Join Our Azure Sentinel Community

Now that we have announced Azure Sentinel, we'd like to invite you to speak directly to our engineering team. We believe that the best way to improve our products is by having no barrier between you and the people who create them. That's why we need your participation in our community. As part of our community you can influence our products and get early access to changes by participating in private previews, giving feedback, requesting features, reviewing product roadmaps, joining conference call discussions, or attending in-person events. To try out Azure Sentinel, log into your Azure Portal and then click here to join the preview.

Join Us
To join our community, click here, and then click the join button and the heart icon for Azure Sentinel, as pictured below.

Stay Updated via our Blog
To keep up-to-date on all our major announcements, please visit our blog at https://aka.ms/AzureSentinelBlog.

Check Out our GitHub Repository
We have queries, detections, playbooks, and more on our GitHub repository at https://aka.ms/AzureSentinel/GitHub and we'll be investing significant effort in developing this content. We welcome contributions and hope you benefit from the shared expertise of our entire community.

Additional Security Groups
Here's a list of other security-related groups you may want to join:
- Azure
- Azure Security Center
- Azure Security and Identity
- Enterprise Mobility + Security
- Azure Advanced Threat Protection and ATA
- Azure Information Protection
- Microsoft Cloud App Security
- Microsoft Graph Security API
- Security, Privacy & Compliance
- Windows Defender Advanced Threat Protection

Find us on LinkedIn
We have a general discussion group on LinkedIn called the Microsoft Security Community, where I announce highlights from this site. Please join the group and feel free to connect with me.

Webinars and Private Preview Calls
We hold regular webinars and calls where we provide technical training, preview forthcoming features, gather feedback, and host discussions. Many of these allow you to join private previews. Meeting invitations for the calls are posted here in this group, so please check back regularly. Our latest Azure Sentinel webinar can be found at https://aka.ms/AzureSentinelWebinar. We hope to hear from you soon!

Ryan Heffernan (Microsoft), Feb 22, 2019

Everything Azure Sentinel connectors

Hi Everyone, I have finalized my blog series on ingesting data to Azure Sentinel and thought you might find a summary useful. Even if you don't find the event or enrichment source in one of the built-in connectors, there is a good chance that Sentinel does support it, and if not, Sentinel has a broad array of tools to create custom connectors. Here are the relevant blog posts to guide you to find your connector or develop a custom one:
- Using the agent to collect telemetry from on-prem and IaaS server
- Collecting Azure PaaS services logs
- The Syslog and CEF source configuration grand list
- Creating Custom Connectors

~ Ofer

Ofer_Shezaf (Microsoft), Sep 20, 2019

Private preview for automated playbook activation on an alert

Hi Everyone, I am happy to announce that we have started a private preview for automated playbook activation. If you would like to fire up a playbook when an alert rule triggers, contact me to be included in the preview. Thanks

~ Ofer

Ofer_Shezaf (Microsoft), May 08, 2019

Time Series analysis and visualization in Azure Sentinel

I have posted a couple of blogs around Time Series analysis and visualization on security event log data sources in Azure Sentinel.

Blog 1: Introduction to Time Series, a step-by-step guide on compiling queries, configuring alerts and investigating the results. Data source: Windows Event Log - Process Execution Data. https://techcommunity.microsoft.com/t5/Azure-Sentinel/Looking-for-unknown-anomalies-what-is-normal-Time-Series/ba-p/555052

Blog 2: Visualization and interpreting Time Series Data. Data source: Palo Alto Network Traffic Logs. https://techcommunity.microsoft.com/t5/Azure-Sentinel/Time-Series-visualization-of-Palo-Alto-logs-to-detect-data/ba-p/666344

As always, feedback or questions are welcome.

Ashwin_Patil (Microsoft), Jun 10, 2019

Public Preview: Improved Data Connector

We've improved the data connector for Azure Sentinel and we'd like you to try it out. You can participate in the public preview by visiting the Azure Sentinel "Data connectors" page. Screenshots, explanations, and other details can be found in our documentation at https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources. The data connector's new interface includes better visualization for status and permissions, improved search, and better instructions. We'd love to get your feedback at https://aka.ms/ASDCvNext.

Ryan Heffernan (Microsoft), Jul 16, 2019

Detailed Email Alerts

One area that I haven't seen covered is how to get more detail into email alerts that may be generated as the result of a playbook execution. You can get basic alert information but no information on the event data. I configured this playbook, which will run the query that is part of the analytic rule and send those in an email formatted as an HTML table. This is the JSON schema:

    {
      "properties": {
        "Query": { "type": "string" },
        "Query End Time UTC": { "type": "string" },
        "Query Period": { "type": "string" },
        "Query Results Aggregation Kind": { "type": "string" },
        "Query Start Time UTC": { "type": "string" },
        "Search Query Results Overall Count": { "type": "string" },
        "Total Account Entities": { "type": "string" },
        "Total Host Entities": { "type": "string" },
        "Total URL Entities": { "type": "string" },
        "Trigger Operator": { "type": "string" },
        "Trigger Threshold": { "type": "string" }
      },
      "type": "object"
    }

Hope this is helpful for some of you.

mperrotta (Brass Contributor), Apr 15, 2020

Using Jupyter Notebooks for CyberSecurity Hunting

We've started a blog companion to the #AzureSentinel Community. I've recently posted 2 articles on using Jupyter Notebooks in Azure Sentinel for hunting and investigation:
- Security Investigation with Azure Sentinel and Jupyter Notebooks – Part 1
- Security Investigation with Azure Sentinel and Jupyter Notebooks – Part 2

(3rd and final part coming shortly.) Also check out this article if Jupyter is new to you: Why Use Jupyter for Security Investigations? Also check out shainw's article on Azure Sentinel: Performing Additional Security Monitoring of High-Value Accounts. Feedback (including requests for future subjects) is very much welcome.

Ian

ianhelle (Microsoft), Apr 26, 2019