User Profile
msef280
Copper Contributor
Joined Mar 05, 2021
Recent Discussions
ASF settings in anti-spam policies Recommendation
Hi Team, I need some help with EOP's "ASF settings in anti-spam policies" settings, as we have the "standard" option set up, so it is auto turned off. Now my question is, if I turn it on, is there any chance that I may not receive legitimate emails as the protection becomes much stricter, or can I enable some features which won't have a major impact on the environment? Any suggestion would be appreciated.

Take Actions On Incidents
Hi Team, So I am new to "Defender" & I did receive an alert, but I am confused: on that alert, do I need to take any action? I mean, how do I know the alert I am getting is being blocked? The alert is something about "unauthorized attempt was made by admin", but I don't see anything which states that the attack has been blocked.

Monitor Different Tenant Using Microsoft Sentinel
Hi Team, We have a license for our current tenant, but we are getting a new domain with a separate tenant which will be using O365. Can I monitor the new domain using my existing subscription, & also what will be the cost for that, or is it included with Sentinel?

Rule To Detect Ransomware
Hi, I am trying to build a rule to detect ransomware. I was following the rule "Advanced multistage attack detection", but most of the log sources it has look like they are coming from Microsoft products, although it does have something called "Raw logs from other sources", so does it mean that it will analyze all other data that is coming into my environment? We will be doing a ransomware simulation, so I want to create a rule to observe on Sentinel so that when the simulation starts, I can track unusual activity. Any suggestion would be appreciated.

Windows Logs to Sentinel Through Syslog Server
Hi Team, I am trying to send the Windows server, security, and DNS logs to our syslog server & then push them to Azure Sentinel. If someone can provide me the steps, that would be great. We are not using the agent method (data connectors) as our environment is trying to avoid that.

Need Help With Sentinel Regex
Hi Team, I am trying to capture the following text, & when I write this query in Regex101 it does capture, but in Sentinel it is not capturing. I know we need to use the "extend" command as well, but I am just wondering how I can use the REGEX command in Sentinel, or if there is any resource I can follow going forward for Sentinel Regex, as I do need to extract multiple data sources. Any help would be appreciated.
ACTUAL TEXT: [ TIME_GENERATED = 1634230921 ] [ RECORD_NUMBER = 1957461798 ] [ EVENT_TYPE = 8 ] [ EVENT_TYPE_TEXT = Success ] [ DOMAIN = HOUDOM ]
Query I wrote in REGEX101: \D\sRECORD_NUMBER\s\W\s(\d)+\s\D

Analytics rule: Successful logon from IP and failure from a different IP
Hi All, I am trying to understand the concept behind the rule "Successful logon from IP and failure from a different IP". So it is triggering multiple alerts, & it does match the condition because I see two different IPs. Common codes I am seeing are "50058, 50126, 50076 & 50173". We do have a VPN in place, so one of the IPs I do see sometimes is coming from the VPN. I am trying to find out what will be the best way to check if this is a true positive or a false positive?

Not Able To See SharePoint Logs on Azure Sentinel
Hi Team, We have enabled "Office 365 - SharePoint" logs, but we don't see any logs coming to Sentinel. It shows green status for the "data connector" & also the "SharePoint" option is selected, but I still don't see any data. Can someone let me know what other things I should check to make sure I am getting the data?

Re: Raw Logs Download (Sentinel)
Thanks a lot guys for the reply 🙂 So what I am trying to see is all 5 events of this alert, which I am unable to see. It does tell me that 5 failures happened, that's why the alert got created, but I am not able to see those 5 events. (see screenshot attached)

Raw Logs Download (Sentinel)
Hi Team, Is there any way I can download the raw log from Sentinel? I am investigating an alert from the Sentinel default template "Brute force attack against Azure Portal" which basically has my name, but I want to see how the alert got generated. I know the threshold is "5" by default, but if I can see the logs too then I will be sure that this is how it happened. Still learning Sentinel, so any help would be appreciated 🙂

Wrapper Script Installation Giving Error (URL NEEDS TO BE BYPASSED)
We have SSL inspection enabled & we did bypass "https://raw.githubusercontent.com", so this one is working, but next it is going to https://github.com/ & we are receiving the same SSL error, so we might need to bypass this URL as well. Can someone let me know what other URLs need to be bypassed in order to install the agent on Linux? The list I have is from https://docs.microsoft.com/en-us/services-hub/health/mma-setup which we already included, but I believe we still have links missing. If someone can provide the full list, that will be great:
*.ods.opinsights.azure.com
*.oms.opinsights.azure.com
*.blob.core.windows.net
*.azure-automation.net
raw.githubusercontent.com