Recent Discussions
Join Our Azure Sentinel Community
Visit Our Blog

Now that we have announced Azure Sentinel, we'd like to invite you to speak directly to our engineering team. We believe that the best way to improve our products is by having no barrier between you and the people that create them. That's why we need your participation in our community. As part of our community you can influence our products and get early access to changes by participating in private previews, giving feedback, requesting features, reviewing product roadmaps, joining conference call discussions, or attending in-person events. To try out Azure Sentinel, log into your Azure Portal and then click here to join the preview.

Join Us
To join our community, click here, and then click the join button and the heart icon for Azure Sentinel, as pictured below.

Stay Updated via our Blog
To keep up-to-date on all our major announcements, please visit our blog at https://aka.ms/AzureSentinelBlog.

Check Out our GitHub Repository
We have queries, detections, playbooks, and more on our GitHub repository at https://aka.ms/AzureSentinel/GitHub and we'll be investing significant efforts developing this content. We welcome contributions and hope you benefit from the shared expertise of our entire community.

Additional Security Groups
Here's a list of other security-related groups you may want to join.
- Azure
- Azure Security Center
- Azure Security and Identity
- Enterprise Mobility + Security
- Azure Advanced Threat Protection and ATA
- Azure Information Protection
- Microsoft Cloud App Security
- Microsoft Graph Security API
- Security, Privacy & Compliance
- Windows Defender Advanced Threat Protection

Find us on LinkedIn
We have a general discussion group on LinkedIn called the Microsoft Security Community, where I announce highlights from this site. Please join the group and feel free to connect with me.
Webinars and Private Preview Calls
We hold regular webinars and calls where we provide technical training, preview forthcoming features, gather feedback, and host discussions. Many of these allow you to join private previews. Meeting invitations for the calls are posted here in this group, so please check back regularly. Our latest Azure Sentinel webinar can be found at https://aka.ms/AzureSentinelWebinar. We hope to hear from you soon!

Everything Azure Sentinel connectors
Hi Everyone, I have finalized my blog series on ingesting data to Azure Sentinel and thought you might find a summary useful. Even if you don't find the event, or enrichment, source in one of the built-in connectors, there is a good chance that Sentinel does support it, and if not, Sentinel has a broad array of tools to create custom connectors. Here are the relevant blog posts to guide you to find your connector or develop a custom one:
- Using the agent to collect telemetry from on-prem and IaaS servers
- Collecting Azure PaaS services logs
- The Syslog and CEF source configuration grand list
- Creating Custom Connectors

~ Ofer

Private preview for automated playbook activation on an alert
Hi Everyone, Encountered this? I am happy to announce that we have started a private preview for automated playbook activation. If you would like to fire up a playbook when an alert rule triggers, contact me to be included in the preview. Thanks

~ Ofer

Time Series analysis and visualization in Azure Sentinel
I have posted a couple of blogs around Time Series analysis and visualization on security event log data sources in Azure Sentinel.

Blog 1: Introduction to Time Series, a step-by-step guide on compiling queries, configuring alerts and investigating the results. Data Source: Windows Event Log - Process Execution Data
https://techcommunity.microsoft.com/t5/Azure-Sentinel/Looking-for-unknown-anomalies-what-is-normal-Time-Series/ba-p/555052

Blog 2: Visualization and interpreting Time Series Data. Data Source: Palo Alto Network Traffic Logs
https://techcommunity.microsoft.com/t5/Azure-Sentinel/Time-Series-visualization-of-Palo-Alto-logs-to-detect-data/ba-p/666344

As always, feedback or questions are welcome.

Public Preview: Improved Data Connector
We’ve improved the data connector for Azure Sentinel and we’d like you to try it out. You can participate in the public preview by visiting the Azure Sentinel “Data connectors” page. Screenshots, explanations, and other details can be found in our documentation at https://docs.microsoft.com/en-us/azure/sentinel/connect-data-sources. The data connector’s new interface includes better visualization for status and permissions, improved search, and better instructions. We’d love to get your feedback at https://aka.ms/ASDCvNext.

Detailed Email Alerts
One area that I haven't seen covered is how to get more detail into email alerts that may be generated as the result of a playbook execution. You can get basic alert information but no information on the event data. I configured this playbook which will run the query that is part of the analytic rule and send those in an email formatted as an HTML table. This is the JSON schema:

{
  "properties": {
    "Query": { "type": "string" },
    "Query End Time UTC": { "type": "string" },
    "Query Period": { "type": "string" },
    "Query Results Aggregation Kind": { "type": "string" },
    "Query Start Time UTC": { "type": "string" },
    "Search Query Results Overall Count": { "type": "string" },
    "Total Account Entities": { "type": "string" },
    "Total Host Entities": { "type": "string" },
    "Total URL Entities": { "type": "string" },
    "Trigger Operator": { "type": "string" },
    "Trigger Threshold": { "type": "string" }
  },
  "type": "object"
}

Hope this is helpful for some of you.

Using Jupyter Notebooks for CyberSecurity Hunting
We've started a blog companion to the #AzureSentinel Community. I've recently posted 2 articles on using Jupyter Notebooks in Azure Sentinel for hunting and investigation.
- Security Investigation with Azure Sentinel and Jupyter Notebooks – Part 1
- Security Investigation with Azure Sentinel and Jupyter Notebooks – Part 2
(3rd and final part coming shortly). Also check out this article if Jupyter is new to you: Why Use Jupyter for Security Investigations? Also check out shainw's article on Azure Sentinel: Performing Additional Security Monitoring of High-Value Accounts. Feedback (including requests for future subjects) is very much welcome.

Ian

Problems with Playbooks - Request Header Fields Too Large
Hi all, Since this afternoon my Playbooks are not working anymore. I have a few Playbooks that are being triggered by Automation Rules. The first step in the Playbook is the Sentinel Incident Trigger. The second step is the "Get Incident" which gets the incident details with the Incident ARM ID from step 1. The second step is not working anymore and I get with every Playbook "Status Code: 431" and as output:

{
  "StatusCode": 431,
  "ReasonPhrase": "Request Header Fields Too Large",
  "Content": "",
  "Headers": {
    "Pragma": [ "no-cache" ],

The same error happens with a Playbook where I add a comment to the Incident. Status code is also 431 and stops the Playbook. Does anybody have a solution/help to fix this? Thanks in advance!

How to add 'Microsoft-Windows-Sysmon' events to table 'SysmonEvent'?
Hi everyone. How do I add 'Microsoft-Windows-Sysmon' events to the table 'SysmonEvent'? I've tried to set it up in my env w/ Win10, but Sysmon logs are collected to the 'Events' table only. What did I do wrong?

Environment:
- Azure Sentinel instance
- Data collector Security Events - Minimal.
- Advanced settings:
  * Connected Sources: Windows Agent (64 bit) installed on Win10
  * Data: Windows events 'Microsoft-Windows-Sysmon/Operational'

Azure Sentinel Webinar
We're hosting a webinar on Azure Sentinel. You can learn more and register here: https://aka.ms/AzureSentinelWebinar. Here's the topic:

Modernize Security Operations with New Azure Sentinel
Thursday, March 21, 2019 10:00 AM - 11:00 AM Pacific Time

As the value of digital information increases, so do the number and sophistication of cyberattacks. Traditional security information and event management (SIEM) products are failing to protect today's infrastructure from the volume and speed of threats—but there’s a new solution. Join this webinar to hear from Microsoft security experts how built-in artificial intelligence (AI) and automation are transforming security operations through a new cloud service, Microsoft Azure Sentinel. You’ll also discover how:
- Cloud-native SIEM services let you focus on security operations rather than infrastructure setup and maintenance.
- Built-in advanced analytics capabilities help you discover complex threats and accelerate threat responses.
- Integrated automation and orchestration simplifies your security operations center (SOC) and increases productivity of your employees.

PFSense logs showing up very nicely in Azure Sentinel dashboard
Hey guys, Just wanted to share that I finally managed to get my dashboard working and reflecting my PFSense Firewall logs. Here is how I achieved it.
- Set up a syslog collector on a Debian VM
- Configure the Linux syslog agent
- Send syslog from the firewall to Linux so that it can send it to log analytics securely.

With log analytics I was able to parse and extract unique values out of the firewall logs. In my dashboard I grabbed any IPs I blocked on which interface. Once I had the right queries, it was a bit difficult using a base dashboard and injecting queries. I had to clone another Sentinel dashboard and then make it my own. A lot of details I left out, but this is just an overall idea on how I achieved it.

Just wanted to mention a few challenges I had:
- Making a dashboard was not as easy as I thought; guides around making a dashboard are not documented as well as I hoped. I had to really just mess around and finally just cloned another one and worked from there. It's best to download it and just modify the JSON file yourself. Thanks to Jon for the tip.
- It was a bit difficult getting all the syslog to go into log analytics, but eventually it worked and I honestly don't know how I did it. The problem was specifying the right facility.
- You HAVE to know the Kusto query language; you will run into challenges if you don't know more than the basics.
- Unfortunately I don't have the playbooks and other stuff turned on so I can't build automation using logic apps, but hopefully it comes in the future.

If you noticed the big blue peak in my WAN interface chart, that was a port scan on my firewall. Maybe some automation to identify that a port scan is occurring and block that IP automatically using the playbook.

Possible data sources
Hey there, The product is amazing, very promising with great features, looking forward to setting up our entire SIEM on it. Our company has zero on-prem solutions; it’s a cloud-native organisation. It would be highly appreciated if you consider a pull-logs-via-REST-API method; that would help us to introduce integration with:
- Cloudflare
- Salesforce
- AWS CloudTrail
- AWS S3

Also any plan or a way to pull Azure SQL logs? Does it work if I just enable log analytics streaming? Many thanks in advance!

UEBA: tables missing in Azure Sentinel logs
Hi all, so I noticed that across different tenants the number of UEBA tables in Azure Sentinel is not the same. I assume that you normally have 4 tables:
- BehaviorAnalytics
- IdentityInfo
- UserAccessAnalytics
- UserPeerAnalytics

This is what I encountered on 2 different tenants with the same settings: For some reason on another tenant the IdentityInfo table is missing. I have checked the entity behavior settings and all 4 data sources are enabled. Any ideas?

Kind Regards
Louis

Microsoft Defender ATP Azure Sentinel Connector omits a lot of important Alert information
Hi, It is sad to see that the Microsoft Defender ATP Connector in Azure Sentinel does not get all the required alert information as compared to the Graph API. Details like User information, IP information, Threat Category & Threat Family are omitted. Building any custom playbook to get this data is additionally charged although ingestion of Microsoft data is free. The connector needs improvement. Thanks

demo/showcase environment?
Hi, Is there -or are there plans to create- a kind of demo/showcase environment that has all connectors active & has dummy data in it that we can use as a sales tool to convince customers & to assist in training our team? The huge scope of technologies and the lack of live data makes it hard to create one yourself.

Regards,
Bart

Meetup: Deep dive into the new Azure Sentinel service!
If you are based in London or will be there on October 23, our Azure Sentinel team will co-host a free “Deep dive into the new Azure Sentinel service” Meetup in the month of October.

Meetup name: Deep dive into the new Azure Sentinel service
Cost: Free
Date: October 23rd, 2019
Time and Duration: 18:00 – 21:00
Location: The Microsoft Reactor London, 70 Wilson St. - London, UK
Registration: https://lnkd.in/gvRTgpz

There is a maximum capacity of 100 attendees, so if interested we suggest registering now.
Events
Recent Blogs
- This guide will walk you through the steps required to integrate Fluent Bit with Microsoft Sentinel. Beware that in this article, we assume you already have a Sentinel workspace, a Data Collection En... (Feb 14, 2025)
- Microsoft Sentinel just rolled out a powerful new public preview feature: Ingestion Rules. This feature lets you fine-tune your threat intelligence (TI) feeds before they are ingested to Microsoft Se... (Feb 14, 2025)