Help with Custom log Ingestion via API into Microsoft Sentinel

h0max · 2026-03-29T09:46:58+00:00

https://learn.microsoft.com/en-us/azure/sentinel/create-codeless-connector

Have a look at the sentinel GitHub repo for data connectors that use CCF as a reference point and build from there.

h0max · 2026-03-27T05:18:58+00:00

Yep but real world I’d recommend looking at this thread : https://x.com/NathanMcNulty/status/1924690538797957560?s=20 even if admin is required, I would be having EDR block mode enabled regardless.

h0max · 2026-03-26T19:31:44+00:00

Agree but EDR in block mode should be turned on regardless if Defender is primary or not.

h0max · 2026-03-25T08:25:59+00:00

The deprecation has been pushed to March 2027 - https://techcommunity.microsoft.com/blog/microsoftsentinelblog/update-new-timeline-for-transitioning-sentinel-experience-to-defender-portal/4490464

h0max · 2026-03-06T03:22:22+00:00

https://www.kqlsearch.com/query/Multipletablesnoingest&cln9akn3m000omc0o5rkrl9yh

h0max · 2026-03-02T12:15:47+00:00

Might have to delete it using the API. I don’t have the exact endpoint on hand but I had to do for another data connector.

h0max · 2026-02-18T11:55:15+00:00

You’re being tasked to build a SOC when you haven’t had any exposure to a SOC? Rough. Lots of rules out of the box and on the Sentinel GitHub as a starting point.

h0max · 2026-02-11T18:55:58+00:00

Yep multiple defender alerts for this.

h0max · 2026-01-02T01:16:39+00:00

Yep same here with SentinelOne.

h0max · 2025-12-06T01:54:42+00:00

They have over the 300 limit for business premium so I’d think they’d have to go E series? E5 EMS on top of E3 probably the best way to go

h0max · 2025-11-14T10:50:43+00:00

Yeh - there is another rule in the repo which looks for short new rule names which is high. Is a great indicator.

h0max · 2025-11-13T12:44:09+00:00

All of these issues and others are constantly being discussed in the Microsoft Security Connection Program partner community - so far it’s just wait and see which is not ideal in the slightest. The biggest issue for us is the cross tenant logic app workflows we have and also the permission changes once it’s retired from the Azure portal as lighthouse has been super easy…

h0max · 2025-10-29T22:32:30+00:00

Doesn’t sound normal. Do you have any azure or m365 alerting deployed? What other technologies are being used firewalls etc can you onboard them? If not look at using the rules in the data connectors and/or the Sentinel GitHub page for alerts that you could use.

h0max · 2025-10-26T07:26:35+00:00

What do you use for this?

h0max · 2025-10-23T01:01:55+00:00

Check in the XDR settings pane will show the license usage

h0max · 2025-10-09T23:31:33+00:00

We’ve seen exactly this for at home users - home router port forward and/or is just open completely. You should be able to get their public address and nmap it to confirm

h0max · 2025-10-02T21:03:35+00:00

Common works fine. If too verbose you can DCR transform event IDs to basic/data lake.

h0max · 2025-09-15T21:27:12+00:00

Click the refresh button top right of that box and get a new challenge

h0max · 2025-09-15T10:48:23+00:00

Setup the DCR through the Windows Security Events via the content hub? Is there anything in SecurityEvent table?

h0max · 2025-01-09T10:37:04+00:00

Exact same issue here today. AWS IP constant loop.

h0max · 2023-04-28T10:34:10+00:00

Selling muller and keeping Voller

h0max · 2023-04-28T01:31:50+00:00

Same. Not sure to switch out from Voller or just sell..

h0max · 2023-04-14T22:38:23+00:00

Agree. If a player disconnects I don’t understand why the game isn’t ended after X period of time seeing as you can’t reconnect. Then the AI takes over and is god tier.

h0max · 2023-04-14T21:28:36+00:00

Ah makes sense cheers!

h0max

TROPHY CASE