AMPLS Restrictions Preventing Outbound API Calls in Logic Apps – Any Workarounds?
Hi everyone, I’m encountering an issue where Azure Monitor Private Link Scope (AMPLS) restrictions are preventing Azure Logic Apps from making any outbound API calls, even to Microsoft-owned outbound IP addresses. One specific problem is that when running KQL queries inside a Logic App, the Azure Monitor connector fails because it attempts to access Microsoft outbound IPs, which are blocked by AMPLS restrictions. Since this is happening within Logic Apps itself, I don’t have direct control over these outbound calls. Has anyone found a workaround to allow Logic Apps to function correctly while keeping AMPLS in place? Would Private Endpoints, VNET Integration, or any other configuration help resolve this? Any insights or solutions would be greatly appreciated!
Create a report that contains Alerts and raw events
Hello, is there a way to autoamtically create a report in sentinel that contains security incidents and alerts as well as the raw events that triggered these alerts and be able to send it somewhere for archival purposes? Any help is much appreciated !
Sentinel Integration with Teams: This bot is disabled
Hello, I've integrated Sentinel to sent an Adaptive card (automation playbook template) to Teams every time an incident is triggered. After receiving the event in Teams, if I try to click on "Submit Response" I got the following message in teams 'This bot is disabled. Contact your IT admin for more information. See attached Screenshot Any idea ?? Regards, HA
Logic app to close adminstrative tasks
I am trying to create a logic app that closes adminstrative tasks in sentinel after checking Userprincipalname and IPaddress. It will also check if the userprincipalname exists in a watchlist at the same time. But this didn't seem to work, can i get any help here?
Workspace Manager - Importing analytics to parent for children
Greetings, I have a Central workspace manager Sentinel (no data is ingested). However we have some Sentinel workspaces that have data connectors and data being ingested and are monitored by a SOC. We would like to be able to save analytics to this central workspace and deploy the analytics to the child workspaces. However we cannot save the rule in the central workspace as the table does not exist. For example I have an Okta analytic in a child workspace, where the query will query the Okta_CL table and some of the fields. I have exported it from the child and wish to import to the parent workspace so I can distribute to other children using Workspace manager. However I get an error because the Okta_CL table does not exist and does not have the fields. Does anyone have any ideas of how we can work around this to "force" the analytic to be present in the parent tenant? The children tenant CANNOT be linked in workspace manager. EDIT - Example error below. Status Message: Error in EntityMappings: The given column 'column_name' does not exist. (Code:BadRequest) Regards
Feed data location to run against Sentinel's KQL function
Hi, We have a feed consisting of around 250,000-300,000 entries and will be imported daily. We do not intend to store this data in Sentinel as a table and would like to store it somewhere else (Cosmos, storage, etc.) from where we can grab this data and run it against one of our Sentinel's KQL functions to generate Alerts. Planning to use Logic Apps/Functions to do the above actions. But would like to know what would be the right solution here so that comparing the feed data against KQL function results would be fast and not of high cost Thank you !!Sentinel workbook
We are creating a workbook to list all the active analytics rules with the source table name. We are able to list the analytics rules using Azure resource manager API but unable to display source table name of the rules. Please suggest Also, trying to display the list of analytics rules with zero incident created.
