User Profile
mikhailf
Iron Contributor
Joined 5 years ago
Recent Discussions
Microsoft Sentinel - Alert suppression
Hello Tech Community, Working with Microsoft Sentinel, sometimes we have to suppress alerts based on information about UPN, IP, hostname, and other fields. Let's imagine we need to suppress 20 combinations of UPN, IP and hostname. Sometimes the suppression fields should be empty or should be wildcarded (meaning it can be any value in the log that should be suppressed). What is the best way to suppress alerts?
- Automation rules - seems not flexible and works only with entities.
- Watchlist with "join" or "where" operator - good option, but doesn't support * (wildcard)
- Hardcoded in KQL - not flexible, especially when you have SDLC processes
Please share your ideas and advice.

Anti-malware policy doesn't block files
Hello Microsoft Community, We have recently found that the Anti-malware policy doesn't block files that are set to be blocked by the policy. For example, when we send an *.ics file with cmd/exe/jse/rdp and other files inside the ics, the email is not blocked and is delivered to users. We did several tests with an external security vendor by sending real malware, ransomware and exploits attached to the ics and all of them passed the filtering system. Is anyone aware of the issue? Doesn't MDO scan nested files?! This has happened with a few tenants. Those tenants have Microsoft E5 licenses.

Cross-workspace incident management
Hello Techcommunity, We are looking for a solution to manage incidents in several Sentinel workspaces within the same tenant.
1. We reviewed Azure Lighthouse and it seems to be working only for cross-tenant management
2. We saw the option to mark the workspaces we want to monitor and click on "View incidents"
3. We also considered building the dashboard in a Workbook
Could you please tell me if there is any other option to have a unified dashboard for managing incidents from several Sentinels within the same tenant?

Re: Salesforce to Sentinel Integration
Hello Prasanthdas545, Yes, first, you need to deploy the Function App. Second, you need to configure Environment variables in that Function App (see here what it looks like: Configure function app settings in Azure Functions | Microsoft Learn). These variables should contain info about the connection to Salesforce (URLs, API keys, etc.). To obtain those variables from Salesforce you need to create an application on Salesforce. This part is the trickiest and we did it with the Salesforce team. Unfortunately, I don't have any videos of the process.

Re: Salesforce to Sentinel Integration
Hello Prasanthdas545, The fastest way is to deploy the Function App offered by Sentinel (in the Salesforce connector menu). Before that you need to create an application on the Salesforce side (we did it with their support). And lastly, the events that you receive from Salesforce depend on the type of license you have.

Export data from Log Analytics Workspace to Storage Account
Hello community, Could you please recommend a solution to migrate data from a Log Analytics Workspace (1 table) to a Storage Account? There are about 70 million rows that should be exported. Continuous export is not the solution here. We were thinking about a Logic App but there is too much data.

Re: CommonSecurityLog and DCR Table Transformation
Hello HA13029, Try the 4th step from here: Filter & Split Firewall/CEF logs into multiple Sentinel tables (analytics/basic tier) to save on ingestion costs | LinkedIn. You can transform the logs in the DCR. Just edit it and add the KQL you mentioned in your question. It should work well.

"Dynamics 365 CRM" app is identified as "PowerApps - apps.powerapps.com"
Hello community, We have an interesting situation with the Dynamics 365 CRM app in Sign-in logs. When a user logs into the Dynamics app, we see "PowerApps - apps.powerapps.com" in the Sign-in logs in Entra ID. A support engineer from Microsoft explained it as service dependencies: Conditional Access service dependencies - Microsoft Entra ID | Microsoft Learn. We see that there is a dependency with Project, but not with Power Automate (could it be missing from the Microsoft article?). Does anybody here have similar behavior? We found it while working on a conditional access policy for Dynamics.

Re: Conditional Access and Intune Protection policy
Hello JosvanderVaart, I managed to log into Outlook, however it didn't work with MS Teams. I got the error message that the app should be protected with an Intune policy. In my environment the App Protection policy is applied for All Microsoft apps (and I believe Teams is a part of this). It also didn't work for the Microsoft OneDrive app. "The app must be protected with an Intune policy before you can access company data. Please contact your IT help desk for more information". How is it supposed to work?

Conditional Access and Intune Protection policy (Solved)
Hello Community, This question is about Conditional Access and the Intune Application Protection policy. What if I have a Conditional Access policy that requires an app protection policy applied on devices to access resources using Microsoft Apps (Outlook, Word, Excel, SharePoint, etc.)? What happens when I have a new user created and this user is trying to log into an app on his phone? The new user won't get the App Protection policy until he logs in; however, he can't log in because he has no app protection policy enabled. Could anybody send me a reference or tell me about your experience?

Windows Server 2012 ESU - Key Activation
Hello Community, Could anyone here help me to understand how Windows Server 2012/R2 Extended Security Updates work? We purchased the Multiple Activation Key (MAK) and tried to activate it on our Windows servers but it showed that the key is invalid. Tried to deploy and activate the ESU MAK add-on key by using Slmgr.vbs or the VAMT tool but it didn't work. Tried to open a case with Microsoft via Services Hub (microsoft.com). It didn't allow us to open a case via the portal but only by phone. Called by phone, but the robot on the other side didn't forward us to a human and only disconnected the call. So we are stuck. No activation, no updates, no support. But the money was spent. 🙂

Re: Salesforce to Sentinel Integration
For those who will be looking for information about Salesforce logs in the future. Login, Logout, and API usage logs are seen for the following Salesforce licenses: Enterprise, Unlimited, and Performance Edition. An additional 50 types of logs can be gathered with a Developer license. If you don't want to change the license, the Shield Event Monitoring feature should be purchased. https://trailhead.salesforce.com/content/learn/modules/event_monitoring/event_monitoring_intro

TI map in several tables (Solved)
Hello Tech Community, We are trying to map TI indicators in several tables in Sentinel. It is clear how to take 1 type of indicator (IP, for example) and look for it in 1 table (firewalls, for example). But what if we want to build only 1 KQL for it and we want to look for this indicator in firewalls, switches, mail relay, etc.? We've tried to play with union/joins, but without success. The only message we received was about the excessive amount of resources required to perform the query 😄 Has anyone here built something like this? What are the pros and cons of such a query?

Re: Tamper Protection - Cloud Attach - Windows Server
For those who will be experiencing this later. Answer from Microsoft - this is by design (expected behavior). It works in such a way for Tamper protection and the GUI. If you close access to the GUI, you cannot re-open it via policy. The same with Tamper protection. This can be solved only by changing the registry key.
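A worked example for the "Microsoft Sentinel - Alert suppression" question in the list above. This is an added example, not code from the post or from any reply. It takes the watchlist-with-join option and makes the query, rather than the watchlist feature, interpret the cells: an empty cell matches any value, and a trailing "*" is treated as a prefix wildcard. The watchlist name AlertSuppressions and its columns UPN, IPAddress and Hostname are assumptions; SigninLogs is used as the source table only to keep the example concrete.

```kusto
// Added example (not from the thread). Assumed watchlist "AlertSuppressions" with
// string columns UPN, IPAddress, Hostname. Empty cell = "any value";
// a cell ending in "*" is a prefix wildcard (e.g. "srv-*").
let Suppressions = _GetWatchlist('AlertSuppressions')
    | project SuppUPN  = tolower(trim(" ", UPN)),
              SuppIP   = trim(" ", IPAddress),
              SuppHost = tolower(trim(" ", Hostname))
    | extend JoinKey = 1;                       // dummy key for the cross join below
let Events = SigninLogs
    | where TimeGenerated > ago(1h)
    | extend Upn  = tolower(UserPrincipalName),
             Host = tolower(tostring(DeviceDetail.displayName)),
             JoinKey = 1;
// Cross-join every event with every suppression row (fine for tens of rows) and
// keep the pairs where each field is empty, equal, or a matching prefix.
let SuppressedIds = Events
    | join kind=inner Suppressions on JoinKey
    | where (isempty(SuppUPN)  or SuppUPN  == Upn
             or (SuppUPN  endswith "*" and Upn       startswith trim_end(@"\*", SuppUPN)))
        and (isempty(SuppIP)   or SuppIP   == IPAddress
             or (SuppIP   endswith "*" and IPAddress startswith trim_end(@"\*", SuppIP)))
        and (isempty(SuppHost) or SuppHost == Host
             or (SuppHost endswith "*" and Host      startswith trim_end(@"\*", SuppHost)))
    | distinct Id;
// Whatever matched no suppression row is what the analytics rule alerts on.
Events
| join kind=leftanti SuppressedIds on Id
| project TimeGenerated, UserPrincipalName, IPAddress, Host, ResultType
```

The cross join multiplies events by watchlist rows, so it is only sensible while the watchlist stays small (the 20 combinations in the question are fine). Because the wildcard logic lives in the query, analysts edit the watchlist without touching rule KQL, which is the SDLC concern raised in the post.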
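A worked example for the "TI map in several tables" question above, added here and not taken from the thread or its accepted answer. It matches active IP indicators against several sources in one query by normalising every source to the same four columns before the union and joining the indicator list once at the end, which keeps the row width and the join count small. The ThreatIntelligenceIndicator table and the three sources (CommonSecurityLog for firewalls, Syslog for switches, EmailEvents for the mail relay) are assumptions; adjust the per-source projections to the tables you actually ingest.

```kusto
// Added example (not from the thread). Assumed tables: ThreatIntelligenceIndicator,
// CommonSecurityLog (firewalls), Syslog (switches), EmailEvents (mail relay).
let lookback = 1h;
let Indicators = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(30d)
    | where Active == true and ExpirationDateTime > now()
    | extend IndicatorIP = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP)
    | where isnotempty(IndicatorIP)
    | summarize arg_max(TimeGenerated, *) by IndicatorId   // latest version of each indicator
    | project IndicatorId, IndicatorIP, Description, ConfidenceScore;
// Normalise every source to one narrow shape first, so the union and the join
// carry a handful of columns instead of each table's full rows.
let Firewalls = CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | project TimeGenerated, SourceTable = "CommonSecurityLog", Device = DeviceName,
              SrcIP = SourceIP, DstIP = DestinationIP;
let Switches = Syslog
    | where TimeGenerated > ago(lookback)
    | extend IPs = extract_all(@"(\d{1,3}(?:\.\d{1,3}){3})", SyslogMessage)  // IPs in free text
    | where array_length(IPs) > 0
    | project TimeGenerated, SourceTable = "Syslog", Device = Computer,
              SrcIP = tostring(IPs[0]), DstIP = tostring(IPs[1]);
let MailRelay = EmailEvents
    | where TimeGenerated > ago(lookback)
    | project TimeGenerated, SourceTable = "EmailEvents", Device = NetworkMessageId,
              SrcIP = SenderIPv4, DstIP = "";
union Firewalls, Switches, MailRelay
| extend MatchIP = pack_array(SrcIP, DstIP)
| mv-expand MatchIP to typeof(string)
| where isnotempty(MatchIP) and ipv4_is_private(MatchIP) == false   // TI feeds list public IPs
| join kind=inner Indicators on $left.MatchIP == $right.IndicatorIP
| project TimeGenerated, SourceTable, Device, MatchIP, IndicatorId, Description, ConfidenceScore
| order by TimeGenerated desc
```

Adding another source is one more `let` that emits the same four columns and one more name in the `union`. The time filter and projection sit inside each `let` on purpose: applying them after the union would pull every table's full rows through the join, which is the kind of query the resource-limit message in the post complains about.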