Accelerate Splunk SIEM migrations to Microsoft Sentinel with the built-in SIEM Migration Experience
Event Ended
Wednesday, Sep 18, 2024, 09:00 AM PDT
Join us to learn how you can simplify and accelerate the migration of your SIEM from Splunk to Microsoft Sentinel using the SIEM migration experience. In this session, we will see how to leverage and...
TrevorRusher
Updated Dec 27, 2024
Jayendran
Sep 12, 2024
Iron Contributor
Hi,
My question is not directly related to SIEM migration but to Sentinel connectivity to AML notebooks for hunting. Please excuse me if this is not the right forum for my query.
I am having difficulty connecting Sentinel with notebooks, as my Azure Machine Learning workspace and the storage account connected with AML are restricted with a firewall. Whenever we try to connect Sentinel with the AML workspace, we get an error like the one below for the API call:
https://abc12121.workspace.eastus2.api.azureml.ms/notebook/v2.0/subscriptions/<>/resourceGroups/<>/providers/Microsoft.MachineLearningServices/workspaces/<>/storage/sasurl?expirationInMinutes=30&containerId=391ff5ac-6576-460f-ba4d-7e03433c68b6
{
  "error": {
    "code": "UserError",
    "severity": null,
    "message": "Request authorization to storage account failed. Storage account might be behind a VNET.",
    "messageFormat": null,
    "messageParameters": null,
    "referenceCode": null,
    "detailsUri": null,
    "target": null,
    "details": [],
    "innerError": {
      "code": "ForbiddenError",
      "innerError": null
    },
    "debugInfo": null,
    "additionalInfo": null
  },
  "correlation": {
    "operation": "ce8d08a6cb9c01e94b25b85a2ea152d4",
    "request": "eeb011e918368db4"
  },
  "environment": "eastus2",
  "location": "eastus2",
  "time": "2024-08-20T13:28:00.3418504+00:00",
  "componentName": "notebook-instance",
  "statusCode": 403
}
We created an MS support ticket (tracking ID for reference 2407030040011151) 4 months back and it's not moving forward effectively. So far the response we have received is that it's a design limitation and that we need to remove the private endpoint on the SA: https://learn.microsoft.com/en-us/azure/sentinel/notebooks-hunt?tabs=private-endpoint#launch-a-notebook-in-your-azure-machine-learning-workspace
Even after removing the private endpoint (but keeping the limited IP of Sentinel in the firewall), it's still giving the same error.
Could you please help me with my 2 queries below?
- Does the Sentinel AML notebook integration require the storage account to be a public one without any restriction on firewall IPs? This is currently not captured properly in the documentation.
- What is the purpose of this API (which is failing now)? Or why is a SAS token needed, as most of the authentication is Managed Identity based?
Thanks !
Jayendran
- TrevorRusher Sep 18, 2024
Community Manager
Hey Jayendran, This question is not related to the topic of the AMA, so unfortunately we can't help you here. Best of luck with MS Support.