investigation
44 Topics

I am learning to build Logic Apps working with Sentinel inc
Hello, I am learning to build Logic Apps. The tasks will mainly involve querying Log Analytics and writing comments in incidents. How can I do this securely? I understand that I need to add the Sentinel Contributor role for the Logic App, but what next? If I need the Logic App to be able to query, do I need to give it additional access, such as Log Analytics Contributor or Reader?

When I want to create a connection, I have three options:

OAuth - I see that I log in with my account, and then the Logic App has access to what I have access to. Is this secure?

Service Principal - I need to register an application and create a secret for it, then grant this application access to Sentinel. Can I use a single Service Principal for all Logic Apps? I understand that secrets need to be rotated – does this affect my Logic Apps? Will I need to update something to ensure everything works properly?

Managed Identity - Does this only work within the specific Logic App? This seems like the best solution, but I managed to add a new Managed Identity to query Log Analytics, and in the next step, I wanted it to add tasks to an incident in Sentinel, and unfortunately, it didn't work. (However, I changed the last step and added it via OAuth, and it worked, allowing the Logic App to add tasks to the incident in Sentinel.)

This is one of the examples I am working on: https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Get-SOCTasks/readme.md

adding role assignment

It would be great if you could share your experiences! Thank you

Some Sentinel Incident from Microsoft Defender 365 are not retrieving Alerts & Entities
Hello, for some incidents (from the Microsoft Defender 365 connector, product name: Microsoft Defender for Office 365), in Sentinel we face an error: "There was an error retrieving some of the alert information. Please try again later. If the problem persist, contact Microsoft support." The alert is not shown in logs when searching using the AlertID, and no Entities are found. Thanks

Handling Entity Data in Sentinel
So, I have set up some playbooks that allow me to add IPs/Domains/File Hashes to the MDE Indicators list, which is awesome to have and saves time when we need to block malicious entities. However, I have not found a great way for Sentinel to give me more information regarding File Hashes. Really, my main worry with just a list of hashes in an incident is not knowing the file name for each hash, like so:

So, in this case, I am to just assume that both file hashes go to the 'FileCoAuth' file. Easy enough. But, are there ever cases where something like msedge.exe shows up in this list of file hashes? Right now, I feel like in this 'Info' tab, it might be more helpful to have 'File Name', but I might be looking at this all wrong. I guess I am just looking for some guidance on this entity so that I don't accidentally block the wrong file and end up breaking systems. Even if these hashes only ever correspond to the one file entity in the incident, I am still a bit confused at how little data comes over into this. Even for the File entity:

Great, I know the name of the file and the path. However, over in Defender, I get TONS of info for the file, including all the hashes connected to it, first seen / last seen, basic VirusTotal info, and a bunch of other items. Am I expecting too much by hoping that we wouldn't have to jump over to Defender? We set up Sentinel with the hopes of making it the go-to, but still find ourselves going right back to Defender for investigations, and I wasn't sure if there was something that I am missing in this setup, or if there was a way to get more data enrichment without having to pay VirusTotal's insane bill (we are an SMB and were quoted 90k per year, minimum). Even then, when Defender has some of the basic VirusTotal info, I was hoping Sentinel would have that and more.

User missing from incident owners
Greetings, I cannot understand an issue I'm facing. In our small team of SOC analysts I, as a manager, am unable to add incidents to one of the analysts. His account isn't listed as a possible owner and isn't found when searching for it. He can take ownership of incidents himself but cannot be assigned by someone else. Where exactly does Sentinel get the possible owners from? Both analysts have native Entra ID accounts and the same roles in Sentinel and the LA workspace.

Peace,
Fredrik

Query All Logs/sources for Credit Card Numbers
We thought this might be something that Microsoft Sentinel could have some built-in functionality for, but it seems we cannot find it. We are looking to be able to query all of our log sources for any credit card numbers, but I cannot seem to think of a great way to do this, and I don't believe union is possible in an analytics rule. Has anyone else created logic in KQL to potentially solve this gap in the solution? Happy to post our regex here as well:

(.*)((?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14}|3[47][0-9]{13}|6(?:011|5[0-9]{2})[0-9]{12}))(.*)

Common Goal:
1. Query the log source(s) for the specific regex
2. Parse the field identified as matching the regex so we can capture where it matches and go from there, not just that a "match exists"

This seems rather easy but also... struggling to think of a good way to make this happen, especially across all log sources rather than querying one table at a time.

Identify all the alerts related to an entity and close it
Hi, I know we can identify and close alerts from the Sentinel Incidents page; however, clicking on every alert to find which entities those alerts are associated with and then selecting "close" is tedious. I am trying to find a way to identify all the alerts related to an entity and bulk close them. Let me know if there is a way to do so. Thanks!!

assigning sentinel incidents to users within managed tenant
I am running an MSSP service and I have onboarded clients via Lighthouse, hence I do not have direct access to users within the client's Entra ID. As part of my Incident Response service there are a few incidents that I want to assign to the client so that they could work on them. Unfortunately I cannot see any of their users when I look for assigning the incidents. Hence I want to know the possibility of assigning the incidents.

How can DLP alerts be filtered before reaching into Alerts and Incidents table in Sentinel?
Goal - how to stop DLP alerts before they reach the tables. Not interested in using any automation or playbooks. There is a single data connector which has Defender suite alerts. Even if no DLP alerts and incidents are enabled, they reach the alerts and incidents tables. No analytics rules are enabled. We have separate teams for SOC and DLP under different organizations, and every team needs to see their own alerts. How do we stop them reaching the tables in Sentinel?