User Profile
GaryBushey
Bronze Contributor
Joined 9 years ago
Recent Discussions
Re: Extract Email Address from Incident Entity
Since the information being returned is part of a JSON array, you would need to perform a loop to get all the entries in it. Kind of surprised that Logic App didn't automatically do this for you when using that field. You would need to do a loop on "relatedEntities" and then you can send the Email(s).

Re: Extract Email Address from Incident Entity
The easiest way is to create a playbook that just has the Sentinel Entity trigger and kick that off from an incident that is the same type as the one you want. Then you can see all the data that the trigger contains. This will tell you if you need to either make another query or perhaps use the Sentinel Connector to get more entities, like Accounts.

Re: How to Filter Logs by User Parameter in Sentinel Workbook KQL?
One thing I would recommend is to create a new Text step that displays just {{UserParam}} to make sure it is actually returning what you expect. It may have a subfield or extra text that you are not expecting. There may also be a case mismatch, so you may need "=~" rather than "==" when comparing that field.

Re: Add Search Results to alert details in Microsoft Sentinel
What search results are you talking about? Are you running a query in the Logs area and want to add the results to the alert? If so, and it is the same query every time, you could create a Playbook that does this and set up Automation to trigger it.

Re: Update content package Metadata
As you have stated, that API doesn't work completely (not really sure why it is there). If you watch what MS Sentinel does when a solution is deployed, it uses "/subscriptions/$($SubscriptionId)/resourcegroups/$($ResourceGroup)/providers/Microsoft.Resources/deployments/" + the deployment name. Take a look at the All-In-One V2's PowerShell script to see how we used this command to deploy the selected solutions: Azure-Sentinel/Tools/Sentinel-All-In-One/v2 at master · Azure/Azure-Sentinel

Bug in stand-alone MS Sentinel MITRE tactics
I set up a new Analytic rule where I had selected multiple tactics/techniques combinations. When I create an incident from that rule, only one of the tactics/techniques actually shows up in the stand-alone MS Sentinel UI as well as in the SecurityIncident table. It isn't even the first one I selected; it is the last one. I did double check the Analytic rule and all the tactics/techniques are selected. If I look at the incident using the MS Sentinel REST API, it does show that all the tactics/techniques are there, as does the M365 portal (I have my MS Sentinel instance linked). Heck, even the Graph Query will show them all (after expanding the incident to show the alerts as well). Has anyone noticed this recently? Is it a bug or another new "feature"?

Re: How to integrate Beyond Trust Logs With Sentinel
I am not familiar with Beyond Trust, but if they have an API you can call, you can use the Microsoft Sentinel Codeless Connector to obtain the data: Create a codeless connector for Microsoft Sentinel | Microsoft Learn. Unsure what would be required on the Beyond Trust side.

Re: Investigation Insights Workbook IP address Search
For future reference, if you go into the workbook, select "Edit" and then select "Settings", there is a "Versions" tab where you can see the different versions that have been saved. I don't know how many versions it will hold and, sadly, there are no comments about what has changed, but you can view and restore old versions there.

Re: Send to Sentinel logs from many Log Analytics
Hairy_Zeus, the main reason is cost. You are needlessly duplicating data and you will need to pay the ingestion charges for both workspaces, and this includes any of the free data (like O365 logs and Azure audit logs). It will not be free when being sent to the second workspace.

Re: Playbook is not running
I take it you are trying to do a union with 5 different Microsoft Sentinel instances? Those unions are not cheap in terms of processing and will take a long time to run since you are getting all the information and then doing a filter. I would suggest filtering the data on each union command so that only the information you need is actually being sent with the union command.

Re: Adding "relevant analytics templates" to custom data connector
I would look into using a Microsoft Sentinel solution. It will allow you to push not only the data connector but also the analytic rules, workbooks, playbooks, etc. https://docs.microsoft.com/EN-US/azure/sentinel/sentinel-solutions