Cant Import Sentinel Alert Rules
Good morning, I am having difficulty importing sentinel rules after I deleted old ones. I deleted the old rules on friday 9/27 9am EST and am getting the error the rule with ID 'xyz' was recently deleted. You need to allow some time before re-using the…
What is the application "Office 365 Management" (AppId 00b41c95-dab0-4487-9791-b9d2c32c80f2) and why is Conditional Access not applied to it?
I am investigating a security incident and I have identified entries in the MS Sentinel SigninLogs table that might be related to the breach with the attributes: AppDisplayName: Office 365 Management AppId:…
How to enable Azure Activity Sentinel Data Connector
Hi, I'm trying to enable Azure Activity Sentinel Data Connector. I've manage to install it and when I follow the 'Launch Azure Policy Assignment Wizard' it completes successfully, however the Azure Activity Data Connector never shows 'green/connected'…
Cannot enable UEBA feature on Sentinel
Hi, I'm having some issues while trying to enable the UEBA feature in a Sentinel instance. When I try to turn the switch ON, I get the following error message: "Updating the Entity Providers failed". I've seen 2 questions related to this…
Difficulty Identifying Edited Rules in Azure Firewall Logs via KQL
Hello, community! I'm having trouble identifying specific changes to Azure Firewall rules through KQL (Kusto Query Language). After modifying certain firewall rules, I can see that edits have occurred through the firewall’s logs tab (where it shows a…
Sentinel duplicate alerts and incidents
In sentinel We have an alert "User Assigned Privileged Role" and it repeats every hour for a day or two. How do I stop it repeating itself. The rule itself triggers when an administrator changes permissions for another user (or themselves)…
How to Upload Carbon Black Logs and Alerts into Azure Sentinel for Evaluation
I am trying to evaluate how much Azure Sentinel helps my business's security needs. I am particularly interested in seeing how well Azure Sentinel can cluster alerts together. I have taken a small amount of EDR logs and alerts (which are in json format)…
How to do a recursive function with KQL
I have table in Sentinel for all employees. Each lines has an name, employee ID and a direct supervisor ID. I want to be able to give the supervisor ID, and from there, have a recursive loop that will verify all employee who has that supervisor as a…
How can I configure Microsoft Sentinel to create a new incident instead of adding to an existing one?
I'm facing an issue in Microsoft Sentinel where incidents generated by an analytics rule are automatically closing and merging with an existing "multiple-stage" incident. As shown in the attached screenshot, each new incident created by the…
Pagination in MS Sentinel Threat Indicators API
I am using the below endpoint to list Azure Sentinel Threat Indicators. I have about 350~ in the MS Sentinel instance, and when I query the endpoint it gives me the first 100 and also a nextLink value. I query the next set using the nextlink value and…
How I can see criticality level of subscription in Azure sentinel
Generally, we can configure criticality level of subscription in Azure portal so how we can see such information in Azure sentinel logs.
Incidents in Microsoft Sentinel Auto-Closing Without Automation Rules
I'm currently using Microsoft Sentinel and noticing that some incidents are automatically closing themselves, sometimes with the reason "resolved at source" or no comment at all. I've checked for any automation rules or playbooks that might be…
AWS S3 bucket logs not ingesting to Microsoft Sentinel
I have configured the AWS S3 data connector in Microsoft Sentinel. Ref: https://learn.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3. I have created a S3 bucket and Simple queue service as documented on the connector page. Furthermore, I have…
How to retrieve a DCR Immutable Id from createUiDefinition
Hi Community, I am testing UX for Sentinel Solution on https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/SandboxBlade I am wondering after obtaining the Resource Group, workspace, and Data Collection Rule, I would like to further retrieve the…
Verification Failed when trying to deploy custom Sentinel template on Azure
Hello, I am having an issue deploying my custom Sentinel template in which I can't get validated because I don't have the write permissions for 'microsoft.aadiam/diagnosticSettings/write' at scope…
Do AMA Collectors Require Static IP Addresses?
When deploying multiple AMA agents, do the IP addresses need to be static for each agent, or can they be dynamic/shared?
How to configure a new DCR to ingest to an existing Custom Log table?
Hi All, I am currently migrating existing syslog logfeeds running over Logstash pipelines with the "microsoft-logstash-output-azure-loganalytics" output module to Logstash pipelines with the…
Which table should I use to pull log ingestion numbers for Computers?
Hello everyone, I have been tasked by a client to create a query to get the total monthly log ingestion from a group of Computers using a Watchlist. My first thought was to use the Usage table, join that with the Watchlist and then get the log ingestion…
Is there a way to Query all Table Schemas to count How many Columns every Table in Sentinel has using KQL
I am Trying to return a list of tables where they have more than a certain amount of columns, get schema works but it would be a painful task to run it for every table. The Table name is also not maintained when you run getSchema so I tried to union all…
Change path on Linux for Azure AMA and CEF Collectors
I'm setting up Azure Monitoring Agents on Linux with CEF Collector. I would like to change the cache directories to a separate drive. Can anyone point me to where these paths are configured?