User Profile
akshay250692
Brass Contributor
Joined May 12, 2022
Recent Discussions
Custom Entity Mapping
I wrote the KQL below with help from the community, but I am not able to create a custom entity in Set Rule Logic. I need to map the FailedAttempt field, but there is no option for it in the entity field.

    let threshold=2;
    let authenticationWindow = 5m;
    let Logs = SigninLogs
    //| where UserPrincipalName == "email address removed for privacy reasons"
    | where UserPrincipalName == "email address removed for privacy reasons"
    | where ResultDescription has_any ("Invalid username or password", "Invalid on-premise username or password");
    Logs
    | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by bin(TimeGenerated, authenticationWindow), UserPrincipalName, ResultDescription, AppDisplayName, IPAddress, Location
    | join kind=inner (
        Logs
        | summarize FailedAttempt = count() by ResultDescription, UserPrincipalName, AppDisplayName, IPAddress, Location
        | where FailedAttempt >= ["threshold"]
    ) on UserPrincipalName, AppDisplayName, ResultDescription, IPAddress, Location
    | project-away UserPrincipalName1, AppDisplayName1, ResultDescription1, IPAddress1, Location1

Only these fields are coming, so how can I map FailedAttempt?
Solved
Re: KQL query
I tried this one and it's working:

    let threshold=1;
    let authenticationWindow = 5m;
    let Logs = SigninLogs
    | where UserPrincipalName == "email address removed for privacy reasons"
    | where ResultDescription has_any ("Invalid username or password", "Invalid on-premise username or password");
    Logs
    | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by bin(TimeGenerated, authenticationWindow), UserPrincipalName, ResultDescription, AppDisplayName, IPAddress, Location
    | join kind=inner (
        Logs
        | summarize FailedAttempt = count() by ResultDescription, UserPrincipalName, AppDisplayName, IPAddress, Location
        | where FailedAttempt >= ["threshold"]
    ) on UserPrincipalName, AppDisplayName, ResultDescription
    | project-away UserPrincipalName1, AppDisplayName1, ResultDescription1, IPAddress1, Location1

KQL query
Hi Team, we want failed attempts within a 5m duration, but the query stops at the last line. Please correct me.

    let threshold=1;
    let authenticationWindow = 5m;
    SigninLogs
    | where UserPrincipalName == "email address removed for privacy reasons"
    | where ResultDescription has_any ("Invalid username or password", "Invalid on-premise username or password")
    | summarize FailedAttempt = count() by ResultDescription, UserPrincipalName, AppDisplayName
    | where FailedAttempt >= ["threshold"]
    | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by bin(TimeGenerated, authenticationWindow), FailedAttempt, UserPrincipalName, AppDisplayName

The last line is getting an error for TimeGenerated.
unable to find logs
Hi Guys, I'm writing the KQL below but the result is showing "nothing". Kindly help me.

    let ExeList = dynamic(["powershell.exe","cmd.exe","wmic.exe","psexec.exe","cacls.exe","rundll32.exe"]);
    Event
    | where EventID==4688
    | extend EvData = parse_xml(EventData)
    | extend EventDetail = EvData.DataItem.EventData.Data
    | extend CommandLine = EventDetail.[8].["#text"],
             TargetUserName = EventDetail.[10].["#text"],
             SubjectUserName = EventDetail.[1].["#text"],
             TargetUserSid = EventDetail.[9].["#text"],
             SubjectUserSid = EventDetail.[0].["#text"],
             NewProcessName = tolower(EventDetail.[5].["#text"]),
             ParentProcessName = EventDetail.[13].["#text"],
             SubjectDomainName = EventDetail.[2].["#text"]
    | where NewProcessName in (ExeList)

NewProcessName looks like "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe". How do I write the last line so that the let statement matches?
how to exclude ip along with port
Hi Team, I have created one rule and want to exclude 2 destination IPs along with destination port 445. How should it be written? Below is my query:

    let deviceIP = (_GetWatchlist('qwe') | project SearchKey);
    CommonSecurityLog
    | where DeviceVendor =~ "Palo Alto Networks" and DeviceProduct =~ "PAN-OS" and Activity =~ "THREAT"
    | where Computer !in (deviceIP) and DeviceCustomString4 == "GP_VPN" or DeviceCustomString4 == "GP_partnervpn" and DeviceAction =~ "alert"
    | where DeviceEventClassID != "url" and LogSeverity !in ("1", "2", "3")
    | where DestinationPort != "L" and DestinationIP !in ("x.y.z.x", "q.w.e.r", "a.s.d.f")
    | parse kind=regex flags=U AdditionalExtensions with * "cat=" Category ';'*
    | project TimeGenerated, Subtype = DeviceEventClassID, SourceIP, SourceTranslatedAddress, Source_Ports=strcat(SourcePort), SourceUserName, DestinationIP, DestinationTranslatedAddress, DestinationPorts = strcat(DestinationPort), DestinationUserName, Protocol, ApplicationProtocol, RequestURL, Rules=DeviceCustomString1, Category, FirewallNames = Computer, SourceZone = DeviceCustomString4, DestinationZone = DeviceCustomString5

Now I have to exclude 2 destination IPs (x.d.r.t, c.f.t.y) with destination port (445). I wrote it this way but it did not work:

    | where DestinationPort != "445" and DestinationIP !in (x.d.r.t, c.f.t.y)

The above line excludes all 445-related logs with any IP, but I just want to exclude (x.d.r.t, c.f.t.y) with only 445. If IP (x.d.r.t, c.f.t.y) comes with any other port, the logs should come, and except for IPs (x.d.r.t, c.f.t.y), all logs on destination port 445 should come.
KQL Queries
Hi Team, please help us to write KQL. We have created a rule with the help of the "SecurityAlert" table, but due to the last line it's not working. We don't want a particular command line alert; how can it be excluded from the alert?

    | where commandline !contains "f:\abc\xyz\comhost.exe"

    SecurityAlert
    | extend EntitiesDynamicArray = parse_json(Entities)
    | mv-expand EntitiesDynamicArray
    | extend Entitytype = tostring(parse_json(EntitiesDynamicArray).Type)
    | where Entitytype in~ ("host","process")
    | extend hostname = EntitiesDynamicArray.HostName
    | extend commandline = EntitiesDynamicArray.CommandLine
    | where commandline !contains "f:\abc\xyz\comhost.exe"

Please help us to resolve the last line.
Solved
Re: call all watchlist column entity in incident.
GBushey This is the query below:

    let Watchlist = (_GetWatchlist('xyz') | project SearchKey);
    DeviceNetworkEvents
    | where LocalIP in (Watchlist) or RemoteIP in (Watchlist)

Below are the watchlist columns, which are IPAddress, Provider and MalwareName. How can all columns be included in the above query?
call all watchlist column entity in incident.
We have created a watchlist which has 3 columns. So if any incident is triggered from the watchlist, we should get all entities in the incident. We have created the watchlist based on ThreatIntel. It has 3 columns: IPAddress, MalwareName, Provider. So far we have projected only "IPAddress" from the watchlist in the analytical rule, but we want IPAddress along with MalwareName and Provider in the incident. Can someone help regarding KQL for the above situation?
Re: How to combined query with same table.
    CommonSecurityLog
    | where Activity in ("TRAFFIC", "THREAT")
    | extend SessionEndReason_CF = extract('reason=([^;]+)',1, AdditionalExtensions)
    | extend ThreatContentName_CF = extract('cat=([^;]+)',1, AdditionalExtensions)
    | extend thr_category_CF = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions)

Up to here I'm good. Now in the same table "CommonSecurityLog" there is another activity called "SYSTEM" which also has a "cat" field, the same "cat" field as in the above query for activity "THREAT". If I apply the query, the SYSTEM "cat" overlaps with the THREAT "cat", so I want a separate column for each "cat" field so that the overlap does not happen. I want to merge the above query with the query below:

    | where Activity in ("SYSTEM")
    | extend EventID_CF = extract('cat=([^;]+)',1, AdditionalExtensions)

Is it possible?
Recent Blog Articles
No content to show