I am learning to build Logic Apps working with Sentinel inc
Hello I am learning to build Logic Apps. The tasks will mainly involve querying Log Analytics and writing comments in incidents. How can I do this securely? I understand that I need to add the Sentinel Contributor role for the Logic App, but what next? If I need the Logic App to be able to query, do I need to give it additional access, such as Log Analytics Contributor or Reader? When I want to create a connection, I have three options: OAuth - I see that I log in with my account, and then the Logic App has access to what I have access to. Is this secure? Service Principal - I need to register an application and create a secret for it, then grant this application access to Sentinel. Can I use a single Service Principal for all Logic Apps? I understand that secrets need to be rotated – does this affect my Logic Apps? Will I need to update something to ensure everything works properly? Managed Identity - This only works within the specific Logic App? This seems like the best solution, but I managed to add a new Managed Identity to query Log Analytics, and in the next step, I wanted it to add tasks to an incident in Sentinel, and unfortunately, it didn't work. (However, I changed the last step and added it via OAuth, and it worked, allowing the Logic App to add tasks to the incident in Sentinel.) this is one of example i am working on. https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Get-SOCTasks/readme.md adding role assignment I would be great if you can share your experiences! thank you
Unified Security Operation Sentinel Vs Defender Tables
I have a question regarding the Unified SOC portal. In the session below, they highlighted one advantage: the ability to use Defender and Sentinel Tables together. However, both the SignInLogs and DeviceLogonEvents tables are already accessible in Sentinel through the Defender connector. Am I missing something, or did they use an incorrect example to demonstrate an advantage that Sentinel already provides? https://www.youtube.com/live/ndAKk8l5VMo?si=ZvUh21DaknXRYgXr&t=1223
Sentinel outage
Hi All , As we had a Sentinel outage last month (https://status.azure.com/en-us/status/history/ , I have been tasked to create a process to troubleshoot or validate the impact in MS Sentinel. I am wondering if you think of any steps to follow during such outages to validate and assess the impact .
