articles/sentinel/ama-migrate.md
Lines changed: 4 additions & 4 deletions
@@ -11,11 +11,11 @@ ms.author: yelevin
This article describes the migration process to the Azure Monitor Agent (AMA) when you have an existing, legacy [Log Analytics Agent (MMA/OMS)](/azure/azure-monitor/agents/log-analytics-agent), and are working with Microsoft Sentinel.
-
The Log Analytics agent is [retired as of **31 August, 2024**](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). If you are using the Log Analytics agent in your Microsoft Sentinel deployment, we recommend that you migrate to the AMA.
+
The Log Analytics agent is [retired as of 31 August, 2024](https://azure.microsoft.com/updates/were-retiring-the-log-analytics-agent-in-azure-monitor-on-31-august-2024/). If you are using the Log Analytics agent in your Microsoft Sentinel deployment, we recommend that you migrate to the AMA.
## Prerequisites
-
Start with the [Azure Monitor documentation](/azure/azure-monitor/agents/azure-monitor-agent-migration) which provides an agent comparison and general information for this migration process.
+
Start with the [Azure Monitor documentation](/azure/azure-monitor/agents/azure-monitor-agent-migration), which provides an agent comparison and general information for this migration process.
This article provides specific details and differences for Microsoft Sentinel.
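Review bot: the retirement date in the replaced line keeps the comma in "31 August, 2024", which is nonstandard for a day-month-year date; suggest "31 August 2024". Also confirm that dropping the bold on that date is intended, since it is the one deadline a reader of this paragraph needs to notice.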
@@ -29,9 +29,9 @@ Each organization will have different metrics of success and internal migration
1. Run a proof of concept to test how the AMA sends data to Microsoft Sentinel, ideally in a development or sandbox environment.
-
1. To connect your Windows machines to the [Windows Security Event connector](data-connectors/windows-security-events-via-ama.md), start with **Windows Security Events via AMA** data connector page in Microsoft Sentinel. For more information, see [Windows agent-based connections](connect-services-windows-based.md).
+
1. To connect your Windows machines to the [Windows Security Event connector](data-connectors/windows-security-events-via-ama.md), start with the **Windows Security Events via AMA** data connector page in Microsoft Sentinel. For more information, see [Windows agent-based connections](connect-services-windows-based.md).
-
1. Go to the **Security Events via Legacy Agent** data connector page. On the **Instructions** tab, under **Configuration** > Step 2,**Select which events to stream**, select **None**. This configures your system so that you won't receive any security events through the MMA/OMS, but other data sources relying on this agent will continue to work. This step affects all machines reporting to your current Log Analytics workspace.
+
1. Go to the **Security Events via Legacy Agent** data connector page. On the **Instructions** tab, under **Configuration** > **Step 2** >**Select which events to stream**, select **None**. This configures your system so that you won't receive any security events through the MMA/OMS, but other data sources relying on this agent will continue to work. This step affects all machines reporting to your current Log Analytics workspace.
> [!IMPORTANT]
> Ingesting data from the same source using two different types of agents will result in double ingestion charges and duplicate events in the Microsoft Sentinel workspace.
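Review bot: the added "Security Events via Legacy Agent" step is missing a space after the second `>` in "**Configuration** > **Step 2** >**Select which events to stream**"; suggest "**Step 2** > **Select which events to stream**" so the breadcrumb renders consistently with the rest of the path.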
articles/sentinel/normalization-schema-dns.md
Lines changed: 1 addition & 0 deletions
@@ -339,6 +339,7 @@ The following table lists known discrepancies:
| Microsoft DNS Server Collected using the DNS connector and the Log Analytics Agent | The connector doesn't provide the mandatory DnsQuery field for original event ID 264 (Response to a dynamic update). The data is available at the source, but not forwarded by the connector. |
| Corelight Zeek | Corelight Zeek may not provide the mandatory DnsQuery field. We have observed such behavior in certain cases in which the DNS response code name is `NXDOMAIN`. |
+
## Handling DNS response
In most cases, logged DNS events don't include response information, which may be large and detailed. If your record includes more response information, store it in the [ResponseName](#responsename) field as it appears in the record.
articles/sentinel/skill-up-resources.md
Lines changed: 2 additions & 2 deletions
@@ -276,8 +276,8 @@ Microsoft Sentinel supports two new features for data ingestion and transformati
-[**Logs ingestion API**](/azure/azure-monitor/logs/logs-ingestion-api-overview): Use it to send custom-format logs from any data source to your Log Analytics workspace and then store those logs either in certain specific standard tables, or in custom-formatted tables that you create. You can perform the actual ingestion of these logs by using direct API calls. You can use Azure Monitor [data collection rules](/azure/azure-monitor/essentials/data-collection-rule-overview) to define and configure these workflows.
-[**Workspace data transformations for standard logs**](/azure/azure-monitor/essentials/data-collection-transformations-workspace): It uses [data collection rules](/azure/azure-monitor/essentials/data-collection-rule-overview) to filter out irrelevant data, to enrich or tag your data, or to hide sensitive or personal information. You can configure data transformation at ingestion time for the following types of built-in data connectors:
-
- Azure Monitor Agent (AMA)-based data connectors
-
- Data connectors that use diagnostics settings
+
- Azure Monitor Agent (AMA)-based data connectors ([Syslog and CEF](connect-cef-syslog-ama.md) | [Windows DNS](connect-dns-ama.md) | [Custom](connect-custom-logs-ama.md) )
+
-[Data connectors that use diagnostics settings](connect-services-diagnostic-setting-based.md)
-[Service-to-service data connectors](data-connectors-reference.md)
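Review bot: the added AMA-based connectors line has a stray space before the closing parenthesis in "[Custom](connect-custom-logs-ama.md) )"; suggest "[Custom](connect-custom-logs-ama.md))". Also check that the new "Data connectors that use diagnostics settings" item uses the same list-marker spacing as the unchanged "Service-to-service data connectors" item below it, since the two now sit in the same list.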
articles/sentinel/tutorial-enrich-ip-information.md
Lines changed: 6 additions & 6 deletions
@@ -70,7 +70,7 @@ Microsoft Sentinel includes ready-made, out-of-the-box playbook templates that y
1. Edit the **Playbook name** by adding to the end of the suggested name "*Get-VirusTotalIPReport*". This way you'll be able to tell which original template this playbook came from, while still ensuring that it has a unique name in case you want to create another playbook from this same template. Let's call it "*Get-VirusTotalIPReport-Tutorial-1*".
-
1. Leave the **ENable diagnostics logs in Log Analytics unchecked.
+
1. Leave the **Enable diagnostics logs in Log Analytics** option unchecked.
1. Select **Next : Connections >**.
@@ -94,23 +94,23 @@ Microsoft Sentinel includes ready-made, out-of-the-box playbook templates that y
## Authorize logic app connections
-
Recall that when we created the playbook from the template, we were told that the Azure Log Analytics Data Collector and Virus Total connections would be configured later.
+
Recall that when we created the playbook from the template, we were told that the Azure Log Analytics Data Collector and Virus Total connections would be configured later.
:::image type="content" source="media/tutorial-enrich-ip-information/7-authorize-connectors.png" alt-text="Screenshot of review information from playbook creation wizard.":::
Here's where we do that.
### Authorize Virus Total connection
-
1. Select the **For each** action to expand it and review its contents (the actions that will be performed for each IP address).
+
1. Select the **For each** action to expand it and review its contents, which include the actions that will be performed for each IP address. For example:
:::image type="content" source="media/tutorial-enrich-ip-information/8-for-each-loop.png" alt-text="Screenshot of for-each loop statement action in logic app designer.":::
-
1. The first action item you see is labeled **Connections** and has an orange warning triangle.
+
1. The first action item you see is labeled **Connections** and has an orange warning triangle.
If instead, that first action is labeled **Get an IP report (Preview)**, that means you already have an existing connection to Virus Total and you can go to the [next step](#next-step-condition).
-
1. Select the **Connections** action to open it.
+
1. Select the **Connections** action to open it.
1. Select the icon in the **Invalid** column for the displayed connection.
:::image type="content" source="media/tutorial-enrich-ip-information/9-virus-total-invalid.png" alt-text="Screenshot of invalid Virus Total connection configuration.":::
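Review bot: three of the removed/added pairs in this hunk ("Recall that when we created the playbook...", "The first action item you see is labeled **Connections**...", and "Select the **Connections** action to open it.") read identically on both sides, so they appear to be whitespace-only changes; worth confirming they are intentional trailing-whitespace cleanup rather than accidental edits. The one substantive change, adding "For example:" before the for-each screenshot, reads fine.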
@@ -243,7 +243,7 @@ If you're not going to continue to use this automation scenario, delete the play
1. Mark the check box next to your automation rule in the list, and select **Delete** from the top banner.
(If you don't want to delete it, you can select **Disable** instead.)
-
## Next steps
+
## Related content
Now that you've learned how to automate a basic incident enrichment scenario, learn more about automation and other scenarios you can use it in.