Recent Discussions
Minemeld Threat Intel Integration to Sentinel
Hello guys, I have deployed a Minemeld server in Azure. I'm pulling free threat intel in there, processing it, then using the Microsoft Security Graph extension to forward it to Microsoft. Turned the Threat Intel Connector on and now I have the Threat Intel in the LogAnalytics space. There are two issues I have, in order:

1. Currently, with threat intel of type IP, I get the IP in a field called ExternalIndicatorID. A sample value for this is: IPv4:36.119.0.0-36.119.255.255. As you can see, we have "IPv4:" and then a range of IPs follows. The problem is this is something that's very impractical to use from an analytics point of view. I have to write the query in such a way as to ignore the "IPv4:" and then also be able to interpret the range. This is impractical, and the preview Threat Intel rules offered by Microsoft do not use that field. They instead use NetworkIP, NetworkDestinationIP, NetworkSourceIP... whichever of the three they find with a value. For me, however, those values are empty. Apparently this is something that must be changed with the Minemeld processor so that it does not merge IPs and generate ranges. I have not found a way to do that. Has anyone managed to do that, or otherwise any other workarounds to be able to consume Minemeld IP Threat Intel in Sentinel?

2. The second thing, and I'm not completely sure here as nr 1 was a much bigger priority: is the Microsoft Security Graph extension for Minemeld only able to consume URLs, Domains and IPs? No emails, hashes, etc.? I have also asked on Palo Alto's board, however I'm really curious and could use a hand from someone who has already managed to do this. Thank you!

7.9K views, 0 likes, 31 comments

Playbook (Logic App) - trigger - When Azure Sentinel incident creation rule was triggered
Hi, I am attempting to use the trigger "When Azure Sentinel incident creation rule was triggered" that's in preview, but the playbook is not triggered even though I know that I have a new incident in Sentinel. What's missing from the configuration?

17K views, 0 likes, 30 comments

Error when running playbook Block-AADUser-Alert
Hello, I have a personal account and I am trying Microsoft Sentinel. My scenario is: when a user account (not admin) changes his authentication method, an alert is triggered and then I run the built-in playbook Block-AADUser-Alert to disable this account. I get the following error when running this playbook:

{
  "error": {
    "code": "Request_ResourceNotFound",
    "message": "Resource '[\"leloc@hoahung353.onmicrosoft.com\"]' does not exist or one of its queried reference-property objects are not present.",
    "innerError": {
      "date": "2022-05-13T03:06:46",
      "request-id": "84bab933-eb79-4352-9bdf-e6d5444a1798",
      "client-request-id": "84bab933-eb79-4352-9bdf-e6d5444a1798"
    }
  }
}

I have tried to assign all required permissions (User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All), authorized the API connection, etc., but it does not solve the issue. Would anyone help advise how to solve this? Is it because of the personal account? Best Regards, An

[Solved] 5.8K views, 0 likes, 29 comments

Join Our Azure Sentinel Community
Visit Our Blog

Now that we have announced Azure Sentinel, we'd like to invite you to speak directly to our engineering team. We believe that the best way to improve our products is by having no barrier between you and the people that create them. That's why we need your participation in our community. As part of our community you can influence our products and get early access to changes by participating in private previews, giving feedback, requesting features, reviewing product roadmaps, joining conference call discussions, or attending in-person events. To try out Azure Sentinel, log into your Azure Portal and then click here to join the preview.

Join Us

To join our community, click here, and then click the join button and the heart icon for Azure Sentinel, as pictured below.

Stay Updated via our Blog

To keep up-to-date on all our major announcements, please visit our blog at https://aka.ms/AzureSentinelBlog.

Check Out our GitHub Repository

We have queries, detections, playbooks, and more on our GitHub repository at https://aka.ms/AzureSentinel/GitHub and we'll be investing significant efforts developing this content. We welcome contributions and hope you benefit from the shared expertise of our entire community.

Additional Security Groups

Here's a list of other security-related groups you may want to join.

- Azure
- Azure Security Center
- Azure Security and Identity
- Enterprise Mobility + Security
- Azure Advanced Threat Protection and ATA
- Azure Information Protection
- Microsoft Cloud App Security
- Microsoft Graph Security API
- Security, Privacy & Compliance
- Windows Defender Advanced Threat Protection

Find us on LinkedIn

We have a general discussion group on LinkedIn called the Microsoft Security Community, where I announce highlights from this site. Please join the group and feel free to connect with me.

Webinars and Private Preview Calls

We hold regular webinars and calls where we provide technical training, preview forthcoming features, gather feedback, and host discussions. Many of these allow you to join private previews. Meeting invitations for the calls are posted here in this group, so please check back regularly. Our latest Azure Sentinel webinar can be found at https://aka.ms/AzureSentinelWebinar. We hope to hear from you soon!

[Solved] 26K views, 44 likes, 28 comments

Azure Sentinel Logic App Action Incident ID
I am looking at the Azure Sentinel action in Logic Apps (AKA Playbooks) and I notice that when I try to do something like "Add a Label" or "Write a Comment", most of the fields (Subscription ID, Resource Group, and Workspace ID) can be obtained from the Sentinel trigger, but I do not see any place to get the Incident ID. Would this Logic App be triggered before the Incident is created, and is that why there is no Incident ID? In any event, how would you get the Incident ID in order to use these actions? I see there is an entry to get all the Incidents, but I don't see any way to accurately figure out which one to use.

[Solved] 10K views, 1 like, 26 comments

mv-expand - I cannot make it work!!
Can anyone spare any time to give me a basic example of how to use mv-expand please, so that I can then expand on it! (See what I did there?) I just don't get it. I understand that it can be used to extract a value from an array, but in my fiddling it's not happening. I have looked at the docs but the examples just don't relate/click with me. I've been enjoying TeachJing YouTube lessons, but I haven't found one that covers this command. I'm just looking for the most minimal lines so I can build from it. Many thanks (Soz for the stupid question!)

[Solved] 14K views, 0 likes, 20 comments

I am trying to create a watchlist that displays specific alerts from different business units
Here is the query below. I would like to be able to determine which specific business unit server an alert was generated from into Azure Sentinel, but I am unable to create a tag that includes a watchlist that provides the expected result. Please help.

Heartbeat
| lookup kind=leftouter _GetWatchlist('MBSFQDN_01') on $left.Computer == $right.SearchKey
| project UNIT, Computer

5.6K views, 0 likes, 20 comments

Data Connector - Analytics Rule
Hi everyone, I want to have an analytic rule / automation rule so that every time a certain connector (e.g. some firewall connector) is down, I receive an alert in Sentinel. I've been searching for various alternatives but until now can't find anything that I can put to work in my organization. Does anyone have a suggestion on what you implemented before and that is working right now? Thank you.

[Solved] 3.9K views, 0 likes, 18 comments

Azure Sentinel Automation (Preview) - Issue with Permission assignment
Hi @AzureSentinel Team, I believe this is a bug unless there is a reason to do so. In Azure Sentinel Automation (Preview), when I tried to assign permission for a logic app I got the error below. Please note: although I am the owner of the subscription, I am not able to assign the permission, whereas only a global admin with subscription ownership can do this role assignment.

Saving automation rule 'TEST 1' failed. Error: Caller is missing required playbook triggering permissions on playbook resource '/subscriptions/xxx/resourceGroups/yyy/providers/Microsoft.Logic/workflows/logicapp1', or Azure Sentinel is missing required permissions to verify the caller has permissions

Thanks.

13K views, 0 likes, 18 comments

TiIndicators not showing up in ThreatIntelligenceIndicator Logs
It seems that around July 2nd, 7/2/2020, 9:17:26.272 PM UTC, all of our custom TiIndicators stopped showing up in our ThreatIntelligenceIndicator logs. All of the logic apps are running successfully and POSTing to the SecGraphApi, with the correct responses. We can also send a GET to the API with the newly created TiIndicator ID and verify that the indicator exists. When searching the logs, however, we are not seeing anything. The indicators retrieved by the built-in TAXII data connector are still in the logs. We have tested this with the standard POST method to the API as well as the new MS Graph Security - Create TiIndicator/Create Multiple TiIndicator actions in the Logic Apps. We have also tested in a separate tenant.

3.8K views, 2 likes, 18 comments

fooUser appearing in Sentinel device logs
Hi, I noticed from an alert in MS Security Center that there is an account called fooUser@<domain> that seems to do a lot of client operations outside of what I understand the account is for, which is Intune enrollment in Autopilot. https://call4cloud.nl/2022/09/foouser-meets-the-cosmic-autopilot-user/ But I'm seeing process creations, file creations, etc. This started on the 11th of April on a single device and has since escalated to over a hundred. The first device was actually in an Autopilot process when the events started to get logged, but now there are a lot of machines that have been active for a long time where the logs are coming in from as well. The following query is what I used to find the events in Advanced Hunting:

search in (DeviceEvents,DeviceFileCertificateInfo,DeviceFileEvents,DeviceImageLoadEvents,DeviceInfo,DeviceLogonEvents,DeviceNetworkEvents,DeviceNetworkInfo,DeviceProcessEvents,DeviceRegistryEvents) "fooUser"
| sort by TimeGenerated asc

Does anyone else see this behavior?

[Solved] 22K views, 2 likes, 17 comments

ARM template for deploying a workbook template to Microsoft Sentinel
Hello, I am attempting to deploy an ARM Template (execution using PowerShell) for any Analytic Rule to a Microsoft Sentinel instance. I have been following this link: https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-automate#next-steps. I am struggling with ensuring the Workbook is deployed to the Microsoft Sentinel workbook gallery and NOT the Azure Monitor one. The link includes a sample ARM template where you can add <templateData> (JSON code), which represents the workbook you wish to deploy. I get it working to deploy to the Azure Monitor workbook gallery but not for it to be present in the Microsoft Sentinel one. Jason

[Solved] 520 views, 0 likes, 15 comments

The remote NGC session was denied.
Hi. I was reviewing sign-in logs for a user in Sentinel and came across an entry that has the following:

ResultType: 1003033
ResultDescription: The remote NGC session was denied.
Authentication method: Passwordless phone sign-in

I have tried to search for this result type/description online but cannot find anything about it. Has anyone come across this? Do you know what it is related to?

[Solved] 5.7K views, 0 likes, 15 comments

Sentinel data Connector Health Status - email notification
Hey guys, I have created a playbook for monitoring Sentinel data connector health, and an email notification is set up if no logs are received for any connector in the last 48 hrs. It is fully functional and I am able to fetch the last event time and data type associated with connectors. The snap below shows the data I am populating in the email in tabular format. I am using a query-based playbook, and it is worth mentioning the query here which I am using to populate the data through the logic app:

union withsource=TableName1 *
| where TimeGenerated > ago(2d)
| project TimeGenerated, TableName1, DeviceVendor, ProviderName
| summarize last_log = datetime_diff("second", now(), max(TimeGenerated)), last_event_received = max(TimeGenerated) by TableName1, DeviceVendor, ProviderName
| project ['Table Name'] = TableName1, ['Latest Record Created'] = last_log, ['Time'] = last_event_received, DeviceVendor, ProviderName

But when I am trying to populate the list of all the datatypes/datasets, it is not getting populated, as it is time-frame dependent. So I am unable to know which datatype is missing if there are no logs generated in that particular time frame. Moreover, if someone doesn't know how many datatypes have been integrated, then it's very difficult to know which data type is not receiving logs, as multiple device logs can be configured under the CommonSecurityLog or Syslog datatypes. I am facing these two issues:

1. Please help me with how I can populate all the datatypes irrespective of time frame using KQL.

2. Also, I want to populate the data connector name associated with each datatype, but I was not lucky enough to create a KQL query for that, as I don't know how the connector name is mapped to data types.

Any help or suggestion to fix the above issues will be appreciated.

3.8K views, 0 likes, 15 comments

Get entities for a Sentinel Incident by API
Hi, I'm trying to get some information about incidents in Sentinel via the API (https://github.com/Azure/azure-rest-api-specs/blob/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview/SecurityInsights.json). I can successfully query incidents via ".../providers/Microsoft.SecurityInsights/incidents", and when I query the relations of the incident via "..../providers/Microsoft.SecurityInsights/incidents/{incidentId}/relations" I get a SecurityAlert where I can see there is 1 account and 1 IP involved with the SecurityAlert:

{ "Total Account Entities": "1", "Total IP Entities": "1" }

I was hoping to get the Entity information by getting the relations of the SecurityAlert Entity, but then I only get the Incident as relation. However, when I query the entities via "..../providers/Microsoft.SecurityInsights/entities" I see the Account Entity and the IP Entity and their information, but I can't see the SecurityAlert event. Is there a way I can get the related entities of the Incident / SecurityAlert(s) via the API?

[Solved] 11K views, 2 likes, 15 comments
Recent Blogs
- This guide will walk you through the steps required to integrate Fluent Bit with Microsoft Sentinel. Beware that in this article, we assume you already have a Sentinel workspace, a Data Collection En... (Feb 14, 2025; 736 views, 2 likes, 1 comment)
- Microsoft Sentinel just rolled out a powerful new public preview feature: Ingestion Rules. This feature lets you fine-tune your threat intelligence (TI) feeds before they are ingested to Microsoft Se... (Feb 14, 2025; 2.6K views, 2 likes, 2 comments)