apis
Fetching alerts from Sentinel using logic apps
Hello everyone, I have a requirement to archive alerts from Sentinel. To do that I need to do the following:
Retrieve the alerts from Sentinel
Send the data to an external file share
As a solution, I decided to proceed with using logic apps, where I will be running a script to automate this process. My questions are the following:
-> Which API endpoints in Sentinel are relevant to retrieve alerts or to run KQL queries to get the needed data?
-> I know that I will need some sort of permissions to interact with the API endpoint. What type of service account inside Azure should I create and what permissions should I provision to it?
-> Are there any existing examples of logic apps interacting with MS Sentinel? That would be helpful for me as I am new to Azure.
Any help is much appreciated!

Create a report that contains Alerts and raw events
Hello, is there a way to automatically create a report in Sentinel that contains security incidents and alerts as well as the raw events that triggered these alerts, and be able to send it somewhere for archival purposes? Any help is much appreciated!

Sentinel and Amazon Web Services S3 WAF
Hello, I'm using Sentinel to fetch AWS WAF logs using the new collector Amazon Web Services S3 WAF. I set up a first collection using the ARN role and SQS queue (Frankfurt region):
arn:aws:iam::XXXXXXXXX:role/OIDC_MicrosoftSentinel
https://sqs.eu-central-1.amazonaws.com/XXXXXXX/sqs-aws-cloudwatch-sentinel
I then added a new collection using the ARN role and SQS queue (Frankfurt region):
arn:aws:iam::XXXXXXXXX:role/OIDC_MicrosoftSentinel
https://sqs.eu-west-3.amazonaws.com/XXXXXXX/sqs-aws-cloudwatch-sentinel
Adding the second collection erases the first one!! Is it a bug?? Regards, HA

Issue while deploying Sentinel Rules
I know that when deleting a Sentinel rule, you need to wait a specific amount of time before it can be redeployed. However, in this tenant, we've been waiting for almost a month and are still getting the same deployment error ('was recently deleted. You need to allow some time before re-using the same ID. Please try again later. Click here for details'). I still want to use the same ID etc. Does anyone have any idea or a similar issue why it's still not possible after waiting for about a month?

Integrating Jira with Sentinel via HTTP connector
Hello Community, I am having issues integrating Jira with Sentinel. I am connecting Sentinel incidents with Jira via the HTTP connector. The Jira V3 connector was not working due to an error regarding the reporter field, which I have no control over. My question is, why is the HTTP Connector not posting the incident when I manually run the playbook with an incident? It shows the run was successful, but the incident is not posted in the Jira queue.

GCP IAM Connector
Hi, I've been trying to use the GCP IAM connector in Sentinel. I have enabled the Cloud Logging API, enabled the audit logs, and created a service account with the following roles: Cloud API Gateway Management Service Agent, Cloud API Gateway Service Agent, Logging Admin, Monitoring Alert Policy Editor, Monitoring Services Editor, Private Logs Viewer. Created a key and downloaded the JSON. Installed the GCPIAM function with the required parameters but get a 403 error:
Exception while executing function: Functions.AzureFunctionGCPIAM ---> Microsoft.Azure.WebJobs.Script.Workers.Rpc.RpcException : Result: Failure Exception: Forbidden: 403 POST https://logging.googleapis.com/v2/entries:list?prettyPrint=false: The caller does not have permission
Has anyone else had this issue?

Get entities for every alert that Sentinel Incident has with the REST API
Hi everyone, I want to try to follow up on this discussion - https://techcommunity.microsoft.com/t5/microsoft-sentinel/get-entities-for-a-sentinel-incidient-by-api/m-p/1422643 We are using the "expansionId" recommended in that post to fetch entities for specific alerts, as per the documentation the Sentinel Incidents API returns a "summed" list of entities for Incidents (all entities from all alerts that are part of the same Incident). This is the expansion id we use for alert related entities: "98b974fd-cc64-48b8-9bd0-3a209f5b944b" I wanted to check, are there any updates regarding this "expansionId" option since? How safe is it to still use the expansion ids and alert entities in particular? Also, maybe there is a better way now to fetch entities per each alert in an Incident via the Sentinel REST API? Thanks in advance!

Slack slackbot messages using interactivity for Microsoft Sentinel incident actions
Hi, I am just wondering if anyone has managed to integrate Microsoft Sentinel Incidents with Slack to send slackbot messages using 'interactivity'. Similar to the Sentinel/MS Teams Adaptive Card feature where you get an adaptive card in Teams and you can hit buttons with actions such as 'Change Severity', 'Change Status', 'Assign Owner' etc. I am wondering if anyone has managed to achieve this same functionality with Slack. The closest I have found is this GitHub repo which uses a Webhook: https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Send-Slack-Message-Webhook/incident-trigger/images/SlackMessage.png I have tried this but to no avail. Any insights would be appreciated.

Threat Monitoring for GitHub Connector broken - 403 error
Hello, I can deploy the connector and all the other components successfully, but when I put in the Org name and the API key I get this error: The permission in GitHub is the one requested and I even added 80+ Azure IPs to our allowlist. Still get the same error. Appreciate any help.

Domain name lookup from query results
Hi, I have a beacon detection query that will give me a list of domains the users were successfully communicating with over a certain interval. From the domain names generated in the result, I want to perform a whois lookup of every domain and alert on those created in the last 30 days. I am looking for suggestions on the best way to implement whois lookup from the query results. Thank you!!