Testing Microsoft Defender XDR with Azure Sentinel in a CDX-like Environment
I'm looking to try out Microsoft Defender XDR with Azure Sentinel, but my current setup—a CDX tenant under an E5 subscription—doesn't have an active Azure subscription. Any suggestions for workarounds or similar environments where I can test Microsoft…
How to get additional details about Mitre attacks like(mitre_tactic_id mitre_technique_id mitre_tactic mitre_technique mitre_subTechnique) ?
Hello, Greetings of the day We are using the below endpoint to collect the alerts. These alerts consist of a wide range of data including mitreTechniques. Further, I would like to know if it is possible to extract more information about Mitre Attacks…
Caller is missing required playbook triggering permissions on playbook resource
I have created a custom playbook but I get the error: Failed to trigger playbook Caller is missing required playbook triggering permissions on playbook resource…
Not allowing to connect Sentinel Data connector with Defender XDR
Hello, I was trying to connect the "Microsoft Defender XDR" connector with "Microsoft Sentinel", but I am facing the below error. I am not sure why Sentinel is not allowing to establish the XDR connector. As I am the Owner of the…
Extensions AMA - Impossible to install agent
Hello, I'm trying to deploy an AMA extension but I m stuck in "creating" with the following error messages from the Guestconfig file on a RHEL 9 linux servers: [2024-05-15 15:52:30.135] [PID 1117] [TID 1629] [Pull Client] [INFO] Successfully…
Problems with data collectors and syslog
So, i have a task to integrate security logs that are beeing sent via syslog protocol formatted as CEF https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog-ama?tabs=syslog%2Cportal I do have an VM linux It does have the python…
Cisco FTD data connector
Hello, I have a customer that is configuring the CISCO FTD data connector. But they say CISCO FTD documentation shows it support only syslog format. They would like some clarification on the following questions: I. Clarify whether Cisco FTD supports…
Finding classic automation in Sentinel analytics
I have the ability to search through ARM templates for the Sentinel analytics and I'm hoping to find a way to detect the use of classic alert automation. Does anyone know what i should be searching for in the ARM template? We have not used this method,…
How to generate data in Alert, AlertHistory, AlertEvidence and AlertInfo tables in Log Analytics workspace?
We would like to generate the data in the following tables in Azure Monitor and Security categories described in the docs, https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/alert …
Issue with Microsoft Sentinel Connectors
Hello! Prior to May the 7th 2024, There were roughly 20 connectors that were connected and working as expected with respect to the Microsoft Sentinel and the log analytics workspace. On the mentioned date we noticed this anomaly where out of the 20 odd…
Remote Desktop Connection error- Windows 11
A newbie here trying to setup Azure Sentinel (SIEM) & connect it to a live virtual machine that will act as a honeypot. But facing an error with RDP, Windows 11 home edition doesn't support Remote Desktop.…
Sentinel Kusto Query todatetime function does not work with dynamic values.
I have a kusto query to calculate MTTR by client. When an incident is resolved, an analyst comments the resolution time in the format R: time where time is when the incident was resolved and R is to make the comment unique. Example R: Friday, May 10,…
Sentinel bicep deployment : InvalidParameter - Solution product cannot start with 'OMSGallery/' as it is reserved for Microsoft first party solutions.
Hello, i am learning how to script and i wish to deploy Sentinel with bicep. I have created a script from Microsoft templates and have added variables as well as a jsonc parameters file. I use VSC with the bicep extension in order to "easily"…
Tenable Io sentinel solution can not identify log analytics work space?
Tenable Io sentinel solution can not identify log analytics work space?
How to separate logs receiving on syslog port 514 to separate table during ingestion and avoid duplication.
Hi Team, I have centralized log forwarders setup which collects logs on 514 port from different application, I want to send those logs to separate table by filtering them at ingestion time. Currently all logs are going to syslog using default DCR rule,…
How are github links created/referenced in function app
I am finding it difficult to understand how are these links generated. https://aka.ms/sentinel-ApigeeXDataConnector-azuredeploy https://aka.ms/sentinel-ApigeeXDataConnector-functionapp I am building a similar function app json for my solution, and I…
This assessment is currently disabled due to a technical issue. Explore our other Applied Skills while we work on a fix.
Applied skills Name: Deploy containers by using Azure Kubernetes Service Issue: This assessment is currently disabled due to a technical issue. Explore our other Applied Skills while we work on a fix.
Inquiry Regarding Multiple 4624 Event ID Logs for Single User Login
Hello Team, I am reaching out to inquire about a matter related to our Windows Security logs. Specifically, we have observed multiple instances of Event ID 4624 being logged for a single user login event in the Security Events table. As part of our…
Respond to incidents across multiple tenants deploying Defender XDR from One Centralized Ms Sentinel
Hello, I have a customer having 3 tenant A,B and C. Tenant A and C each are using Microsoft Defender XDR. MS Sentinel is configured on Tenant B. He want to centralize all events and logs on Sentinel and want to configure responses if any incident is…
Watchlist Azure Sentinel Update
Is there anyone who has or knows of a source of information that can provide a more comprehensive or extensive list of SocRA than what is available in this link: https://github.com/Azure/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv? I…