Reports
Fetching alerts from Sentinel using logic apps
Hello everyone, I have a requirement to archive alerts from Sentinel. To do that I need to do the following:

Retrieve the alerts from Sentinel
Send the data to an external file share

As a solution, I decided to proceed with using Logic Apps, where I will be running a script to automate this process. My questions are the following:

-> Which API endpoints in Sentinel are relevant to retrieve alerts or to run KQL queries to get the needed data?
-> I know that I will need some sort of permissions to interact with the API endpoint. What type of service account inside Azure should I create and what permissions should I provision to it?
-> Are there any existing examples of Logic Apps interacting with MS Sentinel? That would be helpful for me as I am new to Azure.

Any help is much appreciated!

Create a report that contains Alerts and raw events
Hello, is there a way to automatically create a report in Sentinel that contains security incidents and alerts as well as the raw events that triggered these alerts, and be able to send it somewhere for archival purposes? Any help is much appreciated!

Fetch security events with their underlying log entries
Hello, I am trying to extract all the alerts generated by Sentinel, including the events that triggered each alert. I have the following query:

    SecurityIncident
    | summarize arg_max(TimeGenerated, *) by IncidentName
    | where ClassificationComment !has "Automatically closed, as the incident is not in scope for monitoring."
    | where CreatedTime >= startofday(ago(1d)) and CreatedTime < startofday(now())
    | sort by CreatedTime
    | mv-expand AlertIds
    | extend AlertId = tostring(AlertIds)
    | join (
        SecurityAlert
        | where StartTime >= startofday(ago(30d)) and StartTime < startofday(now())
        | summarize arg_max(TimeGenerated, *) by SystemAlertId
        | project-rename AlertId = SystemAlertId
      ) on AlertId

Is this enough to achieve what I need, or are there any changes that need to be made?
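The three threads above ask the same thing from different angles: pull incidents and their alerts out of Sentinel, ideally with the events behind them, and archive the result. The following is an added example from the editor, not code from any of the posters and not Microsoft sample code. It uses only the Python standard library and talks to the Log Analytics query API (POST https://api.loganalytics.io/v1/workspaces/{workspaceId}/query), which is the endpoint that runs KQL; the calling identity needs the Log Analytics Reader role on the workspace, and inside a Logic App the same call is made with the app's managed identity (the "Azure Monitor Logs" connector's "Run query and list results" action wraps it). Incident objects without their log rows can also be listed from the Microsoft.SecurityInsights/incidents resource under the workspace through Azure Resource Manager, which needs the Microsoft Sentinel Reader role instead. The join from the third thread returns incident-alert pairs, not raw events; to get those, the example assumes the alert came from a scheduled analytics rule, whose SecurityAlert.ExtendedProperties JSON records the rule query and its time window, and re-runs that query. The property names, the timestamp format, the workspace ID, the token, and the sample API response are all assumptions or constructed placeholders, not taken from the threads.

```python
"""Archive Sentinel incidents and alerts through the Log Analytics query API.

Added example, not the posters' code and not Microsoft sample code. Standard
library only. The bearer token is obtained out of band, e.g. for a manual run:
    az account get-access-token --resource https://api.loganalytics.io --query accessToken -o tsv
Assumed (not confirmed by the threads): the identity has Log Analytics Reader
on the workspace, and alerts come from scheduled analytics rules, whose
SecurityAlert.ExtendedProperties JSON carries the rule query and its window.
"""
import csv
import io
import json
import urllib.request

QUERY_API = "https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"

# The query from the third thread, with the alert side projected so its
# TimeGenerated does not collide with the incident's after the join.
INCIDENT_ALERT_QUERY = """
SecurityIncident
| summarize arg_max(TimeGenerated, *) by IncidentName
| where ClassificationComment !has "Automatically closed, as the incident is not in scope for monitoring."
| where CreatedTime >= startofday(ago(1d)) and CreatedTime < startofday(now())
| mv-expand AlertIds
| extend AlertId = tostring(AlertIds)
| join kind=inner (
    SecurityAlert
    | where StartTime >= startofday(ago(30d)) and StartTime < startofday(now())
    | summarize arg_max(TimeGenerated, *) by SystemAlertId
    | project AlertId = SystemAlertId, AlertName, AlertSeverity, ExtendedProperties, Entities
  ) on AlertId
| project IncidentName, Title, Severity, CreatedTime, AlertId, AlertName, AlertSeverity, ExtendedProperties, Entities
"""


def build_query_body(query, timespan=None):
    """Body for POST .../query; timespan is an ISO 8601 duration or start/end interval."""
    body = {"query": query}
    if timespan:
        body["timespan"] = timespan
    return body


def build_query_request(workspace_id, token, query, timespan=None):
    return urllib.request.Request(
        QUERY_API.format(workspace_id=workspace_id),
        data=json.dumps(build_query_body(query, timespan)).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )


def parse_query_response(payload):
    """Flatten the API's tables/columns/rows shape into dicts (PrimaryResult table only)."""
    rows = []
    for table in payload.get("tables", []):
        if table.get("name") != "PrimaryResult":
            continue
        names = [c["name"] for c in table["columns"]]
        rows.extend(dict(zip(names, r)) for r in table["rows"])
    return rows


def run_query(workspace_id, token, query, timespan=None):
    """Network call; the offline sample at the bottom does not use it."""
    req = build_query_request(workspace_id, token, query, timespan)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return parse_query_response(json.load(resp))


def raw_event_query(alert_row):
    """Recover the rule query and window behind a scheduled-rule alert.

    Returns (kql, timespan) or None. The key names and the 'YYYY-MM-DD HH:MM:SSZ'
    timestamp format are assumptions about ExtendedProperties.
    """
    props = json.loads(alert_row.get("ExtendedProperties") or "{}")
    query, start, end = props.get("Query"), props.get("Query Start Time UTC"), props.get("Query End Time UTC")
    if not (query and start and end):
        return None
    to_iso = lambda t: t.strip().replace(" ", "T")  # API wants ISO 8601 "start/end"
    return query, f"{to_iso(start)}/{to_iso(end)}"


def rows_to_csv(rows):
    """CSV text for the archive; nested values are stored as JSON strings."""
    if not rows:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0]), lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: json.dumps(v) if isinstance(v, (dict, list)) else v for k, v in row.items()})
    return buf.getvalue()


def archive_day(workspace_id, token, out_dir):
    """Yesterday's incident-alert pairs to one CSV, each alert's raw events to its own CSV."""
    pairs = run_query(workspace_id, token, INCIDENT_ALERT_QUERY, "P31D")  # outer bound; KQL narrows it
    with open(f"{out_dir}/incidents_alerts.csv", "w", encoding="utf-8") as f:
        f.write(rows_to_csv(pairs))
    for pair in pairs:
        hit = raw_event_query(pair)
        if hit:
            with open(f"{out_dir}/events_{pair['AlertId']}.csv", "w", encoding="utf-8") as f:
                f.write(rows_to_csv(run_query(workspace_id, token, hit[0], hit[1])))


# Constructed sample in the query API's response shape (placeholder data, not a real tenant).
SAMPLE_RESPONSE = {"tables": [{
    "name": "PrimaryResult",
    "columns": [{"name": n, "type": "string"} for n in ("IncidentName", "Title", "AlertId", "ExtendedProperties")],
    "rows": [["00000000-0000-0000-0000-000000000001", "Sign-in from anonymized IP address",
              "11111111-1111-1111-1111-111111111111",
              json.dumps({"Query": 'SigninLogs | where RiskLevelDuringSignIn == "high"',
                          "Query Start Time UTC": "2024-05-01 00:00:00Z",
                          "Query End Time UTC": "2024-05-02 00:00:00Z"})]],
}]}

if __name__ == "__main__":
    sample_rows = parse_query_response(SAMPLE_RESPONSE)
    print(rows_to_csv(sample_rows))
    print(raw_event_query(sample_rows[0]))
```

Running the module prints the CSV built from the constructed sample and the recovered rule query with its window; `archive_day` is the only function that touches the network, so the rest can be exercised without credentials. Re-running an alert's rule query is best effort: if the analytic rule has since been edited, or the alert did not come from a scheduled rule, `raw_event_query` returns None and only the incident-alert pair is archived.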
Cross-workspace incident management
Hello Techcommunity, we are looking for a solution to manage incidents in several Sentinel workspaces within the same tenant.

1. We reviewed Azure Lighthouse and it seems to be working only for cross-tenant management.
2. We saw the option to mark the workspaces we want to monitor and click on "View incidents".
3. We also considered building the dashboard in a Workbook.

Could you please say if there is any other option to have a unified dashboard for managing incidents from several Sentinels within the same tenant?

Sentinel Log Sources or asset list Information
In Sentinel, as in any other SIEM, how do we get the complete list of log sources that are integrated, along with some required fields like Device Vendor, Device Product, Host name/Computer and IP address? Is there any workbook or KQL query that provides this information?

User location in Security Alerts/Incidents logs
Dear Community, I've been struggling to find a way to pull out location information for users in security incident logs. The idea is to have these details on alerts and incidents to generate dashboards (workbooks) and reports. Would you be able to enlighten me with ideas/insights? Thanks in advance for your help.

DLP Reports
Is there a way to create a report for DLP alerts so I get a CSV file sent to me weekly? Right now it's a manual report that I have to download. I don't see where I can schedule it. I would like to be able to send my managers a file that shows who, on what day, triggered which policy matches.

Scan Excel/PowerPoint Data sources
Hi, let's imagine that Excel uses a database or Power BI as a data source (i.e. for a Pivot Table). Will Purview scan the Excel file and visualize the lineage so that you can track which Excel document is using which Power BI dataset? I know it's possible with Power BI reports to find out which dataset they are using, but it would be super helpful to find out what data sources the world's most popular BI front-end (Excel) is using 😉 Same with PowerPoint: you can embed a Power BI report into a PowerPoint document. Will Purview scan the PowerPoint documents and find out which report/visual they use? For impact analysis (I would like to change a report; what other components will be affected?) this would be very important... Thanks, Thomas

Accessing new reports
Viewing reports should not require someone to go to the Settings menu; this location should only be used to do the initial configuration. The procedure in "Download and schedule Microsoft Defender for Identity reports in Microsoft 365 Defender - Microsoft Defender for Identity | Microsoft Learn" makes finding the reports unnecessarily complicated. Viewing reports should not be hidden below the Settings menu.