Fetching alerts from Sentinel using logic apps
Hello everyone, I have a requirement to archive alerts from sentinel. To do that I need to do the following: Retrieve the alerts from Sentinel Send the data to an external file share As a solution, I decided to proceed with using logic apps where I will be running a script to automate this process. My questions are the following: -> Which API endpoints in sentinel are relevant to retrieve alerts or to run kql queries to get the needed data. -> I know that I will need some sort of permissions to interact with the API endpoint. What type of service account inside azure should I create and what permissions should I provision to it ? -> Is there any existing examples of logic apps interacting with ms sentinel ? That would be helpful for me as I am new to Azure. Any help is much appreciated !Create a report that contains Alerts and raw events
Hello, is there a way to autoamtically create a report in sentinel that contains security incidents and alerts as well as the raw events that triggered these alerts and be able to send it somewhere for archival purposes? Any help is much appreciated !Fetch security events with their underlying log entries
Hello, I am trying to extract all the alerts generated by sentinel including the events that triggered that alert. I have the following query: SecurityIncident | summarize arg_max(TimeGenerated, *) by IncidentName | where ClassificationComment !has "Automatically closed, as the incident is not in scope for monitoring." | where CreatedTime >= startofday(ago(1d)) and CreatedTime < startofday(now()) | sort by CreatedTime | mv-expand AlertIds | extend AlertId = tostring(AlertIds) | join (SecurityAlert | where StartTime >= startofday(ago(30d)) and StartTime < startofday(now()) | summarize arg_max(TimeGenerated, *) by SystemAlertId | project-rename AlertId = SystemAlertId) on AlertId Is this enough to achieve what I need or is there any changes that needs to be made ?
Cross-workspace incident management
Hello Techcommunity, We are looking for a solution to manage incidents in several Sentinel workspaces within the same tenant. 1. We reviewed Azure Lighthouse and it seems to be working only for cross-tenant management 2. We saw the option to mark the workspaces we want to monitor and click on "View incidents" 3. We also considered building the dashboard in a Workbook Could you please say if there is any other option to have a unified dashboard for managing incidents from several Sentinels within the same tenant?
Sentinel Log Sources or asset list Information
In Sentinel as like any other SIEM, how do we get the complete list of log sources which are integrated along with some required fields like Device Vendor, Device Product, Host name/Computer, IP address. Is there any workbook or KQL which provides this information.
User location in Security Alerts/Incidents logs
Dear Community, I´ve been struggling to find a way to pull out location information for user in security incidents logs. The idea is to have this details on alerts and incidents to generate dashboards (workbooks) and reports. Would you be able to enlight me with ideas/insights? Thanks in advance for your help.
Sentinel Email Metrics
Hey guys, I am wondering if there is a way to send a daily e-mail regarding multiple Sentinel Metrics? There is a handy Template workbook called "Security Operations Efficiency", that has most of the metrics I would like to have, however, I'd like this to be emailed daily at the start of the day to a distro list of individuals that would be interested in viewing a quick, down and dirty report of what's been going on in the last 24hrs. I have read a lot of posts about doing some of this via a Logic-App, but wasn't sure if there was a quick and efficient way to just pull the data straight from a workbook that already exists to do a similar task. I may have missed it, but if there is a post that covers this, feel free to link it! Thanks for any help you can provide! --Joseph
MacOS devices visibility in Sentinel query
Greetings all. I'm working on a query to see when the users are logged in on their devices. For Windows devices I can get all the information I need, but when I try to get the info for MacOS devices, I don't get any. Is there a query that shows info for MacOS? Any help would be great. Thank you