McasShadowItReporting / Cloud Discovery in Azure Sentinel
Hi! I´m trying to Query the McasShadowItReporting Table, for Cloud App DISCOVERYs The Table is empty at the moment, the connector is warning me that the Workspace is onboarded to Unified Security Operations Platform So I cant activate it here I cant mange it via https://security.microsoft.com/, too The Documentation ( https://learn.microsoft.com/en-us/defender-cloud-apps/siem-sentinel#integrating-with-microsoft-sentinel ) Leads me to the SIEM Integration, which is configured for (for a while) I wonder if something is misconfigured here and why there is no log ingress / how I can query them
Sentinel Data Connector: Google Workspace (G Suite) (using Azure Functions)
I'm encountering a problem when attempting to run the GWorkspace_Report workbook in Azure Sentinel. The query is throwing this error related to the union operator: 'union' operator: Failed to resolve table expression named 'GWorkspace_ReportsAPI_gcp_CL' I've double-checked, and the GoogleWorkspaceReports connector is installed and updated to version 3.0.2. Has anyone seen this or know what might be causing the table GWorkspace_ReportsAPI_gcp_CL to be unresolved? Thanks!
Insecure Protocol Workbook
Greetings, maybe most orgs have already eliminated insecure protocols and this workbook is no longer functional? I have it added and it appears to be collecting but when I go to open the template it is completely empty. Is the Insecure Protocol aka IP still supported and if so is there any newer documentation than the blog from 2000 around it? I am hoping to identify ntlm by user and device as the domain controllers are all logging this and the MDI agents on them are forwarding this data to Defender for Identity and Sentinel.
DLP Alert Received, but no report.
Hi, I have received the following alert, but I am unable to locate the report in Compliance Centre. Can anyone give me guidance on where to look specifically? I only have default policies applied, but would like to look into this alert in more detail to understand what is happening and check it's legitimate. Many thanks, Pete A match of one or more of your organization’s policy rules has been detected. Report Id: xxxxxxx-0906-4c2e-887b-85cd0e68e117 Person who last modified document: Severity: High False positive: No Override: No Condition matched: External recipients Condition matched: Contains sensitive information
Add Search Results to alert details in Microsoft Sentinel
Hi everyone, I’m working with Microsoft Sentinel and looking to enhance my alerts by appending search results to the alert details. Specifically, I want to include the events that triggered these alerts in the SecurityAlert table for better context during investigations and for archival purposes. I came across this guide: https://learn.microsoft.com/en-us/azure/sentinel/customize-alert-details?tabs=azure, which explains how to customize alert details. However, it doesn’t clarify whether it’s possible to add search results directly to the alert details. Is there a way to achieve this? If so, what would be the best approach? I’d really appreciate any insights, best practices, or examples from those who have done something similar. Thanks in advance!
Problem running the Windows Feature Update Device Readiness Intune Report
I have a custom Intune role for our support staff. I want them to be able to run the Feature Update Device Readiness report. When they click on the Select target OS link, it shows "No data to display", instead of the OS list. They are able to click on Select scope tag and see a list of scope tags. Is there a permission they need that I'm missing? Here is what I have assigned for the custom role. Audit data Read Corporate device identifiers Create Delete Read Update Device compliance policies Read View Reports Device Configurations Read View Reports Endpoint Analytics Read Endpoint protection reports Read Enrollment programs Create device Delete device Read device Sync device Assign Profile Read Profile Managed apps Read Managed devices Delete Read Set Primary user Update View reports Organizations Read Remote tasks Clean PC Collect diagnostics Enable Windows IntuneAgent Get Filevault key Manage shared device users Reboot now Reset passcode Retire Set device name Sync devices Wipe Roles ReadFetching alerts from Sentinel using logic apps
Hello everyone, I have a requirement to archive alerts from sentinel. To do that I need to do the following: Retrieve the alerts from Sentinel Send the data to an external file share As a solution, I decided to proceed with using logic apps where I will be running a script to automate this process. My questions are the following: -> Which API endpoints in sentinel are relevant to retrieve alerts or to run kql queries to get the needed data. -> I know that I will need some sort of permissions to interact with the API endpoint. What type of service account inside azure should I create and what permissions should I provision to it ? -> Is there any existing examples of logic apps interacting with ms sentinel ? That would be helpful for me as I am new to Azure. Any help is much appreciated !Create a report that contains Alerts and raw events
Hello, is there a way to autoamtically create a report in sentinel that contains security incidents and alerts as well as the raw events that triggered these alerts and be able to send it somewhere for archival purposes? Any help is much appreciated !
