1,157 questions with Microsoft Sentinel tags

1 answer

Can't Import Sentinel Alert Rules

Good morning, I am having difficulty importing Sentinel rules after I deleted old ones. I deleted the old rules on Friday 9/27 9am EST and am getting the error the rule with ID 'xyz' was recently deleted. You need to allow some time before re-using the…

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,157 questions
asked 2024-09-30T13:22:40.92+00:00
Eugene Golovanyuk 35 Reputation points
commented 2024-11-07T18:19:18.3966667+00:00
Igor Guarisma 0 Reputation points
0 answers

What is the application "Office 365 Management" (AppId 00b41c95-dab0-4487-9791-b9d2c32c80f2) and why is Conditional Access not applied to it?

I am investigating a security incident and I have identified entries in the MS Sentinel SigninLogs table that might be related to the breach with the attributes: AppDisplayName: Office 365 Management AppId:…

Microsoft Sentinel
asked 2024-11-07T16:22:56.1666667+00:00
Tilman Schmidt 0 Reputation points
1 answer

How to enable Azure Activity Sentinel Data Connector

Hi, I'm trying to enable the Azure Activity Sentinel Data Connector. I've managed to install it, and when I follow the 'Launch Azure Policy Assignment Wizard' it completes successfully; however, the Azure Activity Data Connector never shows 'green/connected'…

Microsoft Sentinel
asked 2024-11-07T12:11:18.33+00:00
Silva, Luis 0 Reputation points
commented 2024-11-07T14:22:45.7333333+00:00
Silva, Luis 0 Reputation points
1 answer

Cannot enable UEBA feature on Sentinel

Hi, I'm having some issues while trying to enable the UEBA feature in a Sentinel instance. When I try to turn the switch ON, I get the following error message: "Updating the Entity Providers failed". I've seen 2 questions related to this…

Microsoft Sentinel
asked 2024-11-06T12:02:39.82+00:00
Alberto Barrado Jiménez 0 Reputation points
commented 2024-11-07T14:21:03.9766667+00:00
Givary-MSFT 33,081 Reputation points Microsoft Employee
0 answers

Difficulty Identifying Edited Rules in Azure Firewall Logs via KQL

Hello, community! I'm having trouble identifying specific changes to Azure Firewall rules through KQL (Kusto Query Language). After modifying certain firewall rules, I can see that edits have occurred through the firewall’s logs tab (where it shows a…

Azure Firewall
An Azure network security service that is used to protect Azure Virtual Network resources.
680 questions
Azure Firewall Manager
An Azure service that provides central network security policy and route management for globally distributed, software-defined perimeters.
93 questions
Microsoft Sentinel
asked 2024-11-07T14:16:55.0666667+00:00
Hyago Santana Mariano 20 Reputation points
1 answer One of the answers was accepted by the question author.

Sentinel duplicate alerts and incidents

In Sentinel we have an alert "User Assigned Privileged Role" and it repeats every hour for a day or two. How do I stop it repeating itself? The rule itself triggers when an administrator changes permissions for another user (or themselves)…

Microsoft Sentinel
asked 2024-11-06T15:31:49.9433333+00:00
Son man 20 Reputation points
accepted 2024-11-07T13:29:36.64+00:00
Son man 20 Reputation points
2 answers

How to Upload Carbon Black Logs and Alerts into Azure Sentinel for Evaluation

I am trying to evaluate how much Azure Sentinel helps my business's security needs. I am particularly interested in seeing how well Azure Sentinel can cluster alerts together. I have taken a small amount of EDR logs and alerts (which are in json format)…

Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
3,220 questions
Microsoft Sentinel
asked 2024-11-05T17:55:49.1566667+00:00
psec-comp 0 Reputation points
answered 2024-11-06T12:12:44.0266667+00:00
Andrew Blumhardt 9,861 Reputation points Microsoft Employee
2 answers

How to do a recursive function with KQL

I have a table in Sentinel for all employees. Each line has a name, employee ID and a direct supervisor ID. I want to be able to give the supervisor ID, and from there, have a recursive loop that will verify all employees who have that supervisor as a…

Microsoft Sentinel
asked 2024-11-01T19:34:43.5533333+00:00
GuyP Dubois 0 Reputation points
answered 2024-11-06T10:12:36.93+00:00
Clive Watson 6,521 Reputation points MVP
1 answer

How can I configure Microsoft Sentinel to create a new incident instead of adding to an existing one?

I'm facing an issue in Microsoft Sentinel where incidents generated by an analytics rule are automatically closing and merging with an existing "multiple-stage" incident. As shown in the attached screenshot, each new incident created by the…

Microsoft Sentinel
asked 2024-10-29T05:26:13.2566667+00:00
mara7 166 Reputation points
commented 2024-11-06T09:06:14.4466667+00:00
Clive Watson 6,521 Reputation points MVP
1 answer

Pagination in MS Sentinel Threat Indicators API

I am using the below endpoint to list Azure Sentinel Threat Indicators. I have about 350~ in the MS Sentinel instance, and when I query the endpoint it gives me the first 100 and also a nextLink value. I query the next set using the nextLink value and…

Microsoft Sentinel
asked 2024-09-30T16:48:50.29+00:00
JB 0 Reputation points
answered 2024-11-05T09:26:16.4433333+00:00
Pauline Mbabu 480 Reputation points Microsoft Employee
1 answer One of the answers was accepted by the question author.

How can I see the criticality level of a subscription in Azure Sentinel

Generally, we can configure the criticality level of a subscription in the Azure portal, so how can we see such information in Azure Sentinel logs?

Microsoft Sentinel
asked 2024-11-04T06:40:27.5366667+00:00
Nishit 60 Reputation points
accepted 2024-11-05T06:18:49.3+00:00
Nishit 60 Reputation points
1 answer One of the answers was accepted by the question author.

Incidents in Microsoft Sentinel Auto-Closing Without Automation Rules

I'm currently using Microsoft Sentinel and noticing that some incidents are automatically closing themselves, sometimes with the reason "resolved at source" or no comment at all. I've checked for any automation rules or playbooks that might be…

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,411 questions
Microsoft Sentinel
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,093 questions
asked 2024-10-17T14:15:27.48+00:00
Hyago Santana Mariano 20 Reputation points
accepted 2024-11-04T19:55:29.14+00:00
Hyago Santana Mariano 20 Reputation points
1 answer

AWS S3 bucket logs not ingesting to Microsoft Sentinel

I have configured the AWS S3 data connector in Microsoft Sentinel. Ref: https://learn.microsoft.com/en-us/azure/sentinel/connect-aws?tabs=s3. I have created an S3 bucket and Simple Queue Service queue as documented on the connector page. Furthermore, I have…

Microsoft Sentinel
asked 2024-08-06T11:51:09.73+00:00
Deep Thakkar 10 Reputation points
commented 2024-11-04T12:53:20.8033333+00:00
Deep Thakkar 0 Reputation points
2 answers

How to retrieve a DCR Immutable Id from createUiDefinition

Hi Community, I am testing the UX for a Sentinel Solution on https://portal.azure.com/#blade/Microsoft_Azure_CreateUIDef/SandboxBlade. I am wondering, after obtaining the Resource Group, workspace, and Data Collection Rule, how I can further retrieve the…

Azure Monitor
An Azure service that is used to collect, analyze, and act on telemetry data from Azure and on-premises environments.
3,317 questions
Microsoft Sentinel
asked 2024-10-29T08:17:55.2266667+00:00
LXF 205 Reputation points
commented 2024-11-04T06:35:09.74+00:00
LXF 205 Reputation points
1 answer

Verification Failed when trying to deploy custom Sentinel template on Azure

Hello, I am having an issue deploying my custom Sentinel template in which I can't get validated because I don't have the write permissions for 'microsoft.aadiam/diagnosticSettings/write' at scope…

Microsoft Sentinel
asked 2024-10-17T22:08:47.4633333+00:00
Aviv Yaaran 0 Reputation points
commented 2024-11-01T04:54:19.54+00:00
Givary-MSFT 33,081 Reputation points Microsoft Employee
1 answer

Do AMA Collectors Require Static IP Addresses?

When deploying multiple AMA agents, do the IP addresses need to be static for each agent, or can they be dynamic/shared?

Azure Monitor
Microsoft Sentinel
asked 2024-10-31T13:38:58.65+00:00
Kyle 0 Reputation points
edited the question 2024-10-31T21:38:01.5233333+00:00
VarunTha 9,185 Reputation points Microsoft Vendor
0 answers

How to configure a new DCR to ingest to an existing Custom Log table?

Hi All, I am currently migrating existing syslog logfeeds running over Logstash pipelines with the "microsoft-logstash-output-azure-loganalytics" output module to Logstash pipelines with the…

Azure Monitor
Microsoft Sentinel
asked 2024-10-31T13:04:33.53+00:00
Callens Nico 0 Reputation points
edited the question 2024-10-31T21:28:07.83+00:00
VarunTha 9,185 Reputation points Microsoft Vendor
1 answer

Which table should I use to pull log ingestion numbers for Computers?

Hello everyone, I have been tasked by a client to create a query to get the total monthly log ingestion from a group of Computers using a Watchlist. My first thought was to use the Usage table, join that with the Watchlist and then get the log ingestion…

Microsoft Sentinel
asked 2024-09-09T20:19:33.94+00:00
Matthew Agosta 0 Reputation points
commented 2024-10-31T02:44:15.3933333+00:00
James Hamil 25,236 Reputation points Microsoft Employee
1 answer

Is there a way to Query all Table Schemas to count How many Columns every Table in Sentinel has using KQL

I am trying to return a list of tables where they have more than a certain amount of columns. getschema works, but it would be a painful task to run it for every table. The table name is also not maintained when you run getschema, so I tried to union all…

Microsoft Sentinel
asked 2024-07-16T11:52:21.9533333+00:00
Andrew Ryan 0 Reputation points
commented 2024-10-30T23:56:38.5866667+00:00
James Hamil 25,236 Reputation points Microsoft Employee
0 answers

Change path on Linux for Azure AMA and CEF Collectors

I'm setting up Azure Monitoring Agents on Linux with CEF Collector. I would like to change the cache directories to a separate drive. Can anyone point me to where these paths are configured?

Azure Monitor
Microsoft Sentinel
asked 2024-09-20T12:23:12.28+00:00
Jody Spoor 0 Reputation points
commented 2024-10-29T11:53:12.26+00:00
Pauline Mbabu 480 Reputation points Microsoft Employee