Send Alert When File in SharePoint is Being Accessed
Hi all, Is there a way to get the list of files which users are accessing or trying to access if they don't have permission inside a specific SharePoint site? And in addition to that is there a way for Sentinel to send alerts only for those users that don't have permission to access files? At the moment I am able to generate a list of users with number of accessed files on that specific SharePoint site: // Users accessing files // Users sorted by number of OneDrive and SharePoint files they accessed. OfficeActivity | where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed") | summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId | sort by AccessedFilesCount desc nulls last
KQL query to detect the disablement and deletion of Automation Rules
Hi Community, We want to create a KQL-query that detects whether an automation rule has been disabled. The only way to partially do that at the moment is the AzureActivity table. The problem with that table is that is does not specify whether a rule has been ENABLED or DISABLED. As far as we can see, it does not have a unique identifier for disable or enable. Both log outputs are the same: Does anyone of you have a solution for this problem? Thanks in advance 🙂 Greetings, Kevin
Send logs from one workspace to another workspace in different subscriptions
Hi team , We are looking for solution to send logs from one sentinel workspace to another workspace which is in different subscriptions under one directory. How can we do that, I think one option will be to use event hubs but how we will do that. Also how will be the pricing for it. Any other approaches to cater to the requirements will be helpful Thanks
log via syslog server agent to Azure Sentinel (list of IPs?) & dual agent to two Log Analytics space
Hi, I am currently looking at setting up something like this: Security devices > syslog server > Microsoft Sentinel In order to tie down/restrict somewhat the access this syslog server has, is there a list of known IPs for Microsoft Sentinel? Another bonus question please 😄 For one of the firewalls (one of the security devices mentioned above) we are looking to send a full set to Sentinel via this syslog server, PLUS a smaller subset of the SAME log (but with only selected columns/fields) to another Log Analytics workspace. This might be outside of scope of the syslog server agent but is there a guide on how to get this setup please? Many thanks. JTSome Sentinel Incident from Microsoft Defender 365 are not retrieving Alerts & Entities
Hello, For some incidents (From Microsoft Defender 365 connector Product name : Microsoft Defender for Office 365), in Sentinel we face an error "There was an error retrieving some of the alert information. Please try again later. If the problem persist, contact Microsoft support." Alert is not show in logs when search using AlertID and No Entities found. Thanks
Zscaler Private Access Solution not receiving data
EDIT: Solved by switching to a default Ubuntu VM. No idea what exactly it is about default Ubuntu that makes it work. We have been trying to get the logs from Zscaler Private Access connected to our Sentinel instance, with 0 success so far. We've followed the instructions on the data connector page perfectly, but there simply isn't any data from Zscaler coming into Sentinel and we cannot figure out why - We've installed the Log Analytics (OMS) agent successfully. We can see a Heartbeat coming in and even the syslog of the machine. This should prove the connection between the VM and Sentinel is working - We've placed the VM in the same subnet as the ZPA log receivers, opened the correct ports and firewall rules and we can see traffic on our VM coming from the log receivers via tcpdump. This should prove the connection between Zscaler and the VM working - We can't find any errors in the OMS agent logs. It seems to load the provided zpa.conf file correctly. - We triple checked all the steps, every step is taken correctly But there are no ZPA logs in Sentinel I've searched around and there seem to be multiple people (even in the reviews section of the solutions) running into issues with this, but there are no solutions posted anywhere Did anyone have any luck with getting this solution to work? And can you share how you did it?
