0 votes
0 answers
30 views

I am searching for EventID 4738 logs in the SecurityEvents table in sentinel. This log has several fields which contain either the new value if it was changed, or "-" if it wasn't changed. I ...
JamesB202's user avatar
0 votes
1 answer
174 views

I'm working with Microsoft Sentinel and need to create monitoring queries to track the health status of data connectors. Specifically, I want to: Identify unhealthy or disconnected data connectors ...
Benjamin Hirst's user avatar
-4 votes
1 answer
460 views

I have set up the AMA firewall data connector in Azure and the associated DCR. I've installed the agent on a test endpoint. I've read the guidance on "Set Up the Azure Monitor Agent on Windows ...
Ollie's user avatar
  • 17.6k
0 votes
0 answers
54 views

For one of our clients we have onboarded 500+ custom detection rules in Microsoft Defender, as they were migrating from another EDR solution to Defender. Now the client's ask is, they have created a new ...
Manisha's user avatar
0 votes
1 answer
112 views

I am trying to trigger the following KQL query in a custom scheduled Analytics Rule... It is to identify ANY Global Administrator and verify if they have committed any activity (Sign-in) over the last ...
Jason Smyth's user avatar
0 votes
0 answers
158 views

I am trying to create a user defined function to store as a global function. This has to accept two field parameters and spit out a table. I managed to get it to work as an inline function. let ...
codechallengedSINCE95's user avatar
-1 votes
1 answer
290 views

I'm working on setting Microsoft Sentinel connect to my VM for my personal projects using Terraform. I have successfully configured my Log Analytics Workspace, Sentinel, and VM Extension. However, ...
Samuel Lee's user avatar
0 votes
1 answer
290 views

I am trying to import Microsoft Entra ID logs from Tenant1 and Tenant2 into an Azure Log Analytics Workspace that is deployed in my main tenant. To achieve this, I attempted to use Azure Event Hub on ...
Marija's user avatar
  • 1
-2 votes
1 answer
123 views

I am using the EmailUrlInfo table in XDR Advanced hunting, when you click on a URL you get more information, including a "Threat intelligence verdict" which tells you if Defender deems the ...
Katie's user avatar
  • 9
0 votes
0 answers
73 views

Issue Summary I'm trying to manually trigger a Microsoft Sentinel Scheduled Analytics Rule using the triggerRuleRun API, but it always fails with the following error: { "errors": { &...
imaprog's user avatar
0 votes
1 answer
444 views

I have tried implementing Auxiliary logs, but I am unable to ingest logs into the auxiliary table. How does it work? I have tried log ingestion via text and JSON file but am unable to receive logs in Log Analytics ...
Manisha's user avatar
0 votes
1 answer
61 views

I would like to make a rule that will check if a user is a privileged account or not. To do this, there's a watchlist with account name templates (e.g. adm.;aadz-;kaadmin;t0_). The final aim is to ...
ecrv's user avatar
  • 1
0 votes
1 answer
154 views

I would like to integrate my Azure Purview with Azure Sentinel. I have followed the steps described in the official documentation at this "https://learn.microsoft.com/en-us/purview/register-scan-...
Ragil Suryo Nugroho's user avatar
0 votes
1 answer
168 views

I am attempting to deploy an ARM Template (execution using PowerShell) for any Analytic Rule to a Microsoft Sentinel instance. I have been following this link: https://learn.microsoft.com/en-us/azure/...
Jason Smyth's user avatar
0 votes
0 answers
186 views

We recently found a risky sign-in for a user (e.g. the IP address was pointing at a location different from the actual location) and following investigation it was discovered the user had clicked ...
Cataster's user avatar
  • 3,601