Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,241 questions
0 answers
How do I get windows firewall logs my workspace?
I have a W11 endpoint, not a VM btw. I deployed AMA through Intune. AMA is running fine. My workspace is only showing Heartbeat logs for the endpoint. I need FW logs. I made sure public, private & domain profiles are enabled on my endpoint. I made…
asked 2025-03-11T19:02:46.3033333+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(38.4, 78%, 13%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFS%3C/text%3E%3C/svg%3E)
F S
0
Reputation points
commented 2025-03-12T06:20:57.86+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(60.8, 94%, 15%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESN%3C/text%3E%3C/svg%3E)
Sándor Tőkési
251
Reputation points
2 answers
Connect failed. Details: Failed to retrieve auth token from provider
I'm trying to connect Sentinel with Workday User Activity connector but I'm getting this error message "Failed to retrieve auth token from provider". Can anybody help out on this/.
asked 2025-03-10T20:19:09.15+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 68%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
Kibalatu
1
Reputation point
answered 2025-03-11T22:11:01.3566667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 45%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAV%3C/text%3E%3C/svg%3E)
Akhilesh Vallamkonda
12,820
Reputation points Microsoft External Staff
1 answer
Creating Sentinel Incidents for Subscription-Based Security Score Recommendations
I am looking for a way to generate Sentinel incidents based on security score recommendations for subscriptions (as shown in the attached example). Is there a method to achieve this so that we can receive real-time notifications and take immediate action…
asked 2025-03-05T09:31:55.1+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 28.999999999999996%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESC%3C/text%3E%3C/svg%3E)
Someiah C S
100
Reputation points
commented 2025-03-11T19:58:07.58+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Raja Pothuraju
16,040
Reputation points Microsoft External Staff
2 answers
Alert XX was added to the incident by Microsoft Defender XDR - alert correlation
Hey, I am sending alarms/incidents from another SIEM to sentinel for centralization. The goal is that sentinel mirrors the alarms/incidents exactly. The data is sent to a custom log table, in the log analytics workspace through an API call, and I have a…
asked 2025-02-18T07:01:10.58+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 37%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EHL%3C/text%3E%3C/svg%3E)
Horne, Lorents Birkeland
0
Reputation points
commented 2025-03-11T14:09:04.2466667+00:00
Horne, Lorents Birkeland
0
Reputation points
0 answers
Solution Architect
Provide a list of the Microsoft Sentinel Impact assessment
asked 2025-03-10T19:49:41.7066667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 31%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFD%3C/text%3E%3C/svg%3E)
Flint David
0
Reputation points
asked 2025-03-10T19:49:41.7066667+00:00
Flint David
0
Reputation points
1 answer
Microsoft Sentinel Question in Practice Exam for SC 200
Question: You have an Azure subscription that uses Microsoft Sentinel. You create a user named Admin1. You need to ensure that Admin1 can add playbooks in Microsoft Sentinel. The solution must follow the principle of least privilege. Which role should…
asked 2024-12-07T12:47:14.5566667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 38%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVA%3C/text%3E%3C/svg%3E)
Volston Abreo
0
Reputation points
answered 2025-03-08T21:41:50.01+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 38%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMP%3C/text%3E%3C/svg%3E)
Marcin Policht
38,470
Reputation points MVP
2 answers
Why defender is not correlating the Entra ID protection alerts?
Hi Team, In my environment, Entra ID Protection is generating multiple alerts even when the user, IP address, and sign-in events are the same and occur within seconds. These alerts are forwarded to Microsoft Defender, but they are not being correlated,…
asked 2025-02-17T14:53:42.8366667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 76%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESN%3C/text%3E%3C/svg%3E)
Supriya Nelluri
0
Reputation points
commented 2025-03-07T10:16:40.2733333+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 22%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESD%3C/text%3E%3C/svg%3E)
Sakshi Devkante
1,335
Reputation points Microsoft External Staff
1 answer
microsoft sentinel data connectors not visualised in overview dashboard(GCP audit log connector)?
i have configured a GCP audit log data connector & GCP firewall data connector to my Microsoft sentinel , the connectors fetch the metrics from the source , but in the overview page of Microsoft sentinel shows no data connectors,
asked 2025-02-26T11:11:48.39+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(252.8, 36%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAA%3C/text%3E%3C/svg%3E)
Aswath A
0
Reputation points
commented 2025-03-06T20:47:19.3266667+00:00
Raja Pothuraju
16,040
Reputation points Microsoft External Staff
1 answer
One of the answers was accepted by the question author.
How to send different tenant's Azure WAF log to tenant with Sentinel Configured?
Hello, I have 2 tenants. A tenant : WAF configured (Sentinel x) B tenant : Sentinel configured( WAF x) I would like to analyze A's logs in tenant B's sentinel. How can I configure? I think I should configure Azure lighthouse, is it right? If not,…
asked 2023-06-02T07:38:39.8566667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(92.8, 22%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
mara7
166
Reputation points
commented 2025-03-05T14:14:41.5766667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(192, 78%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK3%3C/text%3E%3C/svg%3E)
KateGokul-3672
0
Reputation points
0 answers
Jamf Protect Push Sentinel Connector retention error
Hi, While deploying Jamf Protect Push Connector in sentinel Workspace, I'm getting this error. Is it because the retention period is set to 90 day? Do we need to change the retention period in order to deploy this connector?
asked 2025-02-27T12:27:04.18+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 47%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EPK%3C/text%3E%3C/svg%3E)
Pradeep Kumar
20
Reputation points
commented 2025-03-04T22:42:51.87+00:00
Raja Pothuraju
16,040
Reputation points Microsoft External Staff
2 answers
Filtering Logs
We have a rsyslog server on prem that we are sending on premise firewall, switch and load balancer logs to. We are using the Cisco FTD connector for our firewalls and the regular syslog on for everything else. Problem I am having is that the FTD logs are…
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 16%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
1 answer
Legacy Data Connectors being updated to use Content Hub
We've inherited a Sentinel setup using Data Connectors not connected to the content hub packages. Examples are Azure KeyVault, XDR, Entra etc. If we were to install these content hub packages to utilise the content provided what happens to the existing…
asked 2025-02-27T11:37:41.95+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(124.80000000000001, 77%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
sam.holmes
5
Reputation points
commented 2025-03-04T10:30:27.3266667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 5%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ES%3C/text%3E%3C/svg%3E)
SrideviM
755
Reputation points Microsoft External Staff
2 answers
Sentinel Data Connectors Not Loading (CSP Access)
Errors loading Data Connectors on Microsoft Sentinel
asked 2025-02-25T11:21:52.7433333+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(300.8, 20%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJ%3C/text%3E%3C/svg%3E)
JW231
0
Reputation points
commented 2025-03-04T09:55:09.57+00:00
Sakshi Devkante
1,335
Reputation points Microsoft External Staff
2 answers
GitHub Analytics rule is not reflecting back to Sentinel
Hello, I configured and connected GitHub repository with Sentinel but the analytics rules which I created in GitHub after commit are not reflecting back to Sentinel. Please advise! Thank you!
asked 2025-02-25T08:54:06.2733333+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 11%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGS%3C/text%3E%3C/svg%3E)
Gurpreet Singh Suhi
10
Reputation points
commented 2025-03-04T06:49:08.5533333+00:00
SrideviM
755
Reputation points Microsoft External Staff
0 answers
Automated Automation Rule Deployment - Stuck with Service Principle Permissions via Lighthouse
(Sorry for the tag, i couldnt find somthing closer to Microsoft Sentinel via Service Principal through Lighthouse) Hi, I am trying to create a product where we essentially automatically deploy resources to customer environments for MSSP support. One of…
asked 2025-02-27T19:13:37.4233333+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 16%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMJ%3C/text%3E%3C/svg%3E)
Ma Je
0
Reputation points
commented 2025-02-28T15:16:35.6666667+00:00
Sándor Tőkési
251
Reputation points
0 answers
Could not trigger playbook: xxx . An internal server error occurred. Please contact support for assistance.
Dear team, We are facing a problem with triggering a rule in sentinel. In sentinel we have a rule set to incident updated -> run playbook. As of 2:00 am this morning the automation rule is unable to run the playbook. The error that is seen in the…
asked 2025-02-28T13:53:46.0066667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(83.2, 31%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVC%3C/text%3E%3C/svg%3E)
Vojtěch Mikeška
0
Reputation points
asked 2025-02-28T13:53:46.0066667+00:00
Vojtěch Mikeška
0
Reputation points
1 answer
Sentinel Analytics Rule not creating incident
I have worked with Microsoft Support and created an Analytics rule to raise an incident when 5 or more failed login attempts are detected, followed by a success. This worked originally but has now stopped working. Nothing has changed. I cannot figure out…
asked 2025-02-26T14:51:55.7166667+00:00
Conor Bateman (Alcom IT)
0
Reputation points
commented 2025-02-28T13:13:59.7733333+00:00
Raja Pothuraju
16,040
Reputation points Microsoft External Staff
0 answers
Workspace transformation cost for native Entra ID connector
Hey team! I want to apply workspace transformation to the native Entra ID connector and it's log types to filter logs only for specific domain. While from KQL perspective this is not difficult, I'm doubting if the cost reduction effect will be applied…
asked 2025-02-24T08:53:51.25+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 79%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIK%3C/text%3E%3C/svg%3E)
Iliyan Karakashev
5
Reputation points
commented 2025-02-28T11:41:49.1666667+00:00
Iliyan Karakashev
5
Reputation points
1 answer
Categories AdvancedHunting-IdentityLogonEvents are not supported.
Hi All, I am getting this error ( Server error - Categories AdvancedHunting-IdentityLogonEvents are not supported) when trying to onboard the Identity tables to sentinel. I checked the clients Defender portal and they have the IdentityLogonEvents table,…
asked 2025-02-25T10:08:02.3966667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 84%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESS%3C/text%3E%3C/svg%3E)
Shahani Silva
0
Reputation points
answered 2025-02-28T08:53:28.7033333+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 17%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EGM%3C/text%3E%3C/svg%3E)
Givary-MSFT
35,456
Reputation points Microsoft Employee
0 answers
Microsoft Sentinel API - "triggerRuleRun" ExecutionTimeUtc Always Invalid
Issue Summary We are trying to manually trigger a Microsoft Sentinel Scheduled Analytics Rule using the triggerRuleRun API, but it always fails with the following error: { Even when using the correct timestamp format, the API never accepts…
asked 2025-02-19T10:13:34.1966667+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(204.8, 64%, 29%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Shafiq Aziz (Admin Account)
5
Reputation points
edited a comment 2025-02-28T04:52:04.1+00:00
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 77%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER%3C/text%3E%3C/svg%3E)
Rukmini
11
Reputation points Microsoft External Staff