1,234 questions with Microsoft Sentinel tags

0 answers

Microsoft Sentinel API - "triggerRuleRun" ExecutionTimeUtc Always Invalid

Issue Summary: We are trying to manually trigger a Microsoft Sentinel scheduled analytics rule using the triggerRuleRun API, but it always fails with the following error: { Even when using the correct timestamp format, the API never accepts…

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,234 questions
asked 2025-02-19T10:13:34.1966667+00:00
Shafiq Aziz (Admin Account) 0 Reputation points
edited a comment 2025-02-28T04:52:04.1+00:00
Rukmini 1 Reputation point Microsoft Vendor
1 answer

Microsoft Sentinel data connectors not visualised in overview dashboard (GCP audit log connector)?

I have configured a GCP audit log data connector and a GCP firewall data connector in my Microsoft Sentinel. The connectors fetch the metrics from the source, but the overview page of Microsoft Sentinel shows no data connectors.

Microsoft Sentinel
asked 2025-02-26T11:11:48.39+00:00
Aswath A 0 Reputation points
commented 2025-02-28T04:48:35.0733333+00:00
Aswath A 0 Reputation points
1 answer

Legacy Data Connectors being updated to use Content Hub

We've inherited a Sentinel setup using Data Connectors not connected to the content hub packages. Examples are Azure KeyVault, XDR, Entra etc. If we were to install these content hub packages to utilise the content provided what happens to the existing…

Microsoft Sentinel
asked 2025-02-27T11:37:41.95+00:00
sam.holmes 0 Reputation points
answered 2025-02-28T02:02:20.15+00:00
Navya 15,800 Reputation points Microsoft Vendor
1 answer One of the answers was accepted by the question author.

Azure Activity Sentinel Data Connector

Hi, I'm trying to enable the Azure Activity Sentinel Data Connector. I've managed to install it, and when I follow the 'Launch Azure Policy Assignment Wizard' it completes successfully; however, the Azure Activity Data Connector never shows 'green/connected'…

Microsoft Sentinel
asked 2025-02-27T09:28:56.4766667+00:00
Rondo Huang (SOS Group Limited) 0 Reputation points
accepted 2025-02-28T01:44:57.46+00:00
Rondo Huang (SOS Group Limited) 0 Reputation points
1 answer

Sentinel Analytics Rule not creating incident

I have worked with Microsoft Support and created an Analytics rule to raise an incident when 5 or more failed login attempts are detected, followed by a success. This worked originally but has now stopped working. Nothing has changed. I cannot figure out…

Microsoft Sentinel
asked 2025-02-26T14:51:55.7166667+00:00
Conor Bateman (Alcom IT) 0 Reputation points
answered 2025-02-27T12:45:43.73+00:00
Andrew Blumhardt 9,871 Reputation points Microsoft Employee
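The detection described in this question, written out as an added KQL example (it is not code from the question, from the answer, or from Microsoft Support): five or more failed Entra ID sign-ins from one user and source IP, followed by a successful sign-in from the same user and IP. The threshold of 5 failures, the 30-minute window between the last failure and the success, and the choice of SigninLogs as the source table are assumptions; in SigninLogs a successful sign-in has ResultType "0".

```kql
// Added example, not from the original question.
// Assumed: threshold of 5 failures; the success must occur within 30 minutes
// of the last failure; user and source IP must match across failures and success.
let threshold = 5;
let window = 30m;
let failures = SigninLogs
    | where ResultType != "0"                      // "0" is a successful sign-in
    | summarize FailedCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated),
                FailureCodes = make_set(ResultType)  // e.g. 50126 = bad password
        by UserPrincipalName, IPAddress
    | where FailedCount >= threshold;
let successes = SigninLogs
    | where ResultType == "0"
    | project UserPrincipalName, IPAddress, SuccessTime = TimeGenerated;
failures
| join kind=inner successes on UserPrincipalName, IPAddress
// Only a success that comes after the failure run, and soon after it, counts.
| where SuccessTime > LastFailure and SuccessTime - LastFailure <= window
| project UserPrincipalName, IPAddress, FailedCount, FailureCodes,
          FirstFailure, LastFailure, SuccessTime
```

A scheduled analytics rule runs this query over its configured lookback period ("Lookup data from the last"), so that period must be at least as long as the failure run plus the window; if it is shorter, the failures and the success land in different rule runs and the join never matches. Map UserPrincipalName to the Account entity and IPAddress to the IP entity in the rule's entity mapping so the incident carries both.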
0 answers

Jamf Protect Push Sentinel Connector retention error

Hi, While deploying the Jamf Protect Push Connector in the Sentinel workspace, I'm getting this error. Is it because the retention period is set to 90 days? Do we need to change the retention period in order to deploy this connector?

Microsoft Sentinel
asked 2025-02-27T12:27:04.18+00:00
Pradeep Kumar 20 Reputation points
commented 2025-02-27T12:40:34.4766667+00:00
Pradeep Kumar 20 Reputation points
2 answers

GitHub Analytics rule is not reflecting back to Sentinel

Hello, I configured and connected GitHub repository with Sentinel but the analytics rules which I created in GitHub after commit are not reflecting back to Sentinel. Please advise! Thank you!

Microsoft Sentinel
asked 2025-02-25T08:54:06.2733333+00:00
Gurpreet Singh Suhi 0 Reputation points
answered 2025-02-26T21:43:49.7533333+00:00
Sándor Tőkési 251 Reputation points
1 answer

Microsoft Sentinel: System Assigned Managed Identity can't find location

I'm trying to connect Azure Activity to Microsoft Sentinel. It requires creating a Managed Identity. When creating a System Assigned Managed Identity, a location is required but there's no location options to select. Any idea what could be causing this?…

Microsoft Sentinel
asked 2025-01-10T15:58:49.0066667+00:00
alfalfa 20 Reputation points
answered 2025-02-26T15:54:13.5666667+00:00
John Fedor 0 Reputation points
1 answer

Sentinel Data Connectors Not Loading (CSP Access)

Errors loading Data Connectors on Microsoft Sentinel

Microsoft Sentinel
asked 2025-02-25T11:21:52.7433333+00:00
JW231 0 Reputation points
edited the question 2025-02-26T15:40:31.13+00:00
Alison A 650 Reputation points Microsoft Vendor
0 answers

Workspace transformation cost for native Entra ID connector

Hey team! I want to apply a workspace transformation to the native Entra ID connector and its log types to filter logs only for a specific domain. While from a KQL perspective this is not difficult, I'm doubting whether the cost reduction effect will be applied…

Microsoft Sentinel
asked 2025-02-24T08:53:51.25+00:00
Iliyan Karakashev 0 Reputation points
commented 2025-02-26T09:14:48.1333333+00:00
Sándor Tőkési 251 Reputation points
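The domain filter this question describes, as an added KQL example (not code from the question or its comments): one workspace transformation for the SigninLogs table and one for the AuditLogs table, each keeping only events whose user belongs to an assumed domain, contoso.com. In a workspace transformation the incoming rows are addressed as `source`, and the statement goes into the transformKql of the workspace's data collection rule for that table; the column names used here are the tables' own.

```kql
// Added example; contoso.com is an assumed domain.
// Workspace transformation for SigninLogs: keep only sign-ins by users in the domain.
// endswith is case-insensitive, so mixed-case UPNs still match.
source
| where UserPrincipalName endswith "@contoso.com"

// Workspace transformation for AuditLogs: the actor sits inside the dynamic
// InitiatedBy column, so extract it before filtering. Events initiated by an
// application rather than a user have no UPN and are kept so they are not lost.
source
| extend ActorUpn = tostring(InitiatedBy.user.userPrincipalName)
| where isempty(ActorUpn) or ActorUpn endswith "@contoso.com"
| project-away ActorUpn
```

Rows the transformation drops never reach the workspace, so any analytics rule, hunting query or workbook that expected sign-ins or directory changes from other domains will stop seeing them; check those before enabling the filter, and keep the output columns identical to the table schema (hence the project-away of the helper column).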
2 answers

Azure Activity Data connector not getting deleted from MS Sentinel

I'm not able to delete the Azure Activity data connector from MS Sentinel. I had deleted the Azure policy (the one created by the connector) and also removed the IAM role on the subscription for the managed identities created by the connector while adding it. After all…

Microsoft Sentinel
asked 2025-02-19T12:09:04.6233333+00:00
Muhammad Rizwan 5 Reputation points
commented 2025-02-26T05:25:56.4266667+00:00
Alex Burlachenko 1,665 Reputation points
1 answer

Sentinel unexpected error

Hi! I have an issue with Microsoft Sentinel. Every now and then I get this "unexpected error". When this happens all connectors show as not connected, I can't run any queries nor see any logs. I still receive incidents based on some analytic…

Microsoft Sentinel
asked 2024-09-26T06:28:42.5+00:00
Sebastian Enström 0 Reputation points
answered 2025-02-25T11:36:34.9966667+00:00
Grogu-5582 0 Reputation points
0 answers

Categories AdvancedHunting-IdentityLogonEvents are not supported.

Hi All, I am getting this error (Server error - Categories AdvancedHunting-IdentityLogonEvents are not supported) when trying to onboard the Identity tables to Sentinel. I checked the client's Defender portal and they have the IdentityLogonEvents table,…

Microsoft Sentinel
asked 2025-02-25T10:08:02.3966667+00:00
Shahani Silva 0 Reputation points
edited the question 2025-02-25T10:09:25.7866667+00:00
Shahani Silva 0 Reputation points
2 answers

Why defender is not correlating the Entra ID protection alerts?

Hi Team, In my environment, Entra ID Protection is generating multiple alerts even when the user, IP address, and sign-in events are the same and occur within seconds. These alerts are forwarded to Microsoft Defender, but they are not being correlated,…

Microsoft Sentinel
Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
251 questions
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
23,423 questions
asked 2025-02-17T14:53:42.8366667+00:00
Supriya Nelluri 0 Reputation points
commented 2025-02-24T14:56:23.62+00:00
Supriya Nelluri 0 Reputation points
1 answer

Alert XX was added to the incident by Microsoft Defender XDR - alert correlation

Hey, I am sending alarms/incidents from another SIEM to sentinel for centralization. The goal is that sentinel mirrors the alarms/incidents exactly. The data is sent to a custom log table, in the log analytics workspace through an API call, and I have a…

Microsoft Sentinel
asked 2025-02-18T07:01:10.58+00:00
Horne, Lorents Birkeland 0 Reputation points
answered 2025-02-24T14:44:03.8633333+00:00
Sakshi Devkante 1,240 Reputation points Microsoft Vendor
1 answer

Filtering Logs

We have an rsyslog server on prem that we are sending on-premise firewall, switch and load balancer logs to. We are using the Cisco FTD connector for our firewalls and the regular Syslog one for everything else. The problem I am having is that the FTD logs are…

Microsoft Sentinel
asked 2025-02-21T01:46:21.6366667+00:00
Gary S 0 Reputation points
edited a comment 2025-02-21T20:34:37.0833333+00:00
Gary S 0 Reputation points
0 answers

Data connector buttons are grayed out saying No permissions

I cannot enable the Microsoft Defender XDR connector in Sentinel despite being logged in as owner of the tenant, subscription and resource group. My licence is Microsoft 365 Business Premium, which I see in the documentation is a Microsoft XDR-eligible licence.

Microsoft Sentinel
Microsoft Defender for Identity
asked 2025-02-13T12:41:56.3866667+00:00
gutta bachelor 0 Reputation points
commented 2025-02-21T10:50:00.04+00:00
Navya 15,800 Reputation points Microsoft Vendor
0 answers

KQL Queries not showing results

No matter what is attempted in KQL, all queries consistently run past 30 minutes. Repeated attempts to recreate the VMs, Sentinels, Workspaces, etc., have not resolved the issue.

Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
8,432 questions
Microsoft Sentinel
asked 2025-02-15T20:02:19.6533333+00:00
MTOrion 0 Reputation points
commented 2025-02-21T00:41:43.34+00:00
Nagarjuna Reddy Yanna 10 Reputation points Microsoft Vendor
1 answer

Connect data to Microsoft Sentinel using data connectors Salesforce

I need help integrating Salesforce and Wiz into my SIEM.

Viva Connections
A Microsoft Viva module that provides a gateway to a modern engagement experience.
106 questions
Microsoft Sentinel
Microsoft Entra ID
asked 2025-02-10T14:57:39.59+00:00
Dunham, Jermey 0 Reputation points
commented 2025-02-20T04:52:13.6366667+00:00
Chaithra E 480 Reputation points Microsoft Vendor
1 answer

Cannot read data from Cloudflare in Azure Sentinel

I have already set up Logpush from Cloudflare to Azure Sentinel. It only shows the test log.

Microsoft Sentinel
asked 2025-02-11T01:11:01.3066667+00:00
amir rachman 0 Reputation points
commented 2025-02-19T21:25:31.0833333+00:00
Raja Pothuraju 14,990 Reputation points Microsoft Vendor