need to create monitoring queries to track the health status of data connectors
I'm working with Microsoft Sentinel and need to create monitoring queries to track the health status of data connectors. Specifically, I want to:
- Identify unhealthy or disconnected data connectors
- Determine when a data connector last lost connection
- Get historical connection status information

What I'm looking for:
- A KQL query that can be run in the Sentinel workspace to check connector status, OR a PowerShell script/command that can retrieve this information
- Ideally, something that can be automated for regular monitoring

- Looking at the SentinelHealth table, but unsure about the exact schema, connector, etc.
- Checking if there are specific tables that track connector status changes
- Using Azure Resource Graph or management APIs

I've tried multiple approaches (KQL, PowerShell, Resource Graph); however, I somehow cannot get the information I'm looking to obtain. Please assist with this. For example, I see this Microsoft docs page, https://learn.microsoft.com/en-us/azure/sentinel/monitor-data-connector-health#supported-data-connectors; however, I would like my query to state data such as:
- Last ingestion of tables?
- How much data has been ingested by specific tables and connectors?
- What connectors are currently connected?
- The health of my connectors?

Please help.

ASIM built-in functions in Sentinel, are they updated automatically?
Are the ASIM built-in functions in Sentinel automatically updated? For example, the built-in parsers such as those for DNS, NetworkSession, and WebSession. Do the built-in ones receive automatic updates, or will the workspace-deployed versions of these parsers be the most up-to-date? And if true, would it be recommended to use the workspace-deployed version of parsers that already come built-in?

Device Tables are not ingesting tables for an org's workspace
Device Tables are not ingesting tables for an org's workspace. I can confirm that all devices are enrolled and onboarded to MDE (Microsoft Defender for Endpoint). I had placed an EICAR file on one of the machines, which brought an alert through to Sentinel; however, this did not invoke any of the device-related tables.

Workspace I am targeting

Workspace from another org with tables enabled and ingesting data

The Microsoft Defender XDR connector shows as connected; however, the tables do not seem to be ingesting data. I run the following:

    DeviceEvents
    | where TimeGenerated > ago(15m)
    | top 20 by TimeGenerated

    DeviceProcessEvents
    | where TimeGenerated > ago(15m)
    | top 20 by TimeGenerated

I receive no results:

    No results found from the specified time range
    Try selecting another time range

Please assist, as I cannot think where this is failing.

Cannot access aka.ms/lademo
Hello team, I am Nikolas. I am learning KQL for Microsoft Sentinel. As far as I know, we can access aka.ms/lademo for demo data. However, I cannot access the demo. I tried using a VPN and accessing the page from many other devices with different IP addresses and a different account, but it does not work. Can you help to confirm whether this link is still accessible? I could access the resource last week, but not this week. I am looking forward to hearing from you.

Constant Noninteractive sign in attempts from Microsoft IPs
In noninteractivesigninlogs, we're seeing a bunch of attempts made to sign in to our admin accounts rejected with error codes 500131 and 500133, coming from 4.231.207.170 and 2a01:111:f400:fe13::100 (Microsoft datacentre IPs), device type "Windows 10"; resources are ComplianceAuthServer/Office 365 Exchange Online. What are we seeing here: is this a misconfiguration on the Microsoft side, or an attack?

Need assistance in parsing fields
I have a table named ReconDarknetDetectionAlerts_CL with a field "Table_s". It is not parsed properly.

    Table_s = [{"headers":["Email","Hash Type","Password Length","Breach Name","Breach Date"],"table_description":"Leaked Credentials Info","values":[["email address removed for privacy reasons","plain",8,"leaked-credentials","2023-07-21 00:00:00"],["email address removed for privacy reasons","plain",9,"leaked-credentials","2023-07-21 00:00:00"]]}]

Expected Output:

    Email                                              | Breach Date         | Password Length
    mailto:email address removed for privacy reasons   | 2023-07-21 00:00:00 | 8
    mailto:email address removed for privacy reasons   | 2023-07-21 00:00:00 | 9
    mailto:email address removed for privacy reasons   | 2023-07-21 00:00:00 | 9

Query tried so far is:

    ReconDarknetDetectionAlerts_CL
    | mv-expand data = parse_json(tables_s)
    | project Email = tostring(data.values[0][0]),
              HashType = tostring(data.values[0][1]),
              PasswordLength = toint(data.values[0][2]),
              BreachName = tostring(data.values[0][3])

Challenge seen is that only the first set of values is captured by the above query.

Output:

    Email                                              | Breach Date         | Password Length
    mailto:email address removed for privacy reasons   | 2023-07-21 00:00:00 | 8

Logs in Sentinel show all Operation logs for external users only
Greetings all. Sentinel in Azure shows all Operation logs only for external users, but not for internal ones. Is it because of policies, or what could be the reason? For example, it shows when a message is sent in Teams from an external user but not from an internal one.

New Blog Post | Must Learn KQL Updates – July 22, 2022
https://rodtrent.com/iwi

Here's what's updated this past week.

Series Updates

Due to some DNS issues, all links in all chapters were updated. (See https://github.com/rod-trent/MustLearnKQL for links to all chapters.) There were also some minor changes in the content and images. Again, thanks to using DevOps for publishing, these changes were suggested through the Issues option on GitHub.

Due to the types of changes, this required updating of the various electronic and physical copies of the series.

The free, downloadable (PDF) eBook is now at version 4.0: https://github.com/rod-trent/MustLearnKQL/tree/main/Book_Version

The Kindle version (https://amzn.to/3RNv3OC) has been updated and automatically deployed to those that purchased it.

Both the Paperback (https://amzn.to/3z32HY1) and Hardcover (https://amzn.to/3IZRQmf) versions have been updated. Only new purchases will get the updated version. However, the changes were really about links, which can't be accessed from physical copies anyway.