1,268 questions with Microsoft Sentinel-related tags

2 answers

Is it possible to store logs outside MS for recovery purposes?

I am updating some recovery plans, and I am thinking of a situation where my Sentinel instance is compromised and there is a requirement to restore certain components to return to normal ASAP. So if a new blank instance was created, how can I restore…

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.
1,268 questions
asked 2025-04-29T15:20:20.6433333+00:00
Robert Smith 0 Reputation points
commented 2025-05-02T17:19:50.73+00:00
Sakshi Devkante 3,335 Reputation points Microsoft External Staff
1 answer (accepted by the question author)

Best practices when finetuning TI Map rules in Sentinel.

Hi all, are there any best practices when configuring or fine-tuning the TI rules in Sentinel? We have the rules enabled now out of the box and they are generating a lot of noise. Can I know how organizations usually monitor these rules? Are they fine-tuned to…

Microsoft Sentinel
asked 2025-04-30T07:36:13.2833333+00:00
Shahani Silva 20 Reputation points
commented 2025-05-02T04:15:20.9566667+00:00
Shahani Silva 20 Reputation points
0 answers

Microsoft Sentinel not ingesting M365 connector data

Greetings, we have this situation where the data connector for M365 isn't ingesting logs to Sentinel. The connector shows as connected, but no logs are being ingested. From the health data, they give this message: "Tenant does not exist in the O365…

Microsoft Sentinel
asked 2025-05-01T11:58:52.87+00:00
Brandon DeVane 0 Reputation points
0 answers

Microsoft Sentinel | Data connectors - AWS

The script provided by Microsoft does not work and fails in various places, like with tags etc. I would like to know if others are facing this issue? "28/04/2025 12:43","Executing: aws iam create-role --role-name OIDC_SentinelIAMRole2…

Microsoft Sentinel
asked 2025-04-28T12:12:47.56+00:00
Arif Ali 0 Reputation points
commented 2025-04-29T13:45:07.7+00:00
Arif Ali 0 Reputation points
2 answers

Connect data to Microsoft Sentinel using data connectors Salesforce

I need help integrating Salesforce and Wiz into my SIEM.

Viva Connections
A Microsoft Viva module that provides a gateway to a modern engagement experience.
106 questions
Microsoft Sentinel
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
24,382 questions
asked 2025-02-10T14:57:39.59+00:00
Dunham, Jermey 0 Reputation points
answered 2025-04-29T09:09:16.5966667+00:00
Pauline Mbabu 830 Reputation points Microsoft Employee
1 answer

Sentinel_Not able to create playbook 'Fortinet-FortiGate-ResponseOnBlockIP' using in-built Data Connector

Hi, I am trying to create a playbook that uses the built-in template 'Fortinet-FortiGate-ResponseOnBlockIP'. I was able to create the connector/API and it seems to be connected as shown in the image. The location of the connector is Australia East. Now…

Microsoft Sentinel
asked 2025-04-27T10:56:46.32+00:00
Austin Smith 0 Reputation points
answered 2025-04-29T08:03:04.6166667+00:00
Luis Arias 8,591 Reputation points
2 answers

Troubleshoot disconnected state of Sentinel data connector for Cisco AMP

Follow the steps for ARM deployment according to https://learn.microsoft.com/en-us/azure/sentinel/data-connectors/cisco-secure-endpoint-amp?source=recommendations Connector was deployed but it is in the disconnected state. All parameters in ARM…

Microsoft Sentinel
asked 2025-04-27T04:14:49.9733333+00:00
Al2020s 0 Reputation points
answered 2025-04-28T17:45:12.9933333+00:00
Jyotishree Moharana 795 Reputation points Microsoft External Staff
2 answers

What is the App Registration quota or limit to query different applications?

Hi everyone, I've been searching through the documentation, but I haven't found specific details about quota limitations for App Registrations, especially when ingesting data into different Azure services like Azure Log Analytics tables or Azure Data…

Microsoft Sentinel
asked 2025-04-22T01:37:58.47+00:00
elukhan 0 Reputation points
commented 2025-04-28T05:22:40.57+00:00
Sanoop M 2,815 Reputation points Microsoft External Staff
0 answers

How to post log data to sentinel from a custom application

Hi! I am working on a multi-tenanted cloud application. Some customers will wish certain log entries to be passed to Microsoft Sentinel. Most competitor products (Elastic, Splunk, ...) seem to offer an HTTP API which may be used, i.e., we can just perform…

Microsoft Sentinel
asked 2025-04-06T20:39:29.24+00:00
Andy Gibson 0 Reputation points
commented 2025-04-26T07:29:31.3033333+00:00
Clive Watson 7,636 Reputation points MVP
1 answer (accepted by the question author)

Analytic Rules not triggering but data is on log analytics

Hi guys, I'll try to summarize the question. I created an analytics rule for a specific situation. If I take the KQL and put it in the Analytics Log, it returns the records I want. But it doesn't trigger the incident at all. I have several incidents…

Microsoft Sentinel
asked 2025-04-24T18:19:52.8333333+00:00
Arthur Moreth 20 Reputation points
commented 2025-04-26T01:54:45.44+00:00
Arthur Moreth 20 Reputation points
1 answer (accepted by the question author)

MS Sentinel Cisco Meraki (using REST API) Data Connector Can't Edit Data Parser

Hello, I'm new to MS Sentinel. I've installed the Cisco Meraki (using REST API) Data Connector and its status shows "Connected". I can see data coming in. However, I keep getting a message that I need to edit the Cisco Meraki Data Parser to…

Microsoft Sentinel
asked 2025-04-18T14:59:39.01+00:00
KTC2 20 Reputation points
commented 2025-04-25T16:02:43.24+00:00
mpls 135 Reputation points
1 answer

Need to configure a new deployment to enable Jamf Protect for Microsoft Sentinel integration (deprecated in Jamf Protect)

Hello, I'm starting to configure from the marketplace and creating a new deployment to enable the Jamf Protect for Microsoft Sentinel integration, as the old configuration from Jamf Protect is showing as Deprecated, so I need some help to…

Microsoft Sentinel
asked 2025-04-21T23:13:28.8833333+00:00
Diego Rios 0 Reputation points
commented 2025-04-24T07:28:02.4966667+00:00
Sanoop M 2,815 Reputation points Microsoft External Staff
0 answers

Why does an automatic Log Analytic Workspace/Resource Group keep getting created?

Hi, I am trying to add 1Password as a data connector into Microsoft Sentinel, following this article: https://support.1password.com/1password-sentinel-integration/ I am deploying 1Password using an Azure custom template/deployment, and I am specifying…

Microsoft Sentinel
asked 2025-04-18T19:51:18.5+00:00
Ciaran Doherty 0 Reputation points
commented 2025-04-21T19:11:02.5933333+00:00
Luis Arias 8,591 Reputation points
1 answer

MFA KQL query to detect events where a user account was created more than 90 days ago, and it works as expected when run manually. However, the query doesn’t seem to work when configured in a scheduled rule

We have written an MFA KQL query to detect events where a user account was created more than 90 days ago, and it works as expected when run manually. However, the query doesn’t seem to work when configured in a scheduled rule. Could you please help us…

Microsoft Sentinel
asked 2025-04-14T06:18:53.6566667+00:00
Jatin Wadhwa 0 Reputation points
commented 2025-04-18T21:50:15.18+00:00
Raja Pothuraju 21,380 Reputation points Microsoft External Staff
1 answer (accepted by the question author)

Microsoft Sentinel where clause failing for more than one character

I'm having difficulty searching a field for a value in KQL. The field I am searching I get by decoding a base64 encoded string using the built in function base64_decode_tostring(). The string I am decoding is: …

Azure Data Explorer
An Azure data analytics service for real-time analysis on large volumes of data streaming from sources including applications, websites, and internet of things devices.
561 questions
Microsoft Sentinel
asked 2022-10-12T16:36:22.197+00:00
Liam Jones 146 Reputation points
accepted 2025-04-17T15:02:04.1666667+00:00
Liam Jones 146 Reputation points
1 answer (accepted by the question author)

"Log4j vulnerability exploit aka Log4Shell IP IOC involving one user"

Hi, how do we go about resolving (the detection rule "Log4j vulnerability exploit aka Log4Shell IP IOC involving one user" in Microsoft Sentinel identifies potential exploitation attempts of the Log4Shell vulnerability (CVE-2021-44228) by…

Microsoft Sentinel
asked 2025-04-15T17:19:19.45+00:00
Zenzele Mdakane 20 Reputation points
accepted 2025-04-16T20:28:11.2666667+00:00
Zenzele Mdakane 20 Reputation points
1 answer

Duplicate SecurityEvent logging after migrating from MMA to AMA

Greetings, I added a few extra tags to this as we are not quite sure of why we cannot Disconnect or Delete the Security Events Via the Legacy Agent Connector from our Sentinel environment. All Azure VMs have been migrated from the MMA (Legacy) agent to…

Microsoft Defender for Cloud
An Azure service that provides threat protection for workloads running in Azure, on-premises, and in other clouds. Previously known as Azure Security Center and Azure Defender.
1,529 questions
Microsoft Sentinel
Microsoft Defender for Identity
A Microsoft service that helps protect enterprise hybrid environments from multiple types of advanced, targeted cyberattacks and insider threats.
254 questions
asked 2024-12-06T20:24:41.8566667+00:00
mpls 135 Reputation points
commented 2025-04-16T13:57:25.2766667+00:00
Jonas Hosni 0 Reputation points
2 answers

Amazon Web Services S3 connectors

We have Microsoft Sentinel, and we need to integrate with the Amazon Web Services S3 connectors, but we are getting an error with the role.

Microsoft Sentinel
asked 2025-03-27T13:08:27.1466667+00:00
Kirolos Mena 5 Reputation points
answered 2025-04-16T11:37:57.6933333+00:00
Catherine Kyalo 1,305 Reputation points Microsoft Employee
1 answer

I need help creating a KQL query to find out when and who created a new user

I need help creating a KQL query to find out when and who created a new user.

Microsoft Sentinel
asked 2025-04-09T07:20:45.3333333+00:00
Peter Snydert 0 Reputation points
commented 2025-04-16T09:17:59.2566667+00:00
Clive Watson 7,636 Reputation points MVP
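A query that answers the question above, added here as an example and not taken from the thread or its answers. It assumes the Microsoft Entra ID data connector is populating the AuditLogs table (the "Add user" operation is what Entra ID writes when a user is created) and, optionally, that the Windows Security Events connector is populating SecurityEvent for on-premises Active Directory (Event ID 4720, "A user account was created"). The 30-day window is an assumption; widen it as needed.

```kql
// Added example: when a new user was created and by whom.
// Assumes the Entra ID connector (AuditLogs) and, optionally, the Windows
// Security Events connector (SecurityEvent) are feeding this workspace.
let lookback = 30d;   // assumption: adjust to your retention and need
// Cloud side: Entra ID audit log. InitiatedBy is a user for interactive
// creations and an app/service principal for automated ones, so take whichever
// is populated.
let entraCreations = AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName == "Add user" and Result == "success"
    | mv-expand Target = TargetResources
    | where tostring(Target.type) == "User"
    | project TimeGenerated,
              Source = "EntraID",
              Actor = coalesce(tostring(InitiatedBy.user.userPrincipalName),
                               tostring(InitiatedBy.app.displayName)),
              ActorIp = tostring(InitiatedBy.user.ipAddress),
              NewUser = tostring(Target.userPrincipalName),
              NewUserId = tostring(Target.id),
              CorrelationId;
// On-prem side: AD domain controllers log 4720 when an account is created.
let adCreations = SecurityEvent
    | where TimeGenerated > ago(lookback)
    | where EventID == 4720
    | project TimeGenerated,
              Source = "ActiveDirectory",
              Actor = strcat(SubjectDomainName, "\\", SubjectUserName),
              ActorIp = "",
              NewUser = strcat(TargetDomainName, "\\", TargetUserName),
              NewUserId = TargetSid,
              CorrelationId = Computer;
union entraCreations, adCreations
| order by TimeGenerated desc
```

Run it in Logs for an ad-hoc answer, or drop the body into a scheduled analytics rule with NewUser and Actor mapped as Account entities; the Actor column is what tells you whether a person or an automation created the account, which is usually the first thing an investigator needs to know.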
1 answer

How do I get rid of the enormous "Get your SIEM and XDR in one place" graphic in the Sentinel overview page?

When I open Microsoft Sentinel, it defaults to the Overview (Preview) page. However, there is a persistent HUGE infographic which tells me to "Get your SIEM and XDR in one place". I've already done that... months ago. How do I get rid of…

Microsoft Sentinel
asked 2025-04-11T20:38:25.8833333+00:00
Rich Fleming 0 Reputation points
commented 2025-04-16T07:33:18.5+00:00
Sanoop M 2,815 Reputation points Microsoft External Staff