User Profile
CliveWatson
Former Employee
Joined 7 years ago
Recent Discussions
Re: Palo Alto Syslogs to Sentinel
There is an ASIM parser for Palo Alto.
Main docs: https://docs.microsoft.com/en-us/azure/sentinel/normalization
Parsers page: Azure-Sentinel/Parsers/ASimNetworkSession at master · Azure/Azure-Sentinel - https://github.com/
And the parser itself, where that field is normalized: Azure-Sentinel/ASimNetworkSessionPaloAltoCEF.yaml at master · Azure/Azure-Sentinel - https://github.com/

Re: KQL question
SocInABox I just realised the original query was written before we had ipv4_lookup(), so does this change improve things (it's less code at least)?

let IP_Data = external_data(network:string, geoname_id:long, continent_code:string, continent_name:string, country_iso_code:string, country_name:string, is_anonymous_proxy:bool, is_satellite_provider:bool)
    ['https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv'];
let IPs = CommonSecurityLog
| where DeviceVendor == "Fortinet"
// filter out private networks
| where not(ipv4_is_private(SourceIP)) and not(ipv4_is_private(DestinationIP))
| summarize by SourceIP;
IPs
| evaluate ipv4_lookup(IP_Data, SourceIP, network, return_unmatched = true)

Re: Extracting items (over x days) where an AIP label has changed from one value to another...
JMSHW0420 Sorry, I don't have any example data, so this is fake code:

EmailEvents
| where AttachmentCount > 0
// this detects the file and its last timestamp
| summarize arg_max(TimeGenerated, *) by SenderMailFromAddress
// add one ms to make the new time *after* the record was found
| extend endtime = TimeGenerated + 1ms
//
// now see if the item is in EmailItems within the new time period
// join to EmailItems ... by ....
// is the email item seen in this new time window?
| where TimeGenerated between (endtime .. now())

We could also use a datatable to fake the tables you are using. This is what I think EmailEvents may look like (or the key columns at least):

// AttachmentCount is declared as int, so the values are int literals rather than strings
let EmailEvents = datatable(AttachmentCount:int, TimeGenerated:datetime, SenderMailFromAddress:string)
[
    0, datetime(2021-11-04T11:36:42.6616095Z), "clive@fake.com",
    1, datetime(2021-11-03T12:30:53.4764186Z), "clive@morefake.com",
    2, datetime(2021-11-02T12:30:53.4764186Z), "clive@morefake.com"
];
EmailEvents
| where AttachmentCount > 0
| summarize arg_max(TimeGenerated, *) by SenderMailFromAddress
| extend endtime = TimeGenerated + 1ms

Re: Sentinel - Windows Forwarded Events Connector Ingestion issue
Take a look at https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/testing-the-new-version-of-the-windows-security-events-connector/ba-p/2483369 and especially the Get-WinEvent section, to test that the XPath is working.

Re: Sentinel integration with FortiNet firewall and queries
susanthasilva Two things:
1. There are 16 use cases (rules that apply to the Forti data for you to enable).
2. Forti uses CEF (CommonSecurityLog), so you can check what other vendors do in their workbooks or queries and maybe adjust those; typically you only have to alter the DeviceVendor or product columns. However, all vendors have unique data, so more work may be needed.

CommonSecurityLog
| where DeviceVendor == "Fortinet"

Also the Azure Firewall Workbook is a good one to look at for examples.

Re: how to parse Multiline log from the files and ingest into Azure Sentinel
pavankemi That screenshot helps, but you can't see the Table or Column names to be sure. Using the SigninLogs table as an example and the column DeviceDetail, you may just be able to pick a row:

SigninLogs
| where DeviceDetail has "Rich Client"
| project DeviceDetail.browser

DeviceDetail_browser
Rich Client 5.2.2.0
Rich Client 5.2.2.0
Rich Client 5.2.2.0

Other data sources may need parse_json / mv-expand, or an example here.

Re: billing and limit the log size
Billing is actually logged by Bytes used. So if you send 10 Bytes of billable data, that would be billed as a proportion of the per GB price listed on the pricing site https://azure.microsoft.com/en-us/pricing/details/monitor/ e.g. if you think 1GB/day == $2.30 and you only send 0.5GB, you will be charged $1.15, etc.
You can set a billing cap: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/manage-cost-storage#manage-your-maximum-daily-data-volume
Please read the NOTE and WARNING sections on that page, as certain data used by Security isn't blocked by the cap, for good reason.

Re: How to create a parent/child grids in Workbook
It's done by "exporting parameters": https://github.com/microsoft/Application-Insights-Workbooks/blob/a45ae86cd0a441a37ad9525aff67b249352b3c82/Documentation/Interactivity.md#grid-tile-chart-selections
Azure Monitor --> Workbooks --> Public Templates --> Workspace Usage (is one example of a workbook that does this).

Re: AzureActivity - When my cosmos account was actually deleted?
Dimitri Artemov To help with these I use the (little known) "Group Columns" feature, then drag and drop a column heading; you can then simply scroll to the right to see what may be different in each column (or drag and drop other columns into the group). Ultimately many solutions log multiple rows, often looking almost the same apart from the timestamp. Myself, I'd use arg_max to see the last row from each:

...
| extend p = parse_json(Properties)
| extend ResourceDeleted = split(_ResourceId, "/", 8)[0]
| summarize arg_max(TimeGenerated, *) by OperationNameValue

Note: You can replace the "*" with specific named columns, e.g.

| summarize arg_max(TimeGenerated, OperationNameValue, ActivityStatusValue, ResourceDeleted) by OperationNameValue

Re: Sentinel doesn't accept my Security Administrator role
Please check your Access Control (IAM) for the Log Analytics workspace; you need WRITE access (Log Analytics Contributor role). These settings work top to bottom, so you need WRITE to the Workspace first, then the next two; you need all of them to have green ticks.

Re: Print Job Auditing
Are you getting entries in the local event log, seen via Eventvwr, since you enabled the collection? Operations data is normally not on by default and is high volume (see "note" in the link); if the file is full it won't be able to send anything. https://social.technet.microsoft.com/wiki/contents/articles/13308.windows-server-2012-troubleshooting-printing.aspx#PrintService_Event_Log_Channel

Re: Cloud App Security data in Azure Sentinel logs
Metzinger35

McasShadowItReporting
| where TimeGenerated > ago(30d)
| where StreamName has "Global view"
//| where AppTags has "sanctioned"
| project App_Tag = column_ifexists("AppTags", ""), App_Name = column_ifexists("AppName", "")
| summarize Count = toint(dcount(App_Name)) by App_Tag

I don't have this Table, but wouldn't you just let the summarize by use the App_Tag or App_Name to get a count (are you sure you need dcount() rather than count()?). My test is this - where the count is all occurrences of the app name BY the app_tag.

Usage
| project App_Tag = column_ifexists("DataType", ""), App_Name = column_ifexists("Solution", "")
| summarize Count_ = toint(count(App_Name)) by App_Tag
| top 5 by Count_ desc

App_Tag         Count_
Operation       46
SecurityEvent   37
Syslog          37
StorageBlobLogs 37
InsightsMetrics 37

Re: Create alert based on no. of open incidents
ClemFandango2055 For looking at Incidents this may help: Re: How to show amount of query results as entity on incident created in Azure Sentinel - Microsoft Tech Community. You can then use one of the two templates for an example Playbook to send the email.

Re: Monitoring Azure VMWare (AVS)
Are these not just VMs, or at least can you get the VM info from Azure Diagnostics or the MMA? https://docs.microsoft.com/en-gb/azure/azure-vmware/introduction#monitoring-your-private-cloud
They also have REST API support: https://docs.microsoft.com/en-gb/rest/api/avs/ and I see a few entries in ARG:

resources
| where type == "microsoft.avs/privateclouds"

This would probably be enough to build Rules, Workbooks or automation - but I don't have any AVS to test with.
Recent Blog Articles
How to align your Analytics with time windows in Azure Sentinel using KQL (Kusto Query Language)
One of the key things you do in Azure Sentinel is look at data. The data is stored in Azure Monitor Logs (Log Analytics), each row of stored data has a column called TimeGenerated that contains a UT...