Forum Widgets
Latest Discussions
AMPLS Restrictions Preventing Outbound API Calls in Logic Apps β Any Workarounds?
Hi everyone, Iβm encountering an issue where Azure Monitor Private Link Scope (AMPLS) restrictions are preventing Azure Logic Apps from making any outbound API calls, even to Microsoft-owned outbound IP addresses. One specific problem is that when running KQL queries inside a Logic App, the Azure Monitor connector fails because it attempts to access Microsoft outbound IPs, which are blocked by AMPLS restrictions. Since this is happening within Logic Apps itself, I donβt have direct control over these outbound calls. Has anyone found a workaround to allow Logic Apps to function correctly while keeping AMPLS in place? Would Private Endpoints, VNET Integration, or any other configuration help resolve this? Any insights or solutions would be greatly appreciated!Juniper SRX 340 logs not read by rsyslog
I have configured Juniper SRX 340 Junos logs to be forwarded to a centralized syslog server before reaching Microsoft Sentinel. I can see the Juniper logs on the syslog server while doing a TCPDUMP but, the same logs are not ready by rsyslog. The same syslog server is also receiving the logs from Cisco ASA. The rsyslog is able to read the ASA logs with no issues and further forward them to Sentinel through AMA agent. I don't have any filters applied in rsyslog.conf file and I'm capturing everything (*.*) all syslog facility and severity to a log file but, still the Juniper logs are not recognized by rsyslog. Please help on resolving this issueBug in stand-alone MS Sentinel MITRE tactics
I setup a new Analytic rule where I had selected multiple tactics/techniques combinations. When I create an incident from that rule, only one of the tactics/techniques actually show up in the stand-alone MS Sentinel UI as well as in the SecurityIncident table. It isn't even the first one I selected; it is the last one. I did double check the Analytic rule and all the tactics/techniques are selected. If I look at the incident using the MS Sentinel REST API, it does show that all the tactics/techniques are there as well as if I look in the M365 portal (I have my MS Sentinel instance linked). Heck, even the Graph Query will show them all (after expanding the incident to show the alerts as well). Has anyone noticed this recently? Is it a bug or another new "feature"?
Can we deploy Bicep through Sentinel repo
Hi there, Im new here, but π .... With the problem statement being "Deploying and managing sentinel infrastructure through git repository. I had looked into Sentinel Repository feature which is still in Preview. With added limitations of not being able to deploy watchlists or custom log analytical functions ( custom parsers ). There is also a limitation of deploying only ARM content My guess would be that the product folks at msft are working on this π My hypothesized (just started the rnd, as of writing this) options would be to Fully go above and beyond with Bicep; Create bicep deployment files for both the rules as well as their dependencies like LAW functions, watchlists and the whole nine yards. Need to write pipelines for the deployment. The CI/CD would also need extra work to implement Hit that sweet spot; Deploy the currently supported resources using sentinel repo and write a pipeline to deploy the watchlists using Bicep. But not sure if this will be relevant to solutions to clients. When the whole shtick is that we are updating now so we dont have to later. Go back to the dark ages: Stick to the currently supported sentinel content through ARM & repo. And deploy the watchlists and dependencies using GUI π I will soon confirm the first two methods, but may take some time. As you know, I may or may not be new to sentinel...or devops.. But wanted to kick off the conversation, to see how close to being utterly wrong I am. π Thanks, mal_secWhy maximum supported DataFlow count is 10 in DCR?
Is there any technical reason why a DCR can support maximum 10 dataflows? There are already 10 ASim tables. If we want to combine standard tables with ASim tables in one DCR, that is currently not possible. It makes the process complicated. Also is that the same reason why designated ASim table count is currently 10? :)
Sentinel IP for WEST EUROPE
Hi. I have this issue, where I have Sentinel and need the data connector setup for accessing Github. If my github Org do have IP Allow list enabled this do not work. So I need to find the IP's that the Connector talks out from Azure / Sentinel with when hitting the github service so I can whitelist those. If I take the IP scopes for Sentinel they are quite extensive and it cannot be that I need to whitelist every single Azure monitor/sentinel IP just to get those that Sentinel uses to talk to an API, but how can I find the needed IP's Or is there another way to get Audit logs from Github when there is IP restrictions enabled on the Github organization (in a github cloud enterprice setup)Is it possible to set up this playbook for a specific rule incident alarm?
I was wondering if a specific playbook setting is possible for the rules below RuleName : New Azure Sentinel incident - Authentication Attempt from New Country Read UserPrincipalName, set_IPAddress value when alarm occurs Automatically send mail to each user by identifying the user-specific mail address with UserPrincipalName and changing the recipient, ip value according to the specified mail form
RestApiPoller Paging Question
Hi, RestApiPoller Paging question from setting up a new Codeless Connector against one API. I'm currently polling this API with an Azure function and would like to cut it over to CCP. The API supports iterating through pages via querying it with pageNumber and pageSize parameters. For example, I can query pageNumber=1, pageNumber=2 and so forth. The API returns a pageCount value as part of a successful response. There is no next page or next link in the response. I can't see anything in the NextPageToken section of the API on how to handle this. Any suggestions? API is called by sending a POST with the following in the body. { "interval": "", "pageNumber": 0, "pageSize": 0 } Successful response received is: { "data": [ ], "pageSize": 0, "pageNumber": 0, "total": 0, "pageCount": 0 }
