investigation
Handling Entity Data in Sentinel
So, I have set up some playbooks that allow me to add IPs/Domains/File Hashes to the MDE Indicators list, which is awesome to have and saves time when we need to block malicious entities. However, I have not found a great way for Sentinel to give me more information regarding File Hashes. Really, my main worry with just a list of hashes in an incident is not knowing the file name for each hash, like so:

So, in this case, I am to just assume that both file hashes go to the 'FileCoAuth' file. Easy enough. But are there ever cases where something like msedge.exe shows up in this list of file hashes? Right now, I feel like in this 'Info' tab it might be more helpful to have 'File Name', but I might be looking at this all wrong. I guess I am just looking for some guidance on this entity so that I don't accidentally block the wrong file and end up breaking systems. Even if these hashes only ever correspond to the one file entity in the incident, I am still a bit confused at how little data comes over into this. Even for the File entity:

Great, I know the name of the file and the path. However, over in Defender, I get TONS of info for the file, including all the hashes connected to it, first seen / last seen, basic VirusTotal info, and a bunch of other items. Am I expecting too much by hoping that we wouldn't have to jump over to Defender? We set up Sentinel with the hopes of making it the go-to, but we still find ourselves going right back to Defender for investigations, and I wasn't sure if there was something I am missing in this setup, or if there was a way to get more data enrichment without having to pay VirusTotal's insane bill (we are an SMB and were quoted 90k per year, minimum). Even then, when Defender has some of the basic VirusTotal info, I was hoping Sentinel would have that and more.

462 Views · 1 like · 0 Comments

Log Analytics Workspace Daily Cap

Hello everyone, I am new to Microsoft Sentinel, and I hope all of you are doing good. I set a daily cap limit of 23 MB on my Log Analytics workspace, as it was the lowest I could go in my test environment. I created alerts on that too, so that whenever the daily cap is reached I am notified via email. I wanted to know a couple of things. If I set the daily cap limit, it should stop ingesting data after reaching 23 MB, right? Consider that the data is coming from my Windows and Linux virtual machines via AMA. But I can see around 27 MB of data being ingested as of today. I want to know the reason behind it. If it is not stopping the ingestion of data, is there any rule that I can configure which forces this ingestion to stop? I have gone through all the alerts that are present in the Log Analytics workspace, but there is no option. Thanks in advance.

Best Regards,
Sharjeel Khan.

1.5K Views · 1 like · 5 Comments