User Profile
nafejeries
Copper Contributor
Joined Apr 30, 2020
Recent Discussions
Getting Windows Events
Hi folks, I'm trying to create a query to hunt newly created "Allowed Ports" in Windows Firewall on a VM. The monitoring agent is installed and running, but unfortunately event ID 2004 (firewall rule created) is not considered a Security Event by MS 🙂 Reference below: https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events

My questions:
1. How to hunt for 2004 events?
2. If we install Sysmon on the VM, how to push these events to Azure Sentinel?

BTW: I'm aware of the Windows Firewall connector in Azure Sentinel, but this is for a different case. Thanks

Re: Slow performance after connected to multi threat feeds
CliveWatson, hi. It was around afternoon. No, not access denied: showing "Error" in the workbooks; configuring analytics rules was slow; writing some KQL was taking long, +40 seconds, then I stopped it. Simply, it was a performance issue, and that was my lab. Simply, my configurations were:
1. Connect to 10 feeds from Limo Anomali, using the STIX connector; around 61k log alerts from these feeds within 24hrs.
2. Enable most of the analytics rules for TI, most of them to run every 1 hour for logs from 14 days.
The Engineering team can replicate this config and see 🙂

Slow performance after connected to multi threat feeds
Hi folks, I understand the Threat Intelligence connector is still in (Preview) mode. However, I would like to share my experience with slow performance / unstable workbooks. I have connected 10 feeds from Limo (Anomali); after 24hrs, I can see 61k feed events, which is something normal. After that, I could not query, run a workbook or edit the configurations; I was seeing errors in the dashboards. I ended up deleting my Log Analytics workspace and shifting to a new instance. Please let me know how to avoid such a thing in the future. Thank you