Behavior Analytics, investigation Priority
Hello. Regarding the field investigation Priority in the Behavior Analytics table, what is the value that Microsoft considers high/critical enough to look into the user's account? By analyzing the logs I would say 7 or higher. If someone could tell me, thank you in advance.

Fetching alerts from Sentinel using logic apps
Hello everyone. I have a requirement to archive alerts from Sentinel. To do that I need to do the following:

- Retrieve the alerts from Sentinel
- Send the data to an external file share

As a solution, I decided to proceed with using Logic Apps, where I will be running a script to automate this process. My questions are the following:

-> Which API endpoints in Sentinel are relevant to retrieve alerts or to run KQL queries to get the needed data?
-> I know that I will need some sort of permissions to interact with the API endpoint. What type of service account inside Azure should I create, and what permissions should I provision to it?
-> Are there any existing examples of Logic Apps interacting with Microsoft Sentinel? That would be helpful for me as I am new to Azure.

Any help is much appreciated!

Handling Entity Data in Sentinel
So, I have set up some playbooks that allow me to add IPs/domains/file hashes to the MDE Indicators list, which is awesome to have and saves time when we need to block malicious entities. However, I have not found a great way for Sentinel to give me more information regarding file hashes. Really, my main worry with just a list of hashes in an incident is not knowing the file name for each hash, like so:

So, in this case, I am to just assume that both file hashes go to the 'FileCoAuth' file. Easy enough. But are there ever cases where something like msedge.exe shows up in this list of file hashes? Right now, I feel like in this 'Info' tab it might be more helpful to have 'File Name', but I might be looking at this all wrong. I guess I am just looking for some guidance on this entity so that I don't accidentally block the wrong file and end up breaking systems. Even if these hashes only ever correspond to the one file entity in the incident, I am still a bit confused at how little data comes over into this. Even for the File entity: great, I know the name of the file and the path. However, over in Defender, I get tons of info for the file, including all the hashes connected to it, first seen / last seen, basic VirusTotal info, and a bunch of other items. Am I expecting too much by hoping that we wouldn't have to jump over to Defender? We set up Sentinel with the hopes of making it the go-to, but still find ourselves going right back to Defender for investigations, and I wasn't sure if there was something that I am missing in this setup, or if there was a way to get more data enrichment without having to pay VirusTotal's insane bill (we are SMB and were quoted 90k per year, minimum). Even then, when Defender has some of the basic VirusTotal info, I was hoping Sentinel would have that and more.

Log Analytics Workspace Daily Cap
Hello everyone. I am new to Microsoft Sentinel, and I hope all of you are doing well. I set a daily cap limit on my Log Analytics workspace of 23 MB, as it was the lowest I could go in my test environment. I created alerts on that too, so that whenever the daily cap is reached I am notified via email. I wanted to know a couple of things. If I set the daily cap limit, it should stop ingesting data after reaching 23 MB, right? Consider that the data is coming from my Windows and Linux virtual machines via AMA. But I can see around 27 MB of data being ingested as of today. I want to know the reason behind it. If it is not stopping the ingestion of data, is there any rule that I can configure which forces this ingestion to stop? I have gone through all the alerts that are present in the Log Analytics workspace, but there is no option. Thanks in advance.

Best Regards,
Sharjeel Khan.

Microsoft 365 Defender alerts not capturing fields (entities) in Azure Sentinel
We got an alert from Microsoft 365 Defender in Azure Sentinel ("A potentially malicious URL click was detected"). To investigate this alert we have to check in the Microsoft 365 Defender portal. We noticed that entities are not being captured (user, host, IP). How can we resolve this issue? Note: this is not a custom rule.