User Profile
ahhann
Copper Contributor
Joined Jan 25, 2022
Recent Discussions
Re: Unified Security Operation Sentinel Vs Defender Tables
Echoing this, not all environments have the budget to ingest Device****** events into Sentinel, given the huge volume of events it produces. Thus you have an option right now to both save cost and correlate the information from the Sentinel end, under the Unified SOC portal. You need to look into the monetary benefits of this integration as well, not only the technical feasibility. Hope my 2 cents help.

SentinelHealth - Analytic Rules failed to run
Hi Community, anyone know what the so-called "TemporaryIssuesDelay" is? Code: TemporaryIssuesDelay. Description: The rule's running was delayed due to temporary issues. Microsoft documentation didn't explain much on the error: https://learn.microsoft.com/en-us/azure/sentinel/monitor-analytics-rule-integrity

Inaccurate TimeGenerated value in CommonSecurityLog
Hi, I'm facing a weird issue where the TimeGenerated value is inaccurate when we use the query condition | where TimeGenerated >= ago() See here: As you can see above, the time is in the future compared to my local time at the bottom right. But if I use | where TimeGenerated between() or if I use the portal GUI Time Range, it is able to return the correct TimeGenerated value: We noticed this issue after the Linux Log Relay server timezone was changed from JST to UTC, then changed back to JST again. The server has been rebooted 3 times, which I believe means the rsyslog and AMA services would also have taken effect on the timezone change. Urgently need advice on this as it will certainly disrupt our Analytic Rules as well as Hunting queries.

Re: Trend Micro XDR Data connector
Clive_Watson How do you even get the rest of the table to appear? I'm using the default API role in TM Vision One, which is the one with the SIEM role, generated a simulation alert, and Workbench can see those alerts. But still no logs appeared in Sentinel after 12 hours. Documentation on the API account is not detailed and is confusing.

Re: How to correlate Security Alert Entities further with a WorkList
Thanks for the pointer, got it working:

let domain = "@";
let watchlist = (_GetWatchlist("SuspiciousUser") | project SearchKey);
SecurityAlert
| extend EntitiesDynamicArray = parse_json(Entities)
| mvexpand EntitiesDynamicArray
| extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type)
| where Entitytype == "account"
| extend username = tostring(parse_json(EntitiesDynamicArray).Name)
| extend UPN = tostring(parse_json(EntitiesDynamicArray).UPNSuffix)
| extend useraccount = strcat(username, domain, UPN)
| where useraccount in (watchlist)
| project TimeGenerated, DisplayName, useraccount, Entities

How to correlate Security Alert Entities further with a WorkList
Hi all, newbie to Sentinel. In an old-school SIEM, one can easily correlate specific Security Alert entities with a watchlist via data schema mapping. However, for Sentinel, I notice that the Entities in Security Alert come in a nested format, where I cannot do a simple 1-to-1 map to a watchlist to further correlate. I have a request to further correlate any SecurityAlert | where DisplayName == "Create incidents based on ADB2C Identity Protection Risky Signin" with a watchlist containing highly suspicious users, Name + UPN. The Entities of the event come in this format:

Entities [{"$id":"3","Url":"[\"unfamiliarFeatures\"]","Type":"url"},{"$id":"4","Address":"1.2.3.4","Type":"ip"},{"$id":"5","Name":"someuser","UPNSuffix":"gmail.com","IsDomainJoined":true,"Type":"account"}]

TLDR: How to create an analytic rule to alert on any SecurityAlert "Create incidents based on ADB2C Identity Protection Risky Signin" with a WatchList?
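The following is an added example, not code from either post above: it reproduces the logic of the KQL query in the reply (expand the nested Entities array, keep only Type == "account", build Name + "@" + UPNSuffix, and test it against the watchlist) as offline Python, so the mapping can be unit-tested against the Entities payload quoted in the question before it is turned into an analytic rule. The SecurityAlert rows and the watchlist keys are constructed stand-ins; the rule DisplayName filter is the one from the question. It goes one step beyond the posted query in one respect: the KQL `in` operator is case-sensitive (KQL offers `in~` for case-insensitive matching), so the matcher takes a flag that shows both behaviours.

```python
import json

# Constructed stand-in rows for the SecurityAlert table. The first Entities
# payload is the one quoted in the question; the IP and user names are placeholders.
RISKY_SIGNIN_RULE = "Create incidents based on ADB2C Identity Protection Risky Signin"

SAMPLE_ALERTS = [
    {
        "TimeGenerated": "2022-01-25T10:00:00Z",
        "DisplayName": RISKY_SIGNIN_RULE,
        "Entities": json.dumps([
            {"$id": "3", "Url": "[\"unfamiliarFeatures\"]", "Type": "url"},
            {"$id": "4", "Address": "1.2.3.4", "Type": "ip"},
            {"$id": "5", "Name": "someuser", "UPNSuffix": "gmail.com",
             "IsDomainJoined": True, "Type": "account"},
        ]),
    },
    {
        "TimeGenerated": "2022-01-25T10:05:00Z",
        "DisplayName": RISKY_SIGNIN_RULE,
        "Entities": json.dumps([
            {"$id": "4", "Address": "5.6.7.8", "Type": "ip"},
            # Mixed case on purpose: exercises the case-sensitivity flag below.
            {"$id": "5", "Name": "Other.User", "UPNSuffix": "example.com", "Type": "account"},
        ]),
    },
    {
        "TimeGenerated": "2022-01-25T10:10:00Z",
        "DisplayName": "Some other rule",
        "Entities": json.dumps([
            {"$id": "5", "Name": "someuser", "UPNSuffix": "gmail.com", "Type": "account"},
        ]),
    },
]

# Constructed stand-in for: _GetWatchlist("SuspiciousUser") | project SearchKey
SAMPLE_WATCHLIST = ["someuser@gmail.com", "other.user@example.com"]


def account_keys(entities_json: str, domain: str = "@") -> list:
    """Equivalent of the mvexpand / where Type == "account" / strcat chain.

    Returns one "Name@UPNSuffix" key per account entity in the Entities column.
    """
    try:
        entities = json.loads(entities_json)
    except (json.JSONDecodeError, TypeError):
        return []  # parse_json on garbage yields nothing usable; treat as no entities
    keys = []
    for entity in entities if isinstance(entities, list) else []:
        if not isinstance(entity, dict) or entity.get("Type") != "account":
            continue
        name, suffix = entity.get("Name"), entity.get("UPNSuffix")
        if not name or not suffix:
            # strcat in KQL would produce "name@" here, which can never equal a
            # full UPN on the watchlist; skipping makes that outcome explicit.
            continue
        keys.append(f"{name}{domain}{suffix}")
    return keys


def match_watchlist(alerts, watchlist, display_name=None, case_insensitive=True):
    """Return (TimeGenerated, DisplayName, useraccount) for alerts whose account
    entity is on the watchlist, optionally restricted to one rule DisplayName.

    case_insensitive=True corresponds to KQL `in~`; False mirrors the posted
    query's `in`, which is case-sensitive.
    """
    norm = (lambda s: s.casefold()) if case_insensitive else (lambda s: s)
    wanted = {norm(k) for k in watchlist}
    hits = []
    for row in alerts:
        if display_name is not None and row["DisplayName"] != display_name:
            continue
        for key in account_keys(row["Entities"]):
            if norm(key) in wanted:
                hits.append((row["TimeGenerated"], row["DisplayName"], key))
    return hits


if __name__ == "__main__":
    for hit in match_watchlist(SAMPLE_ALERTS, SAMPLE_WATCHLIST, RISKY_SIGNIN_RULE):
        print(hit)
```

Running the module prints the two risky-sign-in alerts whose account entity is on the watchlist; with case_insensitive=False only the exact-case "someuser@gmail.com" row survives, which is the behaviour the posted query's `in (watchlist)` clause has if watchlist SearchKey values and entity names differ in case.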