User Profile
endakelly
Brass Contributor
Joined 7 years ago
Recent Discussions
Dynamic json keys in AuditLogs
I'm trying to get consistent columns from some AuditLogs. The problem is that the json key values are dynamic and change constantly and even the number of json keys can vary. The data I want to extract is in an array called modifiedProperties which is inside another array called TargetResources. ModifiedProperties always has a json key value of 1 which is fine but the items inside have varying json key values. Here is some scrubbed sample output:

modifiedProperties [
  0 {"displayName":"WID","oldValue":null,"newValue":"\"\""},
  1 {"displayName":"Active","oldValue":null,"newValue":"\"\""},
  2 {"displayName":"WorkerID","oldValue":null,"newValue":"\"\""},
  3 {"displayName":"UserID","oldValue":null,"newValue":"\"\""},
  4 {"displayName":"BusinessTitle","oldValue":null,"newValue":"\"\""},
  5 {"displayName":"Company","oldValue":null,"newValue":"\"\""},
  6 {"displayName":"CountryReferenceFriendly","oldValue":null,"newValue":"\"\""},
  7 {"displayName":"CountryReferenceNumeric","oldValue":null,"newValue":"\"\""},
  8 {"displayName":"CountryReferenceTwoLetter","oldValue":null,"newValue":"\"\""},
  9 {"displayName":"LocalReference","oldValue":null,"newValue":"\"\""},
  10 {"displayName":"Municipality","oldValue":null,"newValue":"\"\""},
  11 {"displayName":"PostalCode","oldValue":null,"newValue":"\"\""},
  12 {"displayName":"PreferredFirstName","oldValue":null,"newValue":"\"\""},
  13 {"displayName":"PreferredLastName","oldValue":null,"newValue":"\"\""},
  14 {"displayName":"PreferredNameData","oldValue":null,"newValue":"\"\""},
  15 {"displayName":"StatusHireDate","oldValue":null,"newValue":"\"\""},
  16 {"displayName":"WorkerType","oldValue":null,"newValue":"\"\""},
  17 {"displayName":"BusinessUnit","oldValue":null,"newValue":"\"\""},
  18 {"displayName":"OfficeSite","oldValue":null,"newValue":"\"\""},
  19 {"displayName":"ManagementLevel","oldValue":null,"newValue":"\"\""},
  20 {"displayName":"CostCenter","oldValue":null,"newValue":"\"\""},
  21 {"displayName":"FormattedAddress","oldValue":null,"newValue":"\"\""}
]

Say I want to get the newValue for the attribute UserID. I can do this with

| extend UserIDfield=parse_json(parse_json(TargetResources)[0].modifiedProperties[3])

The issue I encounter is that UserID is not always the third item, it could be any one of them and the number of attributes also changes so it's not in a predictable range. Is there a way I can convert modifiedProperties into columns in a consistent way that is not hard coded?

1.2K Views, 0 likes, 1 Comment

How can I track Windows Update installation dates with Common Events and without Update Management?
We currently have servers forwarding logs to Azure via Security Center and the Microsoft Monitoring Agent. To reduce costs our log level is set to Common Events and we're using the North Europe region. Does anyone know of a way to track the installation dates of Windows Updates in this scenario? Ideally we'd be using Update Management via an Automation account but this is not yet available in the North Europe region and Event 19 from the Windows Event Log is not included in the Common Events tier. Update and UpdateSummary queries don't have installation dates and generate multiple events for a single update being installed.

9.2K Views, 0 likes, 2 Comments

SharePoint/OneDrive activity app@sharepoint
I've just noticed that in the last 24 hours we are seeing a lot of users' office activity in SharePoint and OneDrive be replaced by the UserId mailto:app@sharepoint. There is a common theme here in that the users in question all have user agents of:

Zget/6.0r.208.232253_84 repos/sm/branches/6.0r $Id: .label 232254 2020-05-27 16:36:08Z build $

Has anyone come across this before?

1.5K Views, 0 likes, 1 Comment

Re: Office operations missing username
I've managed to figure this out. A fresh set of eyes will do you good for any problem. It's the samaccountname it seems, which you can find via Exchange powershell.

Get-Mailbox -Identity username@domain.com | fl

Running this command to search by SamAccountName will output the user. This didn't work for me initially because I was using double quotes, but you need to use single quotes to stop the dollar sign from being expanded into a variable: https://stackoverflow.com/questions/17452401/escaping-dollar-signs-in-powershell-path-is-not-working

get-mailbox -resultsize unlimited | where-object {$_.SamAccountName -eq '$1ABCD0-EFGH23456'}

I'm thinking now there could be a way to leverage some of the steps in this blog article to automatically link this attribute to a username via Exchange 365: https://techcommunity.microsoft.com/t5/azure-sentinel/enriching-azure-sentinel-with-azure-ad-information/ba-p/1288805

What you will see as well if you expand the Office Activity logs is that there will often be a similar event logged just before or just after which will have the actual username in it anyway.

1.1K Views, 0 likes, 0 Comments

Logic Apps vs Playbooks and new Sentinel incident trigger
Can someone explain to me the difference between playbooks and logic apps? It seems to me that every playbook is a logic app but not every logic app is really a playbook. To my mind a playbook should be the automated response that kicks off when an event occurs like an incident being created, so the playbook view should only show logic apps with specific triggers. The cross pollination of names and functionality here is confusing, though par for the course in Microsoft products in general. I've just tried to use the new "When Azure Sentinel incident creation rule was triggered" trigger that's just entered preview but I cannot seem to add it to the automated response for my analytics rules even though it's listed in my playbooks. Anybody had any luck with this actually working?

7.3K Views, 1 like, 2 Comments

Re: Matching SharePoint machine ID to Intune
The plot thickens on this one. So I was investigating another incident this morning and copied the machine id and checked it against Intune. Looking at the hardware properties for the user's machines I found an attribute called UDID which is a perfect match 😄 Problem is, this attribute is not exposed in the graph api from what I can see so far using the https://graph.microsoft.com/v1.0/users/UPN/managedDevices query (same with beta). This device was a Mac and this attribute looks to be unique to them. No attributes for Windows have matching Machine IDs. Machine ID is only an attribute on the FileSyncDownloadedFull operation, which isn't a massive deal, but it would be nice to be able to correlate Machine IDs with FileDelete and FolderDelete operations too so you can be sure if a mass delete happened from a managed device or not. Is it possible to have this UDID attribute exposed to the graph api or is there another query I should be using?

8.6K Views, 0 likes, 4 Comments

Re: Matching SharePoint machine ID to Intune
Thijs Lecomte Here is the query:

OfficeActivity
| where TimeGenerated > ago(15m)
| where OfficeWorkload == "SharePoint"
| where Operation in ("FileDeleted", "FileSyncDownloadedFull", "FolderDeleted", "FileDownloaded")
| summarize count() by bin(TimeGenerated, 15m), Operation, UserId, Site_Url, ClientIP
| where count_ > 100
| extend AccountCustomEntity = UserId
| extend IPCustomEntity = ClientIP
| extend URLCustomEntity = Site_Url

The info generated here is the same as what I can see in the Audit Logs in Security and Compliance center. Basically we're alerting for excessive downloads or deletions that might indicate malicious activity.

8.6K Views, 0 likes, 2 Comments

Re: Matching SharePoint machine ID to Intune
Thijs Lecomte I was hoping that but it doesn't appear to be the case from what I can tell. I have a machine ID like this, 547f88ef-15d4-407d-88bd-75d0edf8c7bc, but my Azure AD / Intune device has an ID in a similar format that is completely different. None of my devices appear to match this string.

8.7K Views, 0 likes, 4 Comments

Matching SharePoint machine ID to Intune
I am looking at some SharePoint logs for an alert but I cannot tell if the machine being used is one that is managed by our Intune or not. The machine ID from the SharePoint logs does not correspond to any format in Intune. Is it possible to match these in some way or figure out if the machine is managed from SharePoint logs?

8.8K Views, 0 likes, 11 Comments

Re: SpoolsProvisioning Application Account - High-risk Office Operations
ReganDangerCarey I see this a lot. For us, it's usually a result of an integration with our HCM system e.g. creation of a new mailbox for a new hire. We've had alerts generated by other accounts in the Exchange backend that Azure support assured me were normal (and therefore could be ignored). I have a playbook that runs every five minutes to close incidents that only contain this account as the account entity.

SecurityAlert
| where TimeGenerated > ago(5m)
| where DisplayName == "Rare and potentially high-risk Office operations"
| extend Name_One = tostring(parse_json(Entities)[0].Name)
| extend Name_Two = tostring(parse_json(Entities)[1].Name)
| where Name_One == "SpoolsProvisioning-ApplicationAccount"
| where isempty(Name_Two)

This would also work with the "A response to an Azure Sentinel incident has been generated" trigger I imagine, but I've not tested it.

11K Views, 1 like, 3 Comments

Re: SharePointFileOperation via devices with previously unseen user agents
Christian Bourque Account and IP are defined in the query as custom entities so they should appear in the incident view. You could manually edit the query to add Site_URL as the custom entity for URL to get this information. I have a similar rule to this I've created for operations in SharePoint and I was able to define certain columns as custom entities to make them show in the incident view.

10K Views, 1 like, 3 Comments

Office operations missing username
We get the odd alert through for rare office operations that doesn't seem to have any information on the user or mailbox the operation was performed on. I suspect this may be because the user or mailbox in question has been deactivated but I cannot be sure. We have other logs showing the usernames properly. Here is a sample of an Add-MailboxPermission command that demonstrates this (data has been scrubbed):

[
  { "Name": "Identity", "Value": "mailbox the permissions will allow access to" },
  { "Name": "User", "Value": "<Organisation Exchange Id>\\$001ABC-D12EF3GH4I56" - this normally shows a username },
  { "Name": "AccessRights", "Value": "FullAccess" },
  { "Name": "InheritanceType", "Value": "All" }
]

Does anyone know what this $001ABC-D12EF3GH4I56 parameter is called and how I could map it to an actual user? I cannot seem to find a matching string in Exchange properties.

1.1K Views, 0 likes, 1 Comment

User Entity Behaviour Analytics Preview for Sentinel - Licensing Question
I am interested in signing up for this feature but I wanted to check if there are any specific licences to enable this. We don't have MTP or anything like that. Is that required to use this feature? I get the impression that this would be really useful in enriching the data we see in Sentinel incidents but I want to make sure it's actually available to us in our current licensing.

Thanks,
Enda

2.5K Views, 0 likes, 5 Comments

Re: AWS CloudTrail - "whois" Organization Whitelist
Siedlarczyk95 This may be along the lines of what you are looking for. I wanted to create tickets in an ITSM for alerts in Sentinel and instead of having to constantly look up the location and owner of the IP addresses, I used a rest api call via Logic Apps to get the IP owner (https://ipapi.co/8.8.8.8/org) so this could be added to the ticket on creation. This won't necessarily let you alert for non-Amazon IPs since the alert would've already occurred.

I also wanted to get information on where connections to our Cisco ASA were coming from geographically, so I used another logic app to look up IPs for their location, owner etc. For this you would need a csv file in blob storage with the defined headers you are looking for e.g. IP, Location, Owner. I used a recurringly triggered logic app to run a log analytics query to get a list of IPs and then conditionally check the csv for the IP to make sure it wasn't already there (to avoid going over the api rate limit looking up IPs twice). If the IP isn't in the file, you would then call the api and add the information as a new line to the csv file. You could then use externaldata to look up this information in log analytics and create alerts based on a query that excludes Amazon owned IPs.

I used the code below to generate a map showing the places connections were being made from to our ASA. The URL for the blob was generated by clicking on generate SAS under the storage account > containers > file.

externaldata(ip:string, country_code:string) [h"https://my.blob.core.windows.net/mycontainer/iplookup.csv?sp=sharedaccesssignature"]
| join kind= inner (
    CommonSecurityLog
    | where TimeGenerated {TimeRange}
    | extend day=dayofmonth(TimeGenerated)
    | where Message contains "%ASA: Group <GroupPolicy_VPN> User"
    | parse Message with *"> User <" User ">"*
    | parse Message with *"> IP <" ConnectingIP ">"*
) on $left.ip == $right.ConnectingIP
| distinct User, country_code
| summarize count(User) by country_code

1.9K Views, 0 likes, 0 Comments
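The "Dynamic json keys in AuditLogs" question at the top of this list (picking UserID out of modifiedProperties when its array position changes) has no answer on the page, so here is an added KQL example. It is not code from the thread or from any reply in it. SampleAuditLogs is a constructed datatable standing in for the real AuditLogs table, with invented rows shaped like the scrubbed sample in the question; the values u-12345, u-67890, Contoso and 12345 are made up. The approach is to mv-expand the nested arrays so every property becomes its own row, then fold the rows back into one property bag per event keyed by displayName, which makes the original index irrelevant.

```kql
// Constructed stand-in for AuditLogs (not real tenant data). Against live data,
// replace this let block with `AuditLogs | where OperationName == ...`.
let SampleAuditLogs = datatable(TimeGenerated: datetime, Id: string, TargetResources: dynamic) [
    datetime(2020-06-01T10:00:00Z), "evt-1", dynamic([{"modifiedProperties": [
        {"displayName": "WID",     "oldValue": null, "newValue": "\"\""},
        {"displayName": "UserID",  "oldValue": null, "newValue": "\"u-12345\""},
        {"displayName": "Company", "oldValue": null, "newValue": "\"Contoso\""}
    ]}]),
    // Second event: fewer properties and a different order, UserID is now first.
    datetime(2020-06-01T10:05:00Z), "evt-2", dynamic([{"modifiedProperties": [
        {"displayName": "UserID",     "oldValue": null, "newValue": "\"u-67890\""},
        {"displayName": "PostalCode", "oldValue": null, "newValue": "\"12345\""}
    ]}])
];
SampleAuditLogs
// One row per target resource, then one row per modified property, so the
// position of a property inside modifiedProperties no longer matters.
| mv-expand TargetResource = TargetResources
| mv-expand Prop = TargetResource.modifiedProperties
// newValue is itself a JSON-encoded string (the sample shows "\"\""), so a
// second parse_json strips the embedded quotes and leaves the bare value.
| extend Name = tostring(Prop.displayName),
         NewValue = tostring(parse_json(tostring(Prop.newValue)))
// Fold the property rows back into one bag per audit event, keyed by displayName.
| summarize Props = make_bag(bag_pack(Name, NewValue)) by TimeGenerated, Id
// Turn each displayName into its own column. An event that lacks a property
// simply gets an empty cell in that column.
| evaluate bag_unpack(Props)
```

On the constructed rows this yields two rows with columns TimeGenerated, Id, WID, UserID, Company and PostalCode, with UserID populated for both events even though it sat at a different index in each. If a scheduled rule or workbook needs a fixed schema rather than the dynamic one bag_unpack produces, drop the last line and read individual fields from the bag instead, for example `| extend UserID = tostring(Props.UserID)`; that still works regardless of where UserID appeared in the array. In the real AuditLogs table TargetResources is already a dynamic column, so the outer parse_json from the question is not needed; if the data arrives as a string, wrap it in todynamic() before the first mv-expand.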