User Profile
akshay250692
Brass Contributor
Joined 3 years ago
User Widgets
Recent Discussions
Custom Entity Mapping
I written below KQL with help from community but not able to create custom entity in Set Rule Logic. I need to mappingFailedAttempt field but no option in entity field. let threshold=2; let authenticationWindow = 5m; let Logs = SigninLogs //| where UserPrincipalName == "email address removed for privacy reasons" | where UserPrincipalName == "email address removed for privacy reasons" | where ResultDescription has_any ("Invalid username or password", "Invalid on-premise username or password"); Logs | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by bin(TimeGenerated, authenticationWindow), UserPrincipalName, ResultDescription, AppDisplayName, IPAddress, Location | join kind=inner ( Logs | summarize FailedAttempt = count() by ResultDescription, UserPrincipalName, AppDisplayName, IPAddress, Location | where FailedAttempt >= ["threshold"] ) on UserPrincipalName, AppDisplayName, ResultDescription, IPAddress, Location | project-away UserPrincipalName1, AppDisplayName1, ResultDescription1, IPAddress1, Location1 only these field are coming so how can i map faild attemptKQL query
Hi Team, we want failed attempt with in 5m duration but query is stopped for last line. Please correct me. let threshold=1; let authenticationWindow = 5m; SigninLogs | where UserPrincipalName == "email address removed for privacy reasons" | where ResultDescription has_any ("Invalid username or password", "Invalid on-premise username or password") | summarize FailedAttempt = count() by ResultDescription, UserPrincipalName, AppDisplayName | where FailedAttempt >= ["threshold"] | summarize StartTimeUtc = min(TimeGenerated), EndTimeUtc = max(TimeGenerated) by bin(TimeGenerated, authenticationWindow), FailedAttempt, UserPrincipalName, AppDisplayName Last line getting error forTimeGeneratedunable to find logs
Hi Guys, I m writing below KQL but result is showing "nothing". Kindly help me. let ExeList = dynamic(["powershell.exe","cmd.exe","wmic.exe","psexec.exe","cacls.exe","rundll32.exe"]); Event | where EventID==4688 | extend EvData = parse_xml(EventData) | extend EventDetail = EvData.DataItem.EventData.Data | extend CommandLine = EventDetail.[8].["#text"],TargetUserName = EventDetail.[10].["#text"], SubjectUserName = EventDetail.[1].["#text"], TargetUserSid = EventDetail.[9].["#text"], SubjectUserSid = EventDetail.[0].["#text"], NewProcessName = tolower(EventDetail.[5].["#text"]), ParentProcessName = EventDetail.[13].["#text"], SubjectDomainName = EventDetail.[2].["#text"] | where NewProcessName in (ExeList) NewProcessName looks like "C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" how to write a last line so let statement match ?how to exclude ip along with port
Hi Team, I have created one rule and want to exclude 2 destination ip along with port destination port 445. how it will write ? Below is my query let deviceIP = (_GetWatchlist('qwe') | project SearchKey); CommonSecurityLog | where DeviceVendor =~ "Palo Alto Networks" and DeviceProduct =~ "PAN-OS" and Activity =~ "THREAT" | where Computer !in (deviceIP) and DeviceCustomString4 == "GP_VPN" or DeviceCustomString4 == "GP_partnervpn" and DeviceAction =~ "alert" | where DeviceEventClassID != "url" and LogSeverity !in ("1", "2", "3") | where DestinationPort != "L" and DestinationIP !in ("x.y.z.x", "q.w.e.r", "a.s.d.f") | parse kind=regex flags=U AdditionalExtensions with * "cat=" Category ';'* | project TimeGenerated, Subtype = DeviceEventClassID, SourceIP, SourceTranslatedAddress, Source_Ports=strcat(SourcePort),SourceUserName, DestinationIP, DestinationTranslatedAddress, DestinationPorts = strcat(DestinationPort), DestinationUserName,Protocol,ApplicationProtocol, RequestURL, Rules=DeviceCustomString1, Category, FirewallNames = Computer, SourceZone = DeviceCustomString4, DestinationZone = DeviceCustomString5 now i have to exclude 2 destination ip (x.d.r.t, c.f.t.y) with destination port (445) i wrote in this way but not worked. | where DestinationPort != "445" and DestinationIP !in (x.d.r.t, c.f.t.y) above line exclude all 445 related logs with any ip. but i just want exclude(x.d.r.t, c.f.t.y) with only 445. if ip(x.d.r.t, c.f.t.y) come with any other port logs should come. or except ip (x.d.r.t, c.f.t.y) all logs come in 445 destination port.call all watchlist column entity in incident.
We have created watchlist which is having 3 column. So if any incident is triggered from watchlist, we should get all entities in incident. We have created watchlist based on ThreatIntel. It have 3 column like IPAddress, MalwareName, Provider. So we have projected in watchlist only "IPAddress" in analytical rule. but we want IPAddress along withMalwareName, Provider in incident. Can someone help to regarding KQL for above situation ?How to combined query with same table.
Hi Guys, I am adding new column in CommonSecurity Table. But i am having issue in kql quey. Please help me. This is Palo alto related logs. As "cat" field is in both Threat and System. So it is going to overlap. thats why i have to run query with "OR" operator so Threat "cat" field will not overlap with System "cat" field. Please help me. . CommonSecurityLog | where Activity in ("TRAFFIC", "THREAT") | extend SessionEndReason_CF = extract('reason=([^;]+)',1, AdditionalExtensions) | extend ThreatContentName_CF = extract('cat=([^;]+)',1, AdditionalExtensions) | extend thr_category_CF = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions) combined with "OR" condition | where Activity == "SYSTEM" | extend EventID_CF = extract('cat=([^;]+)',1, AdditionalExtensions)how to add custom field in "CommonSecurityLog" Table
Hi Guys, I am adding new column in CommonSecurity Table. But i am having issue in kql quey. Please help me. This is Palo alto related logs. As "cat" field is in both Threat and System. So it is going to overlap. thats why i have to run query with "OR" operator so Threat "cat" field will not overlap with System "cat" field. Please help me. . CommonSecurityLog | where Activity in ("TRAFFIC", "THREAT") | extend SessionEndReason_CF = extract('reason=([^;]+)',1, AdditionalExtensions) | extend ThreatContentName_CF = extract('cat=([^;]+)',1, AdditionalExtensions) | extend thr_category_CF = extract('PanOSThreatCategory=([^;]+)',1, AdditionalExtensions) combined with "OR" condition | where Activity == "SYSTEM" | extend EventID_CF = extract('cat=([^;]+)',1, AdditionalExtensions)
