1,048 questions with Microsoft Sentinel tags

1 answer One of the answers was accepted by the question author.

How to retrieve output data after the deployment

Hello there, I am wondering if there's a straightforward method to retrieve the output results after a deployment is completed. By 'straightforward,' I mean configuring a specific API-link during the deployment to which the output data, along with its…

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,048 questions
asked 2024-07-09T02:00:48.7+00:00
LXF 180 Reputation points
accepted 2024-07-15T05:58:10.1766667+00:00
LXF 180 Reputation points
3 answers

Export Logs from Log Analytics Workspace to Blob Storage

Hi all, I have a Log Analytics Workspace that is linked to Sentinel. I have a lot of logs that I need to export from the Workspace into Blob Storage. The logs date back 30 days and it is about 400GB, it is about 500 million logs. Please let me know what…

Azure Blob Storage
An Azure service that stores unstructured data in the cloud as blobs.
2,599 questions
Microsoft Sentinel
asked 2024-07-11T12:37:19.9733333+00:00
Adriaan Boshoff 0 Reputation points
commented 2024-07-12T10:40:36.3+00:00
Adriaan Boshoff 0 Reputation points
2 answers One of the answers was accepted by the question author.

Azure Sentinel Log Screen KQL mode to start by default

Azure Sentinel changed the Log page GUI about a month ago. It added a default Simple Mode, which does not seem to allow entering a KQL query by typing. The KQL mode, much more practical, needs to be selected over and over on the right side of the screen.…

Microsoft Sentinel
asked 2024-07-10T11:05:41.85+00:00
Jan Stodola 56 Reputation points
commented 2024-07-11T21:03:24.02+00:00
Jan Stodola 56 Reputation points
0 answers

Sentinel _BilledSize and estimate_data_size differences

Hey folks, could somebody tell me the relationship between the _BilledSize field in a log and the result of the estimate_data_size(*) KQL command? I do understand that the _BilledSize field contains the info of the size of the data I have to pay for…

Microsoft Sentinel
asked 2024-07-07T14:02:15.47+00:00
Sándor Tőkési 181 Reputation points
commented 2024-07-11T09:16:11.9366667+00:00
Sándor Tőkési 181 Reputation points
1 answer

ActionConditionFailed The execution of template action 'Get_user' is skipped: there are no items to repeat.

Microsoft Sentinel
asked 2024-07-03T20:49:14.5+00:00
A Amir Shaltami 0 Reputation points
edited the question 2024-07-11T07:14:02.17+00:00
VarunTha 5,730 Reputation points Microsoft Vendor
1 answer

Can not enable MSD Threat Intelligence Data Connector

I have a cx that is getting the error below when attempting to enable Microsoft Defender Threat Intelligence data connector. He is using the (Preview) version. What could be causing this?

Microsoft Sentinel
asked 2024-07-09T23:56:42.1833333+00:00
DG001 386 Reputation points Microsoft Employee
answered 2024-07-11T06:49:15.7833333+00:00
Givary-MSFT 30,441 Reputation points Microsoft Employee
1 answer

Segregating and Identifying Alerts in Sentinel Workspace

I am seeking a method to segregate alerts in a Sentinel workspace to facilitate easier identification and prioritization. For instance, if we have multiple clients' logs in a single workspace, we need a way to identify and segregate alerts based on the…

Microsoft Sentinel
asked 2024-07-03T04:32:08.67+00:00
Someiah C S 80 Reputation points
commented 2024-07-11T04:12:27.13+00:00
Givary-MSFT 30,441 Reputation points Microsoft Employee
1 answer

Sentinel free data sources

Hi, quoting from https://learn.microsoft.com/en-us/azure/sentinel/billing?tabs=commitment-tier#free-data-sources "The following data sources are free with Microsoft Sentinel: Azure Activity Logs. Office 365 Audit Logs, including all…

Microsoft Sentinel
asked 2022-09-13T13:01:19.587+00:00
AdamBudziski-8216 16 Reputation points
commented 2024-07-10T05:16:14.0833333+00:00
EnterpriseArchitect 5,116 Reputation points
0 answers

Sentinel to azure firewall connection issues

I am having issues connecting Sentinel to Azure Firewall. I have established 9 other connections no problem, but not to the Azure Firewall from the Sentinel data connector. I have rebuilt the firewall several times, I confirmed the diagnostic log setting and…

Microsoft Sentinel
asked 2024-07-09T18:44:56.13+00:00
Sapphire BLU 0 Reputation points
edited the question 2024-07-10T03:54:23.1166667+00:00
KapilAnanth-MSFT 40,256 Reputation points Microsoft Employee
0 answers

CloudWatch ASIM Parser

I have successfully connected AWS CloudWatch to Sentinel, and I am receiving events from multiple log groups. However, I am facing an issue with parsing the events, particularly with the 'Message' field that is in JSON format. Currently, the 'Message'…

Microsoft Sentinel
asked 2024-01-16T09:26:19.8533333+00:00
LS 20 Reputation points
commented 2024-07-09T22:21:18.2633333+00:00
Brian Bye 0 Reputation points
1 answer

Sentinel as IaC with Terraform

Hi, Trying to instantiate Sentinel using Terraform. Should be straightforward, create a resource group (azurerm_resource_group), log analytics workspace (azurerm_log_analytics_workspace), onboarding Sentinel…

Microsoft Sentinel
asked 2023-08-23T05:55:02.6333333+00:00
AdamBudzinskiAZA-0329 91 Reputation points
answered 2024-07-09T12:49:59.4766667+00:00
Eduardo Perez 0 Reputation points
1 answer

Due to the scoring of MDCA being discontinued, if we need to retain the TOP 10 users using UEBA, what methods can we use?

Due to the scoring of MDCA being discontinued, if we need to retain the TOP 10 users using UEBA, what methods can we use? 'Investigation priority score' feature and 'Investigation priority score increase policy' will be phased out in the coming weeks,…

Microsoft Sentinel
Microsoft Defender for Cloud Apps
A Microsoft cloud access security broker that enables customers to control the access and use of software as a service apps in their organization.
119 questions
asked 2024-06-20T09:25:17.94+00:00
Koonnamchok Klongkaew 140 Reputation points
commented 2024-07-09T02:21:53.6533333+00:00
Koonnamchok Klongkaew 140 Reputation points
1 answer

Minimum hardware requirements for installation of AMA via ARC on Servers

Hello Community. Having a bit of a hard time trying to find the minimum hardware requirements for Windows and Linux Servers for the installation of AMA via ARC. I'm looking for something similar that I found with MDE like this. MDE Minimum…

Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.
375 questions
Microsoft Sentinel
asked 2024-07-08T19:38:00.3166667+00:00
Chris 0 Reputation points
answered 2024-07-08T21:58:34.15+00:00
Marcin Policht 17,615 Reputation points MVP
3 answers One of the answers was accepted by the question author.

Ingesting Cisco ASA logs into Sentinel using the AMA agent

Hi there, We are looking to onboard Cisco ASA logs into Microsoft Sentinel. Currently the Cisco ASA integration guide (linked below) on Microsoft Docs is referencing using the old MMA agent to get these logs onboarded. As this agent is being deprecated…

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
2,987 questions
Microsoft Sentinel
asked 2023-07-11T14:18:52.23+00:00
Stephen Crooks 20 Reputation points
answered 2024-07-07T23:15:58.16+00:00
Peter Cronwright 6 Reputation points
1 answer

DataConnector connectorUI attributes - sampleQueries

hey folks, I was working on some data connectors and seemingly some of the old features are not working anymore. I tried to use some fields which seem to be dated now. The most relevant would be the 'sampleQueries' attribute. I remember having these in…

Microsoft Sentinel
asked 2024-06-10T08:25:05.6566667+00:00
Sándor Tőkési 181 Reputation points
commented 2024-07-07T11:46:08.5433333+00:00
Sándor Tőkési 181 Reputation points
0 answers

Regarding Non-Accounts Added to Security-Enabled Local, Global and Universal Groups

Hello Team, Greetings!! During our monitoring activities in Sentinel, we have observed that some non-accounts have been added to security-enabled local, global, and universal groups. Could you please provide insight into why this activity is being…

Microsoft Sentinel
asked 2024-07-03T16:54:11.04+00:00
Srisaiteja Palle 20 Reputation points
commented 2024-07-05T15:57:06.93+00:00
Srisaiteja Palle 20 Reputation points
1 answer One of the answers was accepted by the question author.

Find creation date of custom analytical rule created in Sentinel

Hi all, I am aiming to find the number of new analytical rules created per month (including custom as well as from github deployed), as well as the existing total per month on Sentinel for the last 2 months and present it to a Sentinel workbook. How…

Microsoft Sentinel
asked 2024-06-21T13:16:42.7966667+00:00
Ev s 20 Reputation points
accepted 2024-07-03T12:21:03.83+00:00
Ev s 20 Reputation points
2 answers One of the answers was accepted by the question author.

How to disconnect Azure Sentinel data connectors?

In Sentinel I can't find an option to disconnect the data connectors. And there are no documents available for the same. So what are the methods to disconnect a data connector inside Sentinel for both native and non-native products? When I…

Microsoft Sentinel
asked 2024-06-28T16:23:07.86+00:00
RAHUL MP 20 Reputation points
accepted 2024-07-03T11:55:28.2166667+00:00
RAHUL MP 20 Reputation points
1 answer

Stop Creating Incidents in Sentinel For every Alert generated by Custom detection rule in defender for endpoint

Hi Team, I have created a custom rule in Defender with a KQL query to get the details about devices & owners of vulnerable machines. So the results have more than 1500 rows, and it's generating that many alerts in Defender. And the same events are getting…

Microsoft Sentinel
asked 2024-06-25T17:06:28.82+00:00
Disha Bodade 65 Reputation points
commented 2024-07-03T05:50:47.05+00:00
Disha Bodade 65 Reputation points
0 answers

API Version Discrepancies for 'Data Connector Definitions' in Sentinel

Hello MS Community, Would you please help explain the discrepancy regarding API references to "data connector definitions"? I noticed the API related link…

Microsoft Sentinel
Azure Startups
Azure: A cloud computing platform and infrastructure for building, deploying and managing applications and services through a worldwide network of Microsoft-managed datacenters. Startups: Companies that are in their initial stages of business and typically developing a business model and seeking financing.
237 questions
asked 2024-06-14T08:30:15.17+00:00
LXF 180 Reputation points
edited the question 2024-07-03T04:22:40.0133333+00:00
Ryan Hill 26,946 Reputation points Microsoft Employee