Azure Sentinel

2,014
Matt_Lowe on 04-13-2020 03:04 PM
99.4K
Ofer_Shezaf on 04-12-2020 04:05 PM
4,312
Ofer_Shezaf on 04-12-2020 01:15 PM
4,057
Chris Boehm on 04-10-2020 03:00 PM
14.1K
Cristhofer Munoz on 04-06-2020 06:51 AM
4,275
Sarah Fender on 04-03-2020 11:31 AM
5,266
Cristhofer Munoz on 04-03-2020 09:52 AM
3,189
robeving on 04-03-2020 08:18 AM
10.3K
ianhelle on 04-01-2020 01:53 PM
3,271
sarahyo on 03-31-2020 06:25 PM
4,820
Clive Watson on 03-31-2020 05:56 AM
24.3K
Pete Bryan on 03-30-2020 02:22 PM
20.2K
Cyb3rWard0g on 03-27-2020 04:01 PM
2,404
Clive Watson on 03-27-2020 10:56 AM
2,090
PaulFCollins on 03-26-2020 05:36 AM
5,692
rinure on 03-23-2020 09:44 PM
5,698
Cristhofer Munoz on 03-23-2020 09:50 AM
2,879
rinure on 03-19-2020 03:50 PM
30.7K
Alp Babayigit on 03-05-2020 05:38 AM
14.1K
Javier Soriano on 03-05-2020 02:34 AM
8,784
Jon_Shectman on 02-26-2020 07:24 PM
4,101
Cristhofer Munoz on 02-21-2020 01:25 PM
4,475
Nicholas DiCola (SECURITY JEDI) on 02-20-2020 04:13 PM
47.2K
Stefan Simon on 02-13-2020 06:04 AM
10.4K
Jason Wescott on 02-11-2020 01:32 PM
5,103
Pete Bryan on 02-03-2020 10:00 AM
41.4K
Javier Soriano on 01-28-2020 12:28 AM
10.2K
Ofer_Shezaf on 01-19-2020 04:12 AM
25.3K
nirgafni on 01-06-2020 12:39 AM

Latest Comments

This should pull the trick:
let allowlist = datatable (WorkstationName:string, TargetUserName:string) ['x','a', 'y','b', 'z','c'];
let allowlistconcat = toscalar (allowlist | summarize make_list(strcat(WorkstationName, "|", TargetUserName)));
SecurityEvent | where AccountType =~ "User" and EventID ...
0 Likes
@Matt_Lowe Thanks for sharing this ... I'm using this to move logs to storage from sentinel and want to use SP instead of user. Do you know what specific permissions I need to assign to the SP? I tested it with AAD SP with higher privileges with some observations... - On the connection steps it does...
0 Likes
Thanks for the writeup! This seems to cross over a lot with a recent PR on the Github repo that leverages Azure functions instead of a Logic App. It covers Message Blocked, Message Delivered, Clicks Blocked, and Clicks Permitted logs and uses 4 separate tables ProofPointMessageBlocked_CL, ProofPoint...
0 Likes
@Stefan Simon, I'm not able to find the categories Office 365 ... and ThreatManagement. When I run the query to display all alerts I see alerts from ASC and Sentinel but nothing related to Office 365. I see the malware in Quarantine in the O365 portal, but I can't grab this via API calls.
0 Likes
Thank you for sharing with the community.
0 Likes