How to check the Azure Sentinel health for all the workspaces in my organization?
Can someone help on how to check the Sentinel status across all the workspaces in the organization?
Microsoft Sentinel for SAP - No Audit Log Data - other data is visible
Hello all, we have a strange issue - we don't receive AUDIT LOG data in MS Sentinel for SAP - other data is successfully transferred: SM19/SM20 is activated with content on SAP side (checked:…
Summary rules - showing 404
I can no longer view summary rules. When I click on Summary rules it shows an error "NOT FOUND". Has anybody noticed this lately? It was working pretty well before the 5th of December.
Mismatch in amount of data received in Log Analytics workspace and DCR metrics
I have defined a data collection rule and am using the Logs Ingestion API to send data to 2 custom tables. I have defined diagnostic settings for the DCR such that error logs are sent to the Log Analytics workspace. For about an hour, I have events ingested…
What is the application "Office 365 Management" (AppId 00b41c95-dab0-4487-9791-b9d2c32c80f2) and why is Conditional Access not applied to it?
I am investigating a security incident and I have identified entries in the MS Sentinel SigninLogs table that might be related to the breach with the attributes: AppDisplayName: Office 365 Management AppId:…
Add Microsoft Sentinel to Log Analytics Workspace using Ansible
I am trying to create a Log Analytics Workspace with Microsoft Sentinel using Ansible following this module: https://docs.ansible.com/ansible/latest/collections/azure/azcollection/azure_rm_loganalyticsworkspace_module.html - name: Create a workspace…
Summary rules - Limit on total aggregated size
Folks, I'm trying to use summary rules to aggregate firewall logs. There's a hard size limit from MS per result of 100 MB which I think is not up to the mark for firewall logs. While summarizing I'm creating two sets and grouping by 7 other fields (I…
Unable to Access Log Analytics Demo (aka.ms/lademo)
Hello, I have been using the Log Analytics demo environment to help train for KQL for the last month. Recently, I have no idea what changed, but I have lost access to the public and free environment at "aka.ms/lademo". I have tried all…
Will incident syncing be delayed after we configure the unified platform?
Hello team, We are planning to enable the Sentinel workspace in the Defender XDR portal to get the unified portal experience. I have a question: will there be a delay in the syncing of incidents from Defender to Sentinel after this change? I have searched but…
Microsoft Defender for Endpoint creates a large amount of PowerShell logs
Hello, we are using Defender for Endpoint and MS Sentinel. To enhance security, we would like to enable PowerShell logging on all devices. But when we enable it, we get 10 times more logs than before. I analyzed the incoming logs and found out that…
Sentinel - interaction_required error
Hello, can you help me solve the following error? { "sessionId": "9d6b455200394724a4301aa37f8f75ea", "errors": [ { "errorMessage": "interaction_required: AADSTS160021: Application requested a…
Microsoft Sentinel for SAP - Connect your SAP system to Microsoft Sentinel - Failed to create configuration AccessDenied
Hello all, while adding a SAP backend system (Add new system) to Sentinel for SAP in the Azure Portal we get an error message. The collector VM is visible as healthy in the portal. When selecting the agent in the dropdown, directly the error message FAILED TO…
Analytic Rules for Log Forwarder
Good day, May you kindly assist with KQL queries to create these 4 analytics rules in our environment: Log Rate-Insufficient, Agent Heartbeat Latency, Agent Heartbeat Monitor, Agent-Health-Alert.
How to integrate Palo Alto firewall on-premises and cloud with Microsoft Sentinel step by step
How to integrate Palo Alto firewall on-premises and cloud with Microsoft Sentinel step by step
I cannot Login to Sentinel. All other admin portals work fine.
I get this error every time I log in. I tried clearing cookies, cache, Incognito mode. Nothing works.
Issue Viewing Sentinel incidents (Token Issue)
Hey y'all, I've been having some issues viewing Sentinel incidents. After I sign in and navigate to our Sentinel workspace and click on "incidents", I'm greeted with the error below. Another co-worker, SOC, and myself can't see this page. I was…
I want to find the devices in my Azure environment that are using the most resources. I then want to find out how much these devices are costing us a month. What is the best way to do this?
I'm new to Azure. I have hundreds of devices on my work network and want to find the devices that are the most active and using the most resources. I want to use the most active device as a baseline so that I know the maximum amount that I can expect to…
Unexplained Non-interactive Sign-ins
Hi Forum, I have been trying to identify the unexplained successful non-interactive sign-ins and mark them as "benign" with proof/evidence. Our organisation has blocked all logins from non-UK IP addresses. It works fine for interactive…
Duplicate SecurityEvent logging after migrating from MMA to AMA
Greetings, I added a few extra tags to this as we are not quite sure of why we cannot Disconnect or Delete the Security Events Via the Legacy Agent Connector from our Sentinel environment. All Azure VMs have been migrated from the MMA (Legacy) agent to…
DataBahn integration with Sentinel
Hi All, One of my team wants to use DataBahn for log ingestion to Sentinel. Can anyone help me with the process?