":"Microsoft Store","Store 1":"Account Profile","Store 2":"Download Center","Store 3":"Microsoft Store Support","Store 4":"Returns","Store 5":"Order tracking","Store 6":"Certified Refurbished","Store 7":"Microsoft Store Promise","Store 8":"Flexible Payments","Education tab":"Education","Edu 1":"Microsoft in education","Edu 2":"Devices for education","Edu 3":"Microsoft Teams for Education","Edu 4":"Microsoft 365 Education","Edu 5":"How to buy for your school","Edu 6":"Educator Training and development","Edu 7":"Deals for students and parents","Edu 8":"Azure for students","Business tab":"Business","Bus 1":"Microsoft Cloud","Bus 2":"Microsoft Security","Bus 3":"Dynamics 365","Bus 4":"Microsoft 365","Bus 5":"Microsoft Power Platform","Bus 6":"Microsoft Teams","Bus 7":"Microsoft Industry","Bus 8":"Small Business","Developer tab":"Developer & IT","Dev 1":"Azure","Dev 2":"Developer Center","Dev 3":"Documentation","Dev 4":"Microsoft Learn","Dev 5":"Microsoft Tech Community","Dev 6":"Azure Marketplace","Dev 7":"AppSource","Dev 
8":"Visual Studio","Company tab":"Company","Com 1":"Careers","Com 2":"About Microsoft","Com 3":"Company News","Com 4":"Privacy at Microsoft","Com 5":"Investors","Com 6":"Diversity and inclusion","Com 7":"Accessiblity","Com 8":"Sustainibility"},"defaults":{"config":{"applicablePages":[],"description":"The Microsoft Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"components":[{"id":"custom.widget.MicrosoftFooter","form":null,"config":null,"props":[],"__typename":"Component"}],"grouping":"CUSTOM","__typename":"ComponentTemplate"},"properties":{"config":{"applicablePages":[],"description":"The Microsoft Footer","fetchedContent":null,"__typename":"ComponentConfiguration"},"props":[],"__typename":"ComponentProperties"},"form":null,"__typename":"Component","localOverride":false},"globalCss":{"css":".custom_widget_MicrosoftFooter_context-uhf_105bp_1 {\n min-width: 17.5rem;\n font-size: 0.9375rem;\n box-sizing: border-box;\n -ms-text-size-adjust: 100%;\n -webkit-text-size-adjust: 100%;\n & *,\n & *:before,\n & *:after {\n box-sizing: inherit;\n }\n a.custom_widget_MicrosoftFooter_c-uhff-link_105bp_12 {\n color: #616161;\n word-break: break-word;\n text-decoration: none;\n }\n &a:link,\n &a:focus,\n &a:hover,\n &a:active,\n &a:visited {\n text-decoration: none;\n color: inherit;\n }\n & div {\n font-family: 'Segoe UI', SegoeUI, 'Helvetica Neue', Helvetica, Arial, sans-serif;\n }\n}\n.custom_widget_MicrosoftFooter_c-uhff_105bp_12 {\n background: #f2f2f2;\n margin: -1.5625;\n width: auto;\n height: auto;\n}\n.custom_widget_MicrosoftFooter_c-uhff-nav_105bp_35 {\n margin: 0 auto;\n max-width: calc(100rem + 10%);\n padding: 0 5%;\n box-sizing: inherit;\n &:before,\n &:after {\n content: ' ';\n display: table;\n clear: left;\n }\n @media only screen and (max-width: 1083px) {\n padding-left: 0.75rem;\n }\n .custom_widget_MicrosoftFooter_c-heading-4_105bp_49 {\n color: #616161;\n word-break: break-word;\n 
font-size: 0.9375rem;\n line-height: 1.25rem;\n padding: 2.25rem 0 0.25rem;\n font-weight: 600;\n }\n .custom_widget_MicrosoftFooter_c-uhff-nav-row_105bp_57 {\n .custom_widget_MicrosoftFooter_c-uhff-nav-group_105bp_58 {\n display: block;\n float: left;\n min-height: 0.0625rem;\n vertical-align: text-top;\n padding: 0 0.75rem;\n width: 100%;\n zoom: 1;\n &:first-child {\n padding-left: 0;\n @media only screen and (max-width: 1083px) {\n padding-left: 0.75rem;\n }\n }\n @media only screen and (min-width: 540px) and (max-width: 1082px) {\n width: 33.33333%;\n }\n @media only screen and (min-width: 1083px) {\n width: 16.6666666667%;\n }\n ul.custom_widget_MicrosoftFooter_c-list_105bp_78.custom_widget_MicrosoftFooter_f-bare_105bp_78 {\n font-size: 0.6875rem;\n line-height: 1rem;\n margin-top: 0;\n margin-bottom: 0;\n padding-left: 0;\n list-style-type: none;\n li {\n word-break: break-word;\n padding: 0.5rem 0;\n margin: 0;\n }\n }\n }\n }\n}\n.custom_widget_MicrosoftFooter_c-uhff-base_105bp_94 {\n background: #f2f2f2;\n margin: 0 auto;\n max-width: calc(100rem + 10%);\n padding: 1.875rem 5% 1rem;\n &:before,\n &:after {\n content: ' ';\n display: table;\n }\n &:after {\n clear: both;\n }\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_105bp_107 {\n font-size: 0.6875rem;\n line-height: 1rem;\n float: left;\n margin: 0.1875rem 0;\n }\n a.custom_widget_MicrosoftFooter_c-uhff-ccpa_105bp_107:hover {\n text-decoration: underline;\n }\n ul.custom_widget_MicrosoftFooter_c-list_105bp_78 {\n font-size: 0.6875rem;\n line-height: 1rem;\n float: right;\n margin: 0.1875rem 0;\n color: #616161;\n li {\n padding: 0 1.5rem 0.25rem 0;\n display: inline-block;\n }\n }\n .custom_widget_MicrosoftFooter_c-list_105bp_78.custom_widget_MicrosoftFooter_f-bare_105bp_78 {\n padding-left: 0;\n list-style-type: none;\n }\n @media only screen and (max-width: 1083px) {\n display: flex;\n flex-wrap: wrap;\n padding: 1.875rem 1.5rem 1rem;\n }\n}\n.custom_widget_MicrosoftFooter_social-share_105bp_138 {\n 
position: fixed;\n top: 60%;\n transform: translateY(-50%);\n left: 0;\n z-index: 1000;\n}\n.custom_widget_MicrosoftFooter_sharing-options_105bp_146 {\n list-style: none;\n padding: 0;\n margin: 0;\n display: block;\n flex-direction: column;\n background-color: white;\n width: 2.6875rem;\n border-radius: 0 0.4375rem 0.4375rem 0;\n}\n.custom_widget_MicrosoftFooter_linkedin-icon_105bp_156 {\n border-top-right-radius: 7px;\n}\n.custom_widget_MicrosoftFooter_linkedin-icon_105bp_156:hover {\n border-radius: 0;\n}\n.custom_widget_MicrosoftFooter_social-share-rss-image_105bp_162 {\n border-bottom-right-radius: 7px;\n}\n.custom_widget_MicrosoftFooter_social-share-rss-image_105bp_162:hover {\n border-radius: 0;\n}\n.custom_widget_MicrosoftFooter_social-link-footer_105bp_169 {\n position: relative;\n display: block;\n margin: -0.125rem 0;\n transition: all 0.2s ease;\n}\n.custom_widget_MicrosoftFooter_social-link-footer_105bp_169:hover .custom_widget_MicrosoftFooter_linkedin-icon_105bp_156 {\n border-radius: 0;\n}\n.custom_widget_MicrosoftFooter_social-link-footer_105bp_169:hover .custom_widget_MicrosoftFooter_social-share-rss-image_105bp_162 {\n border-radius: 0;\n}\n.custom_widget_MicrosoftFooter_social-link-footer_105bp_169 img {\n width: 2.5rem;\n height: auto;\n transition: filter 0.3s ease;\n}\n.custom_widget_MicrosoftFooter_social-share-list_105bp_188 {\n width: 2.5rem;\n}\n.custom_widget_MicrosoftFooter_social-share-rss-image_105bp_162 {\n width: 2.5rem;\n}\n.custom_widget_MicrosoftFooter_share-icon_105bp_195 {\n border: 2px solid transparent;\n display: inline-block;\n position: relative;\n}\n.custom_widget_MicrosoftFooter_share-icon_105bp_195:hover {\n opacity: 1;\n border: 2px solid white;\n box-sizing: border-box;\n}\n.custom_widget_MicrosoftFooter_share-icon_105bp_195:hover .custom_widget_MicrosoftFooter_label_105bp_207 {\n opacity: 1;\n visibility: visible;\n border: 2px solid white;\n box-sizing: border-box;\n border-left: 
none;\n}\n.custom_widget_MicrosoftFooter_label_105bp_207 {\n position: absolute;\n left: 100%;\n white-space: nowrap;\n opacity: 0;\n visibility: hidden;\n transition: all 0.2s ease;\n color: white;\n border-radius: 0 10 0 0.625rem;\n top: 50%;\n transform: translateY(-50%);\n height: 2.5rem;\n border-radius: 0 0.375rem 0.375rem 0;\n display: flex;\n align-items: center;\n justify-content: center;\n padding: 1.25rem 0.3125rem 1.25rem 0.5rem;\n margin-left: -0.0625rem;\n}\n.custom_widget_MicrosoftFooter_linkedin_105bp_156 {\n background-color: #0474b4;\n}\n.custom_widget_MicrosoftFooter_facebook_105bp_237 {\n background-color: #3c5c9c;\n}\n.custom_widget_MicrosoftFooter_twitter_105bp_240 {\n background-color: white;\n color: black;\n}\n.custom_widget_MicrosoftFooter_reddit_105bp_244 {\n background-color: #fc4404;\n}\n.custom_widget_MicrosoftFooter_mail_105bp_247 {\n background-color: #848484;\n}\n.custom_widget_MicrosoftFooter_bluesky_105bp_250 {\n background-color: white;\n color: black;\n}\n.custom_widget_MicrosoftFooter_rss_105bp_254 {\n background-color: #ec7b1c;\n}\n#custom_widget_MicrosoftFooter_RSS_105bp_1 {\n width: 2.5rem;\n height: 2.5rem;\n}\n@media (max-width: 991px) {\n .custom_widget_MicrosoftFooter_social-share_105bp_138 {\n display: none;\n 
}\n}\n","tokens":{"context-uhf":"custom_widget_MicrosoftFooter_context-uhf_105bp_1","c-uhff-link":"custom_widget_MicrosoftFooter_c-uhff-link_105bp_12","c-uhff":"custom_widget_MicrosoftFooter_c-uhff_105bp_12","c-uhff-nav":"custom_widget_MicrosoftFooter_c-uhff-nav_105bp_35","c-heading-4":"custom_widget_MicrosoftFooter_c-heading-4_105bp_49","c-uhff-nav-row":"custom_widget_MicrosoftFooter_c-uhff-nav-row_105bp_57","c-uhff-nav-group":"custom_widget_MicrosoftFooter_c-uhff-nav-group_105bp_58","c-list":"custom_widget_MicrosoftFooter_c-list_105bp_78","f-bare":"custom_widget_MicrosoftFooter_f-bare_105bp_78","c-uhff-base":"custom_widget_MicrosoftFooter_c-uhff-base_105bp_94","c-uhff-ccpa":"custom_widget_MicrosoftFooter_c-uhff-ccpa_105bp_107","social-share":"custom_widget_MicrosoftFooter_social-share_105bp_138","sharing-options":"custom_widget_MicrosoftFooter_sharing-options_105bp_146","linkedin-icon":"custom_widget_MicrosoftFooter_linkedin-icon_105bp_156","social-share-rss-image":"custom_widget_MicrosoftFooter_social-share-rss-image_105bp_162","social-link-footer":"custom_widget_MicrosoftFooter_social-link-footer_105bp_169","social-share-list":"custom_widget_MicrosoftFooter_social-share-list_105bp_188","share-icon":"custom_widget_MicrosoftFooter_share-icon_105bp_195","label":"custom_widget_MicrosoftFooter_label_105bp_207","linkedin":"custom_widget_MicrosoftFooter_linkedin_105bp_156","facebook":"custom_widget_MicrosoftFooter_facebook_105bp_237","twitter":"custom_widget_MicrosoftFooter_twitter_105bp_240","reddit":"custom_widget_MicrosoftFooter_reddit_105bp_244","mail":"custom_widget_MicrosoftFooter_mail_105bp_247","bluesky":"custom_widget_MicrosoftFooter_bluesky_105bp_250","rss":"custom_widget_MicrosoftFooter_rss_105bp_254","RSS":"custom_widget_MicrosoftFooter_RSS_105bp_1"}},"form":null},"localOverride":false},"CachedAsset:text:en_US-components/community/Breadcrumb-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/community/Breadcrumb-1745505307000","value":{"
navLabel":"Breadcrumbs","dropdown":"Additional parent page navigation"},"localOverride":false},"CachedAsset:text:en_US-components/tags/TagsHeaderWidget-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/tags/TagsHeaderWidget-1745505307000","value":{"tag":"{tagName}","topicsCount":"{count} {count, plural, one {Topic} other {Topics}}"},"localOverride":false},"CachedAsset:text:en_US-components/messages/MessageListForNodeByRecentActivityWidget-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/messages/MessageListForNodeByRecentActivityWidget-1745505307000","value":{"title@userScope:other":"Recent Content","title@userScope:self":"Contributions","title@board:FORUM@userScope:other":"Recent Discussions","title@board:BLOG@userScope:other":"Recent Blogs","emptyDescription":"No content to show","MessageListForNodeByRecentActivityWidgetEditor.nodeScope.label":"Scope","title@instance:1722894000155":"Recent Discussions","title@instance:1727367112619":"Recent Blog Articles","title@instance:1727367069748":"Recent Discussions","title@instance:1727366213114":"Latest Discussions","title@instance:1727899609720":"","title@instance:1727363308925":"Latest Discussions","title@instance:1737115580352":"Latest Articles","title@instance:1720453418992":"Recent Discssions","title@instance:1727365950181":"Latest Blog Articles","title@instance:bmDPnI":"Latest Blog Articles","title@instance:IiDDJZ":"Latest Blog Articles","title@instance:1721244347979":"Latest blog posts","title@instance:1728383752171":"Related Content","title@instance:1722893956545":"Latest Skilling Resources","title@instance:dhcgCU":"Latest 
Discussions"},"localOverride":false},"Category:category:Exchange":{"__typename":"Category","id":"category:Exchange","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Outlook":{"__typename":"Category","id":"category:Outlook","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Community-Info-Center":{"__typename":"Category","id":"category:Community-Info-Center","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:EducationSector":{"__typename":"Category","id":"category:EducationSector","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:DrivingAdoption":{"__typename":"Category","id":"category:DrivingAdoption","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Azure":{"__typename":"Category","id":"category:Azure","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows-Server":{"__typename":"Category","id":"category:Windows-Server","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftTeams":{"__typename":"Category","id":"category:MicrosoftTeams","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:PublicSector":{"__typename":"Category","id":"category:PublicSector","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoft365":{"__typename":"Category","id":"category:microsoft365","categoryPolicie
s":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:IoT":{"__typename":"Category","id":"category:IoT","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:HealthcareAndLifeSciences":{"__typename":"Category","id":"category:HealthcareAndLifeSciences","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:ITOpsTalk":{"__typename":"Category","id":"category:ITOpsTalk","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftLearn":{"__typename":"Category","id":"category:MicrosoftLearn","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Blog:board:MicrosoftLearnBlog":{"__typename":"Blog","id":"board:MicrosoftLearnBlog","blogPolicies":{"__typename":"BlogPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}},"boardPolicies":{"__typename":"BoardPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:AI":{"__typename":"Category","id":"category:AI","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftMechanics":{"__typename":"Category","id":"category:MicrosoftMechanics","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:MicrosoftforNonprofits":{"__typename":"Category","id":"category:MicrosoftforNonprofits","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:StartupsatMicrosoft":{"__typename":"Category","id":"category:StartupsatMicrosoft","categoryPolicies":{"__typen
ame":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:PartnerCommunity":{"__typename":"Category","id":"category:PartnerCommunity","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Microsoft365Copilot":{"__typename":"Category","id":"category:Microsoft365Copilot","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Windows":{"__typename":"Category","id":"category:Windows","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:Content_Management":{"__typename":"Category","id":"category:Content_Management","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Category:category:microsoftintune":{"__typename":"Category","id":"category:microsoftintune","categoryPolicies":{"__typename":"CategoryPolicies","canReadNode":{"__typename":"PolicyResult","failureReason":null}}},"Conversation:conversation:4189136":{"__typename":"Conversation","id":"conversation:4189136","topic":{"__typename":"BlogTopicMessage","uid":4189136},"lastPostingActivityTime":"2025-04-21T13:38:29.131-07:00","solved":false},"User:user:2553398":{"__typename":"User","uid":2553398,"login":"chi_nguyen26","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/m_assets/avatars/default/avatar-1.svg?time=0"},"id":"user:2553398"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTg5MTM2LTU5OTM4NGk4MEI2NkVBREVGMjAzRjU1?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTg5MTM2LTU5OTM4NGk4MEI2NkVBREVGMjAzRjU1?revision=9",
"title":"ws onboard error.png","associationType":"BODY","width":636,"height":193,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTg5MTM2LTU5OTM4Nmk0NkU3RTkwOEUzNERCMTE4?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTg5MTM2LTU5OTM4Nmk0NkU3RTkwOEUzNERCMTE4?revision=9","title":"xdr connector.png","associationType":"BODY","width":624,"height":166,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTg5MTM2LTU5OTM5N2kwNTVFRTFGM0JDRjA1NDM5?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTg5MTM2LTU5OTM5N2kwNTVFRTFGM0JDRjA1NDM5?revision=9","title":"unlink alert.png","associationType":"BODY","width":479,"height":355,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTg5MTM2LTU5OTM5OWk5QzU1QjQ5Rjg3RkE1NDlB?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTg5MTM2LTU5OTM5OWk5QzU1QjQ5Rjg3RkE1NDlB?revision=9","title":"Automation 1.png","associationType":"BODY","width":462,"height":293,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTg5MTM2LTU5OTM3NWkyNzhEMjY0MEY4MjVGRjVC?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTg5MTM2LTU5OTM3NWkyNzhEMjY0MEY4MjVGRjVC?revision=9","title":"chi_nguyen26_4-1720707692050.png","associationType":"BODY","width":1939,"height":600,"altText":null},"BlogTopicMessage:message:4189136":{"__typename":"BlogTopicMessage","subject":"Unified Security Operations Platform - Technical 
FAQ!","conversation":{"__ref":"Conversation:conversation:4189136"},"id":"message:4189136","revisionNum":9,"uid":4189136,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSentinelBlog"},"author":{"__ref":"User:user:2553398"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" In this blog, we dive into some of the most common questions and share best practices to expedite resolution, bring more clarity, and save valuable troubleshooting time. ","introduction":"","metrics":{"__typename":"MessageMetrics","views":23818},"postTime":"2024-07-11T09:03:28.757-07:00","lastPublishTime":"2024-10-21T09:27:02.501-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Introduction \n   \n If you are a security practitioner who uses Microsoft Sentinel in your daily workflows, and you have tried or are evaluating the unified security operations platform for your SOC – this blog is for you. With Microsoft Sentinel now Generally Available in the Microsoft Defender portal, as part of our unified security operations platform, it’s a great time to try and get started with a streamlined experience for the two products. \n   \n In this blog, we dive into some of the most common questions and share best practices to expedite resolution, bring more clarity, and save valuable troubleshooting time. \n   \n First, a brief overview if you are new to the unified security operations platform. Our vision of the platform is a solution that makes your job as a security practitioner easier, keeping you and your organizations safer. It is a single pane of glass for all security operations – here you can seamlessly integrate SIEM, XDR, exposure management, and Copilot for Security. It’s your comprehensive hub for preventing, detecting, investigating, and responding to incidents across your digital estate—all from one centralized location. 
\n   \n Here are some of the most common questions and guidance when working with the unified platform. \n   \n Onboarding \n \n What role/permissions are required to connect a Microsoft Sentinel workspace to the unified platform? \n \n To connect or disconnect a Microsoft Sentinel workspace to the unified platform, you will need one of the following permissions and scopes: \n a. Owner rights for the Subscription AND Microsoft Sentinel Contributor rights for the Subscription or Resource Group or Log Analytics workspace. OR \n b. User Access Administrator for the Subscription AND Microsoft Sentinel Contributor for the Subscription or Resource Group or Log Analytics workspace. \n   \n 2. I see the following error message when trying to connect my Microsoft Sentinel workspace with the unified platform “couldn’t connect the workspace. Turn on the Defender XDR connector for incidents in Microsoft Sentinel first”. What to do? \n \n   \n   \n a. Microsoft Defender XDR (formerly named Microsoft 365 Defender) connector is one of the prerequisites for the onboarding, so if it hasn’t been configured, you will most likely see this message. The good thing is configuring the connector is a rather straightforward process. Follow these steps to configure the connector. \n   \n b. When configuring the connector, make sure to click on “Connect incidents & alerts” button. While Microsoft incident creation rules for the Microsoft Defender products will be turned off by default, if for some reason you don’t see them disabled, make sure to check this box “Turn off all Microsoft creation rules for these products. Recommended”. \n \n   \n \n What happens when I enable the Microsoft Defender XDR connector in Microsoft Sentinel? \n \n a. The Security incident creation rules are disabled by default. Incidents are created first in the unified portal, then synced back to Microsoft Sentinel. \n b. You may notice a delay of up to 5 minutes for incidents to show up in Microsoft Sentinel. 
We are working on reducing this latency. \n   \n 4. Why don’t I see all my Microsoft Sentinel workspaces in the unified portal? \n You can only see Microsoft Sentinel workspaces that you have permission to onboard. Refer to question 1 for the specific permissions. \n   \n Alerts, Incidents, and Correlation \n 1. I noticed Microsoft Defender XDR incidents are delayed in Microsoft Sentinel. What is the expected delay for incidents to show up in Microsoft Sentinel? \n It may take up to 5 minutes for Microsoft Defender incidents to show in Microsoft Sentinel. We are working on reducing this latency. Stay tuned through our customer connection program for the latest updates. \n   \n 2. Does that delay in incidents also delay Automatic Attack Disruption? \n No, it will not. The delay for incidents is from Microsoft Defender to Microsoft Sentinel. Attack Disruption occurs within the unified platform.   \n   \n 3. Could playbook triggering in Microsoft Sentinel also be delayed by up to 5 minutes? \n Yes. Currently this delay affects both scenarios for playbooks - whether a playbook is automatically invoked from an automation rule or manually invoked. As mentioned, we are working on reducing the latency. \n   \n 4. I am seeing duplication of incidents and alerts in Microsoft Sentinel and Microsoft Defender XDR. How to avoid this? \n The duplication is likely due to the misconfiguration of the Microsoft Defender XDR connector. Please check the Microsoft Defender XDR connector configuration first to make sure the Microsoft incident creation rules are turned off for the Microsoft Defender products. \n   \n 5. Which incident properties are synced bi-directionally? \n Incident status, tags, resolution, closing reasons, and closing comments are bi-directionally synced. \n   \n 6. Microsoft Defender has 14 Incident Classifications; Microsoft Sentinel has 5.  How are they mapped? \n We are working on aligning the classifications. 
Stay tuned through our customer connection program for the latest updates. \n   \n \n Why and when does the incident auto-merging happen? \n \n a. Microsoft Defender XDR’s correlation activities don’t stop when incidents are created. Microsoft Defender XDR continues to detect commonalities and relationships between incidents, and between alerts across incidents. When two or more incidents are determined to be sufficiently alike, Microsoft Defender XDR merges the incidents into a single incident. \n b. The correlation engine merges the incident when common elements are detected, like: \n - Entities – like users, devices, mailboxes, and others \n - Artifacts – like files, processes, email senders, and others \n - Time frames \n - Sequence of events: For example, a malicious email click event that follows closely on a phishing email detection \n c. Refer to the documentation for more details on incident merging and correlation. \n   \n \n How does incident and alert correlation work in the unified platform? \n \n a. When the alert is sufficiently unique across all alert sources within a particular time frame, Microsoft Defender XDR creates a new incident and adds the alert to it. \n b. When the alert is sufficiently related to other alerts from the same source or across sources within a particular time frame, Microsoft Defender XDR adds the alert to an existing incident. \n   \n 9. What happens when incidents are merged? \n - Alerts contained in the abandoned incident are moved to the consolidated incident \n - Entities (assets etc.) follow the alerts they’re linked to \n - Tags are aggregated into the consolidated incident \n - Analytics rules recorded as involved in the creation of the abandoned incident are added to the rules recorded in the consolidated incident \n - Currently, comments and activity log entries in the abandoned incident are not moved to the consolidated incident and remain in the abandoned incident. \n   \n 10. 
When is incident correlation not happening? \n - One of the incidents has the status of \"Closed\". Incidents that are resolved will not be reopened. \n - The two incidents eligible for merging are assigned to two different people. \n - Merging the two incidents would raise the number of entities in the merged incident above the maximum allowed. \n - The two incidents contain devices in different device groups as defined by the organization. \n (Note: this condition is not in effect by default; it must be enabled.) \n   \n \n When should I unlink an alert? \n \n When you decide that the alert does not belong to the correlated incident, link the alert to another incident or create a new one. This will also help improve the correlation engine (in case of unexpected correlations). \n \n   \n Analytics/Custom Detections \n \n Does custom detection support entity mappings like in Analytics rules in Microsoft Sentinel? \n \n Currently no, but we are adding the features of analytic rules from Microsoft Sentinel such as more flexible entity mappings. Stay tuned through our customer connection program for the latest updates. \n   \n \n Does the unified platform support Fusion rules? \n \n The Fusion analytics rule, which creates incidents based on alert correlations made by the Fusion correlation engine, is disabled when you onboard Microsoft Sentinel to the unified security operations platform. \n The unified security operations platform uses Microsoft Defender XDR's incident-creation and correlation functionalities to replace those of the Fusion engine. \n   \n \n How can I create detection rules across Microsoft Sentinel and Defender XDR data? \n \n a. You can now create Custom Detection rules across the two datasets without having to ingest Microsoft Defender data into Sentinel, unless you need longer data retention. Advanced hunting in Microsoft Defender - Microsoft Defender XDR | Microsoft Learn. \n b. 
If your Defender XDR data is ingested into Microsoft Sentinel, you have the option to choose between Create custom detection and Create analytics rule. \n   \n Automation and Playbooks \n \n Will Automation rules work as normal? \n \n Automation rules will continue to work in the unified experience. However, there are some differences in the way automation functions work in the new experience. Please refer to the documentation for more information on the differences and changes. \n   \n \n What are some best practices for using automation rules in the unified platform? \n \n a. Use the condition “Analytic rule name” instead of the incident title or use the condition on a Tag. \n \n   \n b. In both the Azure portal and the unified security operations platform, for automation rule condition, use Alert product names instead of Incident provider. The reason is that in Sentinel standalone experience, all incidents have Microsoft XDR as the incident provider (the value in the providerName field). \n   \n \n   \n \n Will we be able to run a playbook as part of the actions of a custom detection rule? \n \n Yes, incidents created by custom detection rules are part of the Microsoft Defender XDR incidents which is supported by the “When incident is created” trigger in Automation. Please take note of some of the best practices documented when configuring the trigger condition. \n   \n APIs \n \n Can I still use the Microsoft Sentinel REST APIs with the unified platform? \n \n You can use most of the existing Microsoft Sentinel REST APIs; however, you should use the Microsoft Graph REST API queries for alerts and incidents \n List alerts_v2 - Microsoft Graph v1.0 | Microsoft Learn \n List incidents - Microsoft Graph v1.0 | Microsoft Learn \n   \n   \n Advanced hunting \n \n How do I bookmark a query in Advanced Hunting? \n \n There will be a new capability which is similar to bookmarks coming soon in the unified experience. 
Stay tuned through our customer connection program for the latest updates. \n   \n \n Can we query ADX data (with KQL adx() function) in Advanced Hunting? \n \n You can run a query that correlates Microsoft Sentinel data with ADX data using adx() in Advanced Hunting. Please note that the query of adx() needs to be correlated with tables from Microsoft Sentinel. This is in parity with what customers could run in Microsoft Sentinel today. \n   \n Data Retention \n \n Do I need to do anything additional with Retention in either Microsoft Sentinel or Microsoft Defender? \n \n The existing Sentinel data retention configurations remain unchanged. \n   \n \n Do I still need to ingest my Microsoft Defender XDR tables into Microsoft Sentinel? \n \n With the unified experience, you can query and correlate your Defender XDR logs with third-party logs from Microsoft Sentinel without ingesting the Microsoft Defender XDR logs into Microsoft Sentinel. Additionally, the same query of Microsoft Defender XDR and Microsoft Sentinel tables can be used in Microsoft Defender’s custom detection. Therefore, the primary reason for ingesting Microsoft Defender XDR data into Sentinel would be for data retention needs beyond 30 days. \n   \n \n  Would there be any changes in the Microsoft Sentinel E5 benefit? \n \n There is no change in the existing Microsoft Sentinel E5 benefit. \n   \n \n Are there any changes in the default retention? \n \n No change in the default retention in the unified SOC platform. You will still be getting the 30 days of default retention for XDR data and 90 days for Microsoft Sentinel data at no additional retention cost. \n   \n Role Based Access Control (RBAC) \n \n What happens if the analyst has RBAC in place which filters Microsoft Defender XDR alerts, but has read access to the Microsoft Sentinel workspace? Will they see all the alerts, or the Microsoft Defender ones they have access to and all the Microsoft Sentinel ones? 
Or will they see all alerts regardless of the source? \n \n Since we unify two RBAC models: Azure/Sentinel RBAC and Defender RBAC, we apply a consolidated RBAC view to the unified portal incident queue, filtering out the service source(s) that the analyst is not allowed to see. \n However, if the analyst has Sentinel reader permissions, they still can access the SecurityIncident and SecurityAlert tables directly through Advanced Hunting or in Sentinel’s log search which contains the data that is filtered out in the unified portal. \n   \n For example, let's say a user has RBAC configured to view everything except for MDC alerts. The user won't be able to see the MDC alerts/incidents in the unified portal. Also, if there is a multi-stage incident involving Sentinel, MDE, MDI and MDC alerts, the user can still see the incidents but not the individual MDC alerts that got correlated. However, take note that the user will be able to see the MDC alerts in Microsoft Sentinel portal since the user has read access to the workspace. In other words, the filter on the unified incident queue limits what is displayed in that view; access to the underlying workspace data is still determined by the analyst's workspace permissions, so review those if the data itself must be restricted. \n   \n Copilot for Security in embedded experience \n 1. Do I need to purchase Microsoft Defender for Threat Intelligence (MDTI) license if I want to use the Copilot for Security embedded experience? \n No, if you have a Copilot for Security license, that should automatically include MDTI license. \n 2. Do I need another license for Copilot for Security? \n Yes, Copilot for Security is sold separately from SIEM and XDR. Find out more here Microsoft Copilot for Security - Pricing | Microsoft Azure. \n   \n Threat Intelligence \n \n With the unification, how should we be handling threat intel? Before we'd ingest it via the Security API for Microsoft Sentinel and Microsoft Defender, and then Microsoft Sentinel branched off into its own ingestion API. Are these being consolidated? (E.g. If you ingest threat intel into Microsoft Sentinel, can Microsoft Defender use it?) 
\n \n The Threat Intelligence experience remains the same and separated in the unified experience. However, we are considering making the experience more seamless. Stay tuned through our customer connection program for the latest updates. \n   \n UEBA \n \n Are there plans to consolidate UEBA components with unified platform? \n \n Entity pages for devices, users, IP addresses, and Azure resources in the Microsoft Defender portal display information from Microsoft Sentinel and Microsoft Defender data sources. These entity pages give you an expanded context for your investigations of incidents and alerts in the Defender portal. \n   \n Additional Resources \n \n Onboard Microsoft Sentinel to Microsoft Defender XDR \n Alerts, incidents, and correlation in Microsoft Defender XDR \n Advanced Hunting in Microsoft Defender XDR \n Automation in the unified security operation platform \n The unified security operations platform GA announcement \n Non-technical FAQ for Unified SOC platform  \n \n   \n Many thanks to my colleagues for reviewing and contributing to this article Tiander Turpijn \n AlexKlaus GBushey JeremyTan Sreedhar Ande  \n   \n   \n   \n   \n   \n   \n   \n   
","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"16147","kudosSumWeight":7,"repliesCount":5,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTg5MTM2LTU5OTM4NGk4MEI2NkVBREVGMjAzRjU1?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTg5MTM2LTU5OTM4Nmk0NkU3RTkwOEUzNERCMTE4?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTg5MTM2LTU5OTM5N2kwNTVFRTFGM0JDRjA1NDM5?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTg5MTM2LTU5OTM5OWk5QzU1QjQ5Rjg3RkE1NDlB?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTg5MTM2LTU5OTM3NWkyNzhEMjY0MEY4MjVGRjVC?revision=9\"}"}}],"totalCount":5,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4211883":{"__typename":"Conversation","id":"conversatio
n:4211883","topic":{"__typename":"BlogTopicMessage","uid":4211883},"lastPostingActivityTime":"2025-03-27T02:33:46.193-07:00","solved":false},"User:user:1424765":{"__typename":"User","uid":1424765,"login":"VipulDabhi","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/m_assets/avatars/default/avatar-12.svg?time=0"},"id":"user:1424765"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEyNGkyMEIyRjdENkQ3Q0EyRkNB?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEyNGkyMEIyRjdENkQ3Q0EyRkNB?revision=3","title":"VipulDabhi_32-1722963294269.png","associationType":"BODY","width":691,"height":482,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA4N2k5MTE0MDM2QzZFQTVFOEZE?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA4N2k5MTE0MDM2QzZFQTVFOEZE?revision=3","title":"VipulDabhi_1-1722962095403.png","associationType":"BODY","width":991,"height":284,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA4OGk3NEMzQTA4ODEzRTBDQ0Mw?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA4OGk3NEMzQTA4ODEzRTBDQ0Mw?revision=3","title":"VipulDabhi_2-1722962095405.png","associationType":"BODY","width":881,"height":583,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA4OWk1ODVCOTM2MERGNkMxQjZE?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA4OWk1ODVCOTM2MERGNkMxQjZE?revision=3","title
":"VipulDabhi_3-1722962095407.png","associationType":"BODY","width":222,"height":422,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5MWkwOEJENUE1QUFDMERDNkFF?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5MWkwOEJENUE1QUFDMERDNkFF?revision=3","title":"VipulDabhi_4-1722962095413.png","associationType":"BODY","width":1240,"height":867,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5MGk4RUVGRTE0RjM1RDgwNDA1?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5MGk4RUVGRTE0RjM1RDgwNDA1?revision=3","title":"VipulDabhi_5-1722962095414.png","associationType":"BODY","width":508,"height":381,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5Mmk1MTI3QUNBMDJBOEVGNTY3?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5Mmk1MTI3QUNBMDJBOEVGNTY3?revision=3","title":"VipulDabhi_6-1722962095415.png","associationType":"BODY","width":230,"height":77,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5NGlDNTI1QzQ1MEZFQTVDRUYx?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5NGlDNTI1QzQ1MEZFQTVDRUYx?revision=3","title":"VipulDabhi_7-1722962095417.png","associationType":"BODY","width":591,"height":448,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwMGk2NTM5NzA4QTg1NEZCQUMz?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNz
EwMGk2NTM5NzA4QTg1NEZCQUMz?revision=3","title":"VipulDabhi_12-1722962095424.png","associationType":"BODY","width":1269,"height":577,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5N2k2RUI4ODkwMzk3QTMyNUM2?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5N2k2RUI4ODkwMzk3QTMyNUM2?revision=3","title":"VipulDabhi_10-1722962095420.png","associationType":"BODY","width":594,"height":412,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5NWkzRDlFOTUzM0RENUI1NDE0?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5NWkzRDlFOTUzM0RENUI1NDE0?revision=3","title":"VipulDabhi_9-1722962095419.png","associationType":"BODY","width":451,"height":212,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5OWk0RDk5MzA5RTE5QkI5QjY5?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5OWk0RDk5MzA5RTE5QkI5QjY5?revision=3","title":"VipulDabhi_13-1722962095426.png","associationType":"BODY","width":1049,"height":325,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5NmkwQTQ5RjczMDgyRDlCODEx?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5NmkwQTQ5RjczMDgyRDlCODEx?revision=3","title":"VipulDabhi_11-1722962095421.png","associationType":"BODY","width":485,"height":157,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5OGkxMUQ5Rjk0NjI3M0YyMjk0?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.micr
osoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5OGkxMUQ5Rjk0NjI3M0YyMjk0?revision=3","title":"VipulDabhi_14-1722962095427.png","associationType":"BODY","width":604,"height":300,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwMmk2OTU3NzEzNzc5QUM5NkJD?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwMmk2OTU3NzEzNzc5QUM5NkJD?revision=3","title":"VipulDabhi_15-1722962095428.png","associationType":"BODY","width":496,"height":228,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwM2lFM0QzOEMxNzEwRDM2RTVE?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwM2lFM0QzOEMxNzEwRDM2RTVE?revision=3","title":"VipulDabhi_16-1722962095432.png","associationType":"BODY","width":1045,"height":425,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwNGk5OTI4ODg0NjU0RkZDMDdG?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwNGk5OTI4ODg0NjU0RkZDMDdG?revision=3","title":"VipulDabhi_18-1722962095435.png","associationType":"BODY","width":883,"height":511,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwNmlERDE3ODg5ODVGNTFBODY0?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwNmlERDE3ODg5ODVGNTFBODY0?revision=3","title":"VipulDabhi_19-1722962095438.png","associationType":"BODY","width":1079,"height":507,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwNWk3MUEwMkRFN0NBOTRDMTY1?revision=3\"}":{"__typename"
:"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwNWk3MUEwMkRFN0NBOTRDMTY1?revision=3","title":"VipulDabhi_20-1722962095439.png","associationType":"BODY","width":314,"height":549,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwOWk3MzY3QzM2MUQ0ODI4REM1?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwOWk3MzY3QzM2MUQ0ODI4REM1?revision=3","title":"VipulDabhi_21-1722962095443.png","associationType":"BODY","width":1037,"height":689,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwN2k1OTU4MTgxNURERjNDMkNB?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwN2k1OTU4MTgxNURERjNDMkNB?revision=3","title":"VipulDabhi_22-1722962095444.png","associationType":"BODY","width":353,"height":326,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwOGlDQUMwQTJDQzQxRUNCQjNB?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwOGlDQUMwQTJDQzQxRUNCQjNB?revision=3","title":"VipulDabhi_23-1722962095446.png","associationType":"BODY","width":536,"height":392,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzExMGk4NzZFQzI5NUE4ODM0QUFD?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzExMGk4NzZFQzI5NUE4ODM0QUFD?revision=3","title":"VipulDabhi_24-1722962095447.png","associationType":"BODY","width":547,"height":308,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzExMW
kzQ0I5RDlGQTZFQzc4Rjg4?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzExMWkzQ0I5RDlGQTZFQzc4Rjg4?revision=3","title":"VipulDabhi_25-1722962095449.png","associationType":"BODY","width":255,"height":532,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzExMmlFOUY2QzlENzk5NDM3RjI3?revision=3\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzExMmlFOUY2QzlENzk5NDM3RjI3?revision=3","title":"VipulDabhi_26-1722962095453.png","associationType":"BODY","width":918,"height":414,"altText":null},"BlogTopicMessage:message:4211883":{"__typename":"BlogTopicMessage","subject":"Microsoft Sentinel & Cyberint Threat Intel Integration Guide","conversation":{"__ref":"Conversation:conversation:4211883"},"id":"message:4211883","revisionNum":3,"uid":4211883,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSentinelBlog"},"author":{"__ref":"User:user:1424765"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" Explore this comprehensive guide, \"Microsoft Sentinel & Cyberint Threat Intel Integration Guide,\" to learn how to integrate Cyberint's advanced threat intelligence with Microsoft Sentinel. This detailed resource will walk you through the integration process, enabling you to leverage enriched threat data for improved detection and response. Elevate your security posture and ensure robust protection against emerging threats. Read the guide to streamline your threat management and enhance your security capabilities. 
","introduction":"","metrics":{"__typename":"MessageMetrics","views":9366},"postTime":"2024-08-07T05:50:11.463-07:00","lastPublishTime":"2024-08-07T05:50:11.463-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Microsoft Sentinel & Cyberint IOC Module Integration Guide \n In today’s cybersecurity landscape, threat intelligence plays a critical role in identifying and mitigating potential threats. Microsoft Sentinel, a powerful cloud-native SIEM (Security Information and Event Management) solution, provides robust capabilities for security monitoring and incident response. Integrating Microsoft Sentinel with Cyberint (Cyberint - Threat Intelligence & Digital Risk Protection) module enhances its ability to detect and respond to emerging threats using threat intelligence feeds. \n   \n This guide outlines the steps to integrate Cyberint’s module with Microsoft Sentinel, enabling you to leverage enriched threat intelligence data for more effective security operations. \n PREREQUISITES 1. Ensure you have an active Azure account with sufficient permissions to create resources \n 2. Active Cyberint account. (To get the API Token &  URL)  \n This blog will guide you through the steps for integrating with Cyberint TI feeds and how to troubleshoot various issues that may arise during integration.  Here is a brief summary of the steps needed \n \n Log in to your Azure account. \n Create a new Logic App \n Ensure that Managed Identity for the Logic app is enabled. \n Switch to Code view and paste in the JSON code \n Use JSON Lint to verify and validate the JSON format. \n Save the Logic App code. \n Add a Switch-Case to handle HTTP action redirect status code 307. \n Add steps for delay action to handle the Status code 429. \n Configure the Logic App to execute daily. \n Add Retry Policy if Status code 429 persists. 
\n Grant Microsoft Sentinel Contributor Role to Logic App at the Resource Group Level. \n \n Create a Blank logic app 1. Sign In to Azure Portal \n \n Go to: Azure Portal \n Log in with your Azure credentials. \n \n 2. Create a new Logic App \n \n Navigate to: All services > Logic Apps \n Click: + Add or + Create \n Configure Basics:\n \n Subscription: Select your Azure subscription. \n Resource Group: Choose or create a new one. \n Logic App Name: Enter a unique name. \n Region: Choose your preferred region. \n Select Type: Choose Logic App (Consumption) for pay-as-you-go pricing. \n \n \n \n Click: Review + Create, then Create. \n   \n 3. Ensure that the Logic app's Managed Identity is enabled \n Under the \"Settings\" section in the navigation bar, select \"Identity\" \n \n   \n Switch the \"Status\" slider to \"On\" and confirm that you wish to perform this action. \n \n   \n You will add the role assignment for this identity later in the blog post. \n \n   \n 4. Switch to Code View to paste in JSON code \n After activating the managed identity, proceed to the Code view within the Logic app. \n   \n \n Under the \"Development Tools\" section in the navigation bar, select \"Logic app code view\" \n \n \n   \n Insert the following code, making sure to substitute the elements marked in yellow (the placeholders in angle brackets) with the relevant information specific to your environment. \n   \n The information you will need to gather is: \n \n Microsoft Sentinel Subscription ID \n Microsoft Sentinel Resource Group Name \n Microsoft Sentinel Deployment Region \n Microsoft Sentinel Workspace ID \n Cyberint API Token \n Cyberint Environment URL \n \n   \n   \n **Utilize the following code provided by CYBERINT to implement the foundational logic structure. Substitute the sections highlighted in Red with the appropriate values. The template places the Cyberint API token directly in the HTTP action's inputs, where anyone who can read the Logic App definition or its run history can see it; consider supplying the token from a secure parameter or Azure Key Vault and turning on secure inputs for the HTTP action. 
----------------------------------------------------------------------------------------------------------- ----------------------------------------------------------------------------------------------------------- \n { \n     \"definition\": { \n         \"$schema\": \"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#\", \n         \"actions\": { \n             \"Compose\": { \n                 \"inputs\": \"@split(variables('input'), '\\n')\", \n                 \"runAfter\": { \n                     \"Initialize_variable\": [ \n                         \"Succeeded\" \n                     ] \n                 }, \n                 \"type\": \"Compose\" \n             }, \n             \"Filter_array\": { \n                 \"inputs\": { \n                     \"from\": \"@outputs('Compose')\", \n                     \"where\": \"@not(equals(item(), ''))\" \n                 }, \n                 \"runAfter\": { \n                     \"Compose\": [ \n                         \"Succeeded\" \n                     ] \n                 }, \n                 \"type\": \"Query\" \n             }, \n             \"Follow_redirect_http\": { \n                 \"inputs\": { \n                     \"method\": \"GET\", \n                     \"uri\": \"@{outputs('HTTP')['headers']['location']}\" \n                 }, \n                 \"runAfter\": { \n                     \"HTTP\": [ \n                         \"Failed\" \n                     ] \n                 }, \n                 \"type\": \"Http\" \n             }, \n             \"For_each\": { \n                 \"actions\": { \n                     \"Parse_JSON_2\": { \n                         \"inputs\": { \n                             \"content\": \"@items('For_each')\", \n                             \"schema\": { \n                                 \"properties\": { \n                                     \"confidence\": { \n                           
              \"type\": \"integer\" \n                                     }, \n                                     \"description\": { \n                                         \"type\": \"string\" \n                                     }, \n                                     \"detected_activity\": { \n                                         \"type\": \"string\" \n                                     }, \n                                     \"ioc_type\": { \n                                         \"type\": \"string\" \n                                     }, \n                                     \"ioc_value\": { \n                                         \"type\": \"string\" \n                                     }, \n                                     \"observation_date\": { \n                                         \"type\": \"string\" \n                                     }, \n                                     \"severity_score\": { \n                                         \"type\": \"integer\" \n                                     } \n                                 }, \n                                 \"type\": \"object\" \n                             } \n                         }, \n                         \"runAfter\": {}, \n                         \"type\": \"ParseJson\" \n                     }, \n                     \"Threat_Intelligence_-_Upload_Indicators_of_Compromise_(V2)_(Preview)\": { \n                         \"inputs\": { \n                             \"body\": { \n                                 \"indicators\": [ \n                                     { \n                                         \"confidence\": \"@{body('Parse_JSON_2')?['confidence']}\", \n                                         \"created\": \"@{utcNow()}\", \n                                         \"description\": \"@{body('Parse_JSON_2')?['description']}\", \n                                         \"external_references\": [], \n                  
                       \"granular_markings\": [], \n                                         \"id\": \"indicator--@{guid()}\", \n                                         \"indicator_types\": [ \n                                             \"@{body('Parse_JSON_2')?['detected_activity']}\" \n                                         ], \n                                         \"kill_chain_phases\": [ \n                                             { \n                                                 \"kill_chain_name\": \"mandiant-attack-lifecycle-model\", \n                                                 \"phase_name\": \"establish-foothold\" \n                                             } \n                                         ], \n                                         \"labels\": [ \n                                             \"cyberint\" \n                                         ], \n                                         \"lang\": \"\", \n                                         \"modified\": \"@{utcNow()}\", \n                                         \"name\": \"@{body('Parse_JSON_2')?['ioc_value']}\", \n                                         \"object_marking_refs\": [], \n                                         \"pattern\": \"[ipv4-addr:value = '@{body('Parse_JSON_2')?['ioc_value']}']\", \n                                         \"pattern_type\": \"ipv4-addr\", \n                                         \"spec_version\": \"2.1\", \n                                         \"type\": \"indicator\", \n                                         \"valid_from\": \"@{body('Parse_JSON_2')?['observation_date']}\" \n                                     } \n                                 ], \n                                 \"sourcesystem\": \"Cyberint\" \n                             }, \n                             \"host\": { \n                                 \"connection\": { \n                                     \"name\": 
\"@parameters('$connections')['azuresentinel']['connectionId']\" \n                                 } \n                             }, \n                             \"method\": \"post\", \n                             \"path\": \"/V2/ThreatIntelligence/@{encodeURIComponent('<Microsoft Sentinel workspaceid>')}/UploadIndicators/\" \n                         }, \n                         \"runAfter\": { \n                             \"Parse_JSON_2\": [ \n                                 \"Succeeded\" \n                             ] \n                         }, \n                         \"type\": \"ApiConnection\" \n                     } \n                 }, \n                 \"foreach\": \"@body('Filter_array')\", \n                 \"runAfter\": { \n                     \"Filter_array\": [ \n                         \"Succeeded\" \n                     ] \n                 }, \n                 \"type\": \"Foreach\" \n             }, \n             \"HTTP\": { \n                 \"inputs\": { \n                     \"cookie\": \"access_token=<cyberint api token>\", \n                     \"method\": \"GET\", \n                     \"queries\": { \n                         \"date\": \"@{formatDateTime(utcNow(), 'yyyy-MM-dd')}\", \n                         \"detected_activity\": \"cnc_server\", \n                         \"ioc_type\": \"ipv4\" \n                     }, \n                     \"uri\": \"https://<cyberint environment url>/ioc/api/v1/feed/daily\" \n                 }, \n                 \"runAfter\": {}, \n                 \"type\": \"Http\" \n             }, \n             \"Initialize_variable\": { \n                 \"inputs\": { \n                     \"variables\": [ \n                         { \n                             \"name\": \"input\", \n                             \"type\": \"string\", \n                             \"value\": \"@{body('Follow_redirect_http')}\" \n                         } \n                     ] \n            
     }, \n                 \"runAfter\": { \n                     \"Follow_redirect_http\": [ \n                         \"Succeeded\" \n                     ] \n                 }, \n                 \"type\": \"InitializeVariable\" \n             } \n         }, \n         \"contentVersion\": \"1.0.0.0\", \n         \"outputs\": {}, \n         \"parameters\": { \n             \"$connections\": { \n                 \"defaultValue\": {}, \n                 \"type\": \"Object\" \n             } \n         }, \n         \"triggers\": { \n             \"Recurrence\": { \n                 \"evaluatedRecurrence\": { \n                     \"frequency\": \"Week\", \n                     \"interval\": 1 \n                 }, \n                 \"recurrence\": { \n                     \"frequency\": \"Week\", \n                     \"interval\": 1 \n                 }, \n                 \"type\": \"Recurrence\" \n             } \n         } \n     }, \n     \"parameters\": { \n         \"$connections\": { \n             \"value\": { \n                 \"azuresentinel\": { \n                     \"connectionId\": \"/subscriptions/<azure subscriptionid>/resourceGroups/<Sentinel Resource Group Name>/providers/Microsoft.Web/connections/azuresentinel\", \n                     \"connectionName\": \"azuresentinel\", \n                     \"id\": \"/subscriptions/<azure subscriptionid>/providers/Microsoft.Web/locations/<deployment Region>/managedApis/azuresentinel\" \n                 } \n             } \n         } \n     } \n } \n   \n ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- \n   \n 5. Utilize Json Lint Validator \n Since you have modified the JSON code, it makes sense to double check it.   
In a new tab or window in your browser, go to JSON Online Validator and Formatter - JSON Lint, paste in your modified code, and then click on the green \"Validate JSON\" button. The modified code now contains your Cyberint API token and Azure subscription details, so replace the token with a placeholder before pasting it into an online validator, or validate the file locally instead (for example with jq or python -m json.tool).  \n Fix any errors that may show up and repeat the process until the JSON passes.   If you made any changes, copy the modified code back into the Logic App. \n \n   \n 6. Save the Logic App code \n In the Logic App code view page, click on the \"Save\" button.  The Azure portal notifications bell will show that this activity is running.  You can click on that to see if any errors have occurred. \n   \n   \n 7. Implement the Switch Case Action  \n An additional Switch-Case action (to handle the HTTP action redirect) must be added once the above code is deployed. Follow the instructions below to update the logic app \n   \n \n In the \"Development Tools\" in the navigation menu, select \"Logic App designer\" to switch back to the graphical view.  Note: You can also get to this view by clicking on the \"Edit\" button in the \"Overview\" page. The Switch action is to be added after the HTTP action: \n \n \n   \n Use the following steps to add the needed actions \n \n  Use Add an action: \n \n \n   \n 2. Search for the \"Switch\" action and select it: \n \n   \n Add Status Code value to be fetched from previous HTTP step as: \n \n   \n Make sure your Switch action has the \"Run After\" options ‘Has Failed’ & ‘Is Successful’ checked under the \"Settings\" tab \n \n   \n 3. 
Click on Add Case button: \n \n   \n Add an exact status code (307) value to Case2 as shown below: \n \n Add new HTTP Action in the case: \n \n   \n Search for the \"HTTP\" action and select it \n \n   \n   \n We need to fetch the redirect location returned by the previous step into this HTTP2 action by using the following string ‘@{outputs('HTTP')['headers']['location']}’, and make sure the action uses the GET method: \n \n   \n Open Http 2 and add string ‘@{outputs('HTTP')['headers']['location']}’: \n \n   \n   \n 8. Add Additional Delay action  \n   \n There may be a case where the Logic App receives a status code of 429.  To resolve that, add a Delay action after the Parse JSON 2 action, inside the For each loop \n   \n \n Click the Add Action button that is directly under the \"Parse JSON 2\" action. \n Search for \"Delay\" and select it \n Set its \"Count\" to 5 and change the \"Unit\" to \"Second\" \n \n \n More information on the status code 429 can be found at the Official Microsoft Reference links: 1.Microsoft Sentinel - Connectors | Microsoft Learn 2.https://learn.microsoft.com/en-us/azure/logic-apps/handle-throttling-problems-429-errors?tabs=consumption \n   \n 9. Adjust the recurrence of the Logic App \n   \n This Logic App should run daily because Cyberint produces threat intelligence feeds every day; this is a recommended practice compared to the default weekly schedule. Optionally, a specific time of day can be selected for the Logic App to execute. \n \n Select the \"Recurrence\" trigger at the beginning of the Logic App \n Change the \"Interval\" to \"1\" and the \"Frequency\" to \"Day\" \n If you wish to have this Logic app run at a specific time, use the \"At These Hours\" and \"At These Minutes\" fields to specify when you want the Logic App to run as shown in the image below \n \n \n   \n 10. 
Adding Retry Policy if Status code 429 persists: \n If the Logic app still fails due to 429 as depicted below, we will add a retry policy \n Follow the steps to add a retry policy: 1. Navigate to Logic app Designer. 2. Get to the Threat Intelligence Upload indicator of Compromise Step in Logic app. 3. Check Settings tab as depicted: \n \n   \n \n Under Networking select the Retry Policy and select Fixed Interval \n \n \n   \n \n Provide the count and Interval as required (the logic app currently uses a count of 4 and an interval of 20 seconds) \n   \n \n \n   \n 11. Grant Microsoft Sentinel Contributor Role to Logic App at the Resource Group Level \n To resolve the Unauthorized issue at the last step for Logic app, the Logic App's managed identity will need Microsoft Sentinel contributor rights. The assignment is inherited by every resource in that resource group, so keep unrelated resources out of it where possible.   Use the following steps to grant this right: \n \n   \n   \n \n Log in to the Azure portal (portal.azure.com) \n Go to the Microsoft Sentinel's Resource Group. \n Navigate to \"Access Control (IAM)\" \n   \n \n \n 4. Click on the \"Add\" button and select \"Add role assignment\" \n 5. Select \"Microsoft Sentinel Contributor\" role and then click the \"Next\" button at the bottom of the screen \n \n 6. Select the \"Managed Identity\" radio button \n 7. Click \"Select members\" \n 8. Select the correct Subscription \n 9. In the \"Managed Identity\" drop down, select \"Logic app\"  \n 10. Find the name of the Logic App and select it. \n 11. Click the \"Select\" button at the bottom of the page. \n 12. Click the \"Review and assign\" button at the bottom of the page to assign the permission \n   \n The Logic App is now ready to be run daily to ingest the Cyberint Threat Intelligence data. \n To verify that the data is being ingested, you can use the KQL below to validate. 
\n   ThreatIntelligenceIndicator | where SourceSystem contains \"Cyberint\" \n \n   \n   ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"40731","kudosSumWeight":1,"repliesCount":1,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEyNGkyMEIyRjdENkQ3Q0EyRkNB?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA4N2k5MTE0MDM2QzZFQTVFOEZE?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA4OGk3NEMzQTA4ODEzRTBDQ0Mw?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA4OWk1ODVCOTM2MERGNkMxQjZE?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5MWkwOEJENUE1QUFDMERDNkFF?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDY","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5MGk4RUVGRTE0RjM1RDgwNDA1?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDc","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5Mmk1MTI3QUN
BMDJBOEVGNTY3?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDg","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5NGlDNTI1QzQ1MEZFQTVDRUYx?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDk","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwMGk2NTM5NzA4QTg1NEZCQUMz?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEw","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5N2k2RUI4ODkwMzk3QTMyNUM2?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEx","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5NWkzRDlFOTUzM0RENUI1NDE0?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEy","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5OWk0RDk5MzA5RTE5QkI5QjY5?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEz","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5NmkwQTQ5RjczMDgyRDlCODEx?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE0","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzA5OGkxMUQ5Rjk0NjI3M0YyMjk0?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE1","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwMmk2OTU3NzEzNzc5QUM5NkJD?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor
":"MjUuM3wyLjF8b3wyNXxfTlZffDE2","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwM2lFM0QzOEMxNzEwRDM2RTVE?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE3","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwNGk5OTI4ODg0NjU0RkZDMDdG?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE4","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwNmlERDE3ODg5ODVGNTFBODY0?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE5","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwNWk3MUEwMkRFN0NBOTRDMTY1?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDIw","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwOWk3MzY3QzM2MUQ0ODI4REM1?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDIx","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwN2k1OTU4MTgxNURERjNDMkNB?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDIy","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzEwOGlDQUMwQTJDQzQxRUNCQjNB?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDIz","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzExMGk4NzZFQzI5NUE4ODM0QUFD?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDI0","node":{"__ref":"AssociatedImage:{\"url
\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzExMWkzQ0I5RDlGQTZFQzc4Rjg4?revision=3\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDI1","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MjExODgzLTYwNzExMmlFOUY2QzlENzk5NDM3RjI3?revision=3\"}"}}],"totalCount":30,"pageInfo":{"__typename":"PageInfo","hasNextPage":true,"endCursor":"MjUuM3wyLjF8b3wyNXxfTlZffDI1","hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4179790":{"__typename":"Conversation","id":"conversation:4179790","topic":{"__typename":"BlogTopicMessage","uid":4179790},"lastPostingActivityTime":"2024-11-18T21:22:10.816-08:00","solved":false},"User:user:1075439":{"__typename":"User","uid":1075439,"login":"mahmoudmsft","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/m_assets/avatars/default/avatar-3.svg?time=0"},"id":"user:1075439"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI3NGlERjZBRjM4OTZENDJBQTg1?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI3NGlERjZBRjM4OTZENDJBQTg1?revision=12","title":"mahmoudmsft_0-1719823727244.png","associationType":"BODY","width":1252,"height":511,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI3NmkxMDFBODc3NEM0NEJFRDc5?revision=12\"}":{"__typename":"AssociatedImage","url":"https
://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI3NmkxMDFBODc3NEM0NEJFRDc5?revision=12","title":"mahmoudmsft_0-1719823920070.png","associationType":"BODY","width":1161,"height":751,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI3OGlBRUQ1OEE4M0M4OUE5RjE3?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI3OGlBRUQ1OEE4M0M4OUE5RjE3?revision=12","title":"mahmoudmsft_1-1719824058751.png","associationType":"BODY","width":952,"height":536,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI3OWlGODY1RjFCQ0M0NTE4OUUz?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI3OWlGODY1RjFCQ0M0NTE4OUUz?revision=12","title":"mahmoudmsft_0-1719824115889.png","associationType":"BODY","width":916,"height":761,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4MGkxNTc5RUFENzlDOEMxN0RG?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4MGkxNTc5RUFENzlDOEMxN0RG?revision=12","title":"mahmoudmsft_1-1719824143474.png","associationType":"BODY","width":828,"height":802,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4MWlEOTgzMzU5MURCN0FDQUI3?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4MWlEOTgzMzU5MURCN0FDQUI3?revision=12","title":"mahmoudmsft_2-1719824173308.png","associationType":"BODY","width":923,"height":647,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4MmlDMTM1Mzk4QjI2REJDMUFB
?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4MmlDMTM1Mzk4QjI2REJDMUFB?revision=12","title":"mahmoudmsft_3-1719824221962.png","associationType":"BODY","width":952,"height":536,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4M2k4RkIzOUQxRTY0ODczQUU1?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4M2k4RkIzOUQxRTY0ODczQUU1?revision=12","title":"mahmoudmsft_4-1719824242638.png","associationType":"BODY","width":1053,"height":666,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4NGlCQkQwQThCQTJGQ0E1MjU3?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4NGlCQkQwQThCQTJGQ0E1MjU3?revision=12","title":"mahmoudmsft_5-1719824270786.png","associationType":"BODY","width":1006,"height":567,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4NmlDQTA1NEVGMUY2NzIzRTI0?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4NmlDQTA1NEVGMUY2NzIzRTI0?revision=12","title":"mahmoudmsft_6-1719824335848.png","associationType":"BODY","width":1492,"height":539,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4N2kzRkVDQjlCMUM3OTYyNUUz?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4N2kzRkVDQjlCMUM3OTYyNUUz?revision=12","title":"mahmoudmsft_7-1719824377217.png","associationType":"BODY","width":1725,"height":500,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/
s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4OWk1RDVEQzg4RDNFNDhERjkx?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4OWk1RDVEQzg4RDNFNDhERjkx?revision=12","title":"mahmoudmsft_8-1719824395767.png","associationType":"BODY","width":1730,"height":767,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI5MWlDRjY3NDFEMzU1RjFFNjdB?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI5MWlDRjY3NDFEMzU1RjFFNjdB?revision=12","title":"mahmoudmsft_9-1719824427014.png","associationType":"BODY","width":2216,"height":1156,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI5M2lFMUUwQjBCRUMwMTcyNkMy?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI5M2lFMUUwQjBCRUMwMTcyNkMy?revision=12","title":"mahmoudmsft_10-1719824454056.png","associationType":"BODY","width":1296,"height":564,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI5NGkyQjgxOUYyNUMzQjM4OTQ1?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI5NGkyQjgxOUYyNUMzQjM4OTQ1?revision=12","title":"mahmoudmsft_11-1719824471581.png","associationType":"BODY","width":1875,"height":510,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjM3OGlFM0NEOTk3MjYxN0Q4NTkw?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjM3OGlFM0NEOTk3MjYxN0Q4NTkw?revision=12","title":"mahmoudmsft_2-1719840549863.png","associationType":"BODY","width":2813,"height":1583,"altText":null
},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjM4MGlFQUExRjJDMDEyMjg0ODI2?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjM4MGlFQUExRjJDMDEyMjg0ODI2?revision=12","title":"mahmoudmsft_3-1719840753073.png","associationType":"BODY","width":1253,"height":437,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjM4M2lDNkI1N0NFMDE5Mjc5QTdD?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjM4M2lDNkI1N0NFMDE5Mjc5QTdD?revision=12","title":"mahmoudmsft_4-1719840948280.png","associationType":"BODY","width":2933,"height":1253,"altText":null},"BlogTopicMessage:message:4179790":{"__typename":"BlogTopicMessage","subject":"Using Cribl Stream to ingest logs into Microsoft Sentinel","conversation":{"__ref":"Conversation:conversation:4179790"},"id":"message:4179790","revisionNum":12,"uid":4179790,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSentinelBlog"},"author":{"__ref":"User:user:1075439"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" How to ingest syslog data into Sentinel using Cribl Stream ","introduction":"","metrics":{"__typename":"MessageMetrics","views":8612},"postTime":"2024-07-01T14:52:19.179-07:00","lastPublishTime":"2024-07-01T14:52:19.179-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":"   \n I would like to thank Javier Soriano, Eric Burkholder and Maria de Sousa-Valadas for helping out on this blog post. On 06 May 2024 it was announced by Microsoft here and by Cribl here that together, Microsoft and Cribl are working to drive accelerated SIEM migrations for customers looking to modernize their security operations (SecOps) with Microsoft Sentinel. 
\n   \n As quoted: \n “By combining Cribl’s leading data management technology with Microsoft Sentinel’s next generation SecOps SIEM solution, we are collectively helping customers transform and secure their businesses,” said Vlad Melnik, vice president of business development, alliances at Cribl.  “We are excited to deepen our collaboration with Microsoft and unlock more value for our joint customers.” \n   \n   \n Cribl stream architecture \n As mentioned in this cribl document, Cribl stream helps you process machine data – logs, instrumentation data, application data, metrics, etc. – in real time, and deliver them to your analysis platform of choice.  \n   \n   \n \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n Specifically in the context of Microsoft Sentinel migration projects, Cribl brings some advantages as seen from the field: \n   \n \n Fast and easy deployment of Cribl. \n \n Cribl offers a cloud-based SaaS option as well as a self-hosted scenario when needed. Either way, the whole Cribl pipeline can be spun up quickly, allowing for faster migration to Microsoft Sentinel \n   \n   \n \n GUI rich features \n \n Having an easy GUI that lets you design pipelines, ingest data, process data and send data to destinations helps teams quickly design and test a new data ingestion pipeline. \n For example, Cribl allows you to add data sources by drag and drop, configure listener details such as IP address and port number, and add new fields to the ingested data stream, all within a few clicks. \n   \n \n Applying data processing and/or transformation easily using pipelines. \n \n Within the same GUI, Cribl offers built-in data processing capabilities and functions that make it easy to manipulate, alter and transform data before ingesting it into Microsoft Sentinel. In addition to the built-in ones, Cribl also allows you to add new ones from scratch, giving you full control over the pipeline design. 
\n   \n \n Capture and test data at each stage \n \n A very important feature is the ability to capture live data at each stage of the pipeline to inspect how it has been processed, or to use sample log data at every stage, giving you good visibility into how data is processed and what it looks like at every stage of the pipeline. \n   \n \n Ability to work in push and pull mechanisms \n \n   \n   \n Following is a basic architecture concept of Cribl stream pipeline as mentioned in this cribl document: \n   \n \n   \n Now let's walk through a simple scenario of ingesting syslog data in a migration project using Cribl. The following are the high-level steps I will go over in the following sections: \n   \n \n Add Microsoft Sentinel as destination \n Add a syslog data source \n Add new fields to incoming events \n Show how to Create a new pipeline to transform data \n Show how to use Cribl built in packs \n \n   \n   \n   \n \n Add Microsoft Sentinel as destination \n \n The step-by-step procedure for adding Microsoft Sentinel as a destination is referenced here in this document. It’s worth noting that Cribl Stream uses Microsoft’s standard ingestion API. These steps involve creating a new data collection rule and data collection endpoint to receive the ingestion stream. In addition, Cribl needs a new app registered in Microsoft Entra ID to be able to use the ingestion API. All steps are described in the above Cribl document. 
\n   \n From the quick connect screen we click on “Add Destination” and then select Sentinel \n   \n \n   \n \n   \n   \n   \n Here we fill in the ingestion API details such as the DCE endpoint, the DCR immutable ID and other details: \n   \n \n   \n Under the authentication tab we fill in the App ID and App secret obtained from Microsoft Entra ID \n   \n \n   \n   \n   \n 2- Add a syslog data source \n From the quick connect screen we add a new syslog source \n   \n \n   \n Add a new syslog source: \n \n   \n   \n Here we configure the syslog port number to listen on. I have chosen port 9514 \n   \n \n   \n Once the syslog data source is added we can go ahead and capture live data to see what it looks like \n   \n   \n For the demo purposes of this blog post I have used the following logger command to send a mock syslog message. \n   \n   \n   \n   \n   \n   \n   \n logger -P 9514 -n <IPaddress-of-Cribl-stream-listner> --rfc3164 \"0|Cribl-test|MOCK|common=event-format-test|end|TRAFFIC|1|rt=$common=event-formatted-receive_time\" \n   \n   \n   \n   \n   \n The data fields after running the above logger command look as shown in the following screenshot when using the live data capture feature at source: \n   \n \n   \n   \n Now I’m going to add new hard-coded fields to the incoming stream, which is useful in scenarios where a dedicated syslog pipeline is required for each syslog source or a 1:1 mapping. \n   \n   \n 3. Add new fields to incoming events \n   \n \n   \n And we can capture again to see the result of the newly added fields: \n   \n \n   \n Now that we have data coming in, we can do some light data mapping in order to map incoming fields to the columns of the standard Sentinel syslog table. For this, we have two options: \n   \n A) Create your own pipeline transformation \n B) Use an existing Cribl Pack \n   \n    \n I have created a new pipeline with two functions. The first function renames some fields and the second drops some fields entirely. 
As shown on the right-hand side, all changes are highlighted in the standard pink/green colors with sample data \n   \n \n   \n   \n And now we have the whole pipeline ready \n   \n \n   \n   \n Now, using the same logger command, we see how data lands in Sentinel: \n   \n   \n \n   \n Cribl Stream Packs Dispensary \n   \n To reduce the complexity of creating processing pipelines with transformation capabilities, especially in large organizations, Cribl has many built-in processing packs that make it easy and quick to onboard several data sources.  \n   \n As mentioned in this Cribl document packs include: \n   \n \n Routes (Pack-level) \n Pipelines (Pack-level) \n Functions (built-in and custom) \n Sample data files \n \n   \n   \n \n   \n   \n Specifically for Microsoft Sentinel there are several packs available. The following are some of the available Sentinel packs: \n \n   \n   \n If we go ahead and try importing the Microsoft Sentinel pack, we see that it consists of the following functions, which cover data coming from sources like Palo Alto, Cisco ASA and Fortinet, and Windows Event forwarding as well. All of that is built in and, more importantly, fully customizable within a few clicks. It's also worth noting that within the same imported pack, data is automatically detected and forwarded to different Sentinel tables such as the Syslog, CommonSecurityLog and WindowsEvent tables. \n   \n \n   \n   \n   \n   \n Cribl Stream packs could be found here \n   \n So far we have seen how Cribl can help in Sentinel migration scenarios: its fast configuration, easy interface and the choice between running Cribl as a cloud instance or self-hosted, on-prem or in cloud VMs, make it a good choice. 
\n   \n Thanks \n   \n   \n   ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"8098","kudosSumWeight":2,"repliesCount":3,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI3NGlERjZBRjM4OTZENDJBQTg1?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI3NmkxMDFBODc3NEM0NEJFRDc5?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI3OGlBRUQ1OEE4M0M4OUE5RjE3?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI3OWlGODY1RjFCQ0M0NTE4OUUz?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4MGkxNTc5RUFENzlDOEMxN0RG?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDY","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4MWlEOTgzMzU5MURCN0FDQUI3?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDc","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4MmlDMTM1Mzk4QjI2REJDMUFB?revision=12\"}"}},{"__typename":"Associa
tedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDg","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4M2k4RkIzOUQxRTY0ODczQUU1?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDk","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4NGlCQkQwQThCQTJGQ0E1MjU3?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEw","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4NmlDQTA1NEVGMUY2NzIzRTI0?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEx","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4N2kzRkVDQjlCMUM3OTYyNUUz?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEy","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI4OWk1RDVEQzg4RDNFNDhERjkx?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEz","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI5MWlDRjY3NDFEMzU1RjFFNjdB?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE0","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI5M2lFMUUwQjBCRUMwMTcyNkMy?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE1","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjI5NGkyQjgxOUYyNUMzQjM4OTQ1?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE2","node":{"__r
ef":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjM3OGlFM0NEOTk3MjYxN0Q4NTkw?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE3","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjM4MGlFQUExRjJDMDEyMjg0ODI2?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE4","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MTc5NzkwLTU5NjM4M2lDNkI1N0NFMDE5Mjc5QTdD?revision=12\"}"}}],"totalCount":18,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4294146":{"__typename":"Conversation","id":"conversation:4294146","topic":{"__typename":"BlogTopicMessage","uid":4294146},"lastPostingActivityTime":"2024-11-18T07:46:16.745-08:00","solved":false},"User:user:839695":{"__typename":"User","uid":839695,"login":"JesseKopavi","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS04Mzk2OTUtMjI4ODcwaTY4MDI1QTUwMDE3MjA1MTA"},"id":"user:839695"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWc4SXhjQw?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWc4SXhjQw?revision=12","title":"SecOps.JPG","associationType":"COVER","width":9504,"height":6336,"altText":""},"Associa
tedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWtmV2ZqeQ?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWtmV2ZqeQ?revision=12","title":"clipboard_image-1-1731569885565.png","associationType":"BODY","width":292,"height":56,"altText":"1Password logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LTk2amtaSg?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LTk2amtaSg?revision=12","title":"image.png","associationType":"BODY","width":199,"height":105,"altText":"Cisco logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWhMMU9DZw?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWhMMU9DZw?revision=12","title":"image.png","associationType":"BODY","width":205,"height":60,"altText":"Cribl logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LUwzR2NXRQ?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LUwzR2NXRQ?revision=12","title":"clipboard_image-2-1731569930251.png","associationType":"BODY","width":474,"height":53,"altText":"FortiNDR Cloud logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LTI5eVA0Zw?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LTI5eVA0Zw?revision=12","title":"image.png","associationType":"BODY","width":199,"height":35,"altText":"PURE STORAGE 
logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LVlLaTRkaw?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LVlLaTRkaw?revision=12","title":"image.png","associationType":"BODY","width":199,"height":45,"altText":"CyberArk logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LU5GckhoNA?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LU5GckhoNA?revision=12","title":"image.png","associationType":"BODY","width":199,"height":72,"altText":"Cybersixgill logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LUgxZEVFbA?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LUgxZEVFbA?revision=12","title":"image.png","associationType":"BODY","width":199,"height":39,"altText":"Cyware logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LXBrNmV2Sw?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LXBrNmV2Sw?revision=12","title":"image.png","associationType":"BODY","width":199,"height":115,"altText":"Ermes Browser Security logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LVQwN2VTYg?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LVQwN2VTYg?revision=12","title":"image.png","associationType":"BODY","width":199,"height":34,"altText":"Gigamon 
logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWcxUDRBNQ?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWcxUDRBNQ?revision=12","title":"image.png","associationType":"BODY","width":199,"height":50,"altText":"Illumio logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWdWZ2JUTw?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWdWZ2JUTw?revision=12","title":"image.png","associationType":"BODY","width":199,"height":44,"altText":"Infoblox logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LTBxV1FheQ?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LTBxV1FheQ?revision=12","title":"image.png","associationType":"BODY","width":199,"height":74,"altText":"Cognyte logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LXZKTE15Tg?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LXZKTE15Tg?revision=12","title":"image.png","associationType":"BODY","width":199,"height":74,"altText":"Prancer logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LXRaT0pDQQ?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LXRaT0pDQQ?revision=12","title":"image.png","associationType":"BODY","width":199,"height":37,"altText":"Phosphorus 
logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LW5XSnlvNg?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LW5XSnlvNg?revision=12","title":"image.png","associationType":"BODY","width":199,"height":44,"altText":"Silverfort logo"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LTRyY1o0ZQ?revision=12\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LTRyY1o0ZQ?revision=12","title":"image.png","associationType":"BODY","width":199,"height":51,"altText":"Transmit logo"},"BlogTopicMessage:message:4294146":{"__typename":"BlogTopicMessage","subject":"What’s New: Exciting new Microsoft Sentinel Connectors Announcement - Ignite 2024","conversation":{"__ref":"Conversation:conversation:4294146"},"id":"message:4294146","revisionNum":12,"uid":4294146,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSentinelBlog"},"author":{"__ref":"User:user:839695"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":"","introduction":"","metrics":{"__typename":"MessageMetrics","views":2888},"postTime":"2024-11-18T07:46:16.745-08:00","lastPublishTime":"2024-11-18T07:46:16.745-08:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Microsoft Sentinel continues to be a leading cloud-native security information and event management (SIEM) solution, empowering organizations to detect, investigate, and respond to threats across their digital ecosystem at scale.  Microsoft Sentinel offers robust out of the box (OOTB) content, allowing seamless connections with a wide array of data sources from both Microsoft and third-party providers. 
This enables comprehensive collection and analysis of security signals across multicloud, multiplatform environments, enhancing your overall security posture.  \n In this Ignite 2024 blog post, we are thrilled to present the latest integrations contributed by our esteemed Partners. \n These new integrations further expand the capabilities of Microsoft Sentinel, enabling you to connect your existing security solutions and leverage Microsoft Sentinel’s powerful analytics and automation capabilities to fortify your defenses against evolving cyber threats. \n Featured ISV \n \n \n \n \n \n \n   \n \n \n 1Password for Microsoft Sentinel \n The integration between 1Password Extended Access Management and Microsoft Sentinel provides businesses with real-time visibility and alerts for login attempts and account changes. It enables quick detection of security threats and streamlines reporting by monitoring both managed and unmanaged apps from a single, centralized platform, ensuring faster response times and enhanced security. \n \n \n \n \n \n Cisco Secure Email Threat Defense Sentinel Application \n This application collects threat information from Cisco Secure Email Threat Defense and ingests it into Microsoft Sentinel for visualization and analysis. It enhances email security by detecting and blocking advanced threats, providing comprehensive visibility and fast remediation. \n \n \n \n \n \n Cribl Stream Solution for Microsoft Sentinel \n Cribl Stream accelerates SIEM migrations by ingesting, transforming, and enriching third party data into Microsoft Sentinel. It simplifies data onboarding, optimizes data in various formats, and helps maintain compliance, enhancing security operations and threat detection. \n \n \n \n \n   \n \n \n FortiNDR Cloud \n FortiNDR Cloud integrates Fortinet’s network detection and response capabilities with Microsoft Sentinel, providing advanced threat detection and automated response. 
Fortinet FortiNDR Cloud enhances network security by helping to identify and mitigate threats in real-time. \n \n \n \n \n \n Pure Storage Solution for Microsoft Sentinel \n This solution integrates Pure Storage’s data storage capabilities with Sentinel, providing enhanced data protection and performance. It helps optimize storage infrastructure and improve data security. \n \n \n \n \n \n \n New and Notable \n \n \n \n \n \n \n \n CyberArk Audit for Microsoft Sentinel \n This solution extracts audit trail data from CyberArk and integrates it with Microsoft Sentinel, providing a comprehensive view of system and user activities. It enhances incident response with automated workflows and real-time threat detection. \n \n \n \n \n \n Cybersixgill Actionable Alerts for Microsoft Sentinel \n Cybersixgill provides contextual and actionable alerts based on data from the deep and dark web. It helps SOC analysts detect phishing, data leaks, and vulnerabilities, enhancing incident response and threat remediation. \n \n \n \n \n \n Cyware For Microsoft Sentinel \n Cyware integrates with Microsoft Sentinel to automate incident response and enhance threat hunting. It uses Logic Apps and hunting queries to streamline security operations and provides contextual threat intelligence. \n \n \n \n \n \n Ermes Browser Security for Microsoft Sentinel \n Ermes Browser Security ingests security and audit events into Microsoft Sentinel, providing enhanced visibility and reporting. It helps monitor and respond to web threats, improving the organization’s security posture. \n \n \n \n \n \n Gigamon Data Connector for Microsoft Sentinel \n This solution integrates Gigamon GigaVUE Cloud Suite, including Application Metadata Intelligence, with Microsoft Sentinel, providing comprehensive network traffic visibility and insights. It helps detect anomalies and optimize network performance, enhancing overall security. 
\n \n \n \n \n \n Illumio Sentinel Integration \n Illumio integrates its micro-segmentation capabilities with Microsoft Sentinel, providing real-time visibility and control over network traffic. It helps prevent lateral movement of threats and enhances overall network security. \n \n \n \n \n \n Infoblox App for Microsoft Sentinel \n The Infoblox solution enhances SecOps capabilities by seamlessly integrating Infoblox's AI-driven analytics, providing actionable insights, dashboards, and playbooks derived from DNS intelligence. These insights empower SecOps teams to achieve rapid incident response and remediation, all within the familiar Microsoft Sentinel user interface. \n \n \n \n \n \n LUMINAR Threat Intelligence for Microsoft Sentinel \n LUMINAR integrates threat intelligence and leaked credentials data into Microsoft Sentinel, helping organizations maintain visibility of their threat landscape. It provides timely, actionable insights to help detect and respond to threats before they impact the organization. \n \n \n \n \n \n Prancer PenSuite AI \n Prancer PenSuite AI now supercharges Microsoft Sentinel by injecting pentesting and real-time AppSec data into SOC operations. With powerful red teaming simulations, it empowers teams to detect vulnerabilities earlier, respond faster, and stay ahead of evolving threats. \n \n \n \n \n \n Phosphorus Connector for Microsoft Sentinel \n Phosphorus Cybersecurity’s Intelligent Active Discovery provides in-depth context for xIoT assets, which enhances threat detection and allows for targeted responses, enabling organizations to isolate or secure specific devices based on their criticality. \n \n \n \n \n \n Silverfort for Microsoft Sentinel \n Silverfort integrates its Unified Identity Protection Platform with Microsoft Sentinel, securing authentication and access to sensitive systems, both on-premises and in the cloud without requiring agents or proxies. 
\n \n \n \n \n \n Transmit Security Data Connector for Sentinel \n Transmit Security integrates its identity and access management capabilities with Sentinel, providing real-time monitoring and threat detection for user activities. It helps secure identities and prevent unauthorized access. \n \n \n \n \n \n \n   \n In addition to commercially supported integrations, Microsoft Sentinel Content Hub also connects you to hundreds of community-based solutions as well as thousands of practitioner contributions. For more details and instructions on how to set up these integrations see Microsoft Sentinel data connectors | Microsoft Learn.    \n To our partners: Thank you for your unwavering partnership and invaluable contributions on this journey to deliver the most comprehensive, timely insights and security value to our mutual customers. Security is indeed a team sport, and we are grateful to be working together to enhance the security landscape. Your dedication and innovation are instrumental in our collective success. \n We hope you find these new partner solutions useful, and we look forward to hearing your feedback and suggestions. Stay tuned for more updates and announcements on Microsoft Sentinel and its partner ecosystem. \n Learn More \n Microsoft’s commitment to Security \n \n Microsoft’s Secure Future Initiative \n Unified SecOps | SIEM and XDR Solutions \n Unified Platform documentation | Microsoft Defender XDR \n \n What else is new with Microsoft Sentinel? 
\n \n Microsoft Sentinel product home \n Schema Mapping \n Microsoft Sentinel Partner Solution Contributions Update – Ignite 2023 \n \n Additional resources:  \n \n Sentinel Ignite 2024 Blog \n Latest Microsoft Tech Community Sentinel blog announcements \n Microsoft Sentinel solution for SAP \n Microsoft Sentinel solution for Power Platform \n Microsoft Sentinel pricing \n Microsoft Sentinel customer stories \n Microsoft Sentinel documentation \n \n   \n   \n   \n   \n   \n   \n   \n   \n   ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"8174","kudosSumWeight":0,"repliesCount":0,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWc4SXhjQw?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWtmV2ZqeQ?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LTk2amtaSg?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWhMMU9DZw?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LUwzR2NXRQ?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDY","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microso
ft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LTI5eVA0Zw?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDc","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LVlLaTRkaw?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDg","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LU5GckhoNA?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDk","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LUgxZEVFbA?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEw","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LXBrNmV2Sw?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEx","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LVQwN2VTYg?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEy","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWcxUDRBNQ?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEz","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWdWZ2JUTw?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE0","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LTBxV1FheQ?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE1","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/
images/bS00Mjk0MTQ2LXZKTE15Tg?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE2","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LXRaT0pDQQ?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE3","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LW5XSnlvNg?revision=12\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE4","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LTRyY1o0ZQ?revision=12\"}"}}],"totalCount":18,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":{"__typename":"UploadedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00Mjk0MTQ2LWc4SXhjQw?revision=12"},"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:1350371":{"__typename":"Conversation","id":"conversation:1350371","topic":{"__typename":"BlogTopicMessage","uid":1350371},"lastPostingActivityTime":"2024-11-16T06:58:41.129-08:00","solved":false},"User:user:606518":{"__typename":"User","uid":606518,"login":"robeving","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/m_assets/avatars/default/avatar-3.svg?time=0"},"id":"user:606518"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xMzUwMzcxLTE5MTQxMWkyQjVGNEZFOEU3NzQ3QUI0?revision=13\"}":{"__typename":"Asso
ciatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xMzUwMzcxLTE5MTQxMWkyQjVGNEZFOEU3NzQ3QUI0?revision=13","title":"misp.PNG","associationType":"BODY","width":286,"height":213,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xMzUwMzcxLTE5MTQxMGk2QzIzNzc4MzQwODFCMERG?revision=13\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xMzUwMzcxLTE5MTQxMGk2QzIzNzc4MzQwODFCMERG?revision=13","title":"x1.png","associationType":"BODY","width":925,"height":727,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xMzUwMzcxLTE4NzkxOGk2MDREOUY4Rjc3QUQ4QjA2?revision=13\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xMzUwMzcxLTE4NzkxOGk2MDREOUY4Rjc3QUQ4QjA2?revision=13","title":"blogc.png","associationType":"BODY","width":1117,"height":191,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xMzUwMzcxLTE4NzkyMGk5NjJGQjUzQ0VBNEQzOEIw?revision=13\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xMzUwMzcxLTE4NzkyMGk5NjJGQjUzQ0VBNEQzOEIw?revision=13","title":"blogd.png","associationType":"BODY","width":776,"height":339,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xMzUwMzcxLTE4NzkyMmk0MUI5RkRGODVGMjZEODNB?revision=13\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xMzUwMzcxLTE4NzkyMmk0MUI5RkRGODVGMjZEODNB?revision=13","title":"bloge.png","associationType":"BODY","width":386,"height":360,"altText":null},"BlogTopicMessage:message:1350371":{"__typename":"BlogTopicMessage","subject":"Integrating open source threat feeds with MISP and 
Sentinel","conversation":{"__ref":"Conversation:conversation:1350371"},"id":"message:1350371","revisionNum":13,"uid":1350371,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSentinelBlog"},"author":{"__ref":"User:user:606518"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" I show how to import TI feeds into Sentinel using MISP. As an example we'll be using Microsoft's COVID-19 TI feed. ","introduction":"","metrics":{"__typename":"MessageMetrics","views":54176},"postTime":"2020-05-14T10:55:34.855-07:00","lastPublishTime":"2021-11-02T17:55:53.545-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Recently, Microsoft released an open source set of malicious file hash indicators identified as using COVID-19 themed malicious email attachments in attempted attacks against our customers. Office365 successfully blocked these attempts, but the indicators can be consumed and used by customers to further protect themselves. The feed of indicators is provided as data file on GitHub which can be consumed using MISP. \n   \n \n \n \n In this blog post I will show Azure Sentinel customers how to set up a MISP server that can receive any public feeds, including these COVID-19 indicators, and import the data into your Azure Sentinel environment. It is also possible to use this code to import MISP data into Microsoft Defender ATP as well. Haim Goldshtein has already written a blog post on doing this. Instructions here have been tested on Ubuntu 18.04 but should be applicable to many other distributions – even WSL. \n \n \n \n \n   \n The COVID-specific threat intelligence feed represents a start at sharing some of Microsoft’s COVID-related IOCs.  We will continue to explore ways to improve the data over the duration of the crisis. 
While some threats and actors are still best defended more discreetly, we are committed to greater transparency and taking community feedback on what types of information is most useful to defenders in protecting against COVID-related threats. This is a time limited feed. We are maintaining this feed through the peak of the outbreak to help organizations focus on recovery. \n   \n If you have questions or feedback on this COVID-19 feed, please email msft-covid19-ti@microsoft.com. \n   \n To integrate this feed with your MISP server you will need to use the following URL: \n https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv \n   \n Install Docker \n The Docker project has already published comprehensive documentation on setting up the most recent version of Docker for your distribution of choice. For this blog I used the Ubuntu instructions. \n The Docker MISP instance also requires ‘docker-compose’ so once you have followed the Docker install guide enter the following command. \n   \n sudo apt-get install docker-compose \n   \n   \n Set up MISP Docker instance \n The MISP project has published a Docker compose configuration, you can use this by first entering these commands. \n   \n git clone https://github.com/MISP/misp-docker\ncd misp-docker \n   \n Next, you will need to edit the configuration file, making sure to set a strong password. If you do not set a strong enough password, you might not be able to sign into your MISP instance. This can be fixed later. \n   \n cp template.env .env\nnano .env \n   \n Now the Docker image needs to be built. Run these two commands to build the image and start the container. \n   \n sudo docker-compose build\nsudo docker-compose up \n   \n At this point a MISP instance will be running on port 80. You should be able to sign in and begin adding new feeds. 
If you are hosting this server on the Internet, you will want to look at how to secure this installation further with TLS and restrictions on access to the web front end. \n   \n If you are unable to log in to the front end, then perhaps the password was not strong enough. You can reset the password with the following commands. \n   \n sudo docker exec -i -t misp_web /bin/bash\n/var/www/MISP/app/Console/cake Password admin@admin.test NEWPASSWORD\nexit \n   \n   \n Add the COVID-19 feed \n The next step is to add the Microsoft feed to the MISP server. There is good documentation for this but in brief click ‘Sync Actions’ on the main menu then ‘List feeds’ and click ‘Add Feed’. The address of Microsoft’s COVID-19 feed can be found above. Enter this in the URL textbox. Next you will need to select ‘Simple CSV Parsed Feed’ from the list box. Most of the text boxes can be left blank but you must set the ‘Value field(s) in the CSV’ to 2. Set the other properties to reasonable values and click Add. Make sure you have ticked the ‘Enable’ checkbox. \n   \n There are several other 3rd party feeds you may also want to enable and have available in your Sentinel workspace. Each of these will need to be enabled separately. \n \n The next step is to ensure that the feed is automatically updated. In the ‘Scheduled Tasks’ section of the Administration menu set the fetch_feeds task frequency to 1h. If you want to fetch on a quicker schedule this can be performed via a cron job. \n   \n You should see a new COVID-19 event appear from the Microsoft COVID-19 feed when the sync process starts. \n   \n Retrieve your MISP auth key \n Within the MISP web interface click ‘Event Actions’ on the menu bar then select ‘Automation’. Your MISP auth key will be listed on the screen; note this down for entry into the script later, and store it as you would a password, because it grants API access to your MISP instance. 
\n   \n Connect your MISP instance to Sentinel \n Much of this section is an abridged version of the Sentinel threat intelligence feed connector and MISP to Microsoft Graph script documentation. You should review this documentation first. \n   \n Create an App Registration with the required permissions \n In order to connect your MISP server to Sentinel you need to create an App Registration with the required permissions. This is a straightforward process but does require a user with 'Global Administrator', 'Security Administrator' or 'Security Reader' permission to grant access. In brief: \n \n Open the Application Registration Portal and click New registration on the menu bar. \n Enter a name, and choose Register, other options can be left with their defaults. \n Note down the Application (client) ID and Directory (tenant) ID. You will need to enter these into the script’s configuration file. \n Under Certificates & secrets, click New client secret enter a description and click Add. A new secret will be displayed. Copy this for later entry into the script. \n Under API permissions, choose Add a permission > Microsoft Graph. \n Under Application Permissions, add ThreatIndicators.ReadWrite.OwnedBy. \n \n \n Enable the Sentinel Connector \n Open your Azure Sentinel workspace, click ‘Data connectors’ and then look for the ‘Threat Intelligence Platforms’ connection. Open the connector and click Connect. \n \n   \n Setup the script \n The script can be run on any machine that has access to your MISP infrastructure and the Microsoft Graph API. In order to reduce complexity, I ran the script on the same machine as the MISP instance. \n Enter the following commands. These will create an environment for the script to run, download it from GitHub, install the necessary prerequisites and open the configuration file. 
\n   \n sudo apt-get install python3-venv\npython3 -m venv mispToSentinel\ncd mispToSentinel\nsource bin/activate\ngit clone https://github.com/microsoftgraph/security-api-solutions\ncd security-api-solutions/Samples/MISP/\npip install -r requirements.txt\nnano config.py \n   \n There are a few options that need to be changed in the configuration file: \n \n Under the graph_auth key enter the details from the AAD App Registration earlier. \n Set the ‘<targetProduct>’ to be ‘Azure Sentinel’. \n I added a # comment at the start of each line in the misp_event_filters section to effectively disable any filtering, so all data from the MISP server will be available in Sentinel. \n Set ‘<action>’ to ‘alert’. \n Enter your MISP auth key in ‘<misp key>’ and URL in ‘<misp url>’. \n Finally, set the lifetime for this data; I would recommend 30-60 days depending on your use case. \n \n You can now run the script to pull data from the MISP instance and push into your Sentinel workspace. \n   \n python script.py \n   \n After a few minutes you should be able to query the ThreatIntelligenceIndicator table in your Sentinel workspace. \n \n Use the data \n Now the data is in your Sentinel workspace you can easily search for matching hashes in a variety of datasets. As an example, this query will examine the SecurityEvent table for matching hashes. 
\n   \n let BadHashes=ThreatIntelligenceIndicator\n| summarize by FileHashValue;\nSecurityEvent\n| where FileHash in (BadHashes)\n| count \n   ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"8360","kudosSumWeight":6,"repliesCount":27,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xMzUwMzcxLTE5MTQxMWkyQjVGNEZFOEU3NzQ3QUI0?revision=13\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xMzUwMzcxLTE5MTQxMGk2QzIzNzc4MzQwODFCMERG?revision=13\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xMzUwMzcxLTE4NzkxOGk2MDREOUY4Rjc3QUQ4QjA2?revision=13\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xMzUwMzcxLTE4NzkyMGk5NjJGQjUzQ0VBNEQzOEIw?revision=13\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xMzUwMzcxLTE4NzkyMmk0MUI5RkRGODVGMjZEODNB?revision=13\"}"}}],"totalCount":5,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImagePrope
rties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:2677696":{"__typename":"Conversation","id":"conversation:2677696","topic":{"__typename":"BlogTopicMessage","uid":2677696},"lastPostingActivityTime":"2024-10-25T01:13:28.090-07:00","solved":false},"User:user:538161":{"__typename":"User","uid":538161,"login":"Sarah_Young","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS01MzgxNjEtNTU5NjcyaUU4MDQ3QTIyQjY3QzI0OTQ"},"id":"user:538161"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNjc3Njk2LTMwNTI5NmkzQUY4RjI5NDk0M0RFNjMw?revision=7\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNjc3Njk2LTMwNTI5NmkzQUY4RjI5NDk0M0RFNjMw?revision=7","title":"Sarah_Young_0-1629780482350.png","associationType":"TEASER","width":582,"height":452,"altText":null},"BlogTopicMessage:message:2677696":{"__typename":"BlogTopicMessage","subject":"What's new: Microsoft Sentinel Ninja Training Knowledge Check","conversation":{"__ref":"Conversation:conversation:2677696"},"id":"message:2677696","revisionNum":7,"uid":2677696,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSentinelBlog"},"author":{"__ref":"User:user:538161"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" Announcing the Microsoft Sentinel Ninja Training knowledge check! Think you're a true Sentinel Ninja? Take the knowledge check and find out. \n   \n \n   \n   ","introduction":"","metrics":{"__typename":"MessageMetrics","views":12686},"postTime":"2021-08-23T21:43:36.389-07:00","lastPublishTime":"2021-11-03T04:01:19.561-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Announcing the Microsoft Sentinel Ninja Training knowledge check! 
Think you're a true Sentinel Ninja? Take the knowledge check and find out. If you pass the knowledge check with a score of over 80% you can request a certificate to prove your ninja skills! \n   \n 1. Take the knowledge check here.  \n 2. If you score 80% or more in the knowledge check, request your participation certificate here. If you achieved less than 80%, please review the questions that you got wrong, study more and take the assessment again. \n   \n Note: it can take up to one business day for you to receive your certificate via email. \n   \n The Microsoft Sentinel Ninja training forms the basis of the skills and knowledge tested in this exercise which can be accessed here. \n   ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"796","kudosSumWeight":8,"repliesCount":4,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNjc3Njk2LTMwNTI5NmkzQUY4RjI5NDk0M0RFNjMw?revision=7\"}"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:4014565":{"__typename":"Conversation","id":"conversation:4014565","topic":{"__typename":"BlogTopicMessage","uid":4014565},"lastPostingActivityTime":"2024-07-16T10:05:30.812-07:00","solved":false},"User:user:1250080":{"__typename":"User","uid":1250080,"login":"Josefa_Sepulveda","registrationData":{"__typename":"Registra
tionData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0xMjUwMDgwLTM4NTE2MWkxMDk3QzY2QzJFQUFBQkNF"},"id":"user:1250080"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDE0NTY1LTUzNjg1NmlENUExNjc0QjcwOTYzNTA2?revision=31\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDE0NTY1LTUzNjg1NmlENUExNjc0QjcwOTYzNTA2?revision=31","title":"microsoft-365-defender-integration-with-azure-sentinel.png","associationType":"BODY","width":1162,"height":579,"altText":null},"BlogTopicMessage:message:4014565":{"__typename":"BlogTopicMessage","subject":"Unified Operation Platform features released at public preview","conversation":{"__ref":"Conversation:conversation:4014565"},"id":"message:4014565","revisionNum":31,"uid":4014565,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSentinelBlog"},"author":{"__ref":"User:user:1250080"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" Get deeper using Unified Security Operations Platform with Microsoft Sentinel and Defender XDR! ","introduction":"","metrics":{"__typename":"MessageMetrics","views":34092},"postTime":"2024-01-02T02:24:38.709-08:00","lastPublishTime":"2024-07-16T10:05:30.812-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" (Last updated April 2024) \n   \n ** The integration of Microsoft Sentinel into the Defender portal is currently in public preview, with the eventual goal of a fully integrated and aligned user experience.  The preview, specific feature information mentioned here is under development and therefore subject to change. Our recommendation is to regularly check for new developments and improvements. 
** \n   \n   \n Update August 2024 Please refer to the most updated content in this blog New enhancements in the Unified Security Operation Platform! Watch our latest webinar \n   \n Starting point \n Getting started with XDR+SIEM Unified Experience? Watch the Ignite video: Unifying XDR + SIEM: A new era in SecOps \n   \n What is happening to Microsoft Sentinel and Defender XDR? \n We are bringing together these products to deliver the most optimized and unified security operations platform. This experience will combine the full power of Microsoft Sentinel with Microsoft Defender XDR into a single portal enhanced with more comprehensive features, AI, automation, guided experiences, and curated threat intelligence. Customers will enjoy a fully integrated toolset to protect, detect, investigate, and respond to threats across every layer of digital estate. \n   \n Microsoft has been on a mission to empower security operations teams by unifying the many tools essential for protecting a digital estate and delivering them into an effective solution driven by AI and automation. Today, we help SOC teams build a powerful defense using the most comprehensive XDR platform on the market, Microsoft Defender XDR, by delivering unified visibility, investigation, response across endpoints, hybrid identities, emails, collaboration tools, cloud apps, and data. We also help provide unparalleled visibility into the overall threat landscape with our cloud native SIEM solution, Microsoft Sentinel, to extend coverage to every edge and layer of the digital environment. These experiences are natively integrated with bidirectional solutions, giving security operations teams an easy way to benefit from the comprehensiveness and flexibility of the SIEM and the threat driven approach of the XDR. 
Microsoft is ready to continue this journey to delivering the most comprehensive offering for security operations, and by bringing together mature, market leading SIEM and XDR, customers can stay safer, more easily than ever before. \n   \n Before continuing with the Ninja Training, we recommend reviewing the Unified SOC Platform FAQ Watch the video on Microsoft Defender XDR, Security Copilot & Microsoft Sentinel now in one portal (youtube.com) Already did the Unified SOC Platform Ninja Training? Check what's new. \n   \n   \n Table of Contents \n   \n XDR+SIEM Overview \n Module 1. Unified security operations platform benefits \n Module 2.  Getting started with Unified SOC Platform \n Module 3. Common Use Cases and Scenarios \n   \n Operating with XDR+SIEM Unified Experience \n Module 1. Connecting to Microsoft Defender XDR \n Module 2. Unified Incidents \n Module 3. Automation \n Module 4. Advanced Hunting \n Module 5. SOC optimization \n Module 6. More learning and support options \n   \n XDR+SIEM Overview \n   \n Watch the Ignite 2023 session \"What’s new in SIEM and XDR: Attack disruption and SOC empowerment\" \n   \n Module 1. Unified security operations platform benefits \n   \n A unified security operations platform will empower you and your organization to: \n • Drive analyst efficiency by unifying the SIEM and XDR experiences. \n • Reduce context switching with the merger of duplicate features. \n • Quicker time to value with less integration work and more out of the box value. \n • Automatically detect and disrupt attacks proactively over expanded estate of Microsoft and non-Microsoft products, starting with SAP, backed by Microsoft security research and insights. \n • Get the most out of tools with guided optimizations and better manage the SOC while managing costs. \n • Use Microsoft Security Copilot in context. Leverage generative AI with in-product experiences that surface skills relevant to the tasks at hand. 
Watch the MDTI: Now Anyone Can Tap Into Game-Changing Threat Intelligence session from Ignite 2023. \n • Benefit from a breadth of coverage with the most expansive XDR on the market and a SIEM that spans multi-cloud, business applications, IoT, OT and multi-platform. \n   \n Module 2. Getting started with Unified SOC Platform \n The Microsoft Defender portal supports a single Microsoft Entra tenant and the connection to one workspace at a time. In the context of this article, a workspace is a Log Analytics workspace with Microsoft Sentinel enabled. \n To onboard and use Microsoft Sentinel in the Microsoft Defender portal, you must have the following resources and access: \n \n \n A Microsoft Entra tenant that’s allow-listed by Microsoft to connect a workspace through the Defender portal \n \n \n A Log Analytics workspace that has Microsoft Sentinel enabled \n \n \n The data connector for Microsoft Defender XDR (formerly named Microsoft Defender XDR) enabled in Microsoft Sentinel for incidents and alerts \n \n \n Microsoft Defender XDR onboarded to the Microsoft Entra tenant \n \n \n An Azure account with the appropriate roles to onboard and use Microsoft Sentinel in the Defender portal. \n \n \n Read more about the onboarding process and requisites in our documentation \n   \n Module 3. Common use cases and scenarios \n \n \n One-click connect of Microsoft Defender XDR incidents, including all alerts and entities from Microsoft Defender XDR components, into Microsoft Sentinel. \n \n \n Bi-directional sync between Sentinel and Microsoft Defender XDR incidents on status, owner, and closing reason. \n \n \n Application of Microsoft Defender XDR alert grouping and enrichment capabilities in Microsoft Sentinel, thus reducing time to resolve. \n \n \n In-context deep link between a Microsoft Sentinel incident and its parallel Microsoft Defender XDR incident, to facilitate investigations across both portals. 
\n \n \n   \n Operating with XDR+SIEM Unified Experience \n   \n Module 1. Connecting to Microsoft Defender XDR \n Install the Microsoft Defender XDR solution for Microsoft Sentinel and enable the Microsoft Defender XDR data connector to collect incidents and alerts. Microsoft Defender XDR incidents appear in the Microsoft Sentinel incidents queue, with Microsoft Defender XDR in the Product name field, shortly after they are generated in Microsoft Defender XDR. \n \n \n It can take up to 10 minutes from the time an incident is generated in Microsoft Defender XDR to the time it appears in Microsoft Sentinel. \n \n \n Alerts and incidents from Microsoft Defender XDR (those items which populate the SecurityAlert and SecurityIncident tables) are ingested into and synchronized with Microsoft Sentinel at no charge. For all other data types from individual Defender components (such as DeviceInfo, DeviceFileEvents, EmailEvents, and so on), ingestion will be charged. \n \n \n Once the Microsoft Defender XDR integration is connected, the connectors for all the integrated components and services (Defender for Endpoint, Defender for Identity, Defender for Office 365, Defender for Cloud Apps, Microsoft Entra ID Protection) will be automatically connected in the background if they weren't already. If any component licenses were purchased after Microsoft Defender XDR was connected, the alerts and incidents from the new product will still flow to \n Microsoft Sentinel with no additional configuration or charge. \n   \n Watch this short overview of Microsoft Sentinel integration with Microsoft Defender XDR video (5 minutes). \n   \n Here's how it works. \n \n Get a deeper understanding of Connecting to Microsoft Defender XDR \n   \n Module 2. Unified incidents \n • For successful onboarding and integration, the M365D connector needs to be enabled. The separate Defender connectors will be disabled to avoid alert duplication. 
This means that your Microsoft Security Services based detection rules will be replaced by the M365D connector incidents creation rule. This can potentially impact any incident filtering or automation based on incident titles. To preserve filtering capabilities please use alert tuning or automation rules. • Because the unified portal will provide correlations across all signals – which is the strength of our combined SIEM + XDR solution – alerts from a Sentinel incident with a custom incident title might be merged into a new incident with a new title to group all related alerts. An example is a multi-stage attack which contains all alerts related to the attacker’s lateral movement. This behavior impacts any automation against the custom incident title as a condition and visual triaging of the incident queue. Our proposed mitigation is to leverage tags which will be merged into the new incident to support automation and visual triaging of the incident queue. • Incidents programmatically created in Microsoft Sentinel through the API, playbook, or manually from the incident creation interface are not synchronized to the unified portal. However, these incidents are still supported in the Microsoft Sentinel portal and the API. • A Sentinel alert can no longer be removed from the Sentinel incident. • Creating new incident comments within the new portal is supported but editing existing ones created at incident generation time is not. • The ProviderName in the SecurityIncident table will be changed to Microsoft XDR for all incidents, including those created by Microsoft Sentinel analytic rules. This may affect automation rules (more information in the Automation section of this document) or queries which are leveraged from within Workbooks as an example. • Tasks manually added, or created by automation rules or playbooks, will not be reflected in the unified portal. 
• The option to set the grouping definition in analytic rules to reopen closed incidents in case of a new alert being added to the incident (documented here) will not be supported in the first release of this integration. Incidents that were closed will not re-open as is the case with M365 Defender correlations. \n   \n Module 3. Automation \n • Triggering a Logic App playbook from an incident or an entity will become available at the end of this year (2023). • Automation rules with a condition based on the ProviderName field (e.g., Incident provider equals Microsoft Sentinel) will continue to run, even after the incident provider name has changed to Microsoft XDR. The system, however, will ignore the \n incident provider condition. This means that the automation rule with only the incident provider condition will run on ALL incidents, rather than only on Microsoft Sentinel or M365D incidents. The Incident provider condition will also not be available in the Unified Portal UI. • Automation rules with a condition updated by will be changed to include more details (e.g., who/what updated the incident). Instead of reflecting M365 Defender as the update source (which is the case today), we will provide the name of the user or service \n who performed the change. Values can include a username, alert grouping, AIR (automated investigation and response), application or others. • It can take up to 10 minutes from alert creation to running an automation rule. This is because incidents are created first in the unified portal and then forwarded to Microsoft Sentinel. We are continuously working on eliminating this delay. \n   \n Module 4. Advanced Hunting \n The Microsoft Defender XDR connector also lets you stream advanced hunting events - a type of raw event data - from Microsoft Defender XDR and its component services into Microsoft Sentinel. 
You can now (as of April 2022) collect advanced hunting events from all Microsoft Defender XDR components, and stream them straight into purpose-built tables in your Microsoft Sentinel workspace. \n   \n • Microsoft Defender XDR tables can be queried with a maximum lookback period of 30 days. To support longer retention periods, the recommendation is to ingest the required tables into the Sentinel workspace. o Queries can be executed from the Unified Portal to cover Sentinel data but not from the Sentinel side to access XDR data unless raw data ingestion into Sentinel has been configured. • Saved queries and functions from Sentinel cannot be edited. They can only be viewed and used. • The IdentityInfo table from Sentinel is not available, as the IdentityInfo remains as is in Defender XDR. Sentinel features like analytics rules that query this table won’t be impacted as they are querying the Log Analytics workspace directly. • The Sentinel SecurityAlert table is replaced by AlertInfo and AlertEvidence tables, which both contain all the alert data. While SecurityAlert is not available in the schema   tab, you can still use it in queries using the advanced hunting editor. This provision is made to not break existing queries from Sentinel that use this table. • Guided hunting mode is supported by Microsoft Defender XDR data only. • Custom detections, links to incidents, and take actions capabilities are supported for Defender XDR data only. • Right-clicking query results is not yet supported for columns in the JSON array format or lists. • Bookmarks are not supported in the advanced hunting experience. \n   \n Get a deeper understanding of advanced hunting in this document. 
\n Watch our introductory video on Unified Advanced Hunting  \n   \n Quick overview & a short tutorial that will get you started fast on Defender XDR Advanced Hunting Watch the Microsoft Sentinel Incident Investigation Experience webinar Learn how to Hunt for threats with Microsoft Sentinel Use Hunts to conduct end-to-end proactive threat hunting in Microsoft Sentinel \n   \n Module 5. SOC optimization \n Tailored recommendations. The new SOC optimization feature will be available for Microsoft Sentinel customers in private preview, both in the unified SOC platform and in the Azure portal. New data ingestion analysis will provide recommendations to help manage costs, ensure value on all data ingested and better protect companies against threats. Tailored suggestions will be available to customers for things like recommended data log tiers, adding relevant content on top of data or ingesting new sources to protect against relevant threats.  \n   \n Module 6. More learning and support options \n Learn more: \n 1. Unified platform documentation: aka.ms/unifiedsiemxdrdocs \n 2. SIEM and XDR Solutions | Microsoft Security \n 3. Microsoft Sentinel: https://aka.ms/microsoftsentinel \n 4. Blogs: Microsoft Sentinel Blog - Microsoft Tech Community \n 5. Microsoft Sentinel solution for SAP: Microsoft Sentinel solution for SAP® applications – SAP Monitoring | Microsoft Azure \n 6. Microsoft Customer Stories \n 7. Microsoft Sentinel documentation | Microsoft Learn \n 8. Private preview community \n 9. 
Security Operations Platform FAQ  \n   \n   ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"15294","kudosSumWeight":11,"repliesCount":9,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS00MDE0NTY1LTUzNjg1NmlENUExNjc0QjcwOTYzNTA2?revision=31\"}"}}],"totalCount":1,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:2774502":{"__typename":"Conversation","id":"conversation:2774502","topic":{"__typename":"BlogTopicMessage","uid":2774502},"lastPostingActivityTime":"2024-06-17T20:54:46.497-07:00","solved":false},"User:user:19686":{"__typename":"User","uid":19686,"login":"Matt 
Egen","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/dS0xOTY4Ni0zMTk3MGlFMzYxRjE0NjRFNDE1ODgw"},"id":"user:19686"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMzcyMWlCMjBDREU4Mzg4OThBQzI4?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMzcyMWlCMjBDREU4Mzg4OThBQzI4?revision=9","title":"whois.png","associationType":"TEASER","width":1115,"height":624,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3MGk2NzJGRDBGMzRBQjJFOEZF?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3MGk2NzJGRDBGMzRBQjJFOEZF?revision=9","title":"MattEgen_0-1632321618709.png","associationType":"BODY","width":384,"height":1060,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3MWk1NUI4Rjg4NEQzQ0E1M0U5?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3MWk1NUI4Rjg4NEQzQ0E1M0U5?revision=9","title":"MattEgen_1-1632321618715.png","associationType":"BODY","width":609,"height":76,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3MmlDQzUzQ0Q2MDQxMzQ2MTJB?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3MmlDQzUzQ0Q2MDQxMzQ2MTJB?revision=9","title":"MattEgen_2-1632321618719.png","associationType":"BODY","width":354,"height":441,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3M2lFNTJERUEzREMwREY5NUE3?rev
ision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3M2lFNTJERUEzREMwREY5NUE3?revision=9","title":"MattEgen_3-1632321618721.png","associationType":"BODY","width":1150,"height":208,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3NWkzODEzOUEwNTFDNzdGN0Uy?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3NWkzODEzOUEwNTFDNzdGN0Uy?revision=9","title":"MattEgen_4-1632321618734.png","associationType":"BODY","width":1529,"height":779,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3NGlGM0ZDNkJBNUE5ODdEQkRD?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3NGlGM0ZDNkJBNUE5ODdEQkRD?revision=9","title":"MattEgen_5-1632321618737.png","associationType":"BODY","width":1296,"height":414,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3Nmk1MDQ4MkZCNDM4NDg0MzlD?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3Nmk1MDQ4MkZCNDM4NDg0MzlD?revision=9","title":"MattEgen_6-1632321618745.png","associationType":"BODY","width":1029,"height":1104,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3OGlENkQ2RkYwODU3Mjk4NzYz?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3OGlENkQ2RkYwODU3Mjk4NzYz?revision=9","title":"MattEgen_7-1632321618756.png","associationType":"BODY","width":1125,"height":971,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc
0NTAyLTMxMjA3N2lCQjRGN0JCODc5MDk5QTM1?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3N2lCQjRGN0JCODc5MDk5QTM1?revision=9","title":"MattEgen_8-1632321618765.png","associationType":"BODY","width":972,"height":1277,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3OWlDOTA4QjIzRUZGNUVCNDFE?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3OWlDOTA4QjIzRUZGNUVCNDFE?revision=9","title":"MattEgen_9-1632321618772.png","associationType":"BODY","width":721,"height":682,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA4MGkwOTBFOTNGRTUwRjg1OEEx?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA4MGkwOTBFOTNGRTUwRjg1OEEx?revision=9","title":"MattEgen_10-1632321618775.png","associationType":"BODY","width":847,"height":228,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA4MWkyM0NCNjhDN0EyNUE2MDk4?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA4MWkyM0NCNjhDN0EyNUE2MDk4?revision=9","title":"MattEgen_11-1632321618780.png","associationType":"BODY","width":775,"height":536,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA4Mmk4RENGRTU4NjBDNDVCREZG?revision=9\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA4Mmk4RENGRTU4NjBDNDVCREZG?revision=9","title":"MattEgen_12-1632321618785.png","associationType":"BODY","width":1191,"height":245,"altText":null},"BlogTopicMessage:message:2774502":{"__typename":"Blog
TopicMessage","subject":"Querying WHOIS/Registration Data Access Protocol (RDAP) with Azure Sentinel and Azure Functions","conversation":{"__ref":"Conversation:conversation:2774502"},"id":"message:2774502","revisionNum":9,"uid":2774502,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSentinelBlog"},"author":{"__ref":"User:user:19686"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" \n With the amazing increase in domains and top-level domains (TLD's) on the Internet, it's difficult to know just where our users are going.  Newly registered domains, domain generation algorithms, and typo-squatting are all tactics used by adversaries to compromise users.  By researching the domains our users are accessing and generating alerts on potentially suspicious activity, we can be more aware of the risks and hopefully get ahead of the problem.   This blog post covers and example of extending Azure Sentinel using Azure Functions to call the Registration Data Access Protocol (RDAP) to gather information on the domains that are being accessed in an environment. ","introduction":"","metrics":{"__typename":"MessageMetrics","views":14115},"postTime":"2021-09-29T12:44:45.419-07:00","lastPublishTime":"2021-11-03T04:05:19.850-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" With the amazing increase in domains and top-level domains (TLD's) on the Internet, it's difficult to know just where our users are going. Newly registered domains, domain generation algorithms, and typo-squatting are all tactics used by adversaries to compromise users. Recently I was talking with a customer about Azure Sentinel and they had a question about if and how they could raise an alert when a user received an email from a newly registered domain (by their definition this was any domain that had been registered in the last thirty days).  
While we don't have a built-in feature for this in Sentinel, it is possible to extend Sentinel to include this type of functionality. This blog post is about one way that such an extension could be created.  \n   \n Domain registration history \n   \n First off, we need to understand domain registrations in general. To be usable on the Internet, all domain names must be registered so they can be propagated throughout the global DNS world. This information is created with a domain registrar or their resellers who are accredited by the Internet Corporation for Assigned Names and Numbers (ICANN), a not-for-profit public-benefit corporation who defines the policies and rules around domain registration. A simplified process flow is that when a domain is requested, the registrar will check if the domain name is available for registration and if so, will then create a \"WHOIS\" record with the domain name registrant's information.  WHOIS is a protocol defined by the Internet Engineering Taskforce (IETF) in RFC3912. WHOIS is a TCP based connection using port 43 and responds in a human readable format. Each registrar maintains their WHOIS infrastructure, and you often must know just which registrar is authoritative for a particular domain.  To keep the telephone book analogy going it's kind of like knowing that a person named \"Matt Egen\" exists somewhere in a telephone book in the world, but without knowing exactly where he is, you'd have to check all the telephone books around the world to find him. While this is fine for looking up occasional data (and back in 1985 there were a lot fewer domains (as well as much fewer Top-Level Domains (TLD) like .com, .net, .org, etc.)), it’s rather difficult to automate the process as the data isn't designed to be read by a machine.  
To counter this and account for not only the growing domain count but the invention of new \"Generic Top Level Domains\" (gTLD) like .store, .app, etc, ICANN and the Internet Engineering Task Force (IETF) came up with a new protocol called the Registration Data Access Protocol (RDAP).  RDAP is a REST API with the same information as the traditional WHOIS service, except its data is returned in a standardized JSON format. This makes it rather straightforward to parse the returned data (although it still maintains a problem in finding the correct RDAP server / source to begin with, but we can deal with that) and to automate the process. \n   \n Extending Azure Sentinel with Azure Functions \n   \n Azure Sentinel offers us several tools we can use to automate tasks.  One method is to use Playbooks which are based on Azure Logic Apps and these provide an outstanding solution for creating a visual flow in your automation process.  We could have used one here (in fact, in the v1 of this solution I did exactly that), however, there is another method we can use as well:  Azure Functions. Azure Functions is a cloud service available on-demand that provides all the continually updated infrastructure and resources needed to run your applications. You focus on the pieces of code that matter most to you, and Functions handles the rest. Functions provides serverless compute for Azure. You can use Functions to build web APIs, respond to database changes, process IoT streams, manage message queues, and more.  In this case, we’re going to use an Azure Function with a timer trigger to handle our RDAP query and run it on a regular schedule. \n   \n Architecture and process flow \n   \n The example follows a straightforward flow: \n   \n \n On a regular schedule the Azure Function will trigger. \n The Function will query the Azure Sentinel instance and call a Function which will get new domain names.  
We’re using a Function in Sentinel because we want it to be flexible and maintainable outside of the Azure Function.  This means we can modify it whenever we have / want a new source of domain names.  In this example we’re using the domains returned from the DeviceEvents table which comes from the Microsoft Defender 365 data connector.  However, by using a Function it could be from any or multiple source(s) so long as it’s returned in the expected format.  By using a Function and leveraging joins, we can handle all the sources we want. \n Using the returned domains, we will then call the RDAP “Bootstrap” service.  This is a special list of all of the gTLDs and their requisite RDAP server endpoints.  Think of this as a phone book of phone books. \n After getting the correct RDAP server, we then query it and get the results in JSON notation. \n We take the relevant information (in this example this is just the registration date) and then call back into our Azure Sentinel instance to store the data in a custom log table. \n Finally there is an Analytic Rule which runs against this custom log and if it finds a domain that is younger than the set criteria, it raises an alert. \n \n   \n Required Information for this example \n   \n Since we’re going to be accessing data in an Azure Sentinel instance we need some information to enable that. \n   \n Creating the Sentinel Function \n   \n To retrieve the domain names that we want to resolve, we’re using a Sentinel Function. While it has a similar name to an Azure Function, it’s different. A Sentinel Function is written in the Kusto Query Language (KQL) and is a query that you save and then call later using an alias. You can use a Function in place of a table and use it like any other table. 
I’m not going to go too deep into the use cases or creation of Functions, but for our case we’re using it as a convenient tool so that we can maintain the query outside of our Azure Function and tune / adjust it as needed for different environments. If you like to learn more about Sentinel Functions, you can read about them here:  Functions in Azure Monitor log queries - Azure Monitor | Microsoft Docs.  For this use case, we’re going to show a straightforward example that calls into the DeviceNetworkEvents table, cleans up some of the data, checks to make sure it’s not in an exclusion list and finally that it’s not been already looked up in the last 90 days. \n   \n // Function Name: GetDomainsForRDAP // ExcludedDomains is a dynamic list of domains and TLDs to not bother searching for // either because we already trust them, or perhaps we know they don’t have an RDAP server implementation. let ExcludedDomains = dynamic([\"cn\",\"io\", \"ms\", \"microsoft.com\",\"somerandomsender.com\"]); // Query the DeviceNetworkEvents table for the last 1 hour DeviceNetworkEvents | where TimeGenerated >= ago(1h) | where isnotempty(RemoteUrl) //only return records that have a RemoteUrl value // A little cleanup just in case | extend parsedDomain = case(RemoteUrl contains \"//\", parse_url(RemoteUrl).Host, RemoteUrl) // handle scenarios where the RemoteUrl includes protocol data (e.g. http/s, etc.) 
| extend cleanDomain = split(parsedDomain,\"/\")[0] // throw away anything after the last “/” character | extend splitDomain = split(cleanDomain,\".\") //split the domain name on the “.” | extend Domain = tolower(strcat(splitDomain[array_length(splitDomain)-2],\".\",splitDomain[array_length(splitDomain)-1])) // recombine just the last two parts of the domain (the TLD and gTLD) | extend TLD = splitDomain[array_length(splitDomain)-1]  // grab the gTLD so we can see if it’s in exclusion list along with the domain | where TLD !in(ExcludedDomains) | where Domain !in(ExcludedDomains) | summarize DistinctDomain = dcount(Domain) by Domain  //De-duplicate the list | project Domain // return just the domain // Now join the results above to our table of already resolved domains.  We don’t want to waste cycles querying for things we already know about //| join kind=leftanti (ResolvedDomains_CL //| where TimeGenerated >= ago(90d)) on $left.Domain == $right.domainName_s //Uncomment these lines after the FIRST run of the Azure Function. \n   \n One thing you may notice in the above Sentinel Function: the last two lines are commented out.  This is because until the Azure Function runs the first time, the “ResolvedDomains_CL” custom log table doesn’t exist and this Sentinel Function will fail.  After successfully running the Azure Function one time, you should then uncomment the last two lines. Note also that the query keeps only the last two labels of each host name, so a host under a multi-label suffix such as .co.uk is reduced to the suffix itself rather than to the registered domain; such domains will need separate handling.  \n   \n The Azure Function \n   \n Now that we have the Sentinel Function out of the way, let’s talk about the Azure Function. As noted before, while having a similar name to a Sentinel Function, Azure Functions are completely different.  Azure Functions is a cloud service available on-demand that provides all the continually updated infrastructure and resources needed to run your applications. You focus on the pieces of code that matter most to you, and Functions handles the rest. 
Azure Functions can be written in an array of different stacks including .NET, Node.Js, Python, Java, and even PowerShell Core and can be hosted on either Windows or Linux infrastructure. In this case we’re using .NET as the stack, the language is C#, and the infrastructure is Windows. \n   \n To read data from Azure Sentinel, we need to create Azure AD application credentials with permission to the Azure Sentinel instance. \n   \n Creating an Azure AD Application with read permissions to Azure Sentinel \n   \n This blog post is already getting a little long so rather than rewrite the steps to create an Azure AD Application, I’m just going to provide a link to my peer Rin Ure’s great blog post on the API’s and creating credentials: Access Azure Sentinel Log Analytics via API (Part 1) - Microsoft Tech Community  The specific permission that we want to make sure we grant to the application is covered in the linked article under the “Give the AAD Application permissions to your (Sentinel) Log Analytics Workspace” section.  After following the steps in that article, we will have two of the settings that we will need for the RDAP Query engine:  the Client ID and the Client Secret.  We will be using these later when we configure the Azure Function. \n   \n Ok, so now we have what we need to read the data, but what about writing back our results? To write data to the Azure Sentinel instance, we need the Workspace ID and either the Primary or Secondary key for the workspace. \n   \n Getting the Workspace ID and Key for Azure Sentinel \n   \n Azure Sentinel uses Log Analytics as the underlying data store.  To write data to the Log Analytics workspace, we need the workspace ID and Key and can access these very simply in Azure Sentinel. In Sentinel, go to Settings... \n   \n   \n \n   \n Then, select “Workspace Settings” from the top of the resulting page... 
\n   \n \n   \n And finally, select “Agents Management” \n \n   \n This will take you to a screen that will show you the Workspace ID and two keys, a primary and secondary, that can be used to send data to the workspace... \n   \n \n   \n We can use either the primary or the secondary; it doesn’t matter which one we choose. Just remember to copy and save the Workspace ID and one of the keys as we’re going to need them in the next section. \n   \n Now that we have the values we need to access Azure Sentinel, we are going to use them in our Azure Function by storing them in Application Settings. \n   \n Azure Function – Application Settings \n   \n As an Azure Function, the example can be configured via Application Settings. Application settings are encrypted at rest and transmitted over an encrypted channel. Application Settings are exposed as environment variables for access by the application at runtime. This allows us to store keys and values in the Azure Function without having to store them in code. There are two advantages to this: 1) we’re not storing secrets in the actual code itself and 2) we can change them if we need to later. Because the SharedKey and client_secret values are secrets, consider storing them in Azure Key Vault and pointing the Application Settings at them with Key Vault references. \n   \n For this Function we use the following Application Settings: \n   \n \"SharedKey\": \"[LogAnalytics WorkSpace Primary or Secondary Key]\", \"WorkspaceID\": \"[LogAnalytics Workspace ID]\", \"LogName\": \"[The name of the custom log to store results. Recommend:ResolvedDomains]\", \"tenant_id\": \"[AzureAD TenantID]\", \"client_id\": \"[AzureAD Application Client ID]\", \"client_secret\": \"[AzureAD Application Client Secret]\", \"grant_type\": \"[Grant Type for Bearer Token]\", \"resource\": \"[Resource URL for Bearer Token]\", \"query_string\": \"[The Sentinel function name to call]\" \n   \n These values are used in the C# code that does the actual work in the Azure Function and will be populated from the Application Settings into the code at runtime. This makes it very easy for us to change settings without having to rewrite / redeploy code.  
After deploying the application to an Azure Function, we configure the Application Settings on the Configuration blade... \n   \n \n   \n   \n For each of the settings, simply click the “New Application Setting” button and enter the name and value of the setting... \n   \n \n   \n   \n Now let’s look at the code and how we can deploy it to an Azure Function. \n   \n RDAP Query Engine C# Code \n   \n I’m not going to go through every line in the code, but instead leave that as an exercise for the reader.  Keep in mind this is an example and as such could probably be improved.   The code is hosted on GitHub here: Azure-Sentinel/Tools/RDAP/RDAPQuery at master · Azure/Azure-Sentinel (github.com). However, I’m going to cover the main function and the overall structure. \n   \n “CheckDomains” \n \n   \n   \n CheckDomains is the initialization point for the code and is called by the Azure Function framework based on a Timer trigger (in fact CheckDomains is an alias for the internal “Run” function that Azure Functions is calling). The timer is set to fire at a set period of time (default every five minutes) and in turn makes all of the other calls to get authentication, retrieve data from Sentinel, query RDAP, and finally write the results back to Sentinel. Let’s map out this function... \n [create a visio of the function?] \n   \n  “QueryData” \n \n   \n   \n One of the first things that CheckDomains does is call the QueryData function which is responsible for calling into Azure Sentinel and retrieving any new domains to lookup. It takes one parameter which is the actual query to execute. Since querying the data in Azure Sentinel requires us to authenticate, it first retrieves an OAUTH bearer token (via a call to “GetBearerToken()”) and then uses it in the subsequent call to the Log Analytics API.  If we receive a successful status code from the call, we then deserialize the results into a QueryResults object and return it back to the CheckDomains function. 
\n   \n After calling QueryData, we run a ForEach() loop over the results, do a little cleanup (by splitting out the top-level domain (.com, .net, etc.) with a split() function) and then call BootStrapTLD. \n    \n BootStrapTLD() \n \n   \n   \n BootStrapTLD takes the passed in top-level domain (TLD) and uses it to call the IANA bootstrap URL at https://data.iana.org/rdap/dns.json (this is hardcoded as it’s supposed to never change) which is a JSON file that has all the different TLDs mapped out with the appropriate RDAP server URL that we can call to get the detailed information about the domain.  We make a call to the JSON file and then deserialize it into a Services object. Since we deserialized the entire list, we then run a foreach loop over the returned values to check for a match with the TLD we’re searching for. When we have a match we then break out of the ForEach and return the value back to CheckDomains() \n Now that we have the RDAP server that is responsible for the TLD, it’s time to call it and get the information we want. \n   \n QueryRDAP \n \n   \n   \n This function is very straightforward as it simply calls the passed in URL, deserializes the results (if any) into an RDAPResponse object and then returns that back to CheckDomains.  CheckDomains then parses the returned object to find the “events” node and specifically one with an eventType of “registration”. If we find one, we create a new “RDAPUpdate” object which just holds the domain name we looked up along with the registration date that was returned. This object is then passed to the WriteData function which will store it into Sentinel / Log Analytics. \n   \n WriteData() \n \n   \n   \n WriteData is possibly the simplest function in all of this code as it just takes the passed object, converts it into a JSON string, builds a signature (using the Workspace ID and keys from earlier) and then calls PostData which does the actual write to Sentinel / Log Analytics. 
\n   \n PostData() \n \n   \n And finally, PostData() calls the Log Analytics API and commits our data.  \n   \n So…I’ve got a bunch of domain names and their registration dates, now what? \n   \n Going back to our original need (alert on domains that are younger than 30 days), we can write a very simple query in the Logs blade of Sentinel to search for these: \n   \n ResolvedDomains_CL | where TimeGenerated >= ago(1h) | where registrationDate_t >= ago(30d) \n And to automate this query, we could convert it into an Analytics rule to generate an Incident for an analyst to review by selecting the “New Alert” drop down and choosing “Create Azure Sentinel Alert” \n   \n \n   \n Another use case could be to create an enrichment query to add registration data during an investigation.  For example, create a join() between a domain source table and the ResolvedDomains_CL table to add in the registration date for any domains seen, and then add that data to an analytic using the new Custom Details feature. \n   \n Next steps / further improvements \n   \n One thing I noticed in creating this example was that not every top-level domain has activated an RDAP server yet. Notably, a number of country TLDs are still using the traditional WHOIS infrastructure (this is why I added the ability to exclude domains and TLD’s in the GetDomainsForRDAP Sentinel Function).  As a next step for this project, I am going to look to add traditional WHOIS queries (via a TCP connection to port 43) in cases where RDAP cannot find a domain / receives an error. Also, the code currently doesn’t handle raw IP addresses (either IPv4 or IPv6) and instead just does a lookup and fails. I’m looking at modifying the code to support RDAP queries for IP addresses as well, but since it’s an IP address it doesn’t have a “registration date” per se. Would love some feedback on what you think would be useful information from an IP address.  Look for this update soon. \n   \n Until next time, happy hunting! 
\n   \n   \n   \n   \n   \n   \n   \n   \n   ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"19706","kudosSumWeight":2,"repliesCount":4,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMzcyMWlCMjBDREU4Mzg4OThBQzI4?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3MGk2NzJGRDBGMzRBQjJFOEZF?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3MWk1NUI4Rjg4NEQzQ0E1M0U5?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3MmlDQzUzQ0Q2MDQxMzQ2MTJB?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3M2lFNTJERUEzREMwREY5NUE3?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDY","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3NWkzODEzOUEwNTFDNzdGN0Uy?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDc","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3NGlGM0ZDNkJBNUE5ODdEQkRD?revision=9\"}"}},{"__typename"
:"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDg","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3Nmk1MDQ4MkZCNDM4NDg0MzlD?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDk","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3OGlENkQ2RkYwODU3Mjk4NzYz?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEw","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3N2lCQjRGN0JCODc5MDk5QTM1?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEx","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA3OWlDOTA4QjIzRUZGNUVCNDFE?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEy","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA4MGkwOTBFOTNGRTUwRjg1OEEx?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDEz","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA4MWkyM0NCNjhDN0EyNUE2MDk4?revision=9\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE0","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0yNzc0NTAyLTMxMjA4Mmk4RENGRTU4NjBDNDVCREZG?revision=9\"}"}}],"totalCount":14,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverIm
age":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:1583204":{"__typename":"Conversation","id":"conversation:1583204","topic":{"__typename":"BlogTopicMessage","uid":1583204},"lastPostingActivityTime":"2024-02-26T11:32:23.814-08:00","solved":false},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xNTgzMjA0LTIxMTk0OGk0OTNBRDQ1M0RCQ0U3QzhD?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xNTgzMjA0LTIxMTk0OGk0OTNBRDQ1M0RCQ0U3QzhD?revision=16","title":"AKS diagram.PNG","associationType":"TEASER","width":582,"height":484,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xNTgzMjA0LTIxMTk0OWkwRDc3MTYwOEMyQTkzODg5?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xNTgzMjA0LTIxMTk0OWkwRDc3MTYwOEMyQTkzODg5?revision=16","title":"AKS diagram.PNG","associationType":"BODY","width":582,"height":484,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xNTgzMjA0LTIxMTk0NGk0QzUzN0E0RTAxMkE5M0FE?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xNTgzMjA0LTIxMTk0NGk0QzUzN0E0RTAxMkE5M0FE?revision=16","title":"k8s-matrix.png","associationType":"BODY","width":1440,"height":766,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xNTgzMjA0LTIxMTk0NmlCNDlFMDI1MUY1RTdDMEQy?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xNTgzMjA0LTIxMTk0NmlCNDlFMDI1MUY1RTdDMEQy?revision=16","title":"ASC 
AKS.png","associationType":"BODY","width":1744,"height":809,"altText":null},"BlogTopicMessage:message:1583204":{"__typename":"BlogTopicMessage","subject":"Monitoring Azure Kubernetes Service (AKS) with Microsoft Sentinel","conversation":{"__ref":"Conversation:conversation:1583204"},"id":"message:1583204","revisionNum":16,"uid":1583204,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSentinelBlog"},"author":{"__ref":"User:user:538161"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":"  In this blog post we explore how to use Microsoft Sentinel to monitor your Azure Kubernetes Service (AKS) environments. \n \n   ","introduction":"","metrics":{"__typename":"MessageMetrics","views":27001},"postTime":"2020-08-13T13:59:12.071-07:00","lastPublishTime":"2021-11-02T18:08:08.369-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" In 2020 Kubernetes only marked its sixth birthday, but in that time its usage has grown exponentially and it is now considered a core part of many organizations’ application platforms. The flexibility and scalability of containerized environments make deploying applications as microservices in containers very attractive and Kubernetes has emerged as the orchestrator of choice for many. Azure offers Azure Kubernetes Service (AKS) where your Kubernetes cluster is managed and integrated into the platform. In this blog we are going to look at how you can use Microsoft Sentinel to monitor your AKS clusters for security incidents. \n   \n   \n Overview \n   \n There are several sources that you can use to help monitor your AKS cluster, of which you can deploy one or several in tandem depending on your environment and the security posture of your organization. 
We will be looking at the following detection sources that you can integrate into Sentinel: \n   \n \n Azure Security Center (ASC) AKS threat protection \n Azure Diagnostics logs \n Third party tool alert integration \n \n   \n Below is a diagram illustrating how these different sources integrate into Microsoft Sentinel: \n   \n \n   \n Before we dive into each of these sources, I want to mention an excellent piece of work created by my colleague Yossi Weizman where he created a threat matrix for Kubernetes clusters, aligned to the MITRE ATT&CK framework. You can read his full article here but we will refer to this threat matrix when assessing whether you have considered if this scenario is applicable to your AKS implementation, and if it is, how you can get visibility of this happening in your environment. \n   \n   \n \n   \n Azure Security Center (ASC) AKS threat protection \n   \n Azure Security Center Standard has threat protection built-in for the resources that it monitors. ASC has an optional Kubernetes bundle that you can enable, and ASC threat protection will look at your AKS cluster for signs of suspicious activity. To enable the AKS bundle in ASC, go to \"Pricing & settings\", select the subscription and make sure the \"Kubernetes\" resource type is enabled, as per the below: \n   \n \n   \n (The ASC Kubernetes bundle also provides security configuration and hardening recommendations for your AKS cluster, but that is outside the scope of this blog post. You can read more about this here.) \n   \n If you have already connected ASC threat alerts to your Azure Sentinel workspace via the native ASC connector these AKS threat alerts will also be sent directly into Microsoft Sentinel. 
Some of the threats that ASC can detect in your AKS cluster are below: \n   \n \n Container with a sensitive volume mount detected \n Digital currency mining container detected \n Exposed Kubernetes dashboard detected \n \n   \n For an up-to-date list of ASC AKS-specific detections, please go here. \n   \n   \n Azure Diagnostics logs \n   \n If you have use cases not covered by ASC threat detections, you can also turn on AKS diagnostic logs and send them to a Log Analytics workspace (you may notice that some documents referenced here refer to Azure Monitor. Note that Log Analytics is part of the larger Azure Monitor platform.) Follow the steps found here to enable resource logging. The logs that can be retrieved from AKS in this manner include: \n   \n \n kube-apiserver \n kube-controller-manager \n kube-scheduler \n kube-audit \n cluster-autoscaler \n \n   \n After you have enabled the logging to be sent to your Log Analytics workspace, you can start to run detections on these logs. These logs will be sent to the AzureDiagnostics table. \n   \n Let’s look at a basic query you can run on these logs in Sentinel to look at (in this case) an NGINX pod: \n   \n   \n   \n   \n   \n   \n AzureDiagnostics\n| where Category == \"kube-apiserver\"\n| where log_s contains \"pods/nginx\"\n| project log_s \n   \n   \n   \n   \n   \n   \n Now let’s look at some more security-focused queries that you can run on AKS logs. 
Note that we are using the threat matrix mentioned earlier in this blog as a guide for the manner of detections one may require on an AKS cluster: \n   \n   \n   \n   \n   \n   \n # query for cluster-admin clusterrolebinding + extend columns\n# detects: kubectl create clusterrolebinding my-svc-acct-admin --clusterrole=cluster-admin\n\nAzureDiagnostics\n| where Category == \"kube-audit\"\n| where parse_json(log_s).verb == \"create\"\n| where parse_json(tostring(parse_json(tostring(parse_json(log_s).requestObject)).roleRef)).name == \"cluster-admin\"\n| where parse_json(tostring(parse_json(log_s).requestObject)).kind == \"ClusterRoleBinding\"\n| extend k8skind = parse_json(tostring(parse_json(log_s).requestObject)).kind\n| extend k8sroleref = parse_json(tostring(parse_json(tostring(parse_json(log_s).requestObject)).roleRef)).name\n| extend k8suser = parse_json(tostring(parse_json(log_s).user)).username\n| extend k8sipaddress = parse_json(tostring(parse_json(log_s).sourceIPs))[0]\n \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n # query for CronJob creation\n\nAzureDiagnostics\n| where Category == \"kube-audit\"\n| where parse_json(log_s).verb == \"create\"\n| where parse_json(tostring(parse_json(log_s).requestObject)).kind == \"CronJob\" \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n # query for actions from standard user account (az aks get-credentials)\n\nAzureDiagnostics\n| where Category == \"kube-audit\"\n| project log_s\n| where parse_json(tostring(parse_json(log_s).user)).username == \"masterclient\" \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n # query for specific source IP\n\nAzureDiagnostics\n| where Category == \"kube-audit\"\n| project log_s\n| where parse_json(tostring(parse_json(log_s).sourceIPs))[0] == \"192.168.1.1\" \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n # query for RBAC result (allow, deny, etc.)\n\nAzureDiagnostics\n| where Category == \"kube-audit\"\n| project log_s\n| where 
parse_json(log_s).verb == \"create\"\n| where parse_json(tostring(parse_json(log_s).annotations)).[\"authorization.k8s.io/decision\"] == \"allow\" \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n   \n # query for Azure RBAC AKS role assignment\n\nAzureActivity\n| where OperationName == \"Create role assignment\"\n| extend RoleDef = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).Properties)).RoleDefinitionId)\n| extend Caller = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).Properties)).Caller)\n| where RoleDef contains \"8e3af657-a8ff-443c-a75c-2fe8c4bcb635\" or RoleDef contains \"b24988ac-6180-42a0-ab88-20f7382dd24c\"\n| extend AccountCustomEntity = Caller\n| extend IPCustomEntity = CallerIpAddress\n| extend URLCustomEntity = HTTPRequest\n| extend HostCustomEntity = ResourceId \n   \n   \n   \n   \n   \n   \n Note that the two role definition IDs in the last query are the built-in Owner and Contributor roles, and the query does not filter on resource type, so it returns those assignments at any scope rather than only on AKS resources; add a scope filter if you want AKS-only results. \n   \n Of course, this is just a start – there are many more AKS detections you could create with these logs that will be specific to your organization’s use cases and environment. \n   \n   \n Third party tools \n   \n If you are using a third-party Kubernetes monitoring tool, this can also be integrated into Sentinel. At the time of writing, we already have a native connector for Alcide kAudit, but look for more native integrations to come in the future! \n   \n Remember, if you are using a third party tool that does not yet have a native connector in Sentinel, you can still integrate the logs using a custom connector. For example, Twistlock offers a number of ways to pull the audit events from the product itself. \n   \n   \n Summary \n   \n Sentinel offers many options for monitoring AKS clusters, so we recommend that you look at your organization’s environment and the tools you have available to decide on a strategy that works best for you. Do you have some AKS-specific detections, Workbooks or something else to share? 
Please contribute to our GitHub repo here and share with the community! \n   \n With thanks to George__Wilburn for his AKS queries and Nicholas DiCola (SECURITY JEDI) and Chi Nguyen for their comments and feedback on this article. ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"8559","kudosSumWeight":8,"repliesCount":2,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xNTgzMjA0LTIxMTk0OGk0OTNBRDQ1M0RCQ0U3QzhD?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xNTgzMjA0LTIxMTk0OWkwRDc3MTYwOEMyQTkzODg5?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xNTgzMjA0LTIxMTk0NGk0QzUzN0E0RTAxMkE5M0FE?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS0xNTgzMjA0LTIxMTk0NmlCNDlFMDI1MUY1RTdDMEQy?revision=16\"}"}}],"totalCount":4,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"Conversation:conversation:996229":{"__typename":"Conversation","id":"conversation:99622
9","topic":{"__typename":"BlogTopicMessage","uid":996229},"lastPostingActivityTime":"2024-02-15T23:45:38.330-08:00","solved":false},"User:user:129678":{"__typename":"User","uid":129678,"login":"Amar Patel (C AND E)","registrationData":{"__typename":"RegistrationData","status":null},"deleted":false,"avatar":{"__typename":"UserAvatar","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/m_assets/avatars/default/avatar-11.svg?time=0"},"id":"user:129678"},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTI3aUI5MzJFREUxOURDRDUwREI?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTI3aUI5MzJFREUxOURDRDUwREI?revision=16","title":"Palo Alto Alert Rule.png","associationType":"TEASER","width":936,"height":524,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTE1aUI1NDlENzlBMjA3MDIxM0U?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTE1aUI1NDlENzlBMjA3MDIxM0U?revision=16","title":"RCW1.png","associationType":"BODY","width":884,"height":648,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTE4aTQ5N0JDQTgwMEJERjExNDY?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTE4aTQ5N0JDQTgwMEJERjExNDY?revision=16","title":"RCW2.png","associationType":"BODY","width":883,"height":640,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTI2aTI1N0I2M0FFNTYwQkRFRjU?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTI2aTI1N0I2M0FFNTYwQkRFRjU?revision=16","title":"RCW3.png","associationType":"BODY","width":884,"
height":636,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTIwaTQzQjFBOTMyNjQwNzNBMzM?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTIwaTQzQjFBOTMyNjQwNzNBMzM?revision=16","title":"RQ1.png","associationType":"BODY","width":522,"height":212,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU2MTkyaTY4RTM3NEFENkVDQTg1QTE?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU2MTkyaTY4RTM3NEFENkVDQTg1QTE?revision=16","title":"RQ2.png","associationType":"BODY","width":557,"height":213,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTI0aTI1MUY2OUVGMTBCMTcyNjE?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTI0aTI1MUY2OUVGMTBCMTcyNjE?revision=16","title":"RCW4.png","associationType":"BODY","width":883,"height":635,"altText":null},"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTI1aUE1MTkwNDRBOEQ0NEM1M0Q?revision=16\"}":{"__typename":"AssociatedImage","url":"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTI1aUE1MTkwNDRBOEQ0NEM1M0Q?revision=16","title":"Palo Alto Alert Rule.png","associationType":"BODY","width":936,"height":524,"altText":null},"BlogTopicMessage:message:996229":{"__typename":"BlogTopicMessage","subject":"Using the new built-in URL detonation in Azure 
Sentinel","conversation":{"__ref":"Conversation:conversation:996229"},"id":"message:996229","revisionNum":16,"uid":996229,"depth":0,"board":{"__ref":"Blog:board:MicrosoftSentinelBlog"},"author":{"__ref":"User:user:129678"},"teaser@stripHtml({\"removeProcessingText\":true,\"truncateLength\":-1})":" Learn how to setup and use the new built-in URL detonation in Azure Sentinel. \n   \n \n   ","introduction":"","metrics":{"__typename":"MessageMetrics","views":23860},"postTime":"2019-11-11T09:52:27.906-08:00","lastPublishTime":"2021-11-02T17:43:57.868-07:00","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})":" Last week at Ignite, we announced the public preview of URL detonation in Azure Sentinel. This blog post provides more details on its benefits and how to enable it. \n   \n Security operations center (SOC) analysts constantly face the challenge of determining where to focus. URL detonation provides insights that can enable SOC analysts to triage alerts faster. For example, logs ingested by Azure Sentinel can contain URLs. For alerts that include a URL (e.g., a URL visited by a user from within the corporate network), that URL can be automatically detonated to gain added insight that can help accelerate the triage process. \n   \n With Azure Sentinel, URL detonation is built-in and is seamlessly integrated, eliminating the need to stitch together separate SIEM and detonation products. \n   \n The sections that follow provide a step-by-step overview of how to enable integrated URL detonation. \n   \n Enabling URL detonation \n   \n When creating scheduled alert rules, any URL data in the query results can be mapped to the newly available URL entity type. Whenever an alert containing a URL fires, the mapped URL is automatically detonated, and the investigation graph is immediately enriched with the detonation results. 
\n   \n Mapping URL entities \n   \n To map URLs from logs to the URL entity type, navigate to the Analytics blade. At the top of the blade, click +Create and select Scheduled query rule to navigate to the Rule creation wizard. Click Set rule logic. In the Rule query field, you can reference any log that contains a column of URLs.  We’ll illustrate this by entering “CommonSecurityLog” in the Rule query field. After entering “CommonSecurityLog”, you’ll notice that the Choose column drop down for the URL entity type in the Map entities section is enabled. \n   \n \n   \n In “CommonSecurityLog”, there is a column called “RequestURL” that contains URLs. To map this column to the URL entity type, select it in the Choose column drop down and click Add. \n   \n \n   \n Once the column is added, the following code is automatically added to your Rule query. It maps the column of interest to the URL entity denoted by “URLCustomEntity”. \n   \n   \n CommonSecurityLog\n| extend URLCustomEntity = RequestURL \n   \n   \n The Rule query will look like this and the URL entity type will be mapped as defined in the Rule query: \n   \n \n    \n To verify that the selected column contains well-formed URLs required for detonation, click View Query results > located below the Rule query field to navigate to the Logs blade where you can run the query. 
Inspecting the query results, you’ll notice that the URLs in the “URLCustomEntity” column are missing the protocol identifier: \n   \n \n    \n Here’s an example of how you can append the protocol identifier to the URL to create a well-formed URL for detonation (Note: As an example, you’ll need to do this step for Palo Alto logs in CEF format): \n   \n   \n CommonSecurityLog\n| extend Url = case(ApplicationProtocol == \"ssl\" and RequestURL !startswith \"https://\", strcat(\"https://\", trim ('\"', RequestURL)), ApplicationProtocol == \"web-browsing\" and RequestURL !startswith \"http://\", strcat(\"http://\", trim ('\"', RequestURL)), RequestURL)\n| extend URLCustomEntity = Url \n   \n   \n You can test this directly in the Logs blade to validate the formatting: \n   \n \n   \n The final Rule query will look like this: \n   \n \n   \n You can then configure the other parameters, review everything, and then finish creating your Rule. \n   \n Viewing detonation results in the Investigation blade \n   \n Once you’ve activated your Rule, you can navigate to the Incidents blade, select any Incident associated with your Rule, and click Investigate to view the detonation results in the Investigation blade. \n   \n The Investigation blade will include a graph with a node for the detonated URL as well as the following information: \n   \n \n URL – the original detonated URL. \n DetonationVerdict – the high-level Boolean determination from detonation. ‘Bad’ means the site was classified as hosting malware/phishing content. \n DetonationFinalUrl – the final observed landing page URL after all redirects from the original URL. \n DetonationScreenshot – what the page looked like at the time the alert fired; you can click the screenshot to enlarge. \n \n   \n \n   \n Conclusion \n   \n URL detonation provides deeper insights that enable faster triage of alerts. Moreover, with Azure Sentinel, it’s seamlessly integrated and easy to enable. 
As a final tip, if you don’t see URLs in your logs, check that URL logging (e.g., threat logging) is enabled for your secure web gateways, web proxies, firewalls, or legacy IDS/IPS. You can also create custom logs to channel URLs of interest into Azure Sentinel. \n   ","body@stripHtml({\"removeProcessingText\":true,\"removeSpoilerMarkup\":true,\"removeTocMarkup\":true,\"truncateLength\":-1})@stringLength":"4955","kudosSumWeight":7,"repliesCount":4,"readOnly":false,"images":{"__typename":"AssociatedImageConnection","edges":[{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDE","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTI3aUI5MzJFREUxOURDRDUwREI?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDI","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTE1aUI1NDlENzlBMjA3MDIxM0U?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDM","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTE4aTQ5N0JDQTgwMEJERjExNDY?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDQ","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTI2aTI1N0I2M0FFNTYwQkRFRjU?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDU","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTIwaTQzQjFBOTMyNjQwNzNBMzM?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDY","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU2MTkyaTY4RTM3NEFENkVDQTg1QTE?revision=16\"}"}},{"__typename":"AssociatedImage
Edge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDc","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTI0aTI1MUY2OUVGMTBCMTcyNjE?revision=16\"}"}},{"__typename":"AssociatedImageEdge","cursor":"MjUuM3wyLjF8b3wyNXxfTlZffDg","node":{"__ref":"AssociatedImage:{\"url\":\"https://techcommunity.microsoft.com/t5/s/gxcuf89792/images/bS05OTYyMjktMTU1OTI1aUE1MTkwNDRBOEQ0NEM1M0Q?revision=16\"}"}}],"totalCount":8,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"videos":{"__typename":"VideoConnection","edges":[],"totalCount":0,"pageInfo":{"__typename":"PageInfo","hasNextPage":false,"endCursor":null,"hasPreviousPage":false,"startCursor":null}},"coverImage":null,"coverImageProperties":{"__typename":"CoverImageProperties","style":"STANDARD","titlePosition":"BOTTOM","altText":""}},"CachedAsset:text:en_US-components/community/Navbar-1745505307000":{"__typename":"CachedAsset","id":"text:en_US-components/community/Navbar-1745505307000","value":{"community":"Community Home","inbox":"Inbox","manageContent":"Manage Content","tos":"Terms of Service","forgotPassword":"Forgot Password","themeEditor":"Theme Editor","edit":"Edit Navigation Bar","skipContent":"Skip to content","gxcuf89792":"Tech Community","external-1":"Events","s-m-b":"Nonprofit Community","windows-server":"Windows Server","education-sector":"Education Sector","driving-adoption":"Driving Adoption","Common-content_management-link":"Content Management","microsoft-learn":"Microsoft Learn","s-q-l-server":"Content Management","partner-community":"Microsoft Partner Community","microsoft365":"Microsoft 365","external-9":".NET","external-8":"Teams","external-7":"Github","products-services":"Products","external-6":"Power Platform","communities-1":"Topics","external-5":"Microsoft Security","planner":"Outlook","external-4":"Microsoft 365","external-3":"Dynamics 
tive"}]}