Fetching alerts from Sentinel using logic apps
Hello everyone, I have a requirement to archive alerts from sentinel. To do that I need to do the following: Retrieve the alerts from Sentinel Send the data to an external file share As a solution, I decided to proceed with using logic apps where I will be running a script to automate this process. My questions are the following: -> Which API endpoints in sentinel are relevant to retrieve alerts or to run kql queries to get the needed data. -> I know that I will need some sort of permissions to interact with the API endpoint. What type of service account inside azure should I create and what permissions should I provision to it ? -> Is there any existing examples of logic apps interacting with ms sentinel ? That would be helpful for me as I am new to Azure. Any help is much appreciated !
KQL to extract URL from TI Feeds
Hello, I need some help to extract a specific field (URL) from URL Haus Database. Example "3430907","2025-02-07 11:02:07","http://chmod0777kk.com/main","online","2025-02-07 11:02:07","malware_download","elf","https://urlhaus.abuse.ch/url/3430907/","anonymous" Needed output http://chmod0777kk.com/main Regards, HACreate a report that contains Alerts and raw events
Hello, is there a way to autoamtically create a report in sentinel that contains security incidents and alerts as well as the raw events that triggered these alerts and be able to send it somewhere for archival purposes? Any help is much appreciated !Fetch security events with their underlying log entries
Hello, I am trying to extract all the alerts generated by sentinel including the events that triggered that alert. I have the following query: SecurityIncident | summarize arg_max(TimeGenerated, *) by IncidentName | where ClassificationComment !has "Automatically closed, as the incident is not in scope for monitoring." | where CreatedTime >= startofday(ago(1d)) and CreatedTime < startofday(now()) | sort by CreatedTime | mv-expand AlertIds | extend AlertId = tostring(AlertIds) | join (SecurityAlert | where StartTime >= startofday(ago(30d)) and StartTime < startofday(now()) | summarize arg_max(TimeGenerated, *) by SystemAlertId | project-rename AlertId = SystemAlertId) on AlertId Is this enough to achieve what I need or is there any changes that needs to be made ?
How to remove string quotes and other things from the parsed syslog message
Hello Sentinel Community, We are ingesting Azure database for Postgresql logs into the log analytical workspace and tried to retrieve the values from the Postgresql log Message coulumn. However, we are getting the values in double quotes and comma from the retrieved values. Below is the sample Pstgresql Message log: Message: 2025-01-22 09:53:35 UTC-6790c01f.259e-FATAL: no pg_hba.conf entry for host "10.150.48.4", user "email address removed for privacy reasons", database "prodxxxx0424", no encryption We used below KQL query and parse kind (mentione below) to get the values of host, user, and database but we got the values like below with double quotes and comma. How to get the values without double quotes. AzureDiagnostics | where Category == "PostgreSQLLogs" | where errorLevel_s == "FATAL" | where Message contains "no pg_hba.conf entry" | parse kind=relaxed Message with * "host" Source_IP "user" UserName "database" DatabaseName Received Values: Thanks, Yugandhar.
The issue with displaying the original query in the newly created scheduled query rule
Hello everyone. I recently started learning Azure Sentinel, and I wanted to create my first custom rule. The rule works as I wanted, but I encountered an issue with displaying the original query. When an incident is created and I go to the "Incident Timeline" and click "Link to LA," my query is shown in an obfuscated form, as shown in the screenshot. Could you please help me figure out how to make the original query visible? Thank you!
