microsoft defender for identity
Insecure Protocol Workbook
Greetings, maybe most orgs have already eliminated insecure protocols and this workbook is no longer functional? I have it added and it appears to be collecting, but when I go to open the template it is completely empty. Is the Insecure Protocol (aka IP) workbook still supported, and if so, is there any newer documentation than the blog from 2000 around it? I am hoping to identify NTLM by user and device, as the domain controllers are all logging this and the MDI agents on them are forwarding this data to Defender for Identity and Sentinel.

Microsoft Defender XDR / Defender for Endpoint data connectors inconsistent failures
Hello, We are deploying our SOC (Sentinel) environments via Bicep. Now the Defender XDR (MicrosoftThreatProtection) and Defender for Endpoint (MicrosoftDefenderAdvancedThreatProtection) data connectors are failing to deploy inconsistently. It seems to be a known issue according to the following posts:

- https://github.com/Azure/SimuLand/issues/23
- https://techcommunity.microsoft.com/t5/microsoft-sentinel/quot-missing-consent-invalid-license-quot-defender-for-endpoint/m-p/3027212
- https://github.com/Azure/Azure-Sentinel/issues/5007

Next to this issue, I see almost no development on the data connectors API. Is there any news on how to enable data connectors in an automated way in the future, since it seems to be moving to Content Hub? It is hard to find any docs about how to deploy this, for example via Bicep!

Also I have a question regarding the 'Tenant-based Microsoft Defender for Cloud (Preview)' data connector. We deploy this now via the GenericUI data connector kind, but this has no option to enable it via automation. Same as the question in the previous paragraph: how would this be made possible?

Sentinel missing Entra ID risky user
Greetings, I feel I need to get some input on a serious omission I came across today on Sentinel's part. A user had somehow gotten fed up with MFA notifications on the Microsoft Authenticator (we use number matching), and the user opted to deny several notifications. This caused Entra ID Protection to flag the user as compromised and lock the user's account. So far everything went according to plan. However, none of this appeared in our Sentinel tenant, which has a data connector to Entra ID Protection and is reporting other Entra ID Protection events. Since we do not have SOC monitoring on anything but Sentinel, this omission caused the user to be denied access to Office 365 for longer than was intended. So far I've dug up the event from the AADUserRiskEvents Log Analytics table, which lists the event as expected. But there is no listing in any Sentinel-related tables like SecurityAlert, and there is no trace whatsoever in Sentinel of the incident in question. Am I missing something, or is there a bug somewhere? Regards, Fredrik

Disable Honeytoken Account using Microsoft Sentinel Automation Rule
New blog post: How to Disable Honeytoken Account in AD and Entra ID using Automation Rule in Microsoft Sentinel: https://www.linkedin.com/pulse/disable-honeytoken-account-using-microsoft-sentinel-rule-elie-karkafy

Microsoft 365 Defender for Business logs into Microsoft Sentinel
Hi Community, One of our customers raised the below query: Is there a way we can include Microsoft 365 Defender for Business logs into Microsoft Sentinel? Do we have any connectors? Any pointers would be of great help. Thanks!

What is the difference in Sentinel connectors Azure Active Directory and AAD Identity Protection
What is the difference between the Sentinel connectors Azure Active Directory and AAD Identity Protection? As you can see above, Azure AD also provides logs related to risky users and user risk events, so what is the major difference between the two?

UEBA - Active Directory (Preview)
All, We have a few activity rules which rely on specific SIDs of well-known groups etc. It is unclear to me which source is needed to enable those activity rules. There is also a preview for Active Directory, but in the Microsoft docs I do not see any information besides toggling the option to On 🙂 I have the following questions:

1. What will be ingested when you enable the Active Directory (preview)? In which UEBA tables?
2. Which activity rules rely on the Active Directory (preview) data source?
3. UEBA also relies on security events ingestion; we ingest those events already from our domain controllers with the common setting.
4. Will there be an overlap of security events which will be ingested?

AND from Defender we also ingest the following 3 tables into Sentinel: IdentityLogonEvents; IdentityQueryEvents; IdentityDirectoryEvents. Is this overkill, or is there a best practice available when you utilize all these data sources from your Domain Controllers? Regards, Arjan

Azure Sentinel Side by Side with QRadar
Hi, quick question: in the "Event Filter" on QRadar we add: vendorInformation/provider eq 'Azure Sentinel' to get Sentinel events, but is it possible to include other Azure instances such as Cloud App, Identity, etc.? I mean, like: provider eq 'Azure Sentinel, MCAS, IPS'. Thank you