Azure Sentinel Lab Series | Ingest Ubiquiti logs into Azure Sentinel | EP7

3,659 views

TeachJing

1 day ago

Comments: 14
@TeachJing 3 years ago
I don’t think I included the one-liner script to install the log analytics agent. It’s in the description!
@peacejon2019 2 years ago
Can you do a vid of ingesting SQL server logs to sentinel?
@gerryvs69 2 years ago
Nice video! Do you have any idea why DROP/REJECT/ALLOW is not listed for the firewall log entries? That would make it a lot more useful for troubleshooting.
@brianbrotschi685 2 years ago
Unable to log in to the directory named after the workspace ID. All seemed to work on my first install, then I needed to change tenants and rebuild the Linux host running the OMS Agent. After running the install package using the recommended script (from this post), I ran into a permissions issue when attempting to navigate to the folder /etc/opt/microsoft/omsagent/workspace_id/conf/ location. I am using the sudo cd command, but getting a permission denied response. I notice that the folder has the following permissions: drwxr-x--- 4 omsagent omiusers 4096 Oct 22 22:59 workspace_id. Any idea how I overcome what appears to be a folder permissions issue?
@SS-hc6sp 2 years ago
Great video. I was able to get everything wired up accordingly. The workbook doesn't come over by default - this may be due to some change on the MS side, but was able to add the json from GitHub as a custom workbook manually, and it opened up. Interestingly, it's not showing me top URLs or resolving host names for local workstations, and a basic query shows events with where isnotempty(DnsQuery) returns no records. I'm pulling a lot of data in however, particularly from APs. I'm doing this from a UDMP, so not sure if that's responsible for breaking things. I changed the logs on the UDMP from default to verbose to see if that gets me the fields I'm after. Also, I'm not clear how I can get this data over to Defender for Cloud Apps. There's a method to do custom ingestion, but it doesn't seem capable of reusing the feed from sentinel. I think it would be better(?) to get the data into cloud apps and have that push its data over to sentinel, perhaps. Any experience with UDMP or Cloud Apps?
@divyasreeveluri5263 2 years ago
Can you explain how the alerts flow will be?
@aidenryan1756 2 years ago
Great video, thanks!
@waqarahmad3547 3 years ago
Bro, good going! Very informative, thank you so much for sharing your knowledge.
@TeachJing 3 years ago
You're welcome!
@brianbrotschi685 3 years ago
Thanks for taking the time to document these steps. Did you need to create a specific firewall rule (e.g. TCP 80 & 443 outbound allow & log) on the Ubiquiti system to create the syslog contents? Or will the "Remote Logging" options shown in the Ubiquiti controller config suffice?
@TeachJing 3 years ago
Should suffice. And it uses the custom port you configure. If you've got a firewall set up with multiple VLANs or networks, then you do have to configure some firewall rules. But if you have a standard network, then it should flow fine, unless the syslog collector is in the cloud or something.
@brianbrotschi685 3 years ago
@@TeachJing OK, thanks. I will remove the firewall rule (HTTP & HTTPS, outbound, allow, log) which I have in place, as it is generating lots of syslog events.
@rahul53403 2 years ago
Nice 👍
@sconnell194 3 years ago
👍