Latest Discussions
Log Forwarder - r-syslog TLS Encryption
Good day to all, We are working on the configuration of TLS rsyslog service encryption and decided to try with a self-signed certificate. We walked through this manual: RSyslog Documentation - rsyslog (created a CA, issued certificates, keys, etc.) but had no success. We did the configuration only on the server side (log forwarder) and not on the client. The log source is a Cortex XDR cloud platform, so we cannot configure anything on its side. From the Cortex XDR manual: "If your Syslog receiver uses a self-signed CA, Browse and upload your self-signed Syslog receiver CA." We uploaded the certificate, but it doesn't work. Cortex XDR cannot verify the connection. Forwarding unencrypted logs works perfectly. Has anybody configured TLS rsyslog? I would kindly appreciate any advice on it.
mikhailf | Jan 17, 2025 | Steel Contributor | 1.7K Views | 0 likes | 2 Comments

How to integrate Beyond Trust Logs With Sentinel
Hi All, How to integrate Beyond Trust Logs With Sentinel, do we have a data connector? As checked, there is no data connector for this. Please let me know, and also what logging level is required on the Beyond Trust side.
Sand_Sentinel87 | Jan 15, 2025 | Copper Contributor | 84 Views | 0 likes | 3 Comments

Automating label downgrade email notifications
I've been asked to investigate scheduling a query to run once a day that searches for label downgrade activities and sends an email with a list of events to the user's manager (according to the AD attribute). The thinking is, the manager is more likely to know if the files that are being downgraded are sensitive, personal or inconsequential and can alert us if they are sensitive and we need to investigate further. I have a KQL query that provides the results, I have created an analytics rule that runs the query every 24 hours and generates an alert, but when it comes to the Playbook I'm not sure how/if I can extract the fields/attributes from the results so I can use them to generate the email(s). I want the manager to only get the results for the people in their team/department, not the results for everyone in the company, so I would expect separate emails will be sent to each manager daily, rather than the same email going to multiple managers. Is what I am trying to do feasible, and if so, am I going about it the right way? Any advice appreciated.
Cameron_Stephens | Jan 13, 2025 | Copper Contributor | Solved | 190 Views | 0 likes | 7 Comments

Bug in stand-alone MS Sentinel MITRE tactics
I set up a new Analytic rule where I had selected multiple tactics/techniques combinations. When I create an incident from that rule, only one of the tactics/techniques actually shows up in the stand-alone MS Sentinel UI as well as in the SecurityIncident table. It isn't even the first one I selected; it is the last one. I did double check the Analytic rule and all the tactics/techniques are selected. If I look at the incident using the MS Sentinel REST API, it does show that all the tactics/techniques are there, as well as if I look in the M365 portal (I have my MS Sentinel instance linked). Heck, even the Graph Query will show them all (after expanding the incident to show the alerts as well). Has anyone noticed this recently? Is it a bug or another new "feature"?
GaryBushey | Jan 12, 2025 | Bronze Contributor | 27 Views | 0 likes | 0 Comments

Parsing syslog
1. I am ingesting firewall logs as syslog and trying to parse out the fields accordingly using the split command. I have a problem that the beginning of the log is not piped, and I have made the split in 2 occasions. As you can see in the attached pic, the FWD|UDP|p4| fields are not parsed out. This is the _raw syslog message: Security F180 Block: FWD|UDP|p4|192.168.x,x|67|00:15:5d:0f:c4:01|255.255.255.255|68|bootpc||LAN-2-INTERNET|4017|0.0.0.0|0.0.0.0|0|1|
2. Can you show me the same using normal regex? I can't see in the MSFT doc how to do it the old way 🙂
3. Should I do the parsing at search time of the query? Doesn't it increase the search time?
omrip | Jan 12, 2025 | Copper Contributor | 17K Views | 0 likes | 6 Comments

Having issues with Run-MDEAntiVirus Playbook
Hi, I'm having issues getting the Run-MDEAntiVirus playbook working. I have created it using the Github template, assigned the managed instance rights to Sentinel and the Defender ATP. When it is triggered I get the following error message. From what I can see the post command is not sending over the MDATPDeviceId. The information from the entries Get-Hosts does provide the host and the MDATPDeviceId information, so I'm a little lost on what is going on. Could anyone help me please? Regards, Mike
MikePalmer75 | Jan 10, 2025 | Brass Contributor | 2K Views | 0 likes | 3 Comments

Microsoft Teams Flow Bot
Anyone able to use Azure Sentinel --> Logic App with MS Teams Flow Bot to post a message in a channel? I haven't figured out how to do it, and although my logic app Post a message to Teams works, when my action is Post a message as the Flow Bot in a channel it always fails.
akefallonitis | Jan 08, 2025 | Brass Contributor | 49K Views | 0 likes | 8 Comments

The issue with displaying the original query in the newly created scheduled query rule
Hello everyone. I recently started learning Azure Sentinel, and I wanted to create my first custom rule. The rule works as I wanted, but I encountered an issue with displaying the original query. When an incident is created and I go to the "Incident Timeline" and click "Link to LA," my query is shown in an obfuscated form, as shown in the screenshot. Could you please help me figure out how to make the original query visible? Thank you!
Tvoby | Jan 08, 2025 | Copper Contributor | 62 Views | 0 likes | 1 Comment