Recent DiscussionsMost RecentNewest TopicsMost LikesSolutionsTagged:TagRe: Ingest logs from Qradar to Azure sentinel. ankit976you can forward QRadar logs as syslog as explained here:QRadar Forwarding Destination Then those logs can be forwarded to Sentinel via one of our agents Regards Re: Data Connectors / Ingest capabilities for PowerBI/Apps to Azure Sentinel? PrashTechTalksmclaughlin1300for PowerBI, there's a new option to send logs to a LogA workspace:Using Azure Log Analytics in Power BI (Preview) - Power BI | Microsoft Docs Regards Re: Data Connectors / Ingest capabilities for PowerBI/Apps to Azure Sentinel?Did you try this connector to see if it brings what you need? https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/O365%20Data RegardsRe: How to mass apply a playbook to all analytic rules at once?Nice!!Re: Azure Sentinel MSP - Non-Scheduled Alert QueriesNo problem. Also, if you at some point have to go over the 10 workspaces limit that we support in the cross-ws incident view, you can always use this workbook as the central management pane: https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SentinelCentral.jsonRe: Azure Sentinel MSP - Non-Scheduled Alert QueriesYes, but protecting intellectual property only makes sense for scheduled rules, For non-scheduled rules, there's really no IP to protect, right? The best practices is to ONLY use cross-ws analytics rules when there's a need to protect IP. RegardsRe: Azure Sentinel MSP - Non-Scheduled Alert QueriesHI Leo, why do you need to bring alerts/incidents from the customer tenant to the MSSP tenant? Just trying to understand before I answerRe: Azure Sentinel Automation (Preview) - Issue with Permission assignmentAre you also working in a Lighthouse setup or in a single AAD tenant setup? if you're working in a single tenant, these instructions should work: https://docs.microsoft.com/en-us/azure/sentinel/tutorial-respond-threats-playbook#respond-to-incidents For the multi-tenant scenario, we have now added the proper instructions here: https://docs.microsoft.com/en-us/azure/sentinel/automate-incident-handling-with-automation-rules#permissions-in-a-multi-tenant-architectureRe: Azure Sentinel Automation (Preview) - Issue with Permission assignmentFor scenario #1...how can you have owner on the subscription via Lighthouse? that role is not allowed in an Lighthouse delegation: https://docs.microsoft.com/en-us/azure/lighthouse/concepts/tenants-users-roles#role-support-for-azure-lighthouse For scenario #2, azure security insights app must have Azure Sentinel Automation Contributor (not Azure Sentinel Contributor).Re: Azure Sentinel Automation (Preview) - Issue with Permission assignmentThijs, did you create the automation rules while logged in the service provider tenant?Re: Azure Sentinel Automation (Preview) - Issue with Permission assignmentyes, we're adding this to the official docs this weekRe: Azure Sentinel Automation (Preview) - Issue with Permission assignmentOk, that requires additional permissions. You need to grant Azure Sentinel Automation Contributor permissions to the Azure Security Insights app in the service provider tenant, to the RG where the playbooks are in the customer tenant. So basically you need to include this additional authorization in your Azure Lighthouse delegation. RegardsRe: Azure Sentinel Automation (Preview) - Issue with Permission assignmentare you working in a Lighthouse setup?Re: Creating Sentinel instances with codeOur stable API has the list of things that can be deployed programatically: https://docs.microsoft.com/en-us/rest/api/securityinsights/dataconnectors/createorupdate There's other connectors outside of that list that are based on diagnostics settings or solutions on top of the Log Analytics workspace, that can also be enabled programatically. RegardsRe: Searching by more than one field when using a watch list TaggingUriBarashandDeepak Agrawalfor visibility Re: Searching by more than one field when using a watch list taggingCliveWatson,JeremyTanandOfer_Shezafin case they know of a better way and to document the way Splunk does it Re: Azure Sentinel Multi tenant/MSSP Playbooks mperrottayou should be able to select a playbook in the MSSP tenant as an automatic response to an analytics rule created in the customer tenant. If you don't see those playbooks, it could be because you're lacking permissions to see the resource group where the playbooks are located or because you don't have a Logic App role granted in the MSSP tenant (or both!) Re: Azure Sentinel Multi tenant/MSSP Playbooks pavankemiplease watch this webinar as a first step:Azure Sentinel webinar: MSSP and Distributed Organization Support - YouTube let us know if you have further questions after watching Re: General MSSP Inquiry Deletedsure Re: General MSSP Inquiry Deleteddon't pay attention to the response from David, it looks like a scam.
Recent Blog ArticlesMost RecentMost LikesRe: What to do if your Sentinel Data Connector shows as [DEPRECATED] bseader thanks for your feedback. We are trying to improve the experience to that you can clearly see what connector replaces the deprecated ones. Please take a look at this article for more informat...Deploying and Managing Microsoft Sentinel as Code Do you want to learn how to deploy and operateMicrosoft Sentinelas code? In this post we explain the end-to-end process and also provide you with a working prototype for use to reuse and extend. Re: Update to Microsoft Sentinel’s Technical Playbook for MSSPs is now available (v1.5.1) Thanks for the feedback! we will correct in the next release. TaggingGaryBushey Re: Protecting MSSP’s Intellectual Property in Microsoft Sentinel AliAhmedDaryou can easily modify one of our brute force rules to just target a particular group. Regarding audit for lighthouse, see this:Monitor service provider activity - Azure Lighthouse | Micr...Re: Protecting MSSP’s Intellectual Property in Microsoft Sentinel AliAhmedDar 1. I'm pretty sure that's the issue. It's documented like this as you can see. 2. Same as above. 3. No, no costs involved as you don't need to ingest any data 4. I haven't te...Re: Protecting MSSP’s Intellectual Property in Microsoft Sentinel AliAhmedDaryou will need to create an empty sentinel workspace in order to create the Azure Security Insights app in the AAD tenant. Doesn't need to have any data, it's just to trigger the creation ...Re: Protecting MSSP’s Intellectual Property in Microsoft Sentinel AliAhmedDardid you follow step #5 instructions from my link above?Tutorial - Automate threat response in Microsoft Sentinel | Microsoft Learn Re: Protecting MSSP’s Intellectual Property in Microsoft Sentinel AliAhmedDarin that case, you just access the customer workspace via Lighthouse and execute the Playbooks from there. Permissions of the local Azure Security Insights application in the customer tena...Re: Protecting MSSP’s Intellectual Property in Microsoft Sentinel AliAhmedDarYes, Sentinel's application needs the proper permissions. Please see details here:Automate threat response with playbooks in Microsoft Sentinel | Microsoft Learn and also step #5 ...Re: Announcing Microsoft Sentinel All-in-One v2 Thanks for the feedbackDeleted. We are aware of this issue where the deployed rules need to be updated, we're currently working on a solution. In any case, even if All-in-One deploys the late...
MicrosoftMicrosoftMicrosoftMicrosoft
