integration
Help Ingesting PingID Logs into Microsoft Sentinel
Hello, Microsoft Sentinel has a Data Connector for PingFederate; however, this does not capture other PingIdentity products, namely PingID logs. I'm making this post to ask if there are any ways to best implement ingesting PingID logs into Sentinel, as I am unable to find any documentation from PingIdentity or Sentinel that would assist me in coming up with a solution. Thank you for all comments and ideas.

Sentinel and Amazon Web Services S3 WAF
Hello, I'm using Sentinel to fetch AWS WAF logs using the new collector "Amazon Web Services S3 WAF". I set up a first collection using the ARN role and SQS queue (Frankfurt region):

arn:aws:iam::XXXXXXXXX:role/OIDC_MicrosoftSentinel
https://sqs.eu-central-1.amazonaws.com/XXXXXXX/sqs-aws-cloudwatch-sentinel

I then added a new collection using the ARN role and SQS queue (Frankfurt region):

arn:aws:iam::XXXXXXXXX:role/OIDC_MicrosoftSentinel
https://sqs.eu-west-3.amazonaws.com/XXXXXXX/sqs-aws-cloudwatch-sentinel

Adding the second collection erases the first one!! Is it a bug??

Regards,
HA

Qualys Vulnerability Management integration with Function app
Hello, I have deployed Qualys VM with Sentinel via an Azure Function app. I am not getting any error; the function app is working fine. I am getting blank output. Furthermore, I have not added any filter parameter in the environment variables and don't have any idea what could be added here. Since the output is blank, the Qualys data connector is showing status "disconnected". If anyone can help me out, please comment below. TIA

Palo Alto GlobalProtect Logs Missing Most Information
Hi all, I've integrated a Palo Alto firewall with MS Sentinel. For most log types (Traffic, Threat, System), everything is working fine. But for the GlobalProtect log type, it's missing almost all valuable values (no username, authentication status (failed or success), Portal Name, Gateway Name, etc.). I used the following URL to define the CEF format: https://github.com/pemontto/Palo-Alto-CEF/blob/master/10.0/globalprotect.txt

PS: PAN-OS version 11.x

Any idea??

Regards,
HA

Can we deploy Bicep through Sentinel repo
Hi there, I'm new here, but ...

With the problem statement being "Deploying and managing Sentinel infrastructure through a git repository": I had looked into the Sentinel Repository feature, which is still in Preview, with the added limitations of not being able to deploy watchlists or custom Log Analytics functions (custom parsers). There is also a limitation of deploying only ARM content. My guess would be that the product folks at msft are working on this.

My hypothesized (just started the R&D, as of writing this) options would be to:

1. Fully go above and beyond with Bicep: create Bicep deployment files for both the rules as well as their dependencies like LAW functions, watchlists and the whole nine yards. Need to write pipelines for the deployment. The CI/CD would also need extra work to implement.

2. Hit that sweet spot: deploy the currently supported resources using the Sentinel repo and write a pipeline to deploy the watchlists using Bicep. But not sure if this will be relevant to solutions for clients, when the whole shtick is that we are updating now so we don't have to later.

3. Go back to the dark ages: stick to the currently supported Sentinel content through ARM & repo, and deploy the watchlists and dependencies using the GUI.

I will soon confirm the first two methods, but it may take some time. As you know, I may or may not be new to Sentinel... or DevOps... But I wanted to kick off the conversation, to see how close to being utterly wrong I am.

Thanks,
mal_sec

Sentinel TAXII connector
Hi everyone, I was experimenting with connecting Sentinel to AlienVault OTX via the TAXII connector to see if it's worth looking into some extra feeds. Nothing I try seems to work. Has anyone had luck with the TAXII connector with AlienVault or other platforms? The only information I can find for this particular feed is instructions on doing this with a Logic App, such as this post: https://techcommunity.microsoft.com/t5/microsoft-sentinel/alienvault-otx-taxii-feed/m-p/1877695

The Python cabby client has no issue grabbing data from this feed. Trying the below (with the correct username, of course) results in an error: "TAXII connector already exists with the same API root URL and Collection ID or inputs are not valid."

Sentinel IP for WEST EUROPE
Hi. I have this issue where I have Sentinel and need the data connector set up for accessing GitHub. If my GitHub org has the IP allow list enabled, this does not work. So I need to find the IPs that the connector talks out from Azure/Sentinel with when hitting the GitHub service, so I can allowlist those. If I take the IP scopes for Sentinel, they are quite extensive, and it cannot be that I need to allowlist every single Azure Monitor/Sentinel IP just to get those that Sentinel uses to talk to an API, but how can I find the needed IPs?

Or is there another way to get audit logs from GitHub when there are IP restrictions enabled on the GitHub organization (in a GitHub Cloud Enterprise setup)?

Microsoft Power BI connector for Microsoft Sentinel
Since the Microsoft Power BI connector for Microsoft Sentinel currently does not support data collection rules (DCRs), how can we transform or filter the data and monitor the logs? Is there any documentation available on this?

Help us plan our upcoming "Mastering API Integration with Sentinel and USOP" public webinar
Hello on behalf of the Microsoft SIEM & XDR Engineering organization!

On December 5th, 2024, we will host a public webinar on how to effectively integrate APIs with Microsoft Sentinel and the Unified Security Platform. This session will cover when to use APIs, how to set them up, and potential challenges. We will present live demos to guide you through the process.

To ensure this webinar is as engaging and relevant as possible for you, we'd love your input to help us create its agenda!

Help us plan this webinar: Do you have any use cases you think we should feature? Or have you encountered any blockers that you'd like us to address? We're eager to find out what content matches your needs the most! Please answer this survey to help us with your input. It will remain open until October 31st, 2024. Take the survey here: https://forms.office.com/r/hrWtm34WFu

Join the webinar on December 5th! In addition to helping us plan it, we hope to count on your participation. Register for this webinar at https://aka.ms/MasteringAPISentinelUSOPWebinar.

Thank you for your contributions!
Naomi Chistis and Jeremey Tan - Microsoft SIEM & XDR Team

New Survey: Your Input for the Microsoft Sentinel Ecosystem
Survey Link: https://forms.office.com/r/Yy7WWFGyeD

Solutions and integrations in the Microsoft Sentinel ecosystem, such as those available in Content Hub, are pivotal in bolstering the security coverage of organizations. As our customers increasingly integrate Microsoft Sentinel with Microsoft Defender XDR, by enabling our unified SOC platform, the importance of this ecosystem only increases.

In this brief survey, we seek your suggestions on improving Microsoft Sentinel's ecosystem. Whether it's a feature request, an idea for a new solution, or an enhancement to an existing one, we welcome your feedback. Feel free to submit multiple responses if you have multiple suggestions. Your insights will help us prioritize features that matter most to you.

Thank you for your contributions!
The Microsoft SIEM & XDR Team

Microsoft respects your privacy. Review our online Privacy Statement here: https://privacy.microsoft.com/en-us/privacystatement