User Profile

roadruner

Copper Contributor

Joined Oct 29, 2020

10 Posts1 Solution

View All Badges

User Widgets

Recent Discussions

Re: Can a single Syslog Log forwarder VM get logs from multiple Log Sources?
Pending on how much data your sending. and from how many sources... if its a lot i would be scale setting the vm. Last i read one box can do close to 10k eps.. Here i a great link to to an arm template that does the scale set and everything else you need. For redhat and ubuntu. https://github.com/Azure/Azure-Sentinel/tree/master/DataConnectors/CEF-VMSS reference from - https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/scaling-up-syslog-cef-collection/ba-p/1185854
Feb 20, 2022 Place Microsoft Sentinel
1.4KViews
0likes
0Comments
Re: windows DHCP server logs to Sentinel
great thanks , i take it i would see these dhcp logs , under Log Management/Event in Sentinel ?
Nov 05, 2020 Place Microsoft Sentinel
15KViews
0likes
0Comments
Re: windows DHCP server logs to Sentinel
hi, would this be for on prem servers or servers in azure. or both ? how does sentinel know which servers to pull data from ? or is it capturing dhcp events from anywhere? thanks
Nov 04, 2020 Place Microsoft Sentinel
16KViews
0likes
2Comments
Re: windows DHCP server logs to Sentinel
thanks , i saw a similar solution via this url .. i’ll give it a whirl and see what happens https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-windows-events
Nov 03, 2020 Place Microsoft Sentinel
16KViews
0likes
3Comments
windows DHCP server logs to Sentinel
Does anyone know how to ingest Windows DHCP server logs to Sentinel ? thanks
Solved
Nov 03, 2020 Place Microsoft Sentinel
16KViews
0likes
10Comments
Re: Watchlist and query
GaryBushey Thanks! This worked. Just replaced sourceip to destip. and .found the test hits to the list. either way works.
Oct 30, 2020 Place Microsoft Sentinel
6.3KViews
0likes
0Comments
Re: Watchlist and query
GaryBushey Hmm ok, thanks. How can i search one table? say CommonSecurityLog I tried this but no dice. CommonSecurityLog let ClearedIPAddresses=_GetWatchlist('test1'); Heartbeat | join ClearedIPAddresses on $left.ComputerIP == $right.IPAddress
Oct 30, 2020 Place Microsoft Sentinel
6.4KViews
0likes
2Comments
Re: Watchlist and query
GaryBushey Thanks I tracked the error I had, which was the columns. It runs with no errors now. I did run a quick test and hit one of the ip's in watchlist and then ran the query and no results found. Does the query search out all of sentinel? I tried just putting CommonSecurityLog to see if it would just search through those logs, since that's where the hit should be. Here is what i tried, didn't work. CommonSecurityLog let ClearedIPAddresses=_GetWatchlist('test1'); Heartbeat | join ClearedIPAddresses on $left.ComputerIP == $right.IPAddresses
Oct 30, 2020 Place Microsoft Sentinel
6.4KViews
0likes
4Comments
Re: Watchlist and query
GaryBushey Hi, i tried that query with alias of test1 which is alias of watchlist and received an error, let ClearedIPAddresses=_GetWatchlist('test1'); Heartbeat | join ClearedIPAddresses on $left.ComputerIP == $right.IPAddress error is 'join' operator: failed to resolve Column named "IPAddress" my csv file has the name IP Addresses in first cell then next cells below the actual ip addresses. What do you mean by cleared? The ip's I would have in my list would be IOC's, thus checking to see if any machines were hitting them. thanks again
Oct 30, 2020 Place Microsoft Sentinel
6.4KViews
0likes
6Comments
Watchlist and query
new to kql here, is it possible to build a query that search's across logs looking for machines that connected to any of ip addresses in the watchlist? Any examples ? Plan would be to turn that query into a log analytic rule to create events and eventually a playbook. thanks
Solved
Oct 29, 2020 Place Microsoft Sentinel
6.8KViews
0likes
9Comments

Recent Blog Articles

No content to show