User Profile
Princely
Copper Contributor
Joined 4 years ago
Recent Discussions
Alternative to using 'top' operator with a calculated variable
I was wondering if anyone knows a workaround to using the 'top' operator along with a variable calculated at runtime. As can be seen by running the sample query below, Sentinel doesn't seem to like a calculated value being passed as an argument to top and returns a "'top' operator: Failed to resolve scalar expression named 'a'" error. Commenting out the last line indicates the value of 'a' is being displayed in the query result.

let x=5;
let y =2;
SecurityAlert
| summarize count() by AlertName
| extend a = x-y
| top a by count_ asc

I need this functionality for playbook automation to isolate hosts. I want to be able to cap the isolation to a limit (e.g. 5) per day and every time the rule query is run (i.e. if the query returns 10 hosts, only isolate the first 5 if there were no hosts isolated in the past day). I think the 'top' operator would fit this requirement; however, I am seeing the error mentioned above. I am trying to get the number of hosts that can be isolated based on the number previously isolated in the past day and the number of results returned by the current query run. This is calculated by subtracting the number of hosts isolated in the past day from the limit and returning only that number of hosts to be isolated (e.g. if 2 hosts have been isolated in the past 24 hours, and the current query run returns 5 hosts, only the first 3 should get isolated since the limit is 5). I was wondering if there is another way of accomplishing this?

Thanks,
Princely Dmello

Solved · 1.2K Views · 0 likes · 2 Comments

Seeing multiple instances of 'InBoundHostVerticalPortScan' on domain controllers.
While going through the timeline of a domain controller in Defender, I came across multiple occurrences of 'InBoundHostVerticalPortScan' events which seemed suspicious. Searching for this event indicates this was seen sourcing from multiple internal hosts. This event seems to look for multiple connection attempts to ports from a source IP within a time threshold, which is what I'm seeing for the dns.exe (DNS resolution), lsass.exe (authentication), svchost.exe -k RPCSS (network services) processes. Can I get a confirmation if this is correct? Is it possible to know what criteria is being used to generate the event, as the activity itself doesn't seem like a vertical port scan? We are seeing a single port on the domain controller (e.g. port 53 for dns.exe) being accessed by multiple hosts for the events generated. I have included an event screenshot for reference.

1.7K Views · 0 likes · 1 Comment

Adding ASR rule exclusions based on command line
Hello,

I was wondering if it is possible to exclude a process from being blocked if a specific file is observed in its command line? We have a situation where the 'AsrPsexecWmiChildProcessAudited' rule is triggering on "WmiPrvSE.exe" launching the "msiexec.exe" process. Looking at the command line for "msiexec.exe" indicates it is launching a known legitimate file "xxx.msi". It would not be a good idea to exclude "msiexec.exe" as it can be used to arbitrarily execute any code. Would adding an ASR rule exclusion on the "xxx.msi" file exclude the event in the scenario mentioned above from being blocked? The existing documentation doesn't seem to cover this scenario:

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus?view=o365-worldwide
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus?view=o365-worldwide

Thanks,
Princely

Solved · 6K Views · 0 likes · 2 Comments

Defender not correctly reporting ASR rule status.
Hello,

I am using the following query to get the statistics on ASR rules on a host and their status:

DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2500", "scid-2501", "scid-2502", "scid-2503", "scid-2504", "scid-2505", "scid-2506", "scid-2507", "scid-2508", "scid-2509", "scid-2510", "scid-2511", "scid-2512", "scid-2513", "scid-2514")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable, Context) by DeviceName, ConfigurationId
//Uncomment next line if you want a report on only devices where Auditing is not enabled
//| where Context contains "Off"
| extend Test = case(
    ConfigurationId == "scid-2500", "BlockMailExe",
    ConfigurationId == "scid-2501", "BlockOfficeChildProc",
    ConfigurationId == "scid-2502", "BlockOfficeExe",
    ConfigurationId == "scid-2503", "BlockOfficeInjection",
    ConfigurationId == "scid-2504", "BlockJavaScriptVBScriptExe",
    ConfigurationId == "scid-2505", "BlockObfuscatedScripts",
    ConfigurationId == "scid-2506", "BlockOfficeMacroW32API",
    ConfigurationId == "scid-2507", "BlockUntrustedExecutables",
    ConfigurationId == "scid-2508", "AdvancedRansomwareProtection",
    ConfigurationId == "scid-2509", "BlockCredentialStealing",
    ConfigurationId == "scid-2510", "BlockProcPSexecWMI",
    ConfigurationId == "scid-2511", "BlockUnsignedEXEonUSB",
    ConfigurationId == "scid-2512", "BlockOfficeCommunicationChildProc",
    ConfigurationId == "scid-2513", "BlockAdobeReaderChildProc",
    ConfigurationId == "scid-2514", "BlockWMIPersist",
    "N/A"),
  Result = case(IsApplicable == 0, "N/A", Context contains "Audit", "AUDITED", "OFF")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceName
| evaluate bag_unpack(Tests)

This is however returning results indicating there are no ASR rules in block mode. But running the following query indicates there are ASR block events being generated:

DeviceEvents
| where ActionType startswith 'Asr'
| summarize EventCount=count() by ActionType

What could be the reason for the incorrect reporting?

Regards,
Princely Dmello

Solved · 4.6K Views · 0 likes · 3 Comments

Is it safe to disable the 'Microsoft Defender for Endpoint' connector in Sentinel
We recently noticed that the 'Microsoft Defender for Endpoint' connector is no longer sending logs to Sentinel instances for the clients we manage. These now seem to be forwarded through the 'Microsoft 365 Defender (Preview)' connector. However, I am seeing Sentinel instances where the 'Microsoft 365 Defender (Preview)' connector has not been enabled still receiving MDE logs. I was wondering if it is safe to enable the 'Microsoft 365 Defender (Preview)' connector and disable the 'Microsoft Defender for Endpoint' connector, or if that would affect the log forwarding?

Regards,
Princely Dmello

777 Views · 0 likes · 0 Comments

Unable to save query to alert on no sensor data as a custom detection rule
Hello,

I am trying to create a custom alert for an agent not reporting sensor data using the following query, which runs fine but there is an error in it per MDE, which won't let me save this as a custom detection rule:

'Can't save detection rule The query contains syntax errors and cannot be used to create a detection rule. Please fix errors in the query and try again.'

KQL Query:

DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ('scid-2000', 'scid-2001')
| extend Test = case(
    ConfigurationId == "scid-2000", "SensorEnabled",
    ConfigurationId == "scid-2001", "SensorDataCollection",
    "N/A"),
  Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed), DeviceName = any(DeviceName) by DeviceId
| evaluate bag_unpack(Tests)
| where SensorEnabled == "GOOD" and SensorDataCollection == "BAD"
| summarize by DeviceName, DeviceId

Can someone point out something I am missing here?

Thanks,
Princely Dmello

2.2K Views · 0 likes · 1 Comment

Unusual user names being granted full access to mailboxes in OfficeActivity logs
We are seeing logs in the 'OfficeActivity' table in Sentinel with usernames of the type 'NAMPRXXXXX\\$XXX-XXX' being granted full access permissions to mailboxes by admin users. This is not a valid username we are able to identify. I tried searching for these 'NAMPRXXXXX\\$XXX-XXX' usernames in the 'OfficeActivity' table for the past 60 days with no other results. I am guessing these usernames are being generated dynamically. Is it possible to get more information on what these 'NAMPRXXXXX\\$XXX-XXX' usernames are and if they correspond to a valid user account?

Solved

Does the 'Hide Alert' option in Defender remove the data from the corresponding table?
We are trying to suppress an alert based on a command line containing a specific file name, which doesn't seem to currently be possible. We were planning to instead suppress alerts based on the process name and create a custom detection rule to exclude command lines containing the specific file name and alert on the rest. My question is, will the alert data still be present in the 'AlertInfo' and 'AlertEvidence' tables after creating the suppression rule with the 'Hide Alert' option, or should we be using the "Resolve Alert" option instead?

1.3K Views · 0 likes · 0 Comments
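For the discussion "Alternative to using 'top' operator with a calculated variable" above, the following is an added KQL example (editor's addition, not code from the original post or its replies). 'top' only takes a constant row count, so the example sorts first, numbers the rows with row_number(), and filters on the computed value as an ordinary column. The values of x and y are assumed placeholders standing in for the daily cap and the count of hosts already isolated; in a real playbook y would be produced by the playbook's own record of isolations.

```kusto
// Added example, not from the original post: cap the rows returned to a count
// computed at query time without passing a non-constant to 'top'.
let x = 5;   // daily isolation cap (assumed placeholder value)
let y = 2;   // hosts already isolated in the past 24 hours (assumed placeholder value)
SecurityAlert
| summarize count() by AlertName
| order by count_ asc          // same ordering 'top a by count_ asc' would apply
| extend rn = row_number()     // row_number() needs a serialized input; 'order by' provides it
| extend a = x - y             // rows still allowed today; 0 or less yields no rows at all
| where rn <= a
| project-away rn
```

Because the comparison is done per row, the cap behaves exactly as the post wants: with x = 5 and y = 2, only the first three rows survive, and once y reaches the cap the query returns nothing, so the playbook has no hosts to isolate until the window rolls over.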
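For the discussion "Defender not correctly reporting ASR rule status." above, the Result expression in the posted query can only ever produce "N/A", "AUDITED" or "OFF": any Context value that does not contain "Audit" falls through to "OFF", so a rule in block mode is reported as off. The following is an added KQL example (editor's addition, not code from the original post or its replies) that tests each mode explicitly and keeps an "UNKNOWN" bucket for anything it did not anticipate. It assumes that Context contains the strings "Block" and "Warn" for those modes, in the same way the posted query relies on it containing "Audit" and "Off".

```kusto
// Added example, not from the original post: classify each ASR rule's mode
// explicitly instead of treating "not Audit" as "Off".
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-2500", "scid-2501", "scid-2502", "scid-2503", "scid-2504",
                            "scid-2505", "scid-2506", "scid-2507", "scid-2508", "scid-2509",
                            "scid-2510", "scid-2511", "scid-2512", "scid-2513", "scid-2514")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable, Context) by DeviceName, ConfigurationId
| extend Result = case(
    IsApplicable == 0,        "N/A",
    Context contains "Block", "BLOCK",    // assumed marker for block mode
    Context contains "Warn",  "WARN",     // assumed marker for warn mode
    Context contains "Audit", "AUDITED",
    Context contains "Off",   "OFF",
    "UNKNOWN")                            // surfaces any Context value not matched above
| summarize Devices = dcount(DeviceName) by ConfigurationId, Result
| order by ConfigurationId asc, Result asc
```

Run this first as a per-rule summary; if "UNKNOWN" appears for a rule, inspect its raw Context values and adjust the markers before folding the classification back into the pack()/make_bag() per-device report from the post.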