โŒ

Normal view

There are new articles available, click to refresh the page.
Yesterday — 18 October 2025 MicrosoftSentinel

Mapping 3rd Party Syslog Logs to Azure Sentinel UEBA

Hi everyone,

Pretty new to Sentinel and UEBA.
I have ingested 3rd-party logs into Sentinel via the Syslog connector. One field contains AD-related context that I want to map to UEBA use cases.

Questions:

  • How do I map these custom logs to UEBA entities?
  • Any documentation or samples for mapping syslog data to UEBA?
  • Do I need to normalize the AD field to a specific schema first?

Seeking any guidance.

submitted by /u/Substantial-Ad-1398
Before yesterday MicrosoftSentinel

Tips for a new security analyst

Hey all.

I've been hired as a junior security analyst by a company a few weeks ago.

I work with Microsoft Defender XDR and the whole suite.

It's been a slow introduction to the environment and it's been going well and today I was finally assigned my first 2 clients/tenants.

My job description says that my duty is to respond in case of alerts/incidents, to harden the environment, patch whatever might need patching and look at the overall security.

But truth be told, I'm a bit lost on what to do. I've been given some pretty messy tenants (one of them especially) and I've been trying to implement security measures, but my hands are a bit tied since some of the clients don't really care about security, and whenever I suggest that they do something (e.g. enabling email scanning) they reply to me after days and sometimes don't even care much about what I have to say.

As for alerts and incidents, I haven't really gotten one so far, but I've been trying to investigate one that happened some time ago, and I'm honestly a bit dumbfounded.

I don't have access to the endpoints and even if I did, my boss said my only job is to gather as much information as possible, write a report on what happened and recommend security remediations. Sounds easy enough right? But Defender XDR doesn't give much info to begin with. I can only do some simple triage.

Another thing I've been having a hard time with is what to actually do in these tenants and how to build a program of things to do everyday.

I know I might sound like I have no idea what I'm even using, but I did study a lot about Defender XDR and Sentinel (which we don't have) using labs and so on; now that I'm actually here, the UI looks so messy and I swear I feel like I've forgotten everything.

I feel like I'm not doing anything worth being hired for

My boss said that I can take it easy these first few weeks to get used to it but I don't know if this can change.
The senior that was supposed to help me is always busy and always tells me to look stuff up on copilot.

I'm genuinely wondering how to handle this.

Any tips regarding:

- how to handle alerts/incidents with the info Defender XDR provides (methods on how to investigate, or features I might not know)
- a sort of schedule or checklist to follow to ensure these tenants are secured
- any advice from people with experience with this technology/field

Thanks in advance and sorry for the wall of text

submitted by /u/cyberLog4624

Accessing ExposureGraphNodes and ExposureGraphEdges via advanced hunting api


Anyone had any success querying the ExposureGraphNodes/Edges tables using a logic app?

I know they haven't exposed the direct API yet for Exposure Management, but it would be nice to be able to automate the search results and send them to developers (attributing CVEs to source repos for remediation).

https://preview.redd.it/hjazvk7wdxuf1.png?width=1275&format=png&auto=webp&s=7cb01bdc614f2f18c2e742c7db0e0c5def9e6a3b

I can use the tables fine via my user in the Portal.

https://preview.redd.it/nurr2q2ldxuf1.png?width=1359&format=png&auto=webp&s=a806b26f650525cd6c03fd8a3c195281be502afa

submitted by /u/Old-Illustrator2487

Scheduled query look back period

I need to create a Sentinel analytics rule which checks whether any TI IP from the last 30 days matches any CommonSecurityLog IP from today, as the query is scheduled to run every 24 hours. What should the look-back period be set to for this? Also, if the look-back period is set to 30 days, will it check both the TI logs and CommonSecurityLog for the last 30 days?

I created a test alert where TimeGenerated was the last 7 days but the look-back period was 1h. The alerts only showed results for 1 hour.

How can I create an alert which matches the TimeGenerated range of the actual query?

submitted by /u/TechnicalTadpole8359
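An added example, not the poster's rule, of how a scheduled-rule query can keep the two windows separate: the indicator side reads from the rule's full lookback (Sentinel caps "Lookup data from the last" at 14 days for scheduled rules), while the event side is narrowed inside the query to the 24 hours that each daily run covers. Column names are those of the ThreatIntelligenceIndicators and CommonSecurityLog tables; the window sizes are assumptions.

```kql
// Added example, not the poster's rule. The rule's "Lookup data from the last" setting
// must cover tiWindow; eventWindow is enforced inside the query so each daily run only
// evaluates the events of the last 24 hours against the retained indicators.
let tiWindow = 14d;      // assumed: the maximum scheduled-rule lookback
let eventWindow = 1d;    // assumed: matches a rule that runs every 24 hours
let indicators =
    ThreatIntelligenceIndicators
    | where TimeGenerated > ago(tiWindow)
    | where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkDestinationIP)
    // Indicators are re-ingested on update; keep only the latest version of each one.
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where Active == true and ExpirationDateTime > now()
    | extend TI_IP = coalesce(NetworkIP, NetworkSourceIP, NetworkDestinationIP)
    | project IndicatorId, TI_IP, Description, ConfidenceScore, ThreatType;
CommonSecurityLog
| where TimeGenerated > ago(eventWindow)
// Check both directions of each flow against the indicator list.
| mv-expand MatchIP = pack_array(SourceIP, DestinationIP) to typeof(string)
| where isnotempty(MatchIP)
| join kind=inner indicators on $left.MatchIP == $right.TI_IP
| project TimeGenerated, DeviceVendor, DeviceProduct, SourceIP, DestinationIP,
          MatchIP, IndicatorId, ThreatType, ConfidenceScore, Description
```

With this shape the rule's lookback only has to be as wide as the indicator retention you want, and the event filter stays fixed at one run interval regardless of that setting.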

How to see in KQL if someone disabled or deleted an Automation?

I can only see automation rules being triggered (success or failure). I want to create a rule to detect if someone disabled or deleted an automation

Query I tried:
SentinelHealth
| where SentinelResourceType in ("Playbook", "Automation rule")

submitted by /u/FiniteStateAutomata
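SentinelHealth only records automation runs. Deleting or disabling an automation rule or playbook is a management-plane (ARM) change, so it shows up in the AzureActivity table instead. The query below is an added example, not the poster's; the operation names are taken from the Microsoft.SecurityInsights and Microsoft.Logic resource providers and should be verified against your own AzureActivity data before being used in a rule.

```kql
// Added example, not the poster's query. Automation rules and playbooks are ARM resources,
// so deleting or disabling them is recorded in AzureActivity rather than SentinelHealth.
// Operation names are assumed from the resource providers; confirm them in your tenant.
let changeOps = dynamic([
    "MICROSOFT.SECURITYINSIGHTS/AUTOMATIONRULES/DELETE",
    // Disabling an automation rule is a write that sets isEnabled=false; an ordinary
    // edit produces the same operation name, so writes need a manual look.
    "MICROSOFT.SECURITYINSIGHTS/AUTOMATIONRULES/WRITE",
    "MICROSOFT.LOGIC/WORKFLOWS/DELETE",
    "MICROSOFT.LOGIC/WORKFLOWS/DISABLE/ACTION"
]);
AzureActivity
| where TimeGenerated > ago(1d)
| where toupper(OperationNameValue) in (changeOps)
| where ActivityStatusValue =~ "Success"
| extend Action = case(
    OperationNameValue endswith "/DELETE", "Deleted",
    OperationNameValue endswith "/DISABLE/ACTION", "Disabled",
    "Modified (check whether it was disabled)")
| project TimeGenerated, Action, OperationNameValue,
          Resource = tostring(split(_ResourceId, "/")[-1]),
          Caller, CallerIpAddress, _ResourceId
| order by TimeGenerated desc
```

Caller and CallerIpAddress identify who made the change; a service principal appears here as its application id rather than a UPN.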

Unable to run cross workspace queries

10 October 2025 at 18:03

Has anyone encountered issues when running cross-workspace queries within the same tenant? I faced this before; it only worked when I referenced the workspace ID instead of the name in the query. Tried importing the JSON again, but the error persists.

https://preview.redd.it/7qlwczw7xcuf1.png?width=814&format=png&auto=webp&s=660d27167991687773d9f8bd5c53eb2a16228ff3

submitted by /u/dutchhboii

Single Rule for No logs receiving

Hi everyone,

I currently maintain one Analytics rule per table to detect when logs stop coming in. Some tables receive data from multiple sources, each with a different expected interval (for example, some sources send every 10 minutes, others every 30 minutes).

In other SIEM platforms there's usually:

  • A global threshold (e.g., 60 minutes) for all sources.
  • Optional per-device (DeviceVendor/Computer) or per-table thresholds that override the global value.

Is there a recommended way to implement one global rule that uses a default threshold but allows per-source overrides when a particular device or log table has a different expected frequency?

Also, if there are other approaches you use to manage "logs not received" detection, I'd love to hear your suggestions as well.

This is a sample of my current rule.

let threshold = 1h;
AzureActivity
| summarize LastHeartBeat = max(TimeGenerated)
| where LastHeartBeat < ago(threshold)

submitted by /u/ClassicSkirt9594
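One way to collapse the per-table rules into a single one, as an added example rather than the poster's code: keep an inventory of expected sources with an optional threshold per row, compute the last heartbeat of every source in one union, and fall back to a global default where no override is set. Starting from the inventory also catches a source that has produced no rows at all in the window, which a per-table `summarize max()` alone returns nothing for. Table names, vendors and thresholds are assumptions.

```kql
// Added example, not the poster's rule: one rule, a default threshold, per-source overrides.
let defaultThreshold = 60m;
let lookback = 7d;   // assumed; the rule's lookback setting must be at least this wide
// Constructed inventory of expected sources: one row per table, or per table + DeviceVendor
// for CommonSecurityLog. Threshold 0s means "use defaultThreshold". Values are assumptions.
let expected = datatable(SourceTable:string, Vendor:string, Threshold:timespan) [
    "AzureActivity",     "",                   0s,
    "CommonSecurityLog", "Palo Alto Networks", 10m,
    "CommonSecurityLog", "Fortinet",           30m,
    "Syslog",            "",                   0s
];
let heartbeats =
    union withsource=SourceTable isfuzzy=true AzureActivity, CommonSecurityLog, Syslog
    | where TimeGenerated > ago(lookback)
    // Tables without DeviceVendor get an empty Vendor so they match their inventory row.
    | extend Vendor = tostring(column_ifexists("DeviceVendor", ""))
    | summarize LastHeartBeat = max(TimeGenerated) by SourceTable, Vendor;
// Start from the inventory so a source with zero rows in the window is still reported.
expected
| join kind=leftouter heartbeats on SourceTable, Vendor
| extend EffectiveThreshold = iff(Threshold > 0s, Threshold, defaultThreshold)
// A source never seen in the window is treated as silent for the whole window.
| extend LastSeen = coalesce(LastHeartBeat, ago(lookback))
| extend Silence = now() - LastSeen
| where Silence > EffectiveThreshold
| project SourceTable, Vendor, LastSeen, EffectiveThreshold, Silence
| order by Silence desc
```

Add further tables to both the `union` and the inventory; a vendor that sends to CommonSecurityLog but has no inventory row is not monitored, so the inventory doubles as the list of sources you actually expect.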

Office activity logs missing outlook events?

8 October 2025 at 22:45

We have some accounts where Office activity from the desktop Outlook app is not being logged. It's on accounts with different licenses, including E5. Yes, logs are all on; I have tried disabling/enabling, etc. They were previously working. The logs also don't come up when using PowerShell unified search. What I've seen is that emails sent from mobile Outlook or web Outlook are logged, but not ones sent from desktop Outlook. Wondering if anyone else is seeing this?

submitted by /u/inb4bn

How to automate running multiple KQL queries monthly and store results (including graphs)?

7 October 2025 at 03:44

Hey everyone,

I have a list of 10 KQL queries that I use for log source decertification in Microsoft Sentinel. Right now, I have to go into Sentinel, run each query manually, fetch the results, take screenshots of the graphs (like ingestion patterns over the last month), and store them as evidence.

What I'd like to do instead is have a solution that:

  • Runs all 10 KQL queries automatically, say once a month
  • Saves the results (including visualizations or graphs if possible)
  • Stores them somewhere accessible, like in a Storage Account, SharePoint, or a report file

I already have the KQLs ready. What's the best way to automate this in Azure? Can I do it using Logic Apps, Azure Functions, or maybe Power Automate with the Sentinel API? I already have a workbook implemented, but I don't want to use a workbook because it does not provide the desired output!

Looking for a clean, repeatable approach that doesn't require manual intervention each month.

Thanks in advance!

submitted by /u/itsJuni01

Domain Controller Security Events to Collect in Sentinel

I am setting up Sentinel to monitor security events from domain controllers on our network. I am just wondering what others are doing in terms of collection. Do you use All, Minimal, Common, in The Data Collection Rule, or some sort of custom selection of event IDs? DC security logs are pretty noisy once configured properly for auditing so I am looking to maximise visibility while at the same time minimize cost. I'd be grateful for any advice or tips. Also what are your favourite analytics rules for detecting threats from the DC logs?

submitted by /u/ShoreOutlaw

Sentinel Automation Rule for Non Domain Controller AD Replication - how to set it up

Hi everyone.

I need some help. I'm trying to set up an Automation Rule in Microsoft Sentinel for the Non Domain Controller Active Directory Replication rule. The idea is to automatically close the incident when the action is performed by the AD Sync account, but for some reason, the rule isn't closing the incident.

Here's my setup:

  • Trigger: When incident is created
  • Conditions (AND):
    • Analytic Rule name contains Non Domain Controller Active Directory Replication
    • Account NT domain contains ad.connect
    • Hostname equals XYZ
    • IP address equals 10.10.10.10
  • Action: Change status → Closed

Has anyone run into this issue or know what might be missing?

Edit 1:

Thank you to everyone who tried to help. I managed to make the notes for the correct entities.

In the end, it was just a beginner with a little difficulty. Thank you all.

submitted by /u/Alternative_Brief838

[Offer] Discounted Azure Certification Voucher (AZ-104 or Advanced Certs)

Hey everyone,

I've got an extra Azure certification voucher that's valid for AZ-104 or any other advanced Azure certification exam.

👉 I'm willing to give it away for half the official price.
👉 If you're interested, just DM me and we can work it out.

Cheers!

submitted by /u/Queasy-Box-1575

Where did functions move from Sentinel to Defender ?

Hello everyone,
I connected some of my VMs to Microsoft Sentinel to learn a bit about the solution, create analytics rules, Workbooks, etc.

But in the middle of me using Sentinel, functions started "migrating" to the Defender portal. Sometimes they are visible in Sentinel, sometimes not; you only get "This page has been moved to the Defender portal for the optimal, unified SecOps experience. Click here to go to the Defender portal".

Is there some mapping of functions from Sentinel to Defender?

Like I am really missing the "Overview" tab where I could see the number of events, usage, incidents, etc.
It worked for me 5 minutes ago, but now it also moved to Defender.

Where would I find the equivalent of "Overview" in Defender?
Keep in mind, I have no Defender for endpoints, only Windows AMA connectors.

submitted by /u/Delicious-Purple-689

SOC Analyst new to Sentinel, need guidance regarding queries

24 September 2025 at 13:22

I'm a new Sentinel user with a basic cybersecurity background. I'm not given much training at all, and my team just got access to Sentinel, so apologies if this sounds dumb.

Boss asked me "write KQL queries and find threats". From the "General > Logs" tab, I wrote some queries about executables in email attachments and odd process activity and found anomalies; boss was happy.

Now I'm asked to start covering as much of the MITRE ATT&CK Enterprise Matrix as I can. At this point I have no idea what I should be doing and I have these questions:

  1. Does Sentinel not already offer basic queries for all of the MITRE techniques? It would seem dumb that every enterprise has to write their own.

  2. I doubt I can run hundreds of queries on my own everyday and analyze the results. What's the workflow to schedule daily queries?

  3. Where to analyze the output of such scheduled queries? How to whitelist certain rows, put alerts?

submitted by /u/Kermody

DCRs and ASIM - Questions

I have a couple of questions around DCRs and ASIM.

I know that you can only do ingestion-time transformation on Azure tables straight from the Log Analytics workspace.

I have read that you are able to use DCRs for transformations on custom tables within Azure. For example, I have just connected the SAP BTP data connector and created a DCR/DCE for this. Ideally there are logs in there that I want to project-away.

I have read the documentation that is outlined here, and know how to apply the transformation.

I have also read that you are able to convert custom logs to ASIM here

It would be good if I could have a standardised schema across all tables (Azure and custom) whilst dropping logs using DCRs.

Is this what the documentation is suggesting here? Has anyone had any real experience with this solution, and what do you think?

submitted by /u/Few_Original_4404

What is the most painful thing about working with sentinel?

Hey all, I'm a security engineer working on a personal project and I am trying to find out if others have the same pain points as I do when working with Sentinel.

It is a great tool, and I have been working with it for around 6 years now, but recently I am finding things a bit... 'old'.

I would love to hear about your daily struggles, and what you think makes it (sometimes) hard to work with. Any specific examples would be a huge help!

--edit--

I have changed the years from 8 to 6 as I mistyped in my original post.

submitted by /u/Few_Original_4404