Microsoft Sentinel | Microsoft Community Hub

Connect with experts and redefine what’s possible at work – join us at the Microsoft 365 Community Conference May 6-8. Learn more >

Forum Widgets

Latest Discussions

Cribl o Logstash vs AMA CEF: What’s the Best Choice for Ingesting Firewall Logs?
Hi everyone, what are the advantages of using Cribl or Logstash over a CEF log collector via AMA for ingesting firewall logs such as Palo Alto for example into Microsoft Sentinel? In a typical scenario, how would you configure the ingestion to optimize performance, scalability, and cost? What do you think? Let’s discuss and share experiences!
MarPas
Brass Contributor
Mar 10, 2025
cost management
data collection
Log Data
46Views
0likes
2Comments
AMPLS Restrictions Preventing Outbound API Calls in Logic Apps – Any Workarounds?
Hi everyone, I’m encountering an issue where Azure Monitor Private Link Scope (AMPLS) restrictions are preventing Azure Logic Apps from making any outbound API calls, even to Microsoft-owned outbound IP addresses. One specific problem is that when running KQL queries inside a Logic App, the Azure Monitor connector fails because it attempts to access Microsoft outbound IPs, which are blocked by AMPLS restrictions. Since this is happening within Logic Apps itself, I don’t have direct control over these outbound calls. Has anyone found a workaround to allow Logic Apps to function correctly while keeping AMPLS in place? Would Private Endpoints, VNET Integration, or any other configuration help resolve this? Any insights or solutions would be greatly appreciated!
Sergi
Copper Contributor
Mar 04, 2025
playbooks
siem
soar
50Views
0likes
3Comments
AMPLS Restrictions Preventing Outbound API Calls in Logic Apps – Any Workarounds?
Hi everyone, I’m encountering an issue where Azure Monitor Private Link Scope (AMPLS) restrictions are preventing Azure Logic Apps from making any outbound API calls, even to Microsoft-owned outbound IP addresses. One specific problem is that when running KQL queries inside a Logic App, the Azure Monitor connector fails because it attempts to access Microsoft outbound IPs, which are blocked by AMPLS restrictions. Since this is happening within Logic Apps itself, I don’t have direct control over these outbound calls. Has anyone found a workaround to allow Logic Apps to function correctly while keeping AMPLS in place? Would Private Endpoints, VNET Integration, or any other configuration help resolve this? Any insights or solutions would be greatly appreciated!
Sergi
Copper Contributor
Mar 04, 2025
playbooks
6Views
0likes
0Comments
Fetching alerts from Sentinel using logic apps
Hello everyone, I have a requirement to archive alerts from sentinel. To do that I need to do the following: Retrieve the alerts from Sentinel Send the data to an external file share As a solution, I decided to proceed with using logic apps where I will be running a script to automate this process. My questions are the following: -> Which API endpoints in sentinel are relevant to retrieve alerts or to run kql queries to get the needed data. -> I know that I will need some sort of permissions to interact with the API endpoint. What type of service account inside azure should I create and what permissions should I provision to it ? -> Is there any existing examples of logic apps interacting with ms sentinel ? That would be helpful for me as I am new to Azure. Any help is much appreciated !
Zorghost
Copper Contributor
Feb 22, 2025
alerts
apis
automation
azure
data collection
75Views
0likes
4Comments
Affected rows stateful anomaly on database vs. Response rows stateful anomaly on database
Is there a difference between the two scheduled rules, "Affected rows stateful anomaly on database" and "Response rows stateful anomaly on database"? I can see that they have different descriptions: - Affected rows stateful anomaly on database - To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows. - Response rows stateful anomaly on database - To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows. This tells me the alerts query should be different. However, when I compare the two they are exactly the same.
Solved
lfg524
Copper Contributor
Feb 21, 2025
alerts
analytics
45Views
0likes
2Comments
Questions on Implementing Forced Password Resets Using Sentinel Playbooks
Hello! I am working on automating a forced password reset at the next login using Sentinel playbooks. I have a couple of questions and would love some help with this: How can I set this up so that users are required to reset their passwords upon their next login? I've noticed there isn't much information available online about this process. Are there alternative methods or suggestions for achieving this? Why might this approach not be commonly recommended, and are there any additional insights that could be helpful? Thank you!
Christinem12345
Copper Contributor
Feb 17, 2025
automation
playbooks
60Views
0likes
3Comments
KQL to match URL FW LOGS and Threatfox URL feeds
Hi all, I try to match RequestURL field (in CommonSecurityLog) from a Fortigate FW with URL Haus live feeds. The query does not produce any errors but it doesn't match anything. let ThreatFox = externaldata(URL: string ) ["https://threatfox.abuse.ch/export/csv/recent/"] with (format="txt", ignoreFirstRecord=True); let ThreatFoxUrl = ThreatFox | where URL contains "url" | extend URL = replace_string(URL, "\"", "") | extend parse_csv(URL) | extend URL = URL[2]; CommonSecurityLog | where RequestURL has_any (ThreatFoxUrl) The following query is working fine with HASH let MalwareBazaarMISP = externaldata(SHA256: string) ["https://bazaar.abuse.ch/export/txt/sha256/recent"] with (format="txt", ignoreFirstRecord=True); let SHA256Regex = '[a-f0-9]{64}'; let MaliciousSHA256 = materialize ( MalwareBazaarMISP | where SHA256 matches regex SHA256Regex | distinct SHA256 ); DeviceProcessEvents | where SHA256 has_any (MaliciousSHA256) Rehards, HA
Solved
HA13029
Brass Contributor
Feb 14, 2025
analytics
KQL
78Views
0likes
7Comments
Create a report that contains Alerts and raw events
Hello, is there a way to autoamtically create a report in sentinel that contains security incidents and alerts as well as the raw events that triggered these alerts and be able to send it somewhere for archival purposes? Any help is much appreciated !
Zorghost
Copper Contributor
Feb 12, 2025
alerts
apis
automation
KQL
Reports
127Views
0likes
7Comments
Help Ingesting PingID Logs into Microsoft Sentinel
Hello, Microsoft Sentinel has a Data Connector for PingFederate, however this does not capture other PingIdentity products. Namely, PingID logs. Making this post asking if there are any ways to best implement ingesting PingID logs into Sentinel, as I am unable to find any documentation for PingIdentity or Sentinel that would assist me in coming up with a solution. Thank you for all comments and ideas.
colinc10
Copper Contributor
Feb 12, 2025
analytics
azure
data collection
integration
79Views
0likes
2Comments
KQL to extract URL from TI Feeds
Hello, I need some help to extract a specific field (URL) from URL Haus Database. Example "3430907","2025-02-07 11:02:07","http://chmod0777kk.com/main","online","2025-02-07 11:02:07","malware_download","elf","https://urlhaus.abuse.ch/url/3430907/","anonymous" Needed output http://chmod0777kk.com/main Regards, HA
HA13029
Brass Contributor
Feb 08, 2025
KQL
75Views
0likes
2Comments

Resources

Tags

siem404 Topics
KQL279 Topics
data collection225 Topics
Log Data200 Topics
analytics143 Topics
azure137 Topics
automation126 Topics
integration122 Topics
kusto113 Topics
playbooks110 Topics

Share