User Profile
printscreen
Brass Contributor
Joined 5 years ago
Recent Discussions
Pricing for Sentinel custom workbook
Hi! I've prepared a custom workbook around the SigninLogs table. Does anyone have any idea if there would be any cost involved in deploying that custom workbook? If there is a cost involved, what would be the approximate cost, just to understand the cost figures?
(1.6K views, 0 likes, 1 comment)

Sentinel incidents sync with other Microsoft security portals
Hi, I would like to know if Sentinel can automatically sync the incidents which are closed in other Microsoft security portals. If it syncs automatically, what is the delay for each? Do Sentinel incidents get automatically synced with incidents in Defender? Do Sentinel incidents get automatically synced with incidents in MDI? Do Sentinel incidents get automatically synced with incidents in MCAS (Microsoft Cloud App Security portal)? Do Sentinel incidents get automatically synced with AAD risky user actions (like the risky users which we analyze and decide risk dismissal/compromised in AAD)? If anyone can help me with this information, it would be great! Thanks
(1.7K views, 0 likes, 4 comments)

ASR rules configuration in GPO
Hi! I'm aware that a few of the GUID values for the ASR rules policy can be found here. I'm configuring attack surface reduction rules by using Group Policy; unfortunately, I couldn't find any GUID values for the other ASR policies (Web protection (Microsoft Edge Legacy), App and browser isolation, etc.). Are these the only 15 GUID values available for configuring ASR, or am I missing something?
(9.3K views, 1 like, 1 comment)

Re: Center of Excellence - Error Starting Flows
Hi Barry - Thanks for your response. I figured out the reason behind this. I was able to turn on the flow from the default solution. And the other error reason was that we don't have a proper Power Apps licence, which triggered the error (failed to activate component error).

Re: You cannot directly edit the components within a managed solution - CoE - Power apps
Hi - I figured out the reason behind this. I was able to turn on the flow from the default solution. I got that error because the solution from which I'm trying to turn it on was a managed solution. So, we need to go to an unmanaged solution and edit the flow as per our wish. If we observe closely, we can see a tiny lock symbol under the managed column in my attached error snip in this post.

You cannot directly edit the components within a managed solution - CoE - Power apps
Hi, I'm pretty new to Power Apps. I'm just trying to set up the CoE (currently at set up core components). I'm following this process and got stuck at this step with the below error. I'm unable to turn on the things under solutions. Also, it would be helpful if someone shares any detailed video/blogs regarding the CoE installation procedure. Any help would be appreciated.

You cannot directly edit the components within a managed solution. If the managed properties for solution components are set to allow customization, you can edit them from another unmanaged solution.
(Solved)

Re: Azure AD detection User added to group vs User added to role
ceesmandjes If you wish to list out both roles & groups, then the appropriate operation names are 'Add member to role' and 'Add member to group'. You can tweak the template rule which is mentioned above by adding these to the list, something like below (note that below is just the first few lines from the default template rule, as an example):

let timeframe = 1h;
let OperationList = dynamic(["Add member to role", "Add member to group", "Add member to role in PIM requested (permanent)"]);
let PrivilegedGroups = dynamic(["UserAccountAdmins", "PrivilegedRoleAdmins", "TenantAdmins"]);
AuditLogs
| where TimeGenerated >= ago(timeframe)
| where LoggedByService =~ "Core Directory"
(8.1K views, 0 likes, 0 comments)

Re: Technical details and integration
Maxou I could answer a few of the questions:
- What datastore does Sentinel use? [Sentinel stores all ingested logs in Log Analytics]
- Does Sentinel allow to back up the data in Azure blob store and search it?
- Is it easy to get data out of Sentinel, and what is the cost? [You can remove Sentinel easily; please go through this link]
- How can we collect logs and audit logs from PaaS services like API Management service, Azure Cosmos, Synapse workspace and Power BI Embedded? [You can easily collect any Azure resource logs (in fact, a few non-Microsoft vendor logs too) through diagnostic settings. For example, if we consider API Management service, go to Azure portal -> APIM -> Diagnostic settings -> click on '+ Add diagnostic settings'. Select the appropriate logs, map the Sentinel Log Analytics workspace there and save it]
- Also, how is the cost calculated if you increase the retention from 31 days to 90 days? [To the best of my knowledge, for Azure Sentinel-enabled workspaces the data is retained for free for 90 days. Retention beyond 90 days will be charged per the standard Azure Monitor Log Analytics retention prices (as outlined here). Only if you do configure some changes in Sentinel settings will you find an option to increase data ingestion]
I hope it helps.
(1.3K views, 1 like, 1 comment)

Re: AlienVault OTX TAXII Feed
Kevin Lovegrove Below is the GitHub direct link for AlienVault, I believe: Ingesting Alien Vault OTX Threat Indicators into Azure Sentinel - Microsoft Tech Community, and a very good article about the same: Ingesting Alien Vault OTX Threat Indicators into Azure Sentinel - Microsoft Tech Community. Hope it helps.
(7.9K views, 0 likes, 2 comments)

Re: AlienVault OTX TAXII Feed
Kevin Lovegrove Below are the resources which I believe are in the GitHub repo for AlienVault: Azure-Sentinel/Playbooks/Get-AlienVault_OTX at master · Azure/Azure-Sentinel · GitHub, and a very good article about the same: Ingesting Alien Vault OTX Threat Indicators into Azure Sentinel - Microsoft Tech Community. Hope it helps.
(7.8K views, 0 likes, 0 comments)

Re: (KQL) calling a workspace() using a variable
jjsantanna Apologies, I got it wrong then. Is something like the below what you are looking at? Does this help?

let x = workspace('workspacename1').AzureActivity;
let y = workspace('workspacename2').SecurityEvent;
union x, y
| where TimeGenerated > ago(8d)
(5.1K views, 0 likes, 3 comments)

Re: (KQL) calling a workspace() using a variable
jjsantanna We can do cross-workspace querying by using the workspace name and union KQL statements. Something like this below:

workspace('<<your workspacename>>').tablename
| union workspace('<<your workspacename>>').tablename
| where CategoryValue == 'Administrative'

If you would like to understand more details, please refer to this link: What’s New: Cross-workspace Analytics Rules - Microsoft Tech Community. Hope it helps.
(5.1K views, 0 likes, 5 comments)

How to execute KQL queries in Sentinel Notebooks?
Hi. I have installed the kqlmagic library and am trying to connect to my Log Analytics workspace to execute KQL queries in Notebooks. Can anyone help me with the different approaches on how to connect to a specific workspace and execute KQL queries in Notebooks? I'm aware of the below approach for connecting to a specific workspace and executing KQL queries, but I'm looking for another way.

%kql loganalytics://tenant=TENANT_ID;clientid=CLIENT_ID;clientsecret=CLIENT_SECRET;workspace=WORKSPACE_ID;alias='azsecdb'
(2.8K views, 0 likes, 2 comments)

Re: Notebooks error while installing msticpy package
ESPANETYANN AnuragSrivastava GaryBushey Thanks for your response. I was able to install msticpy. Do you have any idea about using the PowerShell kernel in Notebooks? I'm following this article and reached the below step, where I got stuck with the below error. If you have any idea about this, that would be appreciated.

dotnet tool install -g --add-source "https://dotnet.myget.org/F/dotnet-try/api/v3/index.json" Microsoft.dotnet-interactive
(2.2K views, 0 likes, 1 comment)

Notebooks error while installing msticpy package
Hi, I'm trying to get started with notebooks by using one of the default ones provided in Sentinel. But when I try to execute it, I continuously hit the below error; not sure if I'm missing anything. Can anyone help me out here?

The package 'msticpy' is not installed or has an incorrect version

And I'm trying to install the PowerShell kernel as per the steps mentioned in this article, but I'm getting the attached error in the terminal. There might be some silly mistake I'm making, but I'm unable to find what it is... Any help would be appreciated.
(Solved, 2.3K views, 0 likes, 5 comments)

Re: How to mass apply a playbook to all analytic rules at once?
Hey Javier-Soriano, Is there any option to do PowerShell execution to mass apply the playbook to all rules? I was just messing around myself and tried the below by uploading a JSON file in CLI; the command will create an analytic rule, and in that we can add a playbook, which worked perfectly.

Import-AzSentinelAlertRule -WorkspaceName "rg-test" -SettingsFile "alertrule.json"

But I tried the same way to update by doing Update-AzSentinelAlertRule, which didn't work, saying as per the attached snip. Is there any specific rule update command which helps to update the playbook configuration?
(3.4K views, 0 likes, 3 comments)
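The privileged role/group detection discussed in the "Re: Azure AD detection User added to group vs User added to role" reply above, combined with the cross-workspace union from the "Re: (KQL) calling a workspace() using a variable" replies, as an added example. This is not code from any of the posts above nor from the Sentinel rule template: it pulls the role or group name out of TargetResources[0].modifiedProperties so the match is on the object that was actually changed, rather than on the operation name alone. The workspace names, the role names in PrivilegedRoles and the group names in PrivilegedGroups are placeholders (assumptions); replace them with your own.

```kql
// Added example, not from any post above or from the Sentinel template.
// Assumptions: workspace names, PrivilegedRoles and PrivilegedGroups are placeholders.
let timeframe = 1h;
let RoleOps = dynamic(["Add member to role", "Add member to role in PIM requested (permanent)"]);
let GroupOps = dynamic(["Add member to group"]);
let PrivilegedRoles = dynamic(["Global Administrator", "Privileged Role Administrator", "Security Administrator"]);
let PrivilegedGroups = dynamic(["UserAccountAdmins", "PrivilegedRoleAdmins", "TenantAdmins"]);
// workspace() only accepts a string literal, so the names cannot come from a let variable.
union isfuzzy=true
    workspace('workspacename1').AuditLogs,
    workspace('workspacename2').AuditLogs
| where TimeGenerated >= ago(timeframe)
| where LoggedByService =~ "Core Directory"
| where Result =~ "success"
| where OperationName in~ (RoleOps) or OperationName in~ (GroupOps)
| extend Kind = iff(OperationName in~ (RoleOps), "Role", "Group")
// For these operations TargetResources[0] is the principal that was added.
| extend Target = TargetResources[0]
| extend TargetUPN = tostring(Target.userPrincipalName), TargetId = tostring(Target.id)
| extend ModProps = Target.modifiedProperties
// modifiedProperties is an array of {displayName, oldValue, newValue}; newValue is a
// JSON-encoded string, so parse it once to strip the surrounding quotes.
// Rows with no Role.DisplayName / Group.DisplayName property are dropped by mv-apply.
| mv-apply Prop = ModProps on (
    where tostring(Prop.displayName) in~ ("Role.DisplayName", "Group.DisplayName")
    | extend ObjectName = tostring(parse_json(tostring(Prop.newValue)))
    | summarize ObjectName = take_any(ObjectName)
  )
| where (Kind == "Role" and ObjectName in~ (PrivilegedRoles))
     or (Kind == "Group" and ObjectName in~ (PrivilegedGroups))
| extend InitiatedByUPN = tostring(InitiatedBy.user.userPrincipalName),
         InitiatedByApp = tostring(InitiatedBy.app.displayName),
         InitiatorIP = tostring(InitiatedBy.user.ipAddress)
| project TimeGenerated, Kind, OperationName, ObjectName, TargetUPN, TargetId,
          InitiatedByUPN, InitiatedByApp, InitiatorIP, CorrelationId
// Entity mappings used by the analytics rule wizard.
| extend AccountCustomEntity = TargetUPN, IPCustomEntity = InitiatorIP
```

Matching on Role.DisplayName rather than on the operation name alone means a routine "Add member to role" for a low-privilege role does not fire, while an app-initiated add (InitiatedByApp populated, InitiatedByUPN empty) still surfaces and is worth a separate look. When this is saved as a scheduled analytics rule, the cross-workspace union is subject to the workspace limit described in the "What’s New: Cross-workspace Analytics Rules" post linked above; the single-workspace form is simply the same query with the union replaced by a bare AuditLogs.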