Microsoft Sentinel on Anything About IThttps://www.verboon.info/tags/microsoft-sentinel/Recent content in Microsoft Sentinel on Anything About ITHugoen-usSat, 06 Sep 2025 15:32:18 +0000Collect Microsoft Entra Connect Sync Audit Eventshttps://www.verboon.info/2025/09/collect-microsoft-entra-connect-sync-audit-events/Sat, 06 Sep 2025 15:32:18 +0000https://www.verboon.info/2025/09/collect-microsoft-entra-connect-sync-audit-events/<p>Microsoft Entra Connect Sync now includes an admin audit logging capability that is enabled by default. This gives organizations visibility into configuration changes performed by Global Administrators, Hybrid Administrators, and local server administrators.</p> <p>In this post, we walk through how to forward those Microsoft Entra Connect Sync audit events into Microsoft Sentinel for centralized monitoring and investigation.</p> <h2 id="check-the-microsoft-entra-connect-sync-version">Check the Microsoft Entra Connect Sync Version</h2> <p>In the Entra portal, go to Entra Connect &gt; Connect Sync &gt; Microsoft Entra Connect Health &gt; Sync Services &gt; your service &gt; Microsoft Entra Connect Servers &gt; your server &gt; Properties &gt; Synchronization.</p>Monitoring Windows built-in local security Groups with Microsoft Defender XDR or Sentinelhttps://www.verboon.info/2024/02/monitoring-windows-built-in-local-security-groups-with-microsoft-defender-xdr-or-sentinel/Sun, 04 Feb 2024 21:50:36 +0000https://www.verboon.info/2024/02/monitoring-windows-built-in-local-security-groups-with-microsoft-defender-xdr-or-sentinel/<h1 id="windows-built-in-local-security-groups">Windows Built-in local security groups</h1> <p>Windows has several built-in local security groups that are designed to manage permissions and access rights on a computer. These groups are predefined by Windows, and each group has specific rights and permissions. The exact groups available can vary depending on the version of Windows you&rsquo;re using or the features that are enabled, but here&rsquo;s a general overview of the most commonly found built-in local security groups in Windows systems:</p>How to analyze Microsoft Sentinel Daily Cap Alerts - AADNonInteractiveUserSignInLogshttps://www.verboon.info/2022/05/how-to-analyze-microsoft-sentinel-daily-cap-alerts-aadnoninteractiveusersigninlogs/Fri, 20 May 2022 20:18:50 +0000https://www.verboon.info/2022/05/how-to-analyze-microsoft-sentinel-daily-cap-alerts-aadnoninteractiveusersigninlogs/<p>To avoid unplanned costs for Microsoft Sentinel, it is recommended to set a daily cap and create an analytics rule that triggers an alert when the daily cap is reached. Microsoft has published general guidance for monitoring costs <a href="https://learn.microsoft.com/azure/sentinel/billing-monitor-costs">here</a>.</p> <p>In the past months I have deployed a number of Microsoft Sentinel instances and in many cases the root cause for reaching the daily cap was related to data ingested into the AADNonInteractiveUserSignInLogs table. When analyzing the data we often found an individual user that created an unusually high amount of events. This can happen for various reasons such as:</p>