Log Data
Parsing syslog

1. I am ingesting firewall logs as syslog and trying to parse out the fields accordingly using the split command. I have a problem that the beginning of the logs is not piped, and I have made the split in 2 occasions. As you can see in the attached pic, the FWD|UDP|p4| fields are not parsed out. This is the _raw syslog message:

    Security F180 Block: FWD|UDP|p4|192.168.x,x|67|00:15:5d:0f:c4:01|255.255.255.255|68|bootpc||LAN-2-INTERNET|4017|0.0.0.0|0.0.0.0|0|1|

2. Can you show me the same using normal regex? I can't see in the MSFT doc how to do it the old way 🙂

3. Should I do the parsing at search time of the query? Doesn't it increase the search time?

Searching Historical Logs for Threat Intelligence Matches

Hello all, I was just wondering what the best or most efficient way to search logs for threat intelligence IOCs was. I saw a previous post explaining how to do it if you would like to search a large amount of values via watchlist, but I would like to do it only for threat intelligence IOCs. I have a search below that works for IP addresses and can also be applied to file hashes.

    ThreatIntelligenceIndicator
    | where isnotempty(NetworkIP)
    | summarize by ThreatIntelIP=NetworkIP
    | join (
        Network_MetaParser
        | where isnotempty(SrcIpAddr)
        | summarize by SrcIpAddr, DstIpAddr, EventProduct, DvcAction, DstPortNumber, NetworkProtocol, TimeGenerated
    ) on $left.ThreatIntelIP == $right.DstIpAddr

My question is regarding URL/domain names. How do I search my logs for any URLs/domains that match or contain the URL/domain values from threat intelligence? I've tried doing something like the below, but it doesn't seem to work. Any suggestions would be greatly appreciated!

    | summarize by URL
    | where isnotempty(URL)
    | where URL has_any (ThreatIntelligenceIndicator)

Need Clarification on "Update user" operation in Audit Log

Hello Sentinel Community, I recently came across an event in my Azure Sentinel instance that I'm seeking clarification on. The event shows an operation labeled "Update user" and the display name as "StrongAuthenticationPhoneAppDetail identified by Azure MFA StrongAuthenticationService." Could someone please help me understand what this event signifies and what type of activity the end user might have performed? Specifically, I'm curious about the implications of the "Update user" operation and how it relates to Azure Multi-Factor Authentication (MFA) settings. Any insights or guidance on where to find more information would be greatly appreciated.

Where Cloudshell issued commands are logged?

Hi, I'm writing a monitoring rule (KQL) for identifying PowerShell and/or CloudShell issued commands. For PowerShell, it is 'trivial' using "SecurityEvent" data. However, I didn't find how/where the logs for commands issued using CloudShell are. Just adding some context: I'm willing to monitor the reconnaissance phase (e.g. CloudShell: > Get-AzResource). Could you give me some direction on where to find those log lines, if they exist? Thanks in advance.

How to Prevent Duplicate Incidents from Being Generated due to Long Data Look Back

Hey everyone, We are facing an issue with regards to our rules on Sentinel, and that is when we create a rule and, in its logic, we configure the query to look up data from longer times, say the last 14 days, this rule is going to get triggered whenever it sees the same event during those 14 days again and again whenever the query runs, and it is going to create the same incident (with a different ID). For example, the event X has happened today. The query detects it, and the rule generates an incident for it. We then analyse and finally close this incident. If our query runs, for example, every 2 hours, on the next run, since the rule looks up data from the past 14 days, it again sees the event X and it is going to create another incident with the same attributes for it, only with a different incident ID. And alert grouping does not work here since it doesn't work on closed alerts. Since we need the rule to look up the past 14 days, is there any way to prevent the creation of the same incidents on each query run for the same events? Thank you so much in advance for your kind help.

More than 10 failed logins per user and device

Hello, I have been working with a query that is very useful, but I want it to show me the username of the person as well as the device used. I am using a pre-built query I found to detect more than 10 failed logins. As well, I want to be able to search for a specific name of a person in our company. Thanks. Here is the query that I have been using.

    // Sample query to detect if there are more than 10 failed logon authentications on high value assets.
    // Update DeviceName to reflect your high value assets.
    // For questions @MiladMSFT on Twitter or email address removed for privacy reasons
    DeviceLogonEvents
    | where ActionType == "LogonFailed"
    | summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn
    | where LogonFailures > 10
    | project LogonFailures, DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn
    | sort by LogonFailures desc