User Profile
CliveWatson
Former Employee
Joined Nov 07, 2018
User Widgets
Recent Discussions
Re: Palo Alto Syslogs to Sentinel
There is a ASIM parser for Palo Main docs: https://docs.microsoft.com/en-us/azure/sentinel/normalization Parsers page: Azure-Sentinel/Parsers/ASimNetworkSession at master · Azure/Azure-Sentinel - https://github.com/ and the parser itself, where that field is normalized: Azure-Sentinel/ASimNetworkSessionPaloAltoCEF.yaml at master · Azure/Azure-Sentinel - https://github.com/Re: KQL question
SocInABox I just realised the original query was before we had ipv4_lookup(), so does this change improve things (its less code at least)? let IP_Data = external_data(network:string,geoname_id:long,continent_code:string,continent_name:string ,country_iso_code:string,country_name:string,is_anonymous_proxy:bool,is_satellite_provider:bool) ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv']; let IPs = CommonSecurityLog |where DeviceVendor == "Fortinet" //filter out private networks |where not(ipv4_is_private(SourceIP)) and not(ipv4_is_private(DestinationIP)) |summarize by SourceIP ; IPs | evaluate ipv4_lookup(IP_Data, SourceIP, network, return_unmatched = true)Re: Extracting items (over x days) where an AIP label has changed from one value to another...
JMSHW0420 Sorry I don't have an example data so this is fake code EmailEvents | where AttachmentCount > 0 // this detects the file and its last timestamp | summarize arg_max(TimeGenerated, *) by SenderMailFromAddress // add one ms to make the new time *after* the record was found | extend endtime = TimeGenerated + 1ms // // now see if the item is in EmailItems within the new time period // join to EmailItems ... by .... // is the email item seen in this new time window? | where TimeGenerated between (endtime .. now()) We could also use a datatable to fake the tables you are using, this is what I think EmailEvents may look like (or the key columns at least) let EmailEvents = datatable(AttachmentCount:int, TimeGenerated:datetime, SenderMailFromAddress:string) [ "0", datetime(2021-11-04T11:36:42.6616095Z),"clive@fake.com", "1", datetime(2021-11-03T12:30:53.4764186Z),"clive@morefake.com", "2", datetime(2021-11-02T12:30:53.4764186Z),"clive@morefake.com" ]; EmailEvents | where AttachmentCount > 0 | summarize arg_max(TimeGenerated, *) by SenderMailFromAddress | extend endtime = TimeGenerated + 1msRe: Sentinel integration with FortiNet firewall and queries
susanthasilva Two things, 1. There are 16 use cases (rules that apply to the Forti data for you to enable) 2. Forti uses CEF (CommonSecurityLog), so you can check what other vendors do in their workbooks or queries and maybe adjust those, typically you only have to alter the DeviceVendor or product columns. However all vendor have unique data so more work maybe needed. CommonSecurityLog | where DeviceVendor == "Fortinet" Also the Azure Firewall Workbook is a good one to look at for examples.Re: how to parse Multiline log from the files and ingest into Azure Sentinel
pavankemi That screen shot helps, but you cant see the Table or Column names to be sure. Using SigninLogs table as an example and the column DeviceDetail You may just be able to pick a row: SigninLogs | where DeviceDetail has "Rich Client" | project DeviceDetail.browser DeviceDetail_browser Rich Client 5.2.2.0 Rich Client 5.2.2.0 Rich Client 5.2.2.0 Other data sources may need parse_json / mv-expand or an example hereRe: How to create a parent/child grids in Workbook
Its done by "exporting parameters" https://github.com/microsoft/Application-Insights-Workbooks/blob/a45ae86cd0a441a37ad9525aff67b249352b3c82/Documentation/Interactivity.md#grid-tile-chart-selections Azure Monitor --> Workbooks --> Public Templates --> Workspace Usage (is one example of a workbook that does this)Re: AzureActivity - When my cosmos account was actually deleted?
Dimitri Artemov To help with these I use the (little known) "Group Columns" feature, then drag and drop a column heading, you can then simply scroll to teh right to see what maybe different in each column (or drag and drop other columns into the group). Ultimately many solutions log multiple rows, often looking almost the same apart from the timestamp. Myself I'd use arg_max to see the last row from each ... | extend p=parse_json(Properties) | extend ResourceDeleted=split(_ResourceId, "/", 8)[0] | summarize arg_max(TimeGenerated,*) by OperationNameValue Note: You can replace the "*" with specific named columns e.g. | summarize arg_max(TimeGenerated,OperationNameValue, ActivityStatusValue, ResourceDeleted) by OperationNameValueRe: Print Job Auditing
Are you getting entries in the local eventlog seen via Eventvwr since you enabled the collection, operations data is normally not on my default and high volume (see "note" in the link), if the file is full it wont be able to send anything? https://social.technet.microsoft.com/wiki/contents/articles/13308.windows-server-2012-troubleshooting-printing.aspx#PrintService_Event_Log_ChannelRe: Cloud App Security data in Azure Sentinel logs
Metzinger35 McasShadowItReporting | where TimeGenerated > ago(30d) | where StreamName has "Global view" //| where AppTags has "sanctioned" | project App_Tag = column_ifexists("AppTags", ""), App_Name = column_ifexists("AppName", "") | summarize Count = toint(dcount(App_Name)) by App_Tag I don'f have this Table but wouldn't you just let the summarize by use the App-Tag or App_name to get a count (are you sure you need dcount() rather than count() ?). My test is this - where the count is all occurrences of the app name BY the app_tag. Usage | project App_Tag = column_ifexists("DataType", ""), App_Name = column_ifexists("Solution", "") | summarize Count_ = toint(count(App_Name)) by App_Tag | top 5 by Count_ desc App_Tag Count_ Operation 46 SecurityEvent 37 Syslog 37 StorageBlobLogs 37 InsightsMetrics 37Re: Create alert based on no. of open incidents
ClemFandango2055 For looking at Incidents this may help Re: How to show amount of query results as entity on incident created in Azure Sentinel - Microsoft Tech Community you then you can use one of the two templates for an example Playbook to send the emailRe: Monitoring Azure VMWare (AVS)
Are these not just VMs, or at least you can get the VM info from Azure Diagnostic or the MMA? https://docs.microsoft.com/en-gb/azure/azure-vmware/introduction#monitoring-your-private-cloud They also have Rest API support: https://docs.microsoft.com/en-gb/rest/api/avs/ and I see a few entries in ARG resources | where type == "microsoft.avs/privateclouds" This would probably be enough to build Rules, Workbooks or automation - but i dont have any AVS to test with.
