Recent Discussions
Affected rows stateful anomaly on database vs. Response rows stateful anomaly on database
Is there a difference between the two scheduled rules, "Affected rows stateful anomaly on database" and "Response rows stateful anomaly on database"? I can see that they have different descriptions:
- Affected rows stateful anomaly on database: To detect anomalous data change/deletion. This query detects SQL queries that changed/deleted a large number of rows.
- Response rows stateful anomaly on database: To detect anomalous data exfiltration. This query detects SQL queries that accessed a large number of rows.
This tells me the alert queries should be different. However, when I compare the two, they are exactly the same.

KQL to match URL FW LOGS and Threatfox URL feeds
Hi all, I am trying to match the RequestURL field (in CommonSecurityLog) from a Fortigate FW with the URLhaus live feeds. The query does not produce any errors, but it doesn't match anything.

let ThreatFox = externaldata(URL: string) ["https://threatfox.abuse.ch/export/csv/recent/"] with (format="txt", ignoreFirstRecord=True);
let ThreatFoxUrl = ThreatFox
| where URL contains "url"
| extend URL = replace_string(URL, "\"", "")
| extend parse_csv(URL)
| extend URL = URL[2];
CommonSecurityLog
| where RequestURL has_any (ThreatFoxUrl)

The following query is working fine with a hash:

let MalwareBazaarMISP = externaldata(SHA256: string) ["https://bazaar.abuse.ch/export/txt/sha256/recent"] with (format="txt", ignoreFirstRecord=True);
let SHA256Regex = '[a-f0-9]{64}';
let MaliciousSHA256 = materialize (
    MalwareBazaarMISP
    | where SHA256 matches regex SHA256Regex
    | distinct SHA256
);
DeviceProcessEvents
| where SHA256 has_any (MaliciousSHA256)

Regards, HA

SecurityIncident access from Sentinel tenants
Hello, my company's business model follows the Sentinel MSP model, with visibility into the customer Sentinels via Lighthouse. All the incidents from across the customer Sentinels are located in the MSP Sentinel (since the detection rules reside in the MSP Sentinel). Although it might not be the usual MSP model (hosting incidents in the MSP Sentinel), we want to provide visibility to our customers regarding their incidents (with all updates) in a dashboard. Is there a possibility we can have a solution for this?

ARM template for deploying a workbook template to Microsoft Sentinel
Hello, I am attempting to deploy an ARM template (executed using PowerShell) for any Analytic Rule to a Microsoft Sentinel instance. I have been following this link: https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-automate#next-steps. I am struggling with ensuring the workbook is deployed to the Microsoft Sentinel workbook gallery and NOT the Azure Monitor one. The link includes a sample ARM template where you can add <templateData> (JSON code), which represents the workbook you wish to deploy. I get it working to deploy to the Azure Monitor workbook gallery, but not for it to be present in the Microsoft Sentinel one. Jason

Cannot access aka.ms/lademo
Hello team, I am Nikolas. I am learning KQL for Microsoft Sentinel. As far as I know, we can access aka.ms/lademo for demo data. However, I cannot access the demo. I tried using a VPN and accessing the page from many other devices with different IP addresses and different accounts, but it does not work. Can you help to confirm whether this link is still accessible? I could access the resource last week, but not this week. I am looking forward to hearing from you.

Automating label downgrade email notifications
I've been asked to investigate scheduling a query to run once a day that searches for label downgrade activities and sends an email with a list of events to the user's manager (according to the AD attribute). The thinking is that the manager is more likely to know if the files that are being downgraded are sensitive, personal or inconsequential, and can alert us if they are sensitive and we need to investigate further. I have a KQL query that provides the results, and I have created an analytics rule that runs the query every 24 hours and generates an alert, but when it comes to the playbook I'm not sure how/if I can extract the fields/attributes from the results so I can use them to generate the email(s). I want the manager to only get the results for the people in their team/department, not the results for everyone in the company, so I would expect separate emails to be sent to each manager daily, rather than the same email going to multiple managers. Is what I am trying to do feasible, and if so, am I going about it the right way? Any advice appreciated.

Issue in Uninstallation of AMA for Arc Enabled Windows server
Dear Community, as part of troubleshooting, I want to uninstall the AMA agent from an Azure Arc enabled server. I tried "Uninstall" from Azure Arc machine - Extensions - Uninstall, but it went into the "Deleting" state for 2 days. Then I tried uninstallation using PowerShell, but again it went to the "Deleting" state. I tried removing and adding the machine to and from the DCR and Azure Arc again and then tried again; it still shows the "Deleting" state only. So I tried uninstalling directly from the server using the command azcmagent extension remove --name AzureMonitorWindowsAgent and got the error below. From my test machine I copied the "HandlerManifest.json" file and put it in the same folder where the error is showing above; the JSON file has the content shown below. Now after this I tried the "azcmagent extension remove --name AzureMonitorWindowsAgent" command again and got the error. Please help in uninstalling this AMA agent. Thanks, Mahesh

Sysmon /operational is not in Event table
Hi Team, I need to create a use case based on Sysmon /operational with Event ID = 1, but Sysmon is not configured. The use case is based on process; it is a GitHub use case. I need to create it with the help of the Defender table. Windows Binaries Lolbins Renamed KQL:

// procList is expected to be defined by a preceding let statement in the GitHub query (not included here)
Event
| where EventLog =~ "Microsoft-Windows-Sysmon/Operational" and EventID == 1
| parse EventData with * 'Image">' Image "<" * 'OriginalFileName">' OriginalFileName "<" *
| where OriginalFileName has_any (procList) and not (Image has_any (procList))
| parse EventData with * 'ProcessGuid">' ProcessGuid "<" * 'Description">' Description "<" * 'CommandLine">' CommandLine "<" * 'CurrentDirectory">' CurrentDirectory "<" * 'User">' User "<" * 'LogonGuid">' LogonGuid "<" * 'Hashes">' Hashes "<" * 'ParentProcessGuid">' ParentProcessGuid "<" * 'ParentImage">' ParentImage "<" * 'ParentCommandLine">' ParentCommandLine "<" * 'ParentUser">' ParentUser "<" *
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by EventID, Computer, User, ParentImage, ParentProcessGuid, ParentCommandLine, ParentUser, Image, ProcessGuid, CommandLine, Description, OriginalFileName, CurrentDirectory, Hashes
| extend HostName = iif(Computer has '.', substring(Computer, 0, indexof(Computer, '.')), Computer), DnsDomain = iif(Computer has '.', substring(Computer, indexof(Computer, '.') + 1), '')

Now the same use case needs to be configured with the help of the Defender table "DeviceProcessEvents", but I don't know how to find the Image information which is in the Event table.

Azure Lighthouse Query
Hi All, I am in the process of creating the ARM template to deploy Azure Lighthouse in our environment. I am pretty new to this platform, so I request everyone's support to understand the design and concept of Sentinel. As far as I am aware, to deploy multi-tenant we need to set up Azure Lighthouse. On referring to the KB article to create the ARM template, there was a field called "Delegated scope" where we need to choose either "subscription" or "resource group". I would like to understand the difference between them. Kindly support.

KQL query to ignore placeholders
Hi Team, can you please provide me a query to ignore the account field that has "-\- "?

Define workbook export parameter default value
I have a number of Sentinel workbook queries where I click on a value in the 1st query, which is then exported as a parameter to be used in a 2nd query. This is working great, except when the workbook is first loaded: because I haven't clicked on anything in the 1st query, the 2nd query displays the following error. How can I specify a default value to satisfy the query until I click on a value?

Query could not be parsed at ')' on line [2,21] Token: ')' Line: 2 Position: 21

The first 2 lines of the 2nd query look like this:

let ActivityType = dynamic({AType});
CloudAppEvents
| where...

Any help to resolve this error is appreciated.

KQL extend command does not seem to work in workbook
Hi all, I have an issue with the extend command in a custom workbook. The following KQL query parses Palo Alto logs to extract specific fields (like PanOSSourceUserName, etc.) and create new columns (same name).

CommonSecurityLog
| where DeviceProduct == "PAN-OS"
| where DeviceEventClassID == "GLOBALPROTECT"
| extend PanOSSourceUserName = extract("PanOSSourceUserName=([A-Z,a-z.]+@+[A-Z,a-z.]+)", 0, AdditionalExtensions)
| extend PanOSSourceRegion = extract("PanOSSourceRegion=([A-Z,a-z.]+)", 0, AdditionalExtensions)
| extend PanOSPublicIPv4 = extract("PanOSPublicIPv4=([0-9.]+)", 0, AdditionalExtensions)
| project-away ExtID, LogSeverity, Activity

When I run this KQL query against the logs (Sentinel Dashboard -> General -> Logs), I get the expected result. If I edit a workbook (then Add query) and run the same KQL query, the new columns (like PanOSSourceUserName, etc.) are not created! Is this normal? Any idea? Regards, HA

CommonSecurityLog and DCR Table Transformation
Hi all, I'm trying to filter incoming events coming from a firewall (Fortigate) into the CommonSecurityLog table using a DCR transformation. The idea is FW --> AMA Agent --> DCR Transformation (filter messages) --> CommonSecurityLog. On the CommonSecurityLog table, I click on 'Edit Transformation' and apply the following filter in the Transformation Editor:

source
| where DestinationPort != 53 and DestinationPort != 123
| where DeviceAction != "deny"

Unfortunately, these kinds of logs still appear in CommonSecurityLog when performing KQL queries... Am I missing something? Any idea? Regards, HA

Domain name lookup from query results
Hi, I have a beacon detection query that will give me a list of domains the users were successfully communicating with over a certain interval. From the domain names generated in the result, I want to perform a whois lookup of every domain and alert on those created in the last 30 days. I am looking for suggestions on the best way to implement a whois lookup from the query results. Thank you!

Parameterized function in cross workspace queries
Hi, I'm looking to get some input on a query I'm working on. The thought is to create a query for each customer in our Lighthouse tenant, then be able to query a function named for the customer, so for example:

CustomerA("SigninLogs")
| where Identity contains "someperson"

However, when calling the function above, I'm getting the following error. Is there some limitation with the workspace command, or what am I doing wrong?

Create an Incident when an email arrives, Downloading attachment and saving in a blob storage
I'm working on a Logic App in Azure Sentinel designed to automatically create incidents whenever an email arrives with a specific subject line. However, I'm encountering an error when trying to create the incident: code: 400. Could you please advise on what might be causing this error and how I can troubleshoot it? Thanks in advance for your assistance!

Result in the Sentinel GUI (Incidents) / No results in logs (query)
Hey guys, I have a problem understanding how Sentinel works. In my Sentinel, I can search for incidents dating back to the year 2022. However, when I try to find the same incidents with a Kusto query, it returns no results. Interestingly, when I attach a tag to one of these old incidents, it pops up in my query search. It feels like there are other tables that we cannot query, or some settings are not correctly configured in my instance. Does anyone know where I can find some information about this issue? Big thanks, Joe

Palo Alto Global Protect Logs Missing Most information
Hi all, I've integrated a Palo Alto firewall with MS Sentinel. For most log types (Traffic, Threat, System), everything is working fine. But for the GlobalProtect log type, it's missing almost all valuable values (no username, authentication status (failed or success), Portal Name, Gateway Name, etc.). I used the following URL to define the CEF format: https://github.com/pemontto/Palo-Alto-CEF/blob/master/10.0/globalprotect.txt PS: PAN-OS version 11.x. Any idea? Regards, HA
Recent Blogs
- This guide will walk you through the steps required to integrate Fluent Bit with Microsoft Sentinel. Beware that in this article, we assume you already have a Sentinel workspace, a Data Collection En... (Feb 14, 2025)
- Microsoft Sentinel just rolled out a powerful new public preview feature: Ingestion Rules. This feature lets you fine-tune your threat intelligence (TI) feeds before they are ingested to Microsoft Se... (Feb 14, 2025)