microsoft defender for endpoint
47 Topics

Issue when ingesting Defender XDR table in Sentinel

Hello, We are migrating our on-premises SIEM solution to Microsoft Sentinel since we have E5 licences for all our users. The integration between Defender XDR and Sentinel convinced us to make the move. We have a limited budget for Sentinel, and we found out that the Auxiliary/Data Lake feature is sufficient for verbose log sources such as network logs. We would like to retain Defender XDR data for more than 30 days (the default retention period). We implemented the solution described in this blog post: https://jeffreyappel.nl/how-to-store-defender-xdr-data-for-years-in-sentinel-data-lake-without-expensive-ingestion-cost/ However, we are facing an issue with 2 tables: DeviceImageLoadEvents and DeviceFileCertificateInfo. The tables forwarded by Defender to Sentinel are empty, like this row: We created a support ticket but so far, we haven't received any solution. If anyone has experienced this issue, we would appreciate your feedback. Lucas

Device Tables are not ingesting tables for an org's workspace

Device Tables are not ingesting tables for an org's workspace. I can confirm that all devices are enrolled and onboarded to MDE (Microsoft Defender for Endpoint). I had placed an EICAR file on one of the machines, which brought an alert through to Sentinel; however, this did not invoke any of the device-related tables.
Workspace I am targeting
Workspace from another org with tables enabled and ingesting data
The Microsoft Defender XDR connector shows as connected; however, the tables do not seem to be ingesting data. I run the following:

DeviceEvents
| where TimeGenerated > ago(15m)
| top 20 by TimeGenerated

DeviceProcessEvents
| where TimeGenerated > ago(15m)
| top 20 by TimeGenerated

I receive no results: "No results found from the specified time range Try selecting another time range". Please assist, as I cannot think where this is failing.

Microsoft 365 Defender alerts not capturing fields (entities) in Azure Sentinel

We got an alert from 365 Defender to Azure Sentinel (A potentially malicious URL click was detected). To investigate this alert we have to check in the 365 Defender portal. We noticed that entities are not being captured (user, host, IP). How can we resolve this issue? Note: This is not a custom rule.

Insecure Protocol Workbook

Greetings, maybe most orgs have already eliminated insecure protocols and this workbook is no longer functional? I have it added and it appears to be collecting, but when I go to open the template it is completely empty. Is the Insecure Protocol (aka IP) workbook still supported, and if so, is there any newer documentation than the blog from 2000 around it? I am hoping to identify NTLM by user and device, as the domain controllers are all logging this and the MDI agents on them are forwarding this data to Defender for Identity and Sentinel.

Azure Sentinel - Run Antivirus Scan using Logic App (Solved)

Hello, I have to integrate an antivirus run scan into Azure Sentinel using a playbook (template Run MDE Antivirus - Incident Trigger). According to the prerequisites, I need to grant some permissions using a PowerShell command. "Run the following code replacing the managed identity object id. You find the managed identity object id on the Identity blade under Settings for the Logic App." From PowerShell, I enter the following commands:

$MIGuid = '0fff8f4e-xxxx-xxxx-xxxx-xxxxxxxxxxxxx'
$MI = Get-AzureADServicePrincipal -ObjectId $MIGuid

I receive the following error message: Get-AzureADServicePrincipal: You must call the Connect-AzureAD cmdlet before calling any other cmdlets. Any idea? PS: I'm not a developer... Regards, HA

MDE DeviceNetworkEvents missing full URL for HTTPS traffic

Hi all, I've integrated Sentinel with some external TI feeds (like PhishTank, etc.) and collected MDE DeviceNetworkEvents. It seems that most (if not all) HTTPS traffic (URL) is not fully logged. Example: https://cloudflare-ipfs.com instead of https://cloudflare-ipfs.com/xxx.dat. PS: with HTTP traffic I got the full URL with path, etc. It means that the URL doesn't match when trying to compare the URL from the TI source (full URL) and the URL (partial) generated by the browser. The goal is to push the IOC (in this case the URL) into the Indicators list. I don't want to populate the indicator with a domain list because it can blacklist a full domain. Example: https://docs.google.com/presentation/d/e/2PACX-1vRGjFhr93UKVkVDMTd0C_wPzcFWTVxUN4SJk272Br_7T2eL48rH8QNQ9T5T3F9WtLyeYYnrSrvlbPlg/pub?start=false&loop=false&delayms=3000 It could be a phishing URL, but I don't want to blacklist the docs.google.com domain because it can contain valid URLs... Any idea? Regards, HA

I am trying to implement a Logic App - playbook with incident trigger.

Hello, I am trying to implement a Logic App - playbook with incident trigger. The logic app fails with the error: Failed to trigger playbook Caller is missing required playbook triggering permissions on playbook resource /resourceGroups/Test/providers/Microsoft.Logic/workflows/test2', or Microsoft Sentinel is missing required permissions to verify the caller has permissions. As I validated all the parameters and the permissions seem correct, I don't know what I am doing wrong.
- Sentinel settings are correct
- I gave Microsoft Sentinel permissions to run playbooks.
- added Microsoft Sentinel Responder (Identity playbook)
Please see screenshots. Not too sure why it says incident ARM ID missing? Many thanks for any ideas!

Sigma rules into content gallery (Solved)

Hello Community! I have been trying to work out a nice way to convert the Sigma rules available here: https://github.com/SigmaHQ/sigma/tree/master/rules which are compatible with https://github.com/AttackIQ/pySigma-backend-microsoft365defender, into analytic rules in Sentinel. After thinking it through for a while, it seems a much more sensible approach to convert these into rule templates. However, it seems that the only way to get rule templates in is via the content gallery. Is that correct? Before I embark on contributing a large pack of analytic rule templates, it makes me wonder why this hasn't been done already by someone more capable and enthusiastic than I am, but I can't find much in the way of this. It seems like all the pieces are there, so surely I can't be the first one to have this thought. Can anyone point me to something I am missing? Cheers, Jeremy.