User Profile
SocInABox
Iron Contributor
Joined Oct 28, 2019
Recent Discussions
How to use KQL to associate alerts with incidents?
There is no method I'm aware of to use KQL to query from an alertID to an incident or vice versa. Please provide KQL examples for querying between XDR incidents and alerts. These queries should be independent of the SecurityIncident table, which is only available when Sentinel is connected to XDR. Thank you.

Re: Scanning Salesforce with Purview / Connector Exception: Can not retrieve access token.
Great to hear! I was also struggling with OAuth all week with PingID and creating a DCE/DCR, but got it working. Understanding 3rd party APIs and all the different authentication methods is certainly a learning curve.

Re: MS Defender Azure Arc Logic App
Hi Salamat, The Logic App generated $18k in utilization costs? At $0.0.000025 per action, that would take 400 million actions, yes? What was it doing? Or are you saying that's the total P2 costs including Defender for Cloud resources ($5/resource), Defender for Server deployment, etc.? My approach to Defender for Server is:
- Use the Defender for Server cost calculation workbook to 'simulate' your expected costs.
- Deploy Defender for Cloud on your resources (i.e. the CSPM part...)
- Deploy Defender for Cloud workload protections (i.e. the CWPP part..)
- Monitor costs daily/weekly until deployment is complete.
And as you suggested, setting cost alerts/caps is a great idea.

Re: Help Ingesting PingID Logs into Microsoft Sentinel
Hi colinc10, I'm also testing out PingID log ingestion. There may be 2 options:
- Webhook configuration - PingOne supports webhooks - so you'd need to set up a DCE/DCR configuration which uses a SAS token in the URL to authenticate - Ping doesn't support OAuth, so I think a SAS token/URL would be the only way. I'm hoping to try this method this week.
- Syslog - IF the Ping Federate syslog connector also pulls in the PingID logs then that's a supported method - have you tried this?

Re: Scanning Salesforce with Purview / Connector Exception: Can not retrieve access token.
Hi Matthias, Are you sure it's not expecting an OAuth connection? In which case you would need to authenticate to get the token and then use the token for the final connection. There are many features still catching up with OAuth on both the Microsoft and 3rd party sides.

Re: Is there a way to use or convert YARA rule to Sentinel KQL query for detections
Related questions: Do you guys know who keeps the best/current YARA rules? Which rules would you say have the most value? Identity? EDR? I'd imagine it would be painful to use YARA against low level logs like Windows events unless they're specific events like PowerShell.

Re: Parsing XML in Azure Sentinel
TS-noodlemctwoodle CliveWatson How did you get XML into Sentinel? I'm looking at a flat file XML which contains linefeeds, so that doesn't work. Do you need to strip out the line feeds in the case of a DCR reading a flat file, then use parse_xml() once the logs are in Sentinel? If so, are there some scripts out there (for Windows) for stripping out the linefeeds? Thanks!

Can Sentinel ingest XML flat files using a DCR?
I have a Windows server in Azure that generates XML log files. I'd like to use a DCR to pull these logs into Sentinel. I'm familiar with the procedure for pulling flat files into a custom table in Sentinel; however, I don't see an option in the DCR for XML files. I've tried both the text file and JSON file formats, but when the logs come into Sentinel they're split up over multiple rows. How do I pull XML formatted flat files into Sentinel from a Windows server in Azure? Thanks!

Azure Activity - any good KQL queries?
Hi there, just wondering if there are any good Azure Activity queries out there, e.g.:
- User related changes
- Non-user related changes (managed identities etc.)
The out of the box Sentinel workbooks don't seem to get very granular on Azure Activity - just high level metrics. Here's an example for tracking user related changes:

AzureActivity
| extend scope = parse_json(tostring(Authorization)).scope
| extend RoleDefinitionId_ = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).Properties)).RoleDefinitionId)
| extend PrincipalId_ = tostring(parse_json(tostring(parse_json(tostring(parse_json(Properties).requestbody)).Properties)).PrincipalId)
| where Authorization contains "subscriptions" or scope contains "resourceGroups"
| extend resource_ = tostring(parse_json(Properties).resource)
| where ResourceProviderValue <> ""
| where ResourceProviderValue <> "MICROSOFT.OPERATIONSMANAGEMENT"
| where ResourceProviderValue <> "MICROSOFT.OPERATIONALINSIGHTS"
| where OperationNameValue <> "MICROSOFT.EVENTGRID/REGISTER/ACTION"
| summarize by Caller, CategoryValue, Level, OperationNameValue, ResourceProviderValue, ActivityStatusValue, RoleDefinitionId_, PrincipalId_

(And if there's a KQL query for resolving the RoleDefinitionId UUID, that would be cool.) Your feedback is appreciated!

Creating an Azure Activity logging policy via Sentinel for 1 or more subscriptions.
Hi there, I have questions about the proper procedure for configuring the Azure Activity Log Connector in Sentinel.
The 'old' way, which still seems to work, and it's easy: Activity Log > Export Activity Logs > enable diagnostics for EACH subscription and point to the Log Analytics workspace - done!
The 'new' way: Sentinel > Azure Activity Log Connector > create a policy to pull the logs.
It's this 'new' way I have questions about, e.g. are my assumptions correct:
- It is NOT recommended to assign this policy at the root tenant level - this will fail unless you apply additional roles to the global admin - correct?
- It IS recommended to assign this policy at either a subscription level or a subscription group level - correct?
- For any existing subscriptions you may need to apply a remediation, as the policy will only apply to NEW resources - correct?
Your experience on this matter is appreciated.

Any examples of using dynamicsummary on Sentinel?
Hi there, Has anyone tried using summarization tables in Sentinel? I can't find any examples of how it works and/or KQL query examples. Reference: https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/dynamicsummary Thanks!

Re: How to get AWS CloudWatch alerts using the new Sentinel AWS connector.
Yes Javaripa, I also mentioned that to Microsoft but with no reply. I don't mind the manual method; however, it should be written to work with the CloudWatch best practices alerts and there's nothing in the Microsoft docs for that.

Re: How to get AWS CloudWatch alerts using the new Sentinel AWS connector.
Thanks Clive_Watson. Yes, I've read that procedure several times, but there's nothing in there about setting up the AWS side for CloudWatch. In fact, if you follow that procedure it's very easy to accidentally log EVERYTHING from AWS CloudTrail and cost you thousands of dollars per month.

How to get AWS CloudWatch alerts using the new Sentinel AWS connector.
Hi there, I'd like to collect AWS CloudWatch logs to Sentinel. (I'm not much of an AWS user but I can get around.) Here's what I'd like to do:
#1 - Enable AWS CloudTrail and dump Management logs to an S3 bucket - done
#2 - Configure an SQS queue so Sentinel can pull events from AWS - done
#3 - Configure CloudWatch alerts to monitor specific events as recommended here: https://docs.aws.amazon.com/securityhub/latest/userguide/cloudwatch-controls.html
#4 - Configure CloudWatch to send alerts to the SQS queue so Sentinel can get them.
I think I've done #1 to #3 but I don't know how to do #4. (The Sentinel connector side is done - that was the easy part..) Has anyone configured AWS CloudWatch to send alerts to Sentinel? Your help is greatly appreciated. Thanks.