User Profile
tipper1510
Brass Contributor
Joined Sep 22, 2020
Recent Discussions
Using Playbook_ARM_Template_Generator
Hi, Trying to use the Playbook_ARM_Template_generator where a user-assigned managed identity is used for connections. The generator doesn't seem to strip this out and then complains on deployment. Anyone had any success with this? Many thanks, Tim
39 Views | 0 likes | 0 Comments

Unified Portal - Sentinel incident losing set tactics
Hi, Just trialling the unified portal, and incidents in Sentinel seem to lose any tactics set via the analytic rule. Plus the resulting incident has a slightly different title, assume after being converted to 'Defender speak'. We have a standard rule "TI MAP IP entity for Office365" and the incident is "TI Map IP entity for Office365 involving one user", and the tactic is missing even though it's in the original rule? Anyone else experiencing the same? Regards, Tim
471 Views | 0 likes | 1 Comment

String functions within playbooks
Hi, Have the following string that I need to tidy up:
    "hostname","{\r\n \"LastLog\": [\r\n \"2024-06-25T16:15:35.751991Z\"\r\n ]\r\n}"
so it can have:
    hostname 2024-06-25 16:15:35
I have attempted to combine replace statements with no luck... Any ideas... Many thanks, Tim
378 Views | 0 likes | 1 Comment

Re: Use of TimeRange parameter in workbooks
Hi Chris, Thanks for the replies. I think so 🙂 Need to be able to define TimeRange:start 14 days ago and TimeRange:end 7 days ago as my defined time period, as when certain workbooks are used, exact dates and times are used in the TimeRange parameter. Regards, Tim
1K Views | 0 likes | 0 Comments

Use of TimeRange parameter in workbooks
Hi, I use the TimeRange parameter as:
    | where Timestamp >= {TimeRange:start} and TimeGenerated <= {TimeRange:end}
but need to incorporate into:
    | where Timestamp between ( startofday(ago(14d)) .. endofday(ago(7d)) )
Any tips please... Regards, Tim
1.3K Views | 0 likes | 4 Comments

Re: New Threat Intelligence Upload Indicators API data connector
Thanks for that. All the documentation for TIP connections suggests it's the same, so tested by disconnecting the original TI Platform data connector thinking the new data connector would pick up the existing app reg, but no... Regards, Tim
808 Views | 0 likes | 0 Comments

Azure Web App and Integration of KeyVault
Hi, Attempting to use a web app to support the integration of an HTTPS forwarder for Prisma logs. Have created a key vault to store the workspace ID and primary key for the workspace and have turned on the system identity. The managed identity has the required access to retrieve from the key vault. The issue is: where does the key vault get defined within the web app? Any help would be much appreciated. Many thanks, Tim
391 Views | 0 likes | 0 Comments

Uninstall/rebuild 365 Defender
Hi, We deployed 365 Defender over a year ago now on a dev tenant to understand the exact deployment steps for the various suites. Is there a way to uninstall so the latest deployments can be re-run, as I know there are differences now due to updates being made... Thanks...

KQL to show missing or added devices between a time period
Hi, Currently using the following KQL on various tables to check whether the number of devices has changed between the current week and the previous.
    Syslog
    // distinct device count per 7-day bucket
    | summarize count_ = dcount(Computer) by bin(TimeGenerated, 7d)
    | order by TimeGenerated asc
    | serialize
    | extend Type = "syslog"
    // compare each bucket with the previous one (prev() needs a serialized table)
    | extend changeInCount = count_ - prev(count_, 1)
    | extend changeInPct = (changeInCount * 100) / prev(count_, 1)
Has anyone done something similar but where a difference is found the device name(s) can be shown... Any help with this would be much appreciated. Regards, Tim
1.7K Views | 0 likes | 3 Comments

KQL to count current enabled, disabled analytic rules
Hi, Would like some help with a KQL query to count the number of enabled and disabled analytic rules for entry into a workbook. Plus a simple count of connected data connectors so the number reflects the overview number and not all the enabled data types. Many thanks, Tim
3.5K Views | 0 likes | 1 Comment