Recent Discussions
Is it possible to import logs that are being written into an SQL server table, into Sentinel?
We have an environment in Azure where for some reason, application logs are being written into a separate SQL Server table. How do we bring that log data. from a SQL server table into Sentinel? do we convert the table, into a flat file and then import or any other convenient way is possible?
Cribl o Logstash vs AMA CEF: What’s the Best Choice for Ingesting Firewall Logs?
Hi everyone, what are the advantages of using Cribl or Logstash over a CEF log collector via AMA for ingesting firewall logs such as Palo Alto for example into Microsoft Sentinel? In a typical scenario, how would you configure the ingestion to optimize performance, scalability, and cost? What do you think? Let’s discuss and share experiences!
AMPLS Restrictions Preventing Outbound API Calls in Logic Apps – Any Workarounds?
Hi everyone, I’m encountering an issue where Azure Monitor Private Link Scope (AMPLS) restrictions are preventing Azure Logic Apps from making any outbound API calls, even to Microsoft-owned outbound IP addresses. One specific problem is that when running KQL queries inside a Logic App, the Azure Monitor connector fails because it attempts to access Microsoft outbound IPs, which are blocked by AMPLS restrictions. Since this is happening within Logic Apps itself, I don’t have direct control over these outbound calls. Has anyone found a workaround to allow Logic Apps to function correctly while keeping AMPLS in place? Would Private Endpoints, VNET Integration, or any other configuration help resolve this? Any insights or solutions would be greatly appreciated!
Fetching alerts from Sentinel using logic apps
Hello everyone, I have a requirement to archive alerts from sentinel. To do that I need to do the following: Retrieve the alerts from Sentinel Send the data to an external file share As a solution, I decided to proceed with using logic apps where I will be running a script to automate this process. My questions are the following: -> Which API endpoints in sentinel are relevant to retrieve alerts or to run kql queries to get the needed data. -> I know that I will need some sort of permissions to interact with the API endpoint. What type of service account inside azure should I create and what permissions should I provision to it ? -> Is there any existing examples of logic apps interacting with ms sentinel ? That would be helpful for me as I am new to Azure. Any help is much appreciated !AMPLS Restrictions Preventing Outbound API Calls in Logic Apps – Any Workarounds?
Hi everyone, I’m encountering an issue where Azure Monitor Private Link Scope (AMPLS) restrictions are preventing Azure Logic Apps from making any outbound API calls, even to Microsoft-owned outbound IP addresses. One specific problem is that when running KQL queries inside a Logic App, the Azure Monitor connector fails because it attempts to access Microsoft outbound IPs, which are blocked by AMPLS restrictions. Since this is happening within Logic Apps itself, I don’t have direct control over these outbound calls. Has anyone found a workaround to allow Logic Apps to function correctly while keeping AMPLS in place? Would Private Endpoints, VNET Integration, or any other configuration help resolve this? Any insights or solutions would be greatly appreciated!
Cannot stop CEF duplication to syslog when both processed by same Linux VM
We have a situation where we are sending CEF records from FortiGate firewall to Microsoft Sentinel via Common Event Format (CEF) via AMA Data connector and we also use Syslog via AMA Data connector (both on the same Ubuntu Linux VM using rsyslog) and result is that we are getting duplicates of the CEF records in the syslog. I've read a lot of articles about the duplication and possible ways to fix however I've had not success. My most recent attempt is to create a file /etc/rsyslog.d/05-filter-CEF.conf with the following entries: if ($programname == "CEF") then @@127.0.0.1:28330 & stop Unfortunately we still get duplicates. One article I read said to use @@127.0.0.1:25226 however then we don't get CEF records in a CommonSecurityLog or Syslog. Is there anyone that can help?KQL to extract URL from TI Feeds
Hello, I need some help to extract a specific field (URL) from URL Haus Database. Example "3430907","2025-02-07 11:02:07","http://chmod0777kk.com/main","online","2025-02-07 11:02:07","malware_download","elf","https://urlhaus.abuse.ch/url/3430907/","anonymous" Needed output http://chmod0777kk.com/main Regards, HA
Zscaler Private Access Solution not receiving data
EDIT: Solved by switching to a default Ubuntu VM. No idea what exactly it is about default Ubuntu that makes it work. We have been trying to get the logs from Zscaler Private Access connected to our Sentinel instance, with 0 success so far. We've followed the instructions on the data connector page perfectly, but there simply isn't any data from Zscaler coming into Sentinel and we cannot figure out why - We've installed the Log Analytics (OMS) agent successfully. We can see a Heartbeat coming in and even the syslog of the machine. This should prove the connection between the VM and Sentinel is working - We've placed the VM in the same subnet as the ZPA log receivers, opened the correct ports and firewall rules and we can see traffic on our VM coming from the log receivers via tcpdump. This should prove the connection between Zscaler and the VM working - We can't find any errors in the OMS agent logs. It seems to load the provided zpa.conf file correctly. - We triple checked all the steps, every step is taken correctly But there are no ZPA logs in Sentinel I've searched around and there seem to be multiple people (even in the reviews section of the solutions) running into issues with this, but there are no solutions posted anywhere Did anyone have any luck with getting this solution to work? And can you share how you did it?
Questions on Implementing Forced Password Resets Using Sentinel Playbooks
Hello! I am working on automating a forced password reset at the next login using Sentinel playbooks. I have a couple of questions and would love some help with this: How can I set this up so that users are required to reset their passwords upon their next login? I've noticed there isn't much information available online about this process. Are there alternative methods or suggestions for achieving this? Why might this approach not be commonly recommended, and are there any additional insights that could be helpful? Thank you!Help Ingesting PingID Logs into Microsoft Sentinel
Hello, Microsoft Sentinel has a Data Connector for PingFederate, however this does not capture other PingIdentity products. Namely, PingID logs. Making this post asking if there are any ways to best implement ingesting PingID logs into Sentinel, as I am unable to find any documentation for PingIdentity or Sentinel that would assist me in coming up with a solution. Thank you for all comments and ideas.Create a report that contains Alerts and raw events
Hello, is there a way to autoamtically create a report in sentinel that contains security incidents and alerts as well as the raw events that triggered these alerts and be able to send it somewhere for archival purposes? Any help is much appreciated !How do you investigate network anomaly related alerts?
Hello everyone. Using some of the built-in analytical rules such as "Anomaly was observed with IPv6-ICMP Traffic", when you go into the incident event details, its just some numbers of the expected baseline vs actual value. What do you do with this? Similar case with following rules: Anomaly found in Network Session Traffic (ASIM Network Session schema) Anomaly was observed with ESP Traffic Anomaly was observed with Outbound Traffic Anomaly was observed with Unassigned TrafficSentinel and Amazon Web Services S3 WAF
Hello, I'm using Sentinel to fetch AWS WAF logs using the new collector Amazon Web Services S3 WAF . I setup a first collection using the ARN role and SQS Queue (Francfort Region). arn:aws:iam::XXXXXXXXX:role/OIDC_MicrosoftSentinel https://sqs.eu-central-1.amazonaws.com/XXXXXXX/sqs-aws-cloudwatch-sentinel I then add new collection using ARN role and SQS Queue (Francfort Region). arn:aws:iam::XXXXXXXXX:role/OIDC_MicrosoftSentinel https://sqs.eu-west-3.amazonaws.com/XXXXXXX/sqs-aws-cloudwatch-sentinel Adding the second collection erase the first one !! Is it a bug ?? Regards, HAUrgent !! CEF Syslog duplication Issue
Hi All I have configured a Fortinet integration with Azure sentinel on local7 facility. My current configuration is ingesting Fortinet logs in both the tables `CommonSecurityLog` and `syslog`. The number of logs are quite large and duplication may cost double cost. Please help to fix this issue Actions tried: 1. Performed steps as mentioned in the documentation. Using the same machine to forward both plain Syslog and CEF messages If you plan to use this log forwarder machine to forward Syslog messages as well as CEF, then in order to avoid the duplication of events to the Syslog and CommonSecurityLog tables: On each source machine that sends logs to the forwarder in CEF format, you must edit the Syslog configuration file to remove the facilities that are being used to send CEF messages. This way, the facilities that are sent in CEF won't also be sent in Syslog. See Configure Syslog on Linux agent for detailed instructions on how to do this. You must run the following command on those machines to disable the synchronization of the agent with the Syslog configuration in Azure Sentinel. This ensures that the configuration change you made in the previous step does not get overwritten. sudo su omsagent -c 'python /opt/microsoft/omsconfig/Scripts/OMS_MetaConfigHelper.py --disable' 2. Tried removing syslog facilities on log analytics workspace => agent configuration => syslog
Recent Blogs
- This guide will walk you through the steps required to integrate Fluent Bit with Microsoft Sentinel. Beware that in this article, we assume you already have a Sentinel workspace, a Data Collection En...Feb 14, 2025
- Microsoft Sentinel just rolled out a powerful new public preview feature: Ingestion Rules. This feature lets you fine-tune your threat intelligence (TI) feeds before they are ingested to Microsoft Se...Feb 14, 2025
