User Profile
Aman_Khan
Copper Contributor
Joined Jul 06, 2021
Recent Discussions
Re: Onboarding Ivanti Application Control logs to Azure Sentinel
Ended up forwarding Ivanti logs to a Windows Event Collector server: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/forward-on-premises-windows-security-event-logs-to-microsoft/ba-p/3040784 In my case filtered to only the event IDs pertaining to AppSense, i.e. 9***, e.g. "ForwardedEvents!*[System[(EventID=9000)]]"

Sentinel Alert- Querying multiple Entities
Hi team, Trying to build an alert in Sentinel: when a phish report is submitted by users, an email containing sender, recipient and subject is sent to the ops team. Query I have built in my logic app to run when the alert is received:

SecurityAlert
| where AlertName == "Email reported by user as malware or phish"
| extend Sender = parse_json(Entities)[1].Sender
| extend Reported_by = parse_json(Entities)[1].Recipient
| extend Subject = parse_json(Entities)[1].Subject
| where isnotnull(Reported_by)
| project TimeGenerated, Reported_by, Sender, Subject

This works fine; however, if the alert contains more than one entity, how can I include all of them in one query? For example, if I wanted to include parse_json(Entities)[0].Sender, parse_json(Entities)[1].Sender, parse_json(Entities)[2].Sender and so on. A wildcard doesn't seem to work: parse_json(Entities)[*].Sender hasn't worked. Is there a way to loop through all entities? Thank you.
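The question above asks for every Sender in the Entities array rather than the one at a fixed index. KQL has no `[*]` wildcard; the idiomatic tool is `mv-expand`, which turns the parsed array into one row per entity, after which the rows can be filtered and, if needed, collapsed back to one row per alert with `summarize`. The following is an added example, not code from the original post. The `SecurityAlert` rows are a constructed `datatable`, and the entity shape (a `Type` field equal to `mailMessage` next to `Sender`, `Recipient` and `Subject`, alongside a `mailbox` entity that has none of those) is an assumption about how the reported-phish alert is populated; confirm it against a real alert before relying on the `Type` filter.

```kql
// Constructed stand-in for the SecurityAlert table: one alert whose Entities JSON array
// holds a mailbox entity and two mailMessage entities (entity shape is an assumption).
let SampleAlerts = datatable(TimeGenerated:datetime, SystemAlertId:string, AlertName:string, Entities:string) [
    datetime(2021-07-06 09:15:00), "a1b2c3", "Email reported by user as malware or phish",
    '[{"$id":"2","MailboxPrimaryAddress":"alice@contoso.com","Type":"mailbox"},{"$id":"3","Sender":"billing@evil.example","Recipient":"alice@contoso.com","Subject":"Invoice overdue","Type":"mailMessage"},{"$id":"4","Sender":"hr@evil.example","Recipient":"alice@contoso.com","Subject":"Payroll update","Type":"mailMessage"}]'
];
SampleAlerts   // in the Logic App, use SecurityAlert here
| where AlertName == "Email reported by user as malware or phish"
| mv-expand Entity = parse_json(Entities)        // one row per array element, whatever its index
| where tostring(Entity.Type) == "mailMessage"   // account/mailbox entities carry no Sender or Subject
| extend Sender = tostring(Entity.Sender),
         Reported_by = tostring(Entity.Recipient),
         Subject = tostring(Entity.Subject)
| where isnotempty(Reported_by)
// collapse back to one row per alert so the Logic App sends a single email per alert
| summarize Senders = make_set(Sender), Subjects = make_set(Subject), Reported_by = make_set(Reported_by)
            by SystemAlertId, TimeGenerated
```

With the sample data this returns one row for alert `a1b2c3` whose `Senders` set holds both addresses. Drop the final `summarize` if the Logic App iterates over results with a For each and should send one email per reported message; the `isnotempty` check replaces the original `isnotnull`, because a missing dynamic field often surfaces as an empty string after `tostring` rather than as null.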
Onboarding Ivanti Application Control logs to Azure Sentinel
Hi all, Just wondering if anyone has onboarded https://www.ivanti.com.au/products/application-control logs to Azure Sentinel?
- Log source is on-prem (no cloud presence, nor a connector available in Sentinel)
- Product does not support Syslog or CEF
- To extract logs from the central management server you can use a database query (DbConnect in the Splunk world), OR
- To extract logs from clients you can extract logs from every client in either XML or CSV format
Has anyone onboarded these logs before or have any suggestions? Thank you
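For the Windows Event Collector route that the reply above settled on for this question, two things a practitioner wants beyond the single-ID XPath shown there: a filter that captures the whole 9xxx block, and a query that confirms forwarded events are actually arriving per client, since a forwarder that silently stops is the usual failure of a WEF pipeline. This is an added example, not code from either thread. It assumes the Windows Forwarded Events connector writing to the `WindowsEvent` table (the XPath in the leading comment is the DCR-style query and the 9000-9999 range is assumed from "9***"), the rows are a constructed `datatable`, and the provider name `AppSense` is a placeholder rather than a verified value; the query groups by `Provider` precisely so the real name can be read off live data.

```kql
// DCR XPath for the Windows Forwarded Events connector covering the whole 9000-9999 block
// (assumed range; the reply above used a single ID):
//   ForwardedEvents!*[System[(EventID >= 9000 and EventID <= 9999)]]
//
// Constructed stand-in for the WindowsEvent table: three forwarded events from two clients.
// "AppSense" as Provider is a placeholder, not a verified provider name.
let SampleEvents = datatable(TimeGenerated:datetime, Computer:string, Channel:string, Provider:string, EventID:int) [
    datetime(2021-07-06 08:00:00), "WS01.contoso.local", "ForwardedEvents", "AppSense", 9000,
    datetime(2021-07-06 08:05:00), "WS01.contoso.local", "ForwardedEvents", "AppSense", 9005,
    datetime(2021-07-06 06:30:00), "WS02.contoso.local", "ForwardedEvents", "AppSense", 9000
];
let Clock = datetime(2021-07-06 09:00:00);   // fixed clock for the sample; use now() in production
SampleEvents   // in production: WindowsEvent
| where Channel == "ForwardedEvents" and EventID between (9000 .. 9999)
| summarize Events = count(), LastSeen = max(TimeGenerated), EventIDs = make_set(EventID) by Computer, Provider
| extend Stale = LastSeen < Clock - 1h   // no events in the last hour: check the WEF subscription on that client
| order by Stale desc, LastSeen asc
```

On the sample data `WS02.contoso.local` comes out with `Stale == true` (last event at 06:30, clock at 09:00) and `WS01.contoso.local` with `Stale == false`; scheduled as an analytics rule against `WindowsEvent` with `now()` in place of `Clock`, the `Stale` rows are the clients whose forwarding needs attention.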