User Profile
AndreasSky
Copper Contributor
Joined 5 years ago
Recent Discussions
Re: DNS Logs Onboarding
CliveWatson: Thank you for that news. Can't say I was excited to see the solution as is. May I please bother you on another related question? Does the DNS solution (that has a "malicious" field) evaluate the... maliciousness of a DNS lookup as it is now, or is it just future planning? I haven't been able to trigger a reaction from it.
8.5K views, 0 likes, 0 comments

Re: Selective Logs per MMA (Log) Agent?
GaryBushey: Thank you for the immediate answer. Am I correct (as I haven't used Arc before) that the machine needs to be Arc-enabled just on the free tier to deploy/manage this agent? Does the Linux AMA one support Syslog/CEF similarly to the MMA one, or should we use MMA for Syslog/CEF forwarding?
1.7K views, 0 likes, 4 comments

Selective Logs per MMA (Log) Agent? (Solved)
Hello everyone! Am I correct to assume there's currently no way to either select a subset of stuff (say only DNS, only IIS, only Security) from each agent individually or by group? I don't see anything as an option anywhere... but I just want to double check. Andreas
1.7K views, 0 likes, 6 comments

Re: DNS Logs Onboarding
CliveWatson: This is indeed NEEDED (and very well hidden... I'm not mentioning anything because it is tagged as "preview" solution)... to get logs from client requests to pop into Sentinel. My original question and now answer is: on the sub-step mentioned in the guide (DNS Logging and Diagnostics | Microsoft Docs, step "To enable DNS diagnostic logging", substep 5) to enable the analytics, if you click on "do not overwrite" the file grows forever (very very bad for production)... AND it displays in Event Viewer. If you set a limit though (like 102400 == 100MB) then the log is overwritten and it still works FINE for Sentinel BUT... you can't see the logs inside Event Viewer any more. This is a non-issue in production. My suggestion for new implementations: activate Analytics as in the guide and do an nslookup to check if you get a log inside Event Viewer, then follow your link and mess about with the solution config (needed!!!), then do another nslookup and see if the log comes to Sentinel. The moment you start seeing logs flowing to Sentinel you can go back into Event Viewer, disable analytics on DNS for a second and change to overwrite logs as needed (set a 100-1000MB limit depending on the server load) and re-enable (needs a disable else it crashes). You will lose the view from Event Viewer but your server won't get filled with useless logs. If you ever re-register/update the agent you need to mess with the DNS solution config again on the workspace to make it work again btw! Thank you all for your tips. In the end... a lab and lots of trial/error did it. This solution certainly needs better documentation. If anyone from MS sees this I'd be glad to help while I have it recent and can reproduce for snapshots etc. for your guide. Best, Andreas
8.5K views, 0 likes, 2 comments

Attach Playbook (example: send email) to Advanced Multistage Attack Detection (Fusion)
Since we can't edit or copy the default "Advanced Multistage Attack Detection" analytics rule, how are we supposed to attach any Logic App to it firing up? Say if we want to send an email or something. Andreas
1.3K views, 0 likes, 2 comments

Re: DNS Logs Onboarding
GaryBushey: That's ok. I appreciate the answer in any case! I will keep experimenting on lab servers but I am unsure of using it in production as-is. Anyone else that maybe has played with/uses it regularly? Does the log file grow forever? How is this handled on your servers?
8.6K views, 0 likes, 0 comments

Re: DNS Logs Onboarding
GaryBushey: Hmmm, I see... I have done so but I didn't see DNS lookups come through until I also enabled those steps... but I also had to go to the DNS solution and play with settings a bit to have them load up, and that happened after I already followed the previous steps... Do you think these steps are not necessary any more and just installing MMA + playing with the DNS Analytics solution would have done it?
8.6K views, 0 likes, 2 comments

DNS Logs Onboarding (Solved)
Hello everyone! My team and I are starting to onboard on-prem stuff and we thought DNS would be an easy one 🙂 From what I gather from the guide, Windows Server 2016 already has some analytics enabled, but the guide says to turn them on and actually set the logfile to never overwrite (DNS Logging and Diagnostics | Microsoft Docs, step "To enable DNS diagnostic logging", substep 5). Isn't this an issue for production Domain Controller servers? Furthermore, are the steps under "Using ETW consumers" needed to collect logs with the Sentinel/Log Analytics agent? The "DNS Analytics" solution too? Thanking you all in advance for the assist! Andreas
8.7K views, 0 likes, 9 comments