Azure Sentinel topics
AzureSentinel, Mon, 25 Oct 2021 20:34:09 GMT

Security Event connector - Azure Sentinel
RaghavJain, Fri, 22 Oct 2021 22:17:01 GMT

Hello,

A few days back I enabled the Security Events connector on Sentinel and now I am successfully getting all the security events, but I do not require all security events from the devices because it is just too expensive. Instead I want the security logs for a few of the event IDs mentioned below:

Lock: 4800
Unlock: 4801
Shutdown, restart event IDs: 1074
Signin: 4648, 4624
Signout/logoff: 4647
UAC: 4673, 4688

Is there any way by which security events can be collected with respect to specific event ID(s) as mentioned above?

[user mention] Thanks for your reply to my previous post. It was really helpful! And yes, you rightly said the cost for collecting logs on all is expensive. Looking for some help here as well!

Linux OMS Agent - "no patterns matched" Checkpoint FW Logs
Garfield-P, Fri, 22 Oct 2021 08:12:50 GMT

Hi Community,

We will transfer Checkpoint logs via the OMS agent to Azure Sentinel, but we have some trouble and warnings.

The Checkpoint FW sends the logs via CEF to the syslog server.
Do you have any ideas what's going wrong or what is missing in the config?

Thank you!

--------------------------
omsagent.conf:

<source>
  type tail
  pos_file /backup/syslog/checkpoint/checkpoint.log.pos
  path /backup/syslog/checkpoint/checkpoint.log
  format none
  tag checkpoint
</source>
----------------------

root@XXXXX:~# /opt/microsoft/omsagent/bin/omsagent -c /etc/opt/microsoft/omsagent/$TENANT/conf/omsagent.conf
2021-10-22 08:57:10 +0200 [info]: reading config file path="/etc/opt/microsoft/omsagent/$TENANT/conf/omsagent.conf"
2021-10-22 08:57:10 +0200 [info]: starting fluentd-0.12.40
2021-10-22 08:57:10 +0200 [info]: gem 'fluent-plugin-mdsd' version ''
2021-10-22 08:57:10 +0200 [info]: gem 'fluentd' version '0.12.40'
2021-10-22 08:57:10 +0200 [info]: adding source type="tail"
2021-10-22 08:57:10 +0200 [info]: using configuration file: <ROOT>
  <source>
    type tail
    pos_file /backup/syslog/checkpoint/checkpoint.log.pos
    path /backup/syslog/checkpoint/checkpoint.log
    format none
    tag checkpoint
  </source>
</ROOT>
2021-10-22 08:57:10 +0200 [info]: following tail of /backup/syslog/checkpoint/checkpoint.log
2021-10-22 08:57:10 +0200 [warn]: no patterns matched tag="checkpoint"

Print Job Auditing
NH_Dad2Three, Thu, 21 Oct 2021 19:18:27 GMT

I need to centralize print job monitoring across all workstations. For testing, I enabled the Print Service Operational log on a group of workstations. Then I configured data collection for Error, Warning, and Informational events from that Log Name under the "Agents configuration" blade in Sentinel. Those changes were all made ~24 hours ago. Since then, several test print jobs have been performed, but I don't appear to be receiving any of those log entries. I also have the "Security Events via Legacy Agent" data connector configured and I am seeing security events for the last 24 hours for the same systems.

Any idea what I'm missing?

TIA

Create alert based on no. of open incidents
ClemFandango2055, Thu, 21 Oct 2021 08:42:48 GMT

Hello!

Hoping someone can help... I'm looking to create an email notification based on whether the number of open incidents is greater than X value. Has anyone achieved this, or can anyone provide pointers or guidance on setting up a playbook or similar to achieve this?

Thanks :)

Is it safe to disable the 'Microsoft Defender for Endpoint' connector in Sentinel
Princely, Thu, 21 Oct 2021 05:25:50 GMT

We recently noticed that the 'Microsoft Defender for Endpoint' connector is no longer sending logs to Sentinel instances for the clients we manage.
These now seem to be forwarded through the 'Microsoft 365 Defender (Preview)' connector.
However, I am seeing Sentinel instances where the 'Microsoft 365 Defender (Preview)' connector has not been enabled still receiving MDE logs.

I was wondering if it is safe to enable the 'Microsoft 365 Defender (Preview)' connector and disable the 'Microsoft Defender for Endpoint' connector, or if that would affect the log forwarding?

Regards,
Princely Dmello

How to block IPs trying to hit Key Vaults?
Jeff Walzer, Thu, 21 Oct 2021 10:48:26 GMT

I have an alert - Mass secret retrieval from Azure Key Vault - for an external IP that is trying to access our key vaults over and over. When I check the Azure Key Vault Security workbook and look under the 'Analytics over Key Vault events' tab and then go to Event Analysis > Failed events > Activity by Caller IP, I see this IP at the top of the list, basically launching continuous key vault requests.

How do I go about blocking this IP?

Thx

Broken playbook on GitHub
João Paulo, Wed, 20 Oct 2021 15:54:52 GMT

Hello, the 'deploy to Azure' button for this playbook doesn't work, and when I try to paste the raw code in a new playbook, it fails too. [link]

Appreciate it if the authors could fix it :)

Thank you!

Query for common (legit) remote management solutions
Kyrouz, Wed, 20 Oct 2021 15:12:26 GMT

Reading the CISA alert on Blackmatter Ransomware just now, and it leads me to this question: has someone put together a Defender for Endpoint/Sentinel query to inventory common remote management solutions (particularly those favored by ransomware operators)? I know that I could leverage vulnerability management for this, but I'd like to fashion a Sentinel detection for whenever something unexpected shows up in my environment.

New Blog Post | What's New: Azure Sentinel Threat Intelligence Workbook
JasonCohen1892, Tue, 19 Oct 2021 16:30:32 GMT

What's New: Azure Sentinel Threat Intelligence Workbook

Customers exploring threat intelligence indicators in their cloud workloads today face challenges understanding, aggregating, and actioning data across multiple sources. Threat intelligence is an advanced cybersecurity discipline requiring detailed knowledge of identifying and responding to an attacker based on observation of indicators in various stages of the attack cycle. Azure Sentinel is a cloud native SIEM solution that allows customers to import threat intelligence data from various places such as paid threat feeds, open-source feeds, and threat intelligence sharing communities. Azure Sentinel supports open-source standards to bring in feeds from Threat Intelligence Platforms (TIPs) across STIX & TAXII. Microsoft has released the next evolution of threat hunting capabilities in the Azure Sentinel Threat Intelligence Workbook.

Original Post: New Blog Post | What's New: Azure Sentinel Threat Intelligence Workbook - Microsoft Tech Community

New Blog Post | MITRE ATT&CK technique coverage with Sysmon for Linux
JasonCohen1892, Tue, 19 Oct 2021 16:27:01 GMT

MITRE ATT&CK technique coverage with Sysmon for Linux - Microsoft Tech Community

In this blog, we will focus in on the Ingress Tool Transfer technique (ID T1105) and highlight a couple of the Sysmon events that can be used to see it. We observe this technique being used against Linux systems and sensor networks regularly, and while we have tools to alert on this activity, it is still a good idea to ensure you have visibility into the host so you can investigate attacks. To look at this technique, we will show how to enable collection of three useful events, what those events look like when they fire, and how they can help you understand what happened. Additionally, we will show what those events look like in Azure Sentinel.

Original Post: New Blog Post | MITRE ATT&CK technique coverage with Sysmon for Linux - Microsoft Tech Community

MCAS Data Connector - Only Resolved/Dismissed Alerts to Azure Sentinel
gregoval, Tue, 19 Oct 2021 09:39:53 GMT

Hi all,

Since yesterday (18/10/2021), we observe that only Security Alerts from MCAS with Status "Dismissed" or "Resolved" are ingested into the Azure Sentinel SecurityAlert table.
Although we have Alerts in the MCAS console with status "Open", we can't see them in Azure Sentinel. Once their status changes to "Resolved" they are normally ingested into Azure Sentinel.

The integration we use is through the Azure Sentinel Native Data Connector for MCAS.

The same issue is also evident in Microsoft 365 Defender. Only "Resolved" Alerts/Incidents are ingested from Cloud App Security.

[screenshot: gregoval_1-1634633688592.png]

Is there any change in the integration between MCAS Alerts and Azure Sentinel?

Regards,
Greg

Azure Sentinel unable to capture Windows firewall logs on domain controller
layolavimalkumar, Mon, 18 Oct 2021 19:44:02 GMT

I have 10 domain controllers with Windows Firewall enabled for incoming connections. Incoming connections that don't have a firewall rule will be blocked. To validate this, we have enabled logging of dropped packets in Windows Firewall. Log collection in Sentinel is not happening after enabling only dropped firewall logs.

I investigated and found that the management pack named "Microsoft.IntelligencePacks.FirewallLog.701" is responsible for collecting the data. The configuration says it captures data from files with the "*.log.old" extension.

On the domain controller, logging works only on "pfirewall.log". A file with the ".log.old" extension is generated only when the "pfirewall.log" log file gets filled. Since we changed it to capture only dropped logs, the file size is not increasing, so the new file with the "*.log.old" extension is not getting created.

The log file size could be reduced, but the log data varies greatly between DCs. If I set the file size too small, we will lose the log data on the servers.

We need to find a better solution.

NetApp Filer Integration with Azure Sentinel
Ashish_Kumar, Mon, 18 Oct 2021 01:21:21 GMT

Hi Folks,

Can someone please guide me on how to integrate NetApp Filers with Azure Sentinel?

Regards,
Ashish Kumar

Can't add playbook to incident automation of an analytics rule.
basc0, Mon, 18 Oct 2021 15:02:56 GMT

Hello,
Whenever I add a playbook to the incident automation of an analytics rule, I get this message after saving it:

[screenshot: photo_2021-10-18_16-28-55.jpg]

The playbooks won't be added to the rule. Other actions like changing the status or assigning an owner are possible.
Does anyone know what the problem may be?

Thank you!

OMS Agent on Azure Sentinel Log forwarder not receiving and forwarding logs to Sentinel workspace
FahadAhmed, Fri, 15 Oct 2021 19:56:15 GMT

Hello,

We have observed that we are no longer receiving Syslog and CEF logs from the Azure Sentinel Log forwarder that is deployed on the client premises. I have performed the following steps:

netstat -an | grep 514
Status: Listening or established (which is fine)

netstat -an | grep 25226
Status: Listening or established (which is fine)

sudo tcpdump -A -ni any port 514 -vv
Status: receive logs from the data sources (which is fine)

sudo tcpdump -A -ni any port 514 -vv | grep (Zscaler IP)
Status: receive logs from the Zscaler data source; the logs showed the Palo Alto name in the CEF messages, which means Zscaler traffic was routed through the firewall (which is fine, as confirmed by the client)

sudo tcpdump -A -ni any port 25226 -vv
Status: No logs were received (Issue Identified)

sudo tcpdump -A -ni any port 25226 -vv | grep (Zscaler IP)
Status: No logs were received (Issue Identified)

Restarted the Rsyslog Service:
service rsyslog restart (After the service restart, Azure Sentinel started receiving the syslog. The Syslog data source came up and is working fine.)

Restarted the OMSAgent Service:
/opt/microsoft/omsagent/bin/service_control restart {workspace ID}
Status: There was no status message and the prompt came back, assuming it restarted in the background (Please confirm if this is normal, not prompting or showing any message.)

After the OMS Agent restart, ran tcpdump again on the OMS Agent to see if it starts receiving the logs, but no luck.

I followed the following link: [link]

Can anyone guide me on what could probably be the cause of this issue? Any help will be much appreciated. Thanks in advance.

New Blog Post | A Quick Guide on Using Sysmon for Linux in Azure Sentinel
JasonCohen1892, Fri, 15 Oct 2021 15:38:57 GMT

A Quick Guide on Using Sysmon for Linux in Azure Sentinel - Microsoft Tech Community

Today, Linux is one of the fastest growing platforms on Azure. Linux based images form over 60% of Azure Marketplace Images. With Azure's support of common Linux distributions growing every day, the sophistication of cyber-attacks targeting Linux continues to grow.

As part of the Sysinternals 25th anniversary, the Sysinternals team released a new Sysmon tool supporting Linux. Sysmon for Linux is an open-source Linux system monitoring tool that helps with providing details on process creations, network connections, file creations and deletions among other things. Sysmon for Linux is based on an eBPF (Extended Berkeley Packet Filter)-based technology targeted at in-kernel monitoring without making any changes to the kernel source code.

By collecting the events it generates using Azure Sentinel and subsequently analyzing them, you can identify malicious or anomalous activity and understand how intruders and malware operate on your network.

Sysmon for Linux can be used to analyze pre-compromise and post-compromise activity, and when correlated with Azure Security Center (ASC)/Azure Defender (AzD) Linux detections this helps in detecting the end-to-end attacker activity.

In this blog post we will be taking a quick look at different log events made available by Sysmon for Linux that defenders can use to gather more information on the alerts triggered in Azure Sentinel.

Original Post: New Blog Post | A Quick Guide on Using Sysmon for Linux in Azure Sentinel - Microsoft Tech Community

Windows 10 Event Logs not appearing on Log Analytics Workspace
RaghavJain, Fri, 15 Oct 2021 14:41:11 GMT

Hello,
I have been trying to get the event logs from Windows 10 devices into a Log Analytics workspace at first. On the 'Agent Configuration' page under the Log Analytics workspace, I have added the Application and System Event Logs. Data for those events is appearing when I run the query.
I want the logs for the below mentioned events:

Signin: 4648
Signout: 4647
UAC: 4673, 4688

Also, apart from these events, on a broader aspect I would require the entire Security event log to be visible under the Log Analytics Workspace, but I cannot see any pre-defined 'Security' Windows event log available on the 'Agent Configuration' page in my Workspace.

Can anyone explain if this is possible and how I would be able to bring the Security event logs to the Workspace?

Thank You!

[screenshot: RaghavJain_0-1634308622373.png]

Sentinel Automation - MFA
edifarnecio, Fri, 15 Oct 2021 12:28:45 GMT

Hello,

I am fairly new to the world of automation. I am looking to automate one of our security incidents based on whether or not MFA has succeeded.

EX: Impossible travel activity incident. Attempted authentication from unknown IPs to a user account. I want to create a playbook that will look at whether or not the unknown IP successfully completed MFA, and if it did, automate some type of account lockout or password reset requirement.

Can anyone explain if this is possible, and if it is possible, how I would go about achieving something like this?

Thank you!

New Blog Post | Automating the deployment of Sysmon for Linux & Azure Sentinel in a lab environment
JasonCohen1892, Thu, 14 Oct 2021 19:16:32 GMT

Automating the deployment of Sysmon for Linux 🐧 and Azure Sentinel in a lab environment 🧪 - Microsoft Tech Community

Today, we celebrate 25 years of Sysinternals, a set of utilities to analyze, troubleshoot and optimize Windows systems and applications. Also, as part of this special anniversary, we are releasing Sysmon for Linux, an open-source system monitor tool developed to collect security events from Linux environments using eBPF (Extended Berkeley Packet Filter) and sending them to Syslog for easy consumption. Sysmon for Linux is built on a library also released today named sysinternalsEBPF, which is built on libbpf, including a library of eBPF inline functions used as helpers.

In this post, we will show you how to automatically deploy a research lab environment with an Azure Sentinel instance and a few Linux virtual machines with Sysmon for Linux already installed and configured, to take it for a drive and explore it.

Original Post: New Blog Post | Automating the deployment of Sysmon for Linux & Azure Sentinel in a lab environment - Microsoft Tech Community

Hunting "Run all Queries"
VikramJha, Wed, 13 Oct 2021 08:20:11 GMT

[screenshot: Sentinel.JPG]

Hi there!

Is there a way that we can automate or schedule the "Run all queries" button under Hunting to run every day? Let's say every morning at 8AM it runs all queries automatically and sends out the report.

Thanks!

auto assessment playbook with "tag indicators"
bobsyouruncle, Wed, 13 Oct 2021 01:51:25 GMT

Has anyone here done any work on the idea of a playbook to perform triage on Sentinel incidents?
e.g.:
If the incident contains a username entity, run these KQL queries and create tags depending on the results.
The tags would represent specific findings, e.g.:
username has been seen in 5 distinct alerts in the past 7 days, so tag name = "5D-User"
IP has been seen in 3 distinct alerts in the past 7 days, so tag name = "3D-IP"
username is sensitive, so tag name = "sensitive-user"

Do you see where I'm going here?
I want to use tags to create a library of common tags which will accelerate triage by identifying interesting indicators.

(I've already created such a playbook, but I'm looking for more ideas to add to it.)

Even if you haven't done such a playbook, please share your ideas for interesting indicators that would help triage an incident.

Thank you!

Enabling AWS data connector as code
Larssen92, Tue, 12 Oct 2021 07:54:13 GMT

Hi,

Has anyone succeeded in enabling the AWS data connector as code? In this example ([link]) other data connectors are enabled through code, but I am unsure how to "add the role" for the AWS data connector.

Assume that the role is already created in the IAM of AWS, and I have the Role ARN.

New Blog Post | Analyzing Endpoints Forensics - Azure Sentinel Connector
JasonCohen1892, Mon, 11 Oct 2021 16:46:23 GMT

Analyzing Endpoints Forensics - Azure Sentinel Connector - Microsoft Tech Community

The field of Endpoint forensics seeks to help investigators reconstruct what happened during an endpoint intrusion. Did an attacker break in because of a missing definition / signature / policy / setting or a configuration, and if so, how? What havoc did the attacker wreak after breaking in? Tools that help investigators answer these types of questions are still quite primitive and are often hindered by incomplete or incorrect information. Analyzing Endpoints Forensics - Azure Sentinel Connector can enable more powerful forensic analysis through techniques such as streaming a computer's EPP (Endpoint Protection) health status, policies, settings, and configuration in addition to IoT vulnerable assets, data events & vulnerabilities.

Device (IT/OT) health state and security configuration policies and settings (Microsoft Defender for Endpoint & Azure Defender for IoT) are critical to the SOC team, helping them to address the following use cases:

- Identifying onboarded devices and their health status
- Activity and a security posture for IT/OT assets
- Viewing the compliance status of the devices based on the security recommendations
- Identifying device vulnerabilities and hence providing a triage-matrix remediation framework

Original Post: New Blog Post | Analyzing Endpoints Forensics - Azure Sentinel Connector - Microsoft Tech Community

Merge identical values from different variables
stianhoydal, Mon, 11 Oct 2021 08:56:40 GMT

Greetings,

I have recently been trying to figure out a decent way to make an alert when a certain amount of informational alerts triggers from other Defender products, like for example large amounts of emails with malicious URLs removed. This could indicate a phishing campaign that I would like to be notified about.

The problem is this:

[screenshot: stianhoydal_0-1633942416986.png]

The sender domains are stored in different parts of Entities although they are from the same sender.
Is there a way to merge these into one variable instead of having them separated like this?

Unable to decode base64 value - Kusto
MatRock345, Sun, 10 Oct 2021 10:24:57 GMT

Hi,

I need your assistance please.
I have the following query:

F5_CL
| where TimeGenerated >= ago(3m) //change to required time
| extend RawData=split(RawData, '##') //split all raw data to specific values
| extend base64Value = tostring(RawData[24]) // base64 value

In base64Value there is a base64 value.
I don't know how to decode this value with extend!
I want each parameter inside of this value to be separated.

Will appreciate your support please.
Thanks!

Normalization and the Azure Sentinel Information Model (ASIM) ARM template deployment
Jeff Walzer, Thu, 07 Oct 2021 13:38:33 GMT

I am looking to deploy the Azure Sentinel Information Model (ASIM) Authentication parsers ARM template from GitHub and was wondering what values Workspace Name and Location are to be defined as, since this is the first time I'm deploying an ARM template.

I have selected the subscription and resource group, but I'm not clear on what is being asked for Workspace Name and Location.

Thx

How to show amount of query results as entity on incident created in Azure Sentinel
Tony555, Thu, 07 Oct 2021 12:51:15 GMT

Hi,

I need to do some simple monitoring on the amount of event logs from our SQL databases to our Log Analytics workspace.

The query looks like this:

SQLEvent | where TimeGenerated > ago(15min)

Then I'm configuring the Alert Threshold to trigger an incident if the number of query results is fewer than 500.

I would like to use Entity mapping to map the query result count so I can quickly see the number without needing to run the query manually.

Is this possible to create?

Regards,
Tony

Adding Windows Security Logs into Azure Sentinel
PawelB1645, Thu, 07 Oct 2021 09:34:52 GMT

Hello,
I wanted to add the Windows Security log into ingestion, but it cannot be done:

[screenshot: PawelB1645_0-1633599072795.png]

although no security events are sent into my Sentinel by default:

[screenshot: PawelB1645_1-1633599123075.png]
[screenshot: PawelB1645_2-1633599196282.png]

The events with the ID 4625 are of course created:

[screenshot: PawelB1645_3-1633599261780.png]

What could I do?

Best regards

Permissions required for Editing Azure Sentinel Workbooks
FahadAhmed, Thu, 07 Oct 2021 08:27:46 GMT

Hello,
I currently have "Contributor" privileges on an Azure tenant that is accessed through Azure Lighthouse. However, I cannot edit the workbooks; there is no option available for that.

I have checked the documentation from the below link that shows that I need to have the "Azure Sentinel Contributor" role in order to edit the workbooks.

Permissions in Azure Sentinel | Microsoft Docs

Can you confirm if "Contributor" permissions are enough, since it says that Contributor "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries"?

Do I still need "Azure Sentinel Contributor" permissions, so I can speak with the admin?

Thanks
Fahad.

Onboarding Ivanti Application Control logs to Azure Sentinel

Hi all,
Just wondering if anyone has onboarded "Ivanti Application Control" logs to Azure Sentinel?

- Log source is on-prem (no cloud presence, and no connector available in Sentinel)
- Product does not support Syslog or CEF
- To extract logs from the central management server you can use a database query (DbConnect in the Splunk world)
OR
- To extract logs from clients you can extract logs from every client in either XML or CSV format

Has anyone on-boarded these
logs before or have any suggestions ?<BR />Thank you<BR /><BR /><BR /><BR /></P> Thu, 07 Oct 2021 01:25:38 GMT Aman_Khan 2021-10-07T01:25:38Z Sentinel Watchlist and KQL query <P>I created a Sentinel VIP user watchlist and would like to use the SecurityAlert logs</P><P>&nbsp;</P><P>I have the following query:</P><P>&nbsp;</P><LI-CODE lang="applescript">SecurityAlert | extend User_Account_ = tostring(parse_json(ExtendedProperties).["User Account"])</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>The VIP user watchlist uses&nbsp;User Principal Name as a field so how can I create an alias for the User_Account field to match the&nbsp;User Principal Name of the User VIP watchlist?</P><P>&nbsp;</P><P>Thx&nbsp;</P> Wed, 06 Oct 2021 12:21:03 GMT Jeff Walzer 2021-10-06T12:21:03Z Palo Alto Syslogs to Sentinel <P>Hi,</P><P>&nbsp;</P><P>We are ingesting Palo Alto firewall logs into Sentinel that seems to be mostly working, however the fields are not populating correctly.</P><P>&nbsp;</P><P>There is an additional field called 'AdditionalExtensions' that contains most of the pertinent information within the log in one big text string, such as destip, srcip, user, etc.</P><P>&nbsp;</P><P>Has any one had this issue before? 
Would this issue be caused by configuration on the Firewall itself, the proxy forwarder, or is there something I can do within Sentinel itself?</P><P>&nbsp;</P><P>Many thanks for any assistance</P> Wed, 06 Oct 2021 03:02:36 GMT Micah-NENZ 2021-10-06T03:02:36Z Cisco AMP and Cisco Securex integration with Azure Sentinel <P>Hello Everyone,</P><P>&nbsp;</P><P>Kindly suggest us how to integrate cisco AMP and Cisco Securex integration with azure sentinel.</P><P>&nbsp;</P><P>&nbsp;</P> Tue, 05 Oct 2021 16:30:41 GMT Pradeepgm 2021-10-05T16:30:41Z Creation of AMSI deactivation rule in Azure Sentinel <P>Hello guys,</P><P>&nbsp;</P><P>I am investigating about the detection of a rule in Azure sentinel, I want to monitor if AMSI has been disabled on a Windows 10 device.</P><P>&nbsp;</P><P>I have run the disable command, but it does not show me anything in the security events. This is command:</P><DIV class=""><DIV class=""><SPAN><SPAN class="">"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue(</SPAN><SPAN class="">$null</SPAN><SPAN class="">,</SPAN><SPAN class="">$true</SPAN><SPAN class="">)"</SPAN></SPAN></DIV><DIV class="">&nbsp;</DIV></DIV><P>I have several questions:</P><P>&nbsp;</P><P>In which section of the events should I look?<BR />Do they appear in the security events?<BR />Can the AMSI event be monitored with the event Id 4688?<BR />How can I see the AMSI status?</P><P>&nbsp;</P><P>Regards.</P><P>&nbsp;</P> Tue, 05 Oct 2021 16:22:37 GMT Cristian_Librero 2021-10-05T16:22:37Z Enable multiple Sentinel Rules from Rule templates <P>Hello,</P><P>is there a way to enable multiple rules from Analytics &gt; rule templates on once or do I need to click them all one by one?</P> Tue, 05 Oct 2021 14:44:50 GMT PawelB1645 2021-10-05T14:44:50Z Investigations - Investigation cannot be used to investigate this incident because of an error. 
<P>Hi,</P><P>I'm really sorry for the newbie comment, but I have both template Analytic rules and my own Analytic rules and map identities to allow the investigation function to work, but I get an error:</P><P>Investigation cannot be used to investigate this incident because of an error, please try again later.</P><P>I'm scratching my head as to what is not working here, even considering rebuilding our Sentinel environment.</P><P>My example:</P><LI-CODE>SecurityEvent
| where EventID == 4688
| where Process == "cscript.exe"
| project StartTimeUtc = TimeGenerated, Computer, Account, NewProcessName, CommandLine, ParentProcessName
| extend timestamp = StartTimeUtc, AccountCustomEntity = Account, HostCustomEntity = Computer</LI-CODE><P>and I have mapped the fields shown.</P><P>Please could anybody kindly help?</P> Tue, 05 Oct 2021 13:12:09 GMT sm4rterguy 2021-10-05T13:12:09Z Specific query - question <P>Hi, I need assistance please.</P><P>Given the following query:</P><LI-CODE>F5_CL
| where TimeGenerated &gt;= ago(3m) // change to required time
| extend RawData = split(RawData, '##') // split all raw data into specific values
| extend remote_address = tostring(RawData[1]) // take external remote address
| extend URL_Path = trim(@'\?(.*)', trim(@'([^\s]+)', tostring(RawData[5])))
| extend responseStatus = tostring(RawData[3])
| summarize count() by URL_Path, remote_address
| where responseStatus != "403" and responseStatus != "404" and responseStatus != "503" and count_ &gt; 150 and remote_address != ""</LI-CODE><P>The problem is that <STRONG>responseStatus</STRONG> is not recognized in the "where" line since it's not part of the summarize. I don't want it to be summarized since it will split all values of <STRONG>responseStatus</STRONG>.</P><P>Does anybody have an idea how <STRONG>and responseStatus != "503"</STRONG> could be made valid in the "where" line?</P><P>I hope the question is clear. Thanks.</P> Tue, 05 Oct 2021 11:31:04 GMT MatRock345 2021-10-05T11:31:04Z Kusto - How to identify content from array of regex <P>Hi,</P><P>I want to create an alert that, given an input, will validate that the input content matches <STRONG>at least</STRONG> one of the regexes from a given structure (array/list/etc.).</P><P>How can I do that? An example would help...</P><P>Thanks.</P> Tue, 05 Oct 2021 11:10:45 GMT MatRock345 2021-10-05T11:10:45Z Create alert when there are no results from query <P>Hi,</P><P>I want to create an alert when there are no results in the last 30 minutes in a specific table.</P><P>How can I do it?</P> Tue, 05 Oct 2021 09:13:58 GMT MatRock345 2021-10-05T09:13:58Z Can we query the NIST RDS from Azure Sentinel? <P>In reference to this SANS Blog "Easy Access to the NIST RDS Database"</P><P>How can I fashion that first lookup into an Azure Sentinel query? I'd love to be able to leverage NIST's list of known good applications during investigations (perhaps as enrichment in a workbook), and my first thought of "download the entire RDS into Azure blobs" just doesn't seem as practical as this.</P> Sun, 03 Oct 2021 14:33:37 GMT Kyrouz 2021-10-03T14:33:37Z Send to Sentinel logs from many Log Analytics <P>Hello dear colleagues, we have several Log Analytics workspaces (13) and one Azure Sentinel. Is it possible to send logs from our 13 Log Analytics workspaces to one Azure Sentinel workspace?</P> Fri, 01 Oct 2021 08:32:17 GMT Artem_Rozhko 2021-10-01T08:32:17Z New Blog Post | The Azure Sentinel Anomalies Simulator <P><A href="" target="_blank" rel="noopener">Azure Sentinel Anomalies Simulator (</A></P> <P>We are pleased to announce the “Unusual Mass Downgrade AIP Label” anomaly simulator, the first in a series of simulators for Azure Sentinel Anomalies. This simulator will populate the table in Azure Sentinel monitored by the relevant anomaly rule with simulated data. This simulated data will trigger an anomaly. You can review the anomaly by querying the Anomalies table for the anomaly rule’s name. These simulators will enable users to validate that an anomaly rule works in their Sentinel workspace.</P> <P>Original Post: <A href="" target="_blank" rel="noopener">New Blog Post | The Azure Sentinel Anomalies Simulator - Microsoft Tech Community</A></P> Thu, 30 Sep 2021 18:49:04 GMT AshleyMartin 2021-09-30T18:49:04Z how to monitor failed rdp login activity for authorized user and wrong password <P>How to monitor failed RDP login activity for an authorized user with a wrong password, as Event ID 4625 is not generated for this condition?</P><P>Event ID 4625 is generated for RDP activity for a user not existing in AD.</P><P>We are collecting Domain Controller logs and target system logs in our Sentinel workspace.</P><P>Can anyone suggest how I can monitor the above-mentioned activity?</P> Thu, 30 Sep 2021 07:54:52 GMT deepak198486 2021-09-30T07:54:52Z Custom mass download alert <P>Greetings, I have been messing around with Cloud App Security and have noticed their mass download alert; unfortunately I seem unable to add exclusions to this alert, so it triggers way too often on totally unimportant SharePoint sites.</P><P>Therefore I have made my own query to check for mass downloads; however, I can't make the query both count how many download operations a user has together with which sites they have downloaded from. It's either how many downloads in total and no info on which site they have downloaded from, or on a per-SharePoint-site basis, which is not very useful when some of the folders are very small and will not trigger on the set threshold.</P><P>My query looks like this, where I have used the extract function to filter out the uninteresting SharePoint sites which the CAS alerts keep triggering on.</P><LI-CODE lang="cpp">let uninterestingPNNNNSites = OfficeActivity // Removes sites containing /p-NNNN, N being a number
| where Operation contains "download"
| extend pGroups = extract("(p+\\-+\\d{4}\\/$)", 1, Site_Url)
| where pGroups != ""
| summarize count() by Site_Url;
let uninterestingPersonalSites = OfficeActivity // Removes /personal sites
| where Operation contains "download"
| extend personalGroups = extract("(\\/+personal+\\/)", 1, Site_Url)
| where personalGroups != ""
| summarize count() by Site_Url;
let uninterestingSiteP = OfficeActivity // Removes the site /p/, this being an old site that is not going to be used.
| where Operation contains "download"
| extend pGroups = extract("(/p/)", 1, Site_Url)
| where pGroups != ""
| summarize count() by Site_Url;
OfficeActivity
| where Operation contains "download"
| where Site_Url !in (uninterestingPersonalSites)
| where Site_Url !in (uninterestingPNNNNSites)
| where Site_Url !in (uninterestingSiteP)
| summarize count() by Site_Url, UserId, ClientIP // Remove Site_Url for total downloads per user
| project-rename Number_of_downloadoperations = count_
| where Number_of_downloadoperations &gt; 300</LI-CODE><P>Preferably I would be able to summarize by only UserId and ClientIP, giving a count of how many downloads they have done in a day, but also attaching a list of which sites they have downloaded from for analysts to act on without having to run their own manual search.</P> Thu, 30 Sep 2021 06:57:55 GMT stianhoydal 2021-09-30T06:57:55Z New Blog Post | Querying WHOIS/RDAP with Azure Sentinel and Azure Functions <P><A href="" target="_blank" rel="noopener">Querying WHOIS/Registration Data Access Protocol (RDAP) with Azure Sentinel and Azure Functions - Mi...</A></P> <P>With the amazing increase in domains and top-level domains (TLDs) on the Internet, it's difficult to know just where our users are going. Newly registered domains, domain generation algorithms, and typo-squatting are all tactics used by adversaries to compromise users. Recently I was talking with a customer about Azure Sentinel and they had a question about if and how they could raise an alert when a user received an email from a newly registered domain (by their definition, any domain that had been registered in the last thirty days). While we don't have a built-in feature for this in Sentinel, it is possible to extend Sentinel to include this type of functionality. This blog post is about one way that such an extension could be created.</P> <P>Original Post: <A href="" target="_blank" rel="noopener">New Blog Post | Querying WHOIS/RDAP with Azure Sentinel and Azure Functions - Microsoft Tech Community</A></P> Wed, 29 Sep 2021 20:59:15 GMT AshleyMartin 2021-09-29T20:59:15Z New Blog Post | Monitoring Azure Sentinel Analytical Rules – Push Health Notifications <P><A href="" target="_blank" rel="noopener">Monitoring Azure Sentinel Analytical Rules – Push Health Notifications - Microsoft Tech Community</A></P> <P>Azure Sentinel Analytical rules help Security Teams discover threats and anomalous behaviors to ensure full security coverage for your environment.</P> <P>After connecting our data sources to Azure Sentinel, first we enable Analytical rules. Each data source comes with built-in, out-of-the-box templates to create threat detection rules.</P> <P>Analytics rules search for specific events or sets of events across your environment, alert you when certain event thresholds or conditions are reached, generate incidents for the SOC to triage and investigate, and respond to threats with automated tracking and remediation processes.</P> <P>Original Post: <A href="" target="_blank" rel="noopener">New Blog Post | Monitoring Azure Sentinel Analytical Rules – Push Health Notifications - Microsoft Tech Community</A></P> Wed, 29 Sep 2021 20:45:16 GMT AshleyMartin 2021-09-29T20:45:16Z Datadog Integration with Azure Sentinel <P>Hi All,</P><P>Are there any resources available surrounding Datadog integration with Azure Sentinel, in terms of forwarding the Datadog signals into the Azure Sentinel platform?</P><P>Kind Regards,<BR />Adam</P> Wed, 29 Sep 2021 14:35:39 GMT AdamPowell 2021-09-29T14:35:39Z Notebook could not be saved error <P>Hello,</P><P>I am using Azure Lighthouse to access one of the client environments. Everything is working fine; I have contributor privileges on the customer tenant. When I try to clone the notebook by saving it, it gives the error "Notebook could not be saved". Any thoughts on how to fix it?</P><P>Thanks</P><P>Fahad</P> Wed, 29 Sep 2021 04:30:25 GMT FahadAhmed 2021-09-29T04:30:25Z Sending Dynamics 365 Non-Prod (Sandbox / Dev / Test / Staging) Logs to Sentinel <P>Hello,</P><P>The new Dynamics 365 connector in Sentinel looks great. However, there currently seems to be a gap in not being able to collect audit logs from Non-Prod (Sandbox / Dev / Test / Staging) D365 environments.</P><P>I'm working with a customer that has a lot of sensitive data (not scrubbed) in their non-prod environments and they need to collect the audit logs into Sentinel. I found this <A href="#" target="_self">KB</A> about how to do this, possibly through Power Apps and the O365 audit log.</P><P>Is there an initiative on the Sentinel team's roadmap to integrate Non-Prod (Sandbox / Dev / Test / Staging) D365 logs into Sentinel via the Data Connector interface in Sentinel (with 1 click)?</P><P>Are there any other limitations I'm not aware of, or am I missing something? I'm definitely not a D365 SME.</P><P>My customer is trying to determine if they should integrate logs with the underlying Power Apps approach or if they should just wait for direct non-prod D365 log support in Sentinel.</P><P>Thank you,</P><P>Todd</P> Tue, 28 Sep 2021 21:21:24 GMT ToddB330 2021-09-28T21:21:24Z New Blog Post | Azure Sentinel Threat Intelligence in Public and Azure Government Cloud <P><A href="" target="_blank" rel="noopener">General Availability of Azure Sentinel Threat Intelligence in Public and Azure Government cloud - Microsoft Tech Community</A></P> <P>In today’s era of growing cyber-attacks, Cyber Threat Intelligence (CTI) is a key factor to help Security Operations Center (SOC) analysts triage and respond to incidents. Azure Sentinel is a cloud-native SIEM solution that allows customers to import threat intelligence data from various places such as paid threat feeds, open-source feeds, and from various threat intelligence sharing communities like ISACs. Today we are announcing the <STRONG>General availability (GA)</STRONG> of <STRONG>Azure Sentinel Threat Intelligence</STRONG> in Public cloud and Azure Government cloud within 30 days from today.</P> <P>Original Post: <A href="" target="_blank" rel="noopener">New Blog Post | Azure Sentinel Threat Intelligence in Public and Azure Government Cloud - Microsoft Tech Community</A></P> Tue, 28 Sep 2021 16:29:00 GMT AshleyMartin 2021-09-28T16:29:00Z Integrating Anomali TI data with Sentinel <P>Hello Experts,</P><P>As we all might already be aware, we can connect to various TI feeds from Sentinel using the TAXII data connectors. We would very much like to go ahead and integrate it with Anomali; however, I had a few questions, if I may ask:</P><P>1) In the TAXII data connector we are connecting to specific Collection IDs to get the data from Anomali. Is a time period considered by default, or does Anomali just provide us with whatever info it has? If there are thousands of records, they all will be ingested into the workspace.</P><P>2) Per my understanding, new TI data will be ingested into the TI table as and when it is available. What is the size of each record, and will connecting to multiple IDs increase the amount of storage substantially?</P><P>Any leads on this would be appreciated.</P> Tue, 28 Sep 2021 10:09:55 GMT Pranesh1060 2021-09-28T10:09:55Z How to integrate SQL Server 2012 database logs to Azure Sentinel?? <P>I would like to know how to integrate SQL Server 2012 database logs to Azure Sentinel. The server is on-premise; what are the possible options available?</P><P>I see there are no out-of-the-box data connectors for this; an expedited response is much appreciated.</P><P>Thanks</P><P>Fahad.</P> Mon, 27 Sep 2021 19:38:39 GMT FahadAhmed 2021-09-27T19:38:39Z How to integrate ORACLE logs to Azure Sentinel?? <P>Hello,</P><P>I would like to know how to integrate ORACLE logs to Azure Sentinel. The server is on-premise; what are the possible options available?</P><P>I see there are no out-of-the-box data connectors for this; an expedited response is much appreciated.</P><P>Thanks</P><P>Fahad.</P> Mon, 27 Sep 2021 19:37:49 GMT FahadAhmed 2021-09-27T19:37:49Z Azure Sentinel Security Events collection using OMS gateway <P>Hi all,</P><P>I'm trying to collect Security Events from Windows machines on-premises using the OMS gateway.</P><P>I've already added the MDATP subscription ID; I'm trying now to add the Sentinel Subscription ID.</P><P>I have a firewall on the outbound traffic, so I need to add rules in the firewall to allow the Azure URLs.</P><P>I cannot find the URLs that OMS uses to communicate with Azure (Log Analytics).</P><P>Would you please advise which URLs I should allow on the firewall?</P><P>Regards,</P> Mon, 27 Sep 2021 12:45:19 GMT Ahmed-a 2021-09-27T12:45:19Z Sentinel Notebooks Error <P>Hi all</P><P>I am trying to get on the wagon of learning notebooks. I have permissions of owner / contributor and whenever I go to clone a notebook (so part 1) it continually says error and will not complete. Also, as you can see from the My Notebooks section, it returns an error again. Any thoughts or suggestions? I have the same permissions as others who can complete this.</P> Thu, 23 Sep 2021 14:39:35 GMT wootts 2021-09-23T14:39:35Z Generate alert when changes made to the RBAC of Compliance Center <P>I'm trying to generate an alert in Sentinel when someone adds or removes users from the role groups in the Compliance Center (built-in RBAC system). I am using the Office 365 activity connector, but there seem to be no corresponding events generated when these memberships are changed.</P><P>If I look in the audit logs of the Compliance Center, here too the descriptions of these actions seem quite vague.</P><P>Does anyone know a better way to monitor these RBAC role groups for the Compliance Center in Sentinel?</P> Thu, 23 Sep 2021 12:39:02 GMT brlgen 2021-09-23T12:39:02Z New Blog Post | Azure Sentinel To-Go! A Linux Lab with AUOMS - Learn About the OMI Vulnerability <P><A href="" target="_blank" rel="noopener">Azure Sentinel To-Go! A Linux :penguin: Lab with AUOMS Set Up to Learn About the OMI Vulnerability :collision: - Microsoft Tech Community</A></P> <P>Last week, on September 14th, 2021, Microsoft released fixes for three Elevation of Privilege (EoP) vulnerabilities <A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38645</A>, <A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38649</A>, <A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38648</A>, and one unauthenticated Remote Code Execution (RCE) vulnerability <A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38647</A>.</P> <P>These vulnerabilities affect the <A href="#" target="_blank" rel="noopener noreferrer">Open Management Infrastructure (OMI)</A>, an open-source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards. The OMI Common Information Model Object Manager (CIMOM) is also designed to be portable and highly modular. It is written in C and the <A href="#" target="_blank" rel="noopener noreferrer">code is available in GitHub</A>.</P> <P>Original Post: <A href="" target="_blank" rel="noopener">New Blog Post | Azure Sentinel To-Go! A Linux Lab with AUOMS - Learn About the OMI Vulnerability - Microsoft Tech Community</A></P> Wed, 22 Sep 2021 18:21:39 GMT AshleyMartin 2021-09-22T18:21:39Z automation and stats Hi team - wanting to figure out a way of seeing how the use of automation has improved the quality of information going into the SOC, by looking at what we have coming in with the increase and the number of items that automation plays a part in. Any thoughts? Wed, 22 Sep 2021 16:41:01 GMT wootts 2021-09-22T16:41:01Z AND operator in KQL <P>How can we whitelist a combination of columns using KQL? For e.g. I want to create an exclusion like below:</P><LI-CODE>| where column1 !contains "abc" and column2 !contains "qwe" and column3 !contains "xyz"</LI-CODE><P>While this looks pretty straightforward, my observation is that it does not make the exclusion based on the above combination of 3 criteria.</P><P>Seems like I'm missing something very basic but I'm not able to identify what.</P> Wed, 22 Sep 2021 12:37:31 GMT jainshamu 2021-09-22T12:37:31Z New Blog Post | Azure Sentinel Notebooks Ninja Part 3: Overview of the Pre-built Notebooks <P><A href="" target="_blank" rel="noopener">Azure Sentinel Notebooks Ninja Part 3: Overview of the Pre-built Notebooks - the Grand List - Microsoft Tech Community</A></P> <P>Through <A href="#" target="_blank" rel="noopener nofollow noreferrer">Part 1</A> and <A href="#" target="_blank" rel="noopener nofollow noreferrer">Part 2</A> of this Azure Sentinel Notebook Ninja series, we’ve discussed the concepts and activities to best become acclimated with Jupyter notebooks for Azure Sentinel. The next step in our process is understanding the value of having ready-made notebooks ready for use as part of the solution.</P> <P>When a customer stands up Azure Sentinel for the first time, there are a number of additional pieces of ready-to-use collateral that are provided <EM>out-of-the-box</EM>, including Analytics Rules, Hunting queries, Connectors, Solutions, Workbooks – and – you guessed it – <STRONG>Notebooks</STRONG>.</P> <P>Original Post: <A href="" target="_blank" rel="noopener">New Blog Post | Azure Sentinel Notebooks Ninja Part 3: Overview of the Pre-built Notebooks - Microsoft Tech Community</A></P> Tue, 21 Sep 2021 17:50:55 GMT AshleyMartin 2021-09-21T17:50:55Z import txt files into threat intelligence for Azure Sentinel <P>Hi All,</P><P>We have our own threat intel that we use for various solutions, and we retrieve this via a URL with an HTTP GET request. I would like to configure Azure Sentinel to pull this .txt file every few hours and import it into the threat intel table.</P><P>We don't have TAXII/STIX or a threat intel platform, and we have limited rights to the server with the threat intel. Is it possible to schedule an import of the txt file?</P><P>I was trying to create a Logic App and this was easy for the HTTP GET request. But I have no idea how to get the .txt file into the threat intel table.</P> Tue, 21 Sep 2021 11:03:50 GMT Marc_Schmitz 2021-09-21T11:03:50Z New Blog Post | Hunting for OMI Vulnerability Exploitation with Azure Sentinel <P><A href="" target="_blank" rel="noopener">Hunting for OMI Vulnerability Exploitation with Azure Sentinel - Microsoft Tech Community</A></P> <P>Following the September 14<SUP>th</SUP>, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (<A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38645</A>, <A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38649</A>, <A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38648</A>) and one unauthenticated Remote Code Execution (RCE) vulnerability (<A href="#" target="_blank" rel="noopener noreferrer">CVE-2021-38647</A>) in the Open Management Infrastructure (OMI) Framework, analysts in the Microsoft Threat Intelligence Center (MSTIC) have been monitoring for signs of exploitation and investigating detections to further protect customers. Following the <A href="#" target="_self" rel="noopener noreferrer">MSRC guidance</A> to block ports that you aren't using and ensuring the OMI service is patched are great first steps. In this blog, we have some things to share about current attacks in the wild, agents and software involved, indicators for defenders to look for on host machines, and new detections in Azure Sentinel.</P> <P>Original Post: <A href="" target="_blank" rel="noopener">New Blog Post | Hunting for OMI Vulnerability Exploitation with Azure Sentinel - Microsoft Tech Community</A></P> Mon, 20 Sep 2021 17:16:34 GMT AshleyMartin 2021-09-20T17:16:34Z Monitoring specific list of users, belonging to an AD group <P>Hello everyone!</P><P>I have a list of users that I would like to use for additional monitoring. We could say these are "high risk" users. These users belong to specific AD groups (more than one). We are currently getting logs from our on-prem domain controllers. These logs are within the "SecurityEvent" table. I'm trying to create multiple alerts specific to these users, such as these users being added to new security groups. I'm trying to come up with a query to do this but so far no luck. I have tried using the "join" or "union" operators to combine the SecurityEvent and IdentityInfo tables so that once a group addition event (4728 for example) is found in the SecurityEvent table, it would look into the IdentityInfo table to see if this user is part of the said groups (AD risk groups); if it is, then an alert is triggered.</P><P>This was my idea but I am unable to get my query working. Am I on the right track, or would you have done it in a different way? I have come up with many different queries (that do not work) but see below for what I'm trying to achieve.</P><LI-CODE lang="powerquery">let HIGHRISKGROUPS = dynamic(["TEAM1", "TEAM2", "TEAM3", "TEAM4", "TEAM_5"]);
SecurityEvent
| union IdentityInfo
| where EventID == 4728
| where GroupMembership in (HIGHRISKGROUPS) // this is from the IdentityInfo table but obviously I'm not sure how to correlate the user with group</LI-CODE><P>I'm guessing the query does not make sense, but that is my struggle at the moment. Also, any ideas of how else you would monitor these users?</P><P>Applicable log sources:</P><P>AzureActivity</P><P>SecurityEvent</P><P>IdentityInfo</P><P>AzureActiveDirectory (</P><UL><LI>SigninLogs</LI><LI>AuditLogs</LI><LI>AADNonInteractiveUserSignInLogs</LI><LI>AADServicePrincipalSignInLogs</LI><LI>AADManagedIdentitySignInLogs</LI><LI>AADProvisioningLogs</LI></UL> Fri, 17 Sep 2021 12:51:26 GMT Ciyaresh 2021-09-17T12:51:26Z Some predefined incidents do not have sufficient information <P>Hello,</P><P>I have noticed that some of the predefined incidents, the ones from different Defender products, sometimes are missing crucial information about the incident.</P><P>For example, this alert from Defender for Identity:</P><P>Which computers are affected is nice, but I would like to know what the "1 service" is. This information is not shown in Azure Sentinel, but if I check out the alert from the Defender page this information is available. How do I get that information forwarded to Sentinel correctly?</P> Fri, 17 Sep 2021 08:27:37 GMT stianhoydal 2021-09-17T08:27:37Z New Blog Post | Azure Sentinel Notebooks Ninja Part 2: Getting Started with Azure Sentinel Notebooks <P><A href="" target="_blank" rel="noopener">Azure Sentinel Notebooks Ninja Part 2: Getting Started with Azure Sentinel Notebooks - Microsoft Tech Community</A></P> <P><EM>This installment is part of a broader learning series to help you become a Jupyter Notebook ninja in Azure Sentinel. The installments will be bite-sized to enable you to easily digest the new content.</EM></P> <UL> <LI data-leveltext="" 
data-font="Symbol" data-listid="9" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Part 1:</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;</SPAN><A href="#" target="_blank" rel="nofollow noopener noreferrer"><SPAN data-contrast="none">What are notebooks and when&nbsp;do you need them</SPAN></A><SPAN data-contrast="auto">?</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="9" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Part 2:</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;How to get started with notebooks and tour&nbsp;the features&nbsp;–&nbsp;</SPAN><STRONG><I><SPAN data-contrast="auto">this&nbsp;post</SPAN></I></STRONG><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="9" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Part 3:&nbsp;</SPAN></STRONG><SPAN data-contrast="auto">Overview of the pre-built notebooks and how to use them</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="9" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Part 4:&nbsp;</SPAN></STRONG><SPAN data-contrast="auto">How to create your own notebooks from scratch and how&nbsp;to customize the existing ones</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN>&nbsp;</LI> </UL> <P>Original Post:&nbsp;<A href="" target="_blank" rel="noopener">New Blog Post | 
Azure Sentinel Notebooks Ninja Part 2: Getting Started with Azure Sentinel Notebooks - Microsoft Tech Community</A></P> Thu, 16 Sep 2021 19:13:50 GMT JasonCohen1892 2021-09-16T19:13:50Z New Blog Post | Azure Sentinel Notebooks - Azure cloud support, new visualizations <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JasonCohen1892_0-1631819197872.png" style="width: 999px;"><img src=";px=999" role="button" title="JasonCohen1892_0-1631819197872.png" alt="JasonCohen1892_0-1631819197872.png" /></span></P> <P><A href="" target="_blank" rel="noopener">Azure sovereign clouds, Matrix visualization, Process Tree update in MSTICPy 1.4 (</A></P> <P class="graf graf--p">The 1.4.2 release of MSTICPy includes three major features/updates:</P> <UL class="postList"> <LI class="graf graf--li">Support for Azure sovereign clouds for Azure Sentinel, Key Vault, Azure APIs, Azure Resource Graph and Azure Sentinel APIs</LI> <LI class="graf graf--li">A new visualization — the Matrix plot</LI> <LI class="graf graf--li">Significant update to the Process Tree visualization allowing you to use process data from Microsoft Defender for Endpoint, and generic process data from other sources.</LI> </UL> <P>Original Post:&nbsp;<A href="" target="_blank" rel="noopener">New Blog Post | Azure Sentinel Notebooks - Azure cloud support, new visualizations - Microsoft Tech Community</A></P> Thu, 16 Sep 2021 19:09:07 GMT JasonCohen1892 2021-09-16T19:09:07Z Error while running powershell script in azure sentinel <P>I am trying to run powershell script to add playbooks in Azure Sentinel,&nbsp;</P><P>&nbsp;</P><P><A href="#" target="_blank"></A></P><P>&nbsp;</P><P><STRONG>Errors coming:&nbsp;</STRONG></P><P>The term 'Out-GridView' is not recognized as a name of a cmdlet, function, script file, or executable program. 
Check the spelling of the name, or if a path was<BR />| included, verify that the path is correct and try again.</P><P>&nbsp;</P><P>Cannot validate argument on parameter 'Subscription'. The argument is null or empty. Provide an argument that is not null or empty, and then try the command again.</P><P>&nbsp;</P><P>Any idea, how to fix it?</P> Wed, 15 Sep 2021 18:59:18 GMT FahadAhmed 2021-09-15T18:59:18Z Unable to utilize logics apps to feed data in a watchlist <P>Hey,</P><P>I am unable to add an item in my choice of watchlists using entities like an account, computer, hostname, or IP address, the step where the watchlist condition will take an input is being skipped by the logic app, can anyone help regarding this.</P><P>TIA<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="LogicAppRunTimeDetails.PNG" style="width: 999px;"><img src=";px=999" role="button" title="LogicAppRunTimeDetails.PNG" alt="LogicAppRunTimeDetails.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WatchListActionLogicApp.PNG" style="width: 587px;"><img src=";px=999" role="button" title="WatchListActionLogicApp.PNG" alt="WatchListActionLogicApp.PNG" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WatchlistLogicApp.PNG" style="width: 999px;"><img src=";px=999" role="button" title="WatchlistLogicApp.PNG" alt="WatchlistLogicApp.PNG" /></span></P> Wed, 15 Sep 2021 15:23:42 GMT abubakr786 2021-09-15T15:23:42Z New Blog Post | Azure Sentinel Information Model Fall Release: Speed and Ease <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AshleyMartin_0-1631643625539.png" style="width: 711px;"><img src="" width="711" height="546" role="button" title="AshleyMartin_0-1631643625539.png" alt="AshleyMartin_0-1631643625539.png" /></span></P> <P><A href="" target="_blank" rel="noopener">Azure Sentinel Information Model Fall Release: Speed and Ease - Microsoft Tech 
Community</A></P> <P>The first schema to use parametrized parsers is the&nbsp;<A href="#" target="_blank" rel="noopener noreferrer">DNS schema</A>. DNS is a high-volume source, and using optimized parsers enables the new normalized Threat Intelligence Analytics Rules (<A href="#" target="_blank" rel="noopener noreferrer">Domains</A>,<SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">IPs</A>) to match your TI to even the highest volume of DNS data. And with out-of-the-box optimized parsers for a wide variety of DNS servers and clients, including Windows DNS Server, InfoBlox, Cisco Umbrella, Corelight Zeek, Google Cloud DNS, and Sysmon, you get this detection across much more of your data.&nbsp;</P> <P>&nbsp;</P> <P>Join us to learn more about parametrized parsers in our<SPAN>&nbsp;</SPAN><STRONG>upcoming webinar “Turbocharging ASIM: Making Sure Normalization Helps Performance Rather Than Impacting It”</STRONG><SPAN>&nbsp;</SPAN>on Oct 6th. Register, as usual on&nbsp;<A href="#" target="_blank" rel="noopener noreferrer"></A>.</P> <P>Original Post:&nbsp;<A href="" target="_blank" rel="noopener">New Blog Post | Azure Sentinel Information Model Fall Release: Speed and Ease - Microsoft Tech Community</A></P> Tue, 14 Sep 2021 18:55:16 GMT AshleyMartin 2021-09-14T18:55:16Z Azure Sentinal - how to fetch large result set of Winsec events by pagination <P>Hi Community,</P><P>We pump the logs of Window security events of some computers into Azure Sentinel SIEM. Now we retrieve those logs from Sentinel to local database by using REST API. The problem is when the result set is large, the API return error message like "Result size too large". 
So we want to implement pagination and fetch the data from SIEM then store it in local DB.</P><P>However, according to MS docs, Kql doesn't support "Skip" operator.&nbsp;</P><P>So are there any ideas how to implement this pagination method to fetch the large result set from SIEM?</P> Tue, 14 Sep 2021 09:22:48 GMT Peter_custodio 2021-09-14T09:22:48Z MMA Agent - Multiple Workspaces <P>Hi community,</P><P>&nbsp;</P><P>so we have a on prem windows server who has installed the microsoft defender and is connected via mma to m365 defender portal. We also need the IIS and security logs from this machine in sentinel and we add a second workspace id (Log Analytics). We can see the security logs but no IIS logs and also we got a message in the defender portal.. (MDE Client Analyzer)</P><P>What is best practice in this case?</P><P>&nbsp;</P><P>Thank you!</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GarfieldP_1-1631548724221.png" style="width: 999px;"><img src=";px=999" role="button" title="GarfieldP_1-1631548724221.png" alt="GarfieldP_1-1631548724221.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Mon, 13 Sep 2021 16:01:17 GMT Garfield-P 2021-09-13T16:01:17Z Transitioning brownfield Sentinel deployment to a management using CD/CI methodology <P>Has anyone encountered any blogs or articles dealing with transitioning an existing Sentinel deployment to a management using CD/CI methodology?</P><P>I have customers with initial basic deployments we want to bring under consistent management&nbsp;</P><P>&nbsp;</P><P>Thanks</P> Thu, 09 Sep 2021 11:40:38 GMT SimonCUK 2021-09-09T11:40:38Z Azure Sentinel triggers incident when it shouldn't <P>Greetings, I just ran into something interesting. 
I have created a analytics rule that looks like this:</P><P>&nbsp;</P><LI-CODE lang="cpp">let exceptionUsers = IdentityInfo | where TimeGenerated &gt; ago(22d) //IdentityInfo refreshes its information every 21 days | where todynamic(GroupMembership) contains "SG-U Guest users excluded from CA blocked countries" | distinct MailAddress; //Creates a set of users that is to be ignored when looking for logins outside of europe. SigninLogs | where TimeGenerated &gt; ago(4h) | where Location !in ( "AL","AD","AM","AT","BY","BE","BA","BG","CH","CY","CZ","DE","DK","EE","ES","FO","FI","FR","GB","GE","GI","GR","HU","HR","IE","IS","IT","LI","LT","LU","LV","MC","MK","MT","NO","NL","PL","PT","RO","RU","SE","SI","SK","SM","TR","UA","VA","SJ","") // List of country codes in europe. | where UserPrincipalName !in ( exceptionUsers ) | extend AccountCustomEntity = Identity | extend IPCustomEntity = IPAddress</LI-CODE><P>Might not be the greatest of queries, but still, I run this query and get no results. As i expect. However, the analytics rule with this configuration still manages to trigger.&nbsp;</P><P>&nbsp;</P><P>This is the view from the analytics rule wizard when i test with current data.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="stianhoydal_0-1631180987240.png" style="width: 400px;"><img src=";px=400" role="button" title="stianhoydal_0-1631180987240.png" alt="stianhoydal_0-1631180987240.png" /></span></P><P>The last spike indicates the one i saw today. How can the analytics rule wizard get different results from the same query i run in the Logs tab?</P> Thu, 09 Sep 2021 09:51:49 GMT stianhoydal 2021-09-09T09:51:49Z New Blog Post | What's New: Azure Sentinel - SOC Process Framework 8 Part Video Series! 
What's New: Azure Sentinel - SOC Process Framework 8 Part Video Series! - Microsoft Tech Community

In this 8 part video series, learn how to use the SOC Process Framework to manage your security team or Security Operations Center. You will hear expert level conversations about the development and implementation of security processes and procedures. This SOC-in-a-box approach provides easy to customize workflows and a standards-based framework to help you implement and continuously improve the multiple processes and procedures required by any modern security operations team.

Original Post: New Blog Post | What's New: Azure Sentinel - SOC Process Framework 8 Part Video Series! - Microsoft Tech Community

Wed, 08 Sep 2021 17:04:11 GMT AshleyMartin 2021-09-08T17:04:11Z

Monitoring Azure VMWare (AVS)

What is the recommended approach for monitoring the new AVS with Azure Sentinel?

Wed, 08 Sep 2021 17:00:03 GMT Dean Gross 2021-09-08T17:00:03Z

New Blog Post | Check the health of your exported Azure Sentinel logs in your ADX cluster

Checking the health of your ADX cluster for long-term retention logs (

More and more Azure Sentinel customers are opting for long-term retention of their logs in Azure Data Explorer (ADX), either due to compliance regulations, or because they still want to be able to perform investigations on their archived logs in the event of a security incident.

As the Azure Sentinel ingestion price includes 90 days of retention for free, the option of keeping the logs for longer periods in Azure Data Explorer is preferred by many (see Using Azure Data Explorer for long term retention of Azure Sentinel logs - Microsoft Tech Community).

Even though the Azure Sentinel + ADX solution requires little to no maintenance, we wanted to provide a solution for our customers to keep an eye on the number of events and overall status of their ADX clusters and databases. For this reason, we have created two tools: the ADXvsLA workbook and the ADX Health Playbook. The workbook will allow you to have a look at the number of logs in Azure Sentinel & ADX and the overall health of your ADX cluster. The playbook will send you a warning if an unexpected delay in the ingestion into ADX is detected.

Original Post: New Blog Post | Check the health of your exported Azure Sentinel logs in your ADX cluster - Microsoft Tech Community

Tue, 07 Sep 2021 17:31:52 GMT AshleyMartin 2021-09-07T17:31:52Z

New Blog Post | Azure Sentinel Ninja Training - the Sept 2021 update

Azure Sentinel Ninja Training - the Sept 2021 update - Microsoft Tech Community

An important update to the training is the release of the Azure Sentinel Ninja Training knowledge check. This has already been announced in a separate blog post, but for completeness it has also been included in this update post. You can take the knowledge check and if you score over 80%, you can fill in the self-attestation form to receive an Azure Sentinel Ninja Training certification.

Original Post: New Blog Post | Azure Sentinel Ninja Training - the Sept 2021 update - Microsoft Tech Community

Tue, 07 Sep 2021 17:15:42 GMT AshleyMartin 2021-09-07T17:15:42Z

New Blog Post | Introducing: Azure Sentinel Data Exploration Toolset (ASDET)

Introducing: Azure Sentinel Data Exploration Toolset (ASDET) - Microsoft Tech Community

Security Analysts deal with extremely large datasets in Azure Sentinel, making it challenging to efficiently analyze them for anomalous data points. We sought to streamline the data analysis process by developing a notebook based toolset to reduce the data to a more manageable format, effectively allowing analysts to easily and efficiently gain a better understanding of their dataset and detect anomalies therein. Our toolset has three main components that each provide a different way of turning raw data into useful insights: data inference, feature engineering, and anomaly detection.

Original Post: New Blog Post | Introducing: Azure Sentinel Data Exploration Toolset (ASDET) - Microsoft Tech Community

Tue, 07 Sep 2021 16:51:53 GMT AshleyMartin 2021-09-07T16:51:53Z

Unfamiliar sign-in properties does not show more information in Sentinel

We have already set up CA policies with strict policies when it comes to sign-in. Recently we came across an incident in Sentinel which says "Unfamiliar sign-in properties" but does not show much information in the incident. Need to check with forum members if this is the expected scenario for others as well. Kindly refer to the attached picture for more information.

Tue, 07 Sep 2021 13:20:36 GMT Susantha Silva 2021-09-07T13:20:36Z

Window security events and Agents configuration

When I select All events in the Security Events data connector configuration, and in the Log Analytics Workspace agent configuration setting I filter which Windows event logs are collected. So only those filtered event logs will be ingested to Log Analytics.

[image: Security Events]

[image: Agent Configuration]

Tue, 07 Sep 2021 10:52:32 GMT zubairrahimsoc 2021-09-07T10:52:32Z

Closing alerts in Azure Sentinel does not automatically close in Cloud App Security console

We have both Cloud App Security and Azure Sentinel deployed in the environment. When we get alerts from Cloud App Security in Azure Sentinel, we review the incidents and close them accordingly. When we do this, the same alert generated on the Cloud App Security side is not being closed. This leads to duplication of work, where an engineer needs to close the alert both in Cloud App Security and Azure Sentinel.

Is there a way, when we resolve an incident on the Sentinel side, for its related alerts to be closed on the Cloud App Security side?

Mon, 06 Sep 2021 17:26:28 GMT Susantha Silva 2021-09-06T17:26:28Z

App excluded in "Successful logon from IP and failure from a different IP" analytics rule

The description of the subject rule states "logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP", which implies that any registered app will trigger this, but when I look at the logic it shows "where AppDisplayName !in ("Office 365 Exchange Online", "Skype for Business Online")". Can anyone help me understand why these apps are being excluded from the rule?

Sat, 04 Sep 2021 19:00:05 GMT Dean Gross 2021-09-04T19:00:05Z

New solutions for Azure Sentinel

Hello all,

I would like to contribute to Azure Sentinel solutions. Is there any particular solution that the developer community is looking for?

Thanks,
Bhavana

Thu, 02 Sep 2021 12:33:36 GMT bhavanat12 2021-09-02T12:33:36Z

Compliance Reporting templates

Hi,

How can we create regulatory compliance reporting workbook templates such as PCI DSS, HIPAA, ISO 27001, etc. in Sentinel? Any OOB template will be very helpful.

Thu, 02 Sep 2021 11:11:21 GMT Rakesh465 2021-09-02T11:11:21Z

New Blog Post | "How to reduce incident triage and investigation times using dynamic alert details”

Alert enrichment "how to reduce incident triage and investigation times using dynamic alert details” - Microsoft Tech Community

Generally, the purpose of “alert enrichment” is to allow customization of the Alert created from the detection.

The main goal is to reduce the time it takes the analyst to triage and handle the incident. The same applies to “Alert details” dynamic content.
In Azure Sentinel, when you create a detection (an analytics rule), the rule name (and the description, MITRE tactics and severity) will populate the alerts created from that rule.
Now let’s try and examine the following case study to see how we can leverage the “Alert details” dynamic content for better investigation and incident handling.

Original Post: New Blog Post | "How to reduce incident triage and investigation times using dynamic alert details” - Microsoft Tech Community

Wed, 01 Sep 2021 20:08:44 GMT AshleyMartin 2021-09-01T20:08:44Z

New Blog Post | Ingestion Cost Spike detection Playbook

Ingestion Cost Spike detection Playbook - Microsoft Tech Community

Azure Sentinel is a modern SIEM solution offering cloud scale analytics to power your threat detection and response requirements. Like most cloud solutions, the billing for Azure Sentinel is largely based on a pay per use model. Specifically for Azure Sentinel, billing is based on the amount of data ingested into Log Analytics and Azure Sentinel. To ensure that you have continuous visibility should the amount of billable data ingested into the platform experience an unexpected spike, we have developed this Logic App to address exactly this sort of scenario.

Original Post: New Blog Post | Ingestion Cost Spike detection Playbook - Microsoft Tech Community

Mon, 30 Aug 2021 17:57:12 GMT AshleyMartin 2021-08-30T17:57:12Z

New Blog Post | Becoming an Azure Sentinel Notebooks ninja - the series!
<P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JasonCohen1892_0-1630344114288.png" style="width: 999px;"><img src=";px=999" role="button" title="JasonCohen1892_0-1630344114288.png" alt="JasonCohen1892_0-1630344114288.png" /></span></P> <P><A href="" target="_blank" rel="noopener">Azure Sentinel notebook ninja - the series! (</A></P> <P>Welcome to a new series on Azure Sentinel Notebooks!&nbsp; In this post, we want to introduce everyone to the Notebooks feature of Azure Sentinel and provide some basic knowledge that we’ll build on throughout this series.</P> <P>&nbsp;</P> <P>The series will take the following form:</P> <P>&nbsp;</P> <UL> <LI><STRONG>Part 1:</STRONG><SPAN>&nbsp;</SPAN>What are notebooks and when do you need them? –<SPAN>&nbsp;</SPAN><STRONG><EM>this post</EM></STRONG></LI> <LI><STRONG>Part 2:</STRONG><SPAN>&nbsp;</SPAN>How to get started with notebooks and tour of the features</LI> <LI><STRONG>Part 3:</STRONG><SPAN>&nbsp;</SPAN>Overview of the pre-built notebooks and how to use them</LI> <LI><STRONG>Part 4:</STRONG><SPAN>&nbsp;</SPAN>How to create your own notebooks from scratch and how to customize the existing ones</LI> </UL> <P>Original Post:&nbsp;<A href="" target="_blank" rel="noopener">New Blog Post | Becoming an Azure Sentinel Notebooks ninja - the series! - Microsoft Tech Community</A></P> Mon, 30 Aug 2021 17:24:00 GMT JasonCohen1892 2021-08-30T17:24:00Z Log Analytics Agents Management <P>Dear All,</P><P>&nbsp;</P><P>I deployed LA agents in my organization and when I checked the LA agents management, i saw 75 (windows -70 and Linux -5) connected. But when I check with KQL Heart Beat, some computers are duplicated with different OS names and versions in the same host. I've attached the file for your reference. 
How can be possible and how can I solve these issues?&nbsp;</P><P>&nbsp;</P><P>Thanks all, Stay Safe.</P> Sun, 29 Aug 2021 11:49:49 GMT zaylinhtun 2021-08-29T11:49:49Z How to connect CISCO switches logs to Sentinel <P>I have a customer who requires collecting logs from above devices, firewalls and Windows, Linux servers. I'm ok with later components but couldn't figure out a way to collect logs from switches. Do we go with Linux syslog and collect the logs from cisco devices and forward to Sentinel? If that the case how to query them?</P> Fri, 27 Aug 2021 17:57:56 GMT Susantha Silva 2021-08-27T17:57:56Z Azure Sentinel:- Azure Defender support for Oracle Database sitting in Windows/Linux Server <P>Hi Team,</P><P>&nbsp;</P><P>1. Does Azure Defender support Oracle Database which&nbsp; resides in On-Prem Windows/Linux server for monitoring in Azure Sentinel?</P><P>2. Does it under Preview?</P><P>3. When will Microsoft support Azure defender for Oracle Database in on-Prem servers?</P><P>&nbsp;</P><P>Thanks in Advance</P> Fri, 27 Aug 2021 05:46:22 GMT Nafila97 2021-08-27T05:46:22Z How to get all logs for a specific user in sentinel <P>Hi Community,</P><P>&nbsp;</P><P>Help me out how to get all the logs for an user in sentinel. I was using the below quire but it is not written the expected results</P><P>&nbsp;</P><P>UserAccessAnalytics<BR />| where SourceEntityName ==&nbsp; user email address.</P><P>&nbsp;</P><P>Thanks,</P><P>Kishore</P> Wed, 25 Aug 2021 15:08:36 GMT kishore_soc 2021-08-25T15:08:36Z How to prevent fields from trimming <P>We are getting "The following fields' values &lt;Fields&gt; of type &lt;Log_Type&gt; have been trimmed to the max allowed size, 32766 bytes. Please adjust your input accordingly.". However, we want to retain full value and don't want Azure to trim our data automatically. 
Can someone help us to determine how we can do this?</P> Wed, 25 Aug 2021 12:18:43 GMT Ronak_Shah 2021-08-25T12:18:43Z How to enable Azure Firewall Data connector by ARM template or power shell? <P>Hello,</P><P>&nbsp;</P><P>I would like to use code to create a data connector for Azure Firewall.<BR /><BR />However,&nbsp;Azure Firewall is not in&nbsp;<A href="#" target="_blank" rel="noopener">GitHub - javiersoriano/sentinel-all-in-one</A></P><P>And I found DataConnectorKinds API doesn't support Azure firewall.<BR /><A href="#" target="_blank" rel="noopener">Data Connectors - Create Or Update - REST API (Azure Sentinel) | Microsoft Docs</A><BR />Is it possible to use powershell or ARM to enable&nbsp;Azure Firewall Data connector?</P> Wed, 25 Aug 2021 08:11:08 GMT cklonger 2021-08-25T08:11:08Z New Blog Post | What's new: Azure Sentinel Ninja Training Knowledge Check <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Sarah_Young_0-1629780482350.png" style="width: 558px;"><img src="" width="558" height="434" role="button" title="Sarah_Young_0-1629780482350.png" alt="Sarah_Young_0-1629780482350.png" /></span></P> <P><A href="" target="_blank" rel="noopener">What's new: Azure Sentinel Ninja Training Knowledge Check - Microsoft Tech Community</A></P> <P><SPAN>Announcing the Azure Sentinel Ninja Training knowledge check! Think you're a true Sentinel Ninja? Take the knowledge check and find out. If you pass the knowledge check with a score of over 80% you can request a certificate to prove your ninja skills!</SPAN></P> <P><SPAN>Original Post:&nbsp;<A href="" target="_blank" rel="noopener">New Blog Post | What's new: Azure Sentinel Ninja Training Knowledge Check - Microsoft Tech Community</A></SPAN></P> Tue, 24 Aug 2021 17:12:12 GMT AshleyMartin 2021-08-24T17:12:12Z Sentinel Agent not forwarding logs. 
<P>Hi All,</P><P>Still new to Azure Sentinel, I tried to install the Windows agent &amp; the Linux agent on two VMs.</P><P>The Windows agent is trying to collect Windows security event logs.<BR />The Linux agent was supposed to be a CEF forwarder to collect logs from a Fortinet firewall.</P><P>Both agents are reporting in the workspace.</P><P>But I still haven't received any logs. Please help guide me on this.</P> Tue, 24 Aug 2021 03:13:15 GMT shakti_lgs 2021-08-24T03:13:15Z In Azure Workbooks bar chart x-axis labels are half-displayed or not displayed <P>Hi,</P><P>We are working on creating a custom connector to ingest the data in Azure Sentinel. We are now working on workbooks. But in workbooks, in the graphs, we are facing a problem: the x-axis labels are getting half-displayed or are not getting displayed.</P><P>When we use Bar chart as the query visualization, the x-axis labels overlap, as shown below.</P><P>[Image: Screenshot (217).png]</P><P>And when we use Bar Chart (Categorical) as the visualization, a few x-axis labels are half-displayed, while a few are not getting displayed.</P><P>[Image: Screenshot (219).png]</P><P>Can someone help me make all the x-axis labels completely visible?</P> Tue, 24 Aug 2021 03:00:29 GMT Ronak_Shah 2021-08-24T03:00:29Z In Azure Workbooks bar chart legends are getting hidden <P>Hi,</P><P><SPAN>We are working on 
creating a custom connector to ingest the data in Azure Sentinel. We are now working on workbooks. But in workbooks, in the graphs, we are facing a problem: a few legends are getting hidden.</SPAN></P><P>[Image: Screenshot (216)_LI.jpg]</P><P>As you can see in the above image, out of 10 legends only 9 are displayed, and even those not completely, even though the graph panel width is set to 100%.</P><P>And if we decrease the tab size, or zoom in, then more legends get hidden. The same applies to zooming out: if we zoom out to approx. 80%, then all 10 legends are displayed.</P><P>Can someone help me solve this problem and make all the legends visible irrespective of screen size?</P> Tue, 24 Aug 2021 02:45:26 GMT Ronak_Shah 2021-08-24T02:45:26Z Query on Blob Storage <P>My boss wants me to write a query to find out who is accessing what on blob storage. Is there a way in Azure Sentinel to do this?</P><P>Thank you</P> Tue, 24 Aug 2021 00:52:54 GMT Roshmi 2021-08-24T00:52:54Z "Duplicate" Workbooks <P>I was alerted to a strange issue this morning. It would appear that any workbooks we have created are showing as two entries within the "My Workbooks" tab with the same name. This appears to be the case for any workbooks that were pushed via our CI/CD deployment outlined below as well as workbooks that were manually created. As far as it would appear, these two entries are in fact the same workbook (same workbookID). They also operate as the same workbook, i.e. 
if a change is made in one, the change is evident in the second link. If one is deleted, they are both removed from the listing.</P><P>We have also attempted to remove all workbooks and push them again via the CI/CD process listed below, but this still results in "duplicate" workbooks.</P><P>CI/CD Deployment: pushed via an Azure pipeline leveraging the New-AzResourceGroupDeployment cmdlet. This deployment has been operational for at least 3 weeks without issue. No change to this pipeline/deployment has taken place either.</P><P>Other users have also experienced the same issue across multiple workspaces.</P><P>Has anyone else seen this issue before?</P><P>Thank you!</P> Mon, 23 Aug 2021 17:47:55 GMT bsfergu 2021-08-23T17:47:55Z Alerting when a connector stops sending logs <P>Greetings,</P><P>I have been looking around and I'm quite sure someone has asked for a way to generate an alert if one (or more) of the log sources (connectors) stop sending logs. However, I have not been able to find out whether this got a solution or not. I think this should possibly be a part of Sentinel out of the box, but if anyone has a different solution I would much appreciate it.</P> Mon, 23 Aug 2021 11:04:59 GMT stianhoydal 2021-08-23T11:04:59Z