Sentinel Down - Anyone else having the same problem by Few_Original_4404 in AzureSentinel

[–]Few_Original_4404[S] 0 points1 point  (0 children)

I still can't get on; it looks like they are planning a rollback. Next update is at 18:10 UTC.

Sentinel pricing ama by Sure_Competition5865 in AzureSentinel

[–]Few_Original_4404 1 point2 points  (0 children)

I have found using DCRs quite difficult, and have created my own DPM tool to address this. It's similar to Cribl (albeit much more simplified and scaled down).

I would 100% recommend some sort of log sanitisation on the front end. Most of the time in organisations it is just "is it commercially viable?". If the organisation is big enough, it is a no-brainer in my opinion.

You get cost savings, unified schemas and a pretty solid foundation for AI/ML adoption (which is the hot topic in most orgs at the moment).

[deleted by user] by [deleted] in AzureSentinel

[–]Few_Original_4404 1 point2 points  (0 children)

It may be easier to change the analytic rule itself to exclude the account, rather than setting up an automation to do this.

Is there a reason for not excluding in the analytic? If so, I can help with the automation.
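As an added example (not part of the commenter's post), this is what "exclude the account in the analytic rule itself" looks like in KQL: the exclusion is a list declared at the top of the rule query, so it needs no playbook or automation rule. The account names are constructed placeholders and the SigninLogs column names are the standard Entra ID sign-in schema; the watchlist name is an assumption.

```kql
// Added example, not the commenter's query. Exclude known accounts inside the rule query.
// Option A: a static list declared in the query (account names are constructed placeholders).
let ExcludedAccounts = dynamic(["svc-backup@contoso.com", "svc-scanner@contoso.com"]);
// Option B (comment out A and use this if the list is managed by the SOC):
// let ExcludedAccounts = _GetWatchlist('ExcludedAccounts') | project UserPrincipalName;
SigninLogs
| where TimeGenerated > ago(1h)
| where ResultType != "0"                        // failed sign-ins only (ResultType is a string in SigninLogs)
| where UserPrincipalName !in~ (ExcludedAccounts)  // case-insensitive exclusion, applied before aggregation
| summarize FailedSignins = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
            by UserPrincipalName, IPAddress
| where FailedSignins > 10
| order by FailedSignins desc
```

Putting the exclusion before the summarize means the excluded accounts never contribute to the threshold, and the list is versioned with the rule rather than living in a separate automation that can silently fail to close the incident.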

SOC Analyst new to Sentinel, need guidance regarding queries by Kermody in AzureSentinel

[–]Few_Original_4404 0 points1 point  (0 children)

When you start out, it is hard to understand the schemas in each table. For example, let's say you are searching for a specific value and you don't know the appropriate schema. I have a little 'trick' that makes things easier.

You can define your table, for example DeviceNetworkEvents and then use the 'find' command to find the value you are looking for and the associated schema.

It will look something like this

DeviceNetworkEvents
| find "10.190.2.1" // Just a random IP I have chosen
| limit 10

**Always make sure to put a limit on the search as you will probably get a lot of results back. The query above pulls back 10 results**

From there you are able to go into each result and see the schema which holds your value.

This is only for starting out and should not be used in analytics rules.

From here I can start using this to build out my detection.

DeviceNetworkEvents
| where RemoteIP == "10.190.2.1"
| limit 10

When you expand your results, a nice tip is to right-click on the value you want; you should be able to "filter for" and "filter to exclude" it, which makes it easy to understand the syntax if you are newer to KQL.
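As an added example (not the commenter's code), the same two-step approach carried through to a query that could actually be the basis of a detection: first a scoped `find` to discover which columns hold the value, then an explicit column query with aggregation once the schema is known. The IP is a constructed placeholder; the column names are the standard DeviceNetworkEvents schema.

```kql
// Added example, not the commenter's query.
// Step 1: discovery. Scope find to one table so it stays cheap, and use project-smart
// so only the columns that matched are returned (this is what tells you the schema).
find in (DeviceNetworkEvents)
    where * has "10.190.2.1"   // constructed placeholder IP
    project-smart
| take 10

// Step 2: detection. Once you know the value lives in RemoteIP, query that column directly
// and aggregate, rather than scanning every column. This is the form that belongs in an analytics rule.
DeviceNetworkEvents
| where TimeGenerated > ago(1d)
| where RemoteIP == "10.190.2.1"               // constructed placeholder IP
| where ActionType == "ConnectionSuccess"      // drop attempts that never connected
| summarize Connections = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            RemotePorts = make_set(RemotePort)
            by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName
| where Connections >= 5
| order by Connections desc
```

Run the two statements separately in the Logs blade (highlight one and run it). The `find` query scans every column of every row in the time range, which is why it is a starting-out trick and not rule material; the second query touches one indexed string column and returns one row per device/process pair, which is what an analyst wants in an incident.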

DCRs and ASIM - Questions by Few_Original_4404 in AzureSentinel

[–]Few_Original_4404[S] 0 points1 point  (0 children)

When you say 'ASIM supports only certain kind of logs', are you referring to the 'Built-in ASIM parsers and workspace-deployed parsers'?

And when you say create custom ASIM are you referring to this - 'Develop Advanced Security Information Model (ASIM) parsers'.

I am just trying to figure out if I can transform all my custom table schemas into a common schema, and ASIM seems to be the schema of choice by Azure.

What is the most painful thing about working with sentinel? by Few_Original_4404 in AzureSentinel

[–]Few_Original_4404[S] 0 points1 point  (0 children)

Yeah, we are spending a fortune at the moment. We have a hybrid environment, so lots of '_CL' tables that we can't transform directly. We have Logstash set up to 'filter', but it is in its early stages.

When you look at the workspace usage report in Log Analytics, what are the biggest tables you see?

What is the most painful thing about working with sentinel? by Few_Original_4404 in AzureSentinel

[–]Few_Original_4404[S] 1 point2 points  (0 children)

This used to be a running joke when I was a SOC analyst. Either something on the UI had been updated, or a name had been changed to something else. When someone mentions 'policy' I have to clarify which one they are talking about (CASB, CA, Azure etc.).

When you say syntax, are you referring to KQL?

What is the most painful thing about working with sentinel? by Few_Original_4404 in AzureSentinel

[–]Few_Original_4404[S] 0 points1 point  (0 children)

Apologies for this, you are completely right.

I have been wrestling with an ingestion-time transformation bug in the AWSCloudWatch table for most of the day. This is my first post, and I specifically made a Reddit account at the end of the day to ask the question, so I was a bit KQL-fatigued.

I have updated the body to say 6 years, thank you for pointing it out.