A cloud-native SIEM solution that provides intelligent security analytics and threat detection across systems
1,406 questions with Microsoft Security | Microsoft Sentinel tags
Onboarding New clients data sources to my microsoft sentinel
We are running Microsoft Sentinel and monitoring our internal data sources; now we want to onboard new clients' data sources to our Microsoft Sentinel. Can you take me through, step by step, how to do this by best practice? How can I segregate…
Microsoft Security | Microsoft Sentinel
Azure Sentinel Data Connectors not consistent across platforms
I noticed that the data connector lists in Azure PowerShell, the Azure Portal and the Defender portal are not consistent. Results I got: PowerShell (12 connectors), Defender Portal (3 connectors), Azure Portal (10 connectors). What is the most reliable way to…
Microsoft Security | Microsoft Sentinel
MS Sentinel Parsers - User account disable/enable events across local account and Entra contexts
I need an IM parser that can grab Event ID 4772 events, as well as grab "Enable account" operation events from the Azure AuditLog table. Does an out of the box parser exist for this use-case? I can see there's _Im_UserManagement parser for the…
Microsoft Security | Microsoft Sentinel
How to fix Microsoft Azure Sentinel to OCI issue , Codeless Connector deployment failed.
Microsoft Sentinel connector failed. Connectivity check failed. ConnectorId: oracle-cloud-infra-connector 63c27576-2a31-4993-9649-dd6fe2b01ce5, Status code: OCI40003
Microsoft Security | Microsoft Sentinel
What do I use for the Identity provider for Microsoft Sentinel?
I've confirmed everything is configured in AWS; one of a few concerns I have is the account ID in the trust policy role, as well as the OpenID Connect provider. Is this the identity provider I'm using for SSO with AWS, or the one I use for Microsoft Sentinel?…
Microsoft Security | Microsoft Sentinel
Sentinel Incident KQL
Hi, my existing KQL is below; here I want to include only the hostname. SecurityIncident | where CreatedTime between (datetime(2026-03-17) .. datetime(2026-03-23)) | where Status contains "Closed" | project IncidentNumber, LastModifiedTime, …
Microsoft Security | Microsoft Sentinel
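One way to get a host name onto that incident list, as an added example that is not the poster's query: SecurityIncident itself carries no host column, so the host has to come from the entities of the alerts behind the incident. The query below assumes the standard SecurityIncident and SecurityAlert schemas (AlertIds on the incident, SystemAlertId and the JSON Entities string on the alert) and keeps only incidents that have at least one host entity; the date range is the poster's.

```kusto
// Added example (not the poster's query): attach host names to closed incidents by expanding
// each incident's AlertIds into the SecurityAlert entities of type "host".
SecurityIncident
| where CreatedTime between (datetime(2026-03-17) .. datetime(2026-03-23))
| where Status == "Closed"                                  // exact match instead of contains
| summarize arg_max(LastModifiedTime, *) by IncidentNumber // SecurityIncident has one row per update; keep the latest
| mv-expand AlertId = AlertIds to typeof(string)           // one row per alert in the incident
| join kind=inner (
    SecurityAlert
    | mv-expand Entity = todynamic(Entities)               // Entities is a JSON string; expand to one row per entity
    | where tostring(Entity.Type) == "host"
    | project SystemAlertId, HostName = tostring(Entity.HostName)
  ) on $left.AlertId == $right.SystemAlertId
| summarize Hosts = make_set_if(HostName, isnotempty(HostName))
    by IncidentNumber, Title, Status, LastModifiedTime
| order by LastModifiedTime desc
```

The arg_max step matters: without it every edit of an incident (status change, owner change, comment) produces another row, which inflates counts and duplicates hosts. Switch the join to kind=leftouter if incidents without any host entity should stay in the result with an empty Hosts set.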
Sophos Endpoint Protection Solution Azure App out of date
Having issues configuring the Sophos Endpoint Protection Solution marketplace app: https://marketplace.microsoft.com/en-us/product/azure-applications/azuresentinel.azure-sentinel-solution-sophosep Setup instructions are: STEP 1 - Configuration steps…
Microsoft Security | Microsoft Sentinel
Missing Agent Management in Sentinel
My workspace is connected to my sentinel but when I look for the Workspace ID and keys there is nothing there. Can someone please let me know where I can find the workspace ID and Primary and secondary key that is used to connect my Linux rsyslog server.…
Microsoft Security | Microsoft Sentinel
Sentinel Data Lake – Features unavailable for a specific workspace
I have a question regarding the configuration of the Sentinel Data Lake. A specific workspace does not appear under the following workspace scope in the Defender portal: Data lake exploration > KQL queries Could you tell me how to make it appear…
Microsoft Security | Microsoft Sentinel
Sailpoint Identity function failure
Hi Everyone, We have used the built in Sentinel Data connector for Sailpoint IdentityNow. The Sailpoint team have confirmed they followed the access token steps provided in the data connector. We have successfully deployed it with the client ID, secret…
Microsoft Security | Microsoft Sentinel
How to fix StreamID must be a valid OCI stream OCID format. This is related to the oracle cloud infrastructure data connector.
I am sending Oracle audit logs to Azure Sentinel, but I am getting the validation error "StreamID must be a valid OCI stream OCID format" while entering the details on the connector page. I think the problem is that the connector does not…
Microsoft Security | Microsoft Sentinel
Intermittent "Missing Heartbeat" Alerts in Sentinel Even Though Logs Show No Gap
Hi everyone, I have an on-premises virtual machine onboarded to Azure Arc and I’m collecting Heartbeat logs using the Azure Monitor Agent (AMA) in Microsoft Sentinel. I created an analytics rule to trigger an alert if a heartbeat is missing for 10…
Microsoft Security | Microsoft Sentinel
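A missing-heartbeat rule of the kind described above, as an added example that is not the poster's rule. Two things commonly make such a rule fire while the Heartbeat table later shows no gap, and the query is written to expose both: the rule's look-back window is no longer than the threshold, so a host with no rows in the window simply drops out of the result instead of being reported, and heartbeats that were sent on time arrive late (ingestion lag), so they exist when you look but did not exist when the rule ran. Table and column names are the standard Heartbeat schema; the threshold and look-back values are assumptions to tune.

```kusto
// Added example (not the poster's rule): hosts whose latest heartbeat is older than the threshold.
let threshold = 10m;   // alert if no heartbeat for this long (the poster's 10 minutes)
let lookback = 1h;     // assumed; must be longer than threshold, otherwise a silent host has no rows and never appears
Heartbeat
| where TimeGenerated > ago(lookback)
| summarize LastHeartbeat = max(TimeGenerated),
            // how late the heartbeats in this window actually landed in the workspace
            MaxIngestionLag = max(ingestion_time() - TimeGenerated)
    by Computer, ResourceId
| extend SilentFor = now() - LastHeartbeat
| where SilentFor > threshold
| project Computer, ResourceId, LastHeartbeat, SilentFor, MaxIngestionLag
```

When reviewing a past alert, run the same query with `now()` replaced by the rule's run time and compare MaxIngestionLag with the threshold: if the lag regularly approaches or exceeds it, the heartbeat was present on the agent but not yet in the workspace when the rule evaluated, and the threshold or the rule schedule needs more headroom. Set the rule's query period to at least the look-back value so the summarize sees the full window.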
How to properly parse data in custom logs for Log Analytics (I have no response from the query, actually)?
I have some data in a txt file. I create my txt with a PowerShell script that encodes it in UTF-8, but nothing works when I import the log into Log Analytics. The data is parsed like this in the txt: Time=Date Data1=data Data2=data2 Time=Date Data1=data…
Microsoft Security | Microsoft Sentinel
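A query for the key=value layout shown in the post, as an added example that is not the poster's query. The custom table name (MyApp_CL) and raw column (RawData) are assumptions, and the two sample rows are constructed inline with datatable so the query runs without any ingestion; replace the datatable with the real table once rows are visible there.

```kusto
// Added example (not the poster's query): parse "Time=... Data1=... Data2=..." lines with parse-kv.
// MyApp_CL / RawData are assumed names; the two rows below are constructed sample data.
let MyApp_CL = datatable(TimeGenerated: datetime, RawData: string) [
    datetime(2026-03-17 10:00:00), "Time=2026-03-17T09:59:58Z Data1=login Data2=alice",
    datetime(2026-03-17 10:00:05), "Time=2026-03-17T10:00:03Z Data1=logout Data2=bob"
];
MyApp_CL
| parse-kv RawData as (Time: string, Data1: string, Data2: string)
    with (pair_delimiter=' ', kv_delimiter='=')
| extend EventTime = todatetime(Time)     // the Time field only becomes usable once it is a real datetime
| where isnotempty(Data1)                  // drops lines that did not match the expected layout
| project TimeGenerated, EventTime, Data1, Data2
```

Before debugging the parser, confirm that rows exist at all with a plain `MyApp_CL | take 10`; an empty result there is an ingestion problem, not a parsing one. Two ingestion pitfalls fit the symptoms in the post: Windows PowerShell 5.1's `Out-File -Encoding utf8` writes a UTF-8 byte order mark at the start of the file, and the collector splits records on newlines, so each `Time=... Data1=... Data2=...` group must be on its own line rather than run together.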
Azure Monitor Agent-DCR custom path template for filtering Database logs
Hi there! I would like to filter out database logs using Azure Monitor Agent DCR custom XPath queries. Are there any ready-made XPath queries available to filter the audit logs of Oracle DB, MSSQL DB and MySQL DB? Thanks in advance!
Microsoft Security | Microsoft Sentinel
Sentinel playbook in Azure Logic Apps retrieves an incident URL that points to an old, deleted resource group instead of the current one
Hi, I'm trying to create a playbook in Azure Logic Apps that uses the "When Azure Sentinel incident creation rule was triggered" step as a trigger. This step is supposed to start when an incident is created and retrieve details about the…
Azure Logic Apps
An Azure service that automates the access and use of data across clouds without writing code.
Microsoft Security | Microsoft Sentinel
how we can automate the Shadow IT Report
how we can automate the Shadow IT Report how we can automate the Shadow IT Report how we can automate the Shadow IT Report how we can automate the Shadow IT…
Microsoft Security | Microsoft Sentinel
What is the new date for Microsoft sentinel retirement?
What is the new date for Microsoft sentinel retirement?
Microsoft Security | Microsoft Sentinel
Defender Unified portal migration - Sentinel Workspace is not visible in the Defender portal.
Hi, I'm planning to migrate the existing Sentinel workspace to the Defender portal. I followed the instructions from the Microsoft document and acquired all the necessary rights (Security Administrator + User Access Administrator + Contributor). But…
Microsoft Security | Microsoft Sentinel
Bug Report: Sentinel Incident Page Crash - "ReactView frame failed to load" (Uncaught error in e.accountName)
Hello, I am experiencing a blocking issue when trying to open specific Incident Details pages in Microsoft Sentinel. The page crashes immediately with the error "ReactView frame failed to load". Technical Error Analysis: Based on the stack…
Microsoft Security | Microsoft Sentinel
Department field shows as “Unknown” in Sentinel Analytics Rule
Hi, When I create and run a query in Microsoft Sentinel, it correctly shows the user’s department. However, after creating a detection rule and reviewing the query results, the Department column appears as “Unknown.” Why does this happen?
Microsoft Security | Microsoft Sentinel