KQL query in sentinel for users first activity
Hi all, since I am new to writing queries I would really appreciate your help. I need to write a query that will show a specific users first activity and last activity in a day. I need to also project which activity it was and to sum it all up, I need the results to be in a row for each day. I would really appreciate any suggestions or help. Thank you
Integration of Microsoft Sentinel & Microsoft TEAMS for integration of alerts
What are some of the best methods and strategies to start implementing an integration between Sentinel and TEAMS where when there are certain instances or alerts occurring, said alerts can be pinged to certain members on Microsoft TEAMS like through the use of playbooks, automations and setting up a API connection to integrate the two.'MICROSOFT-CORP-MSN-AS-BLOCK' is violating Conditional Access Policy (CAP)
Hello folks, I have a CAP that prevents log-ins from foreign countries. I have excluded 'United States' in the 'Location' condition as well. I am getting a lot of incidents titled "Attempt to bypass conditional access rule in Azure AD" and when I went to investigate the logs, I found two IP addresses: ["40.71.237.118","40.71.238.151"] common for all the users. VirusTotal lists both of them as MICROSOFT-CORP-MSN-AS-BLOCK. Have you guys faced a similar situation or know the remedy for this?
Issue with Sentinel Template Analytic Rule: TI map IP entity to CommonSecurityLog
The template Analytic Rule named "TI map IP entity to CommonSecurityLog" only generates detections when the IOC matches SourceIP. Customers relying on the template rule are not getting detections when the NetworkIP field from ThreatIntelligenceIndicator matches the DestinationIP field from CommonSecurityLog. Problematic KQL from the Analytic Rule: | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP) Issue: Given that every log in CommonSecurityLog should have both SoureIP and DestinationIP, "isnotempty(SourceIP)" will always be true, and the above KQL will only set CS_ipEntity as the SourceIP. DestinationIP is ignored. Quickly developed solution (for Palo-Alto logs in CommonSecurityLog): Note: This rule excludes blocked traffic let dt_lookBack = 1h; let ioc_lookBack = 14d; //Match IOC NetworkIPs on SourceIP let TISourceMatch = ThreatIntelligenceIndicator | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | where Active == true // Picking up only IOC's that contain the entities we want | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP) // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty. // Taking the first non-empty value based on potential IOC match availability | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated | join kind=innerunique ( CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) | extend CS_ipEntity = SourceIP | extend CommonSecurityLog_TimeGenerated = TimeGenerated) on $left.TI_ipEntity == $right.CS_ipEntity ; //Match IOC NetworkIPs on DestinationIP let TIDestinationMatch = ThreatIntelligenceIndicator | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now() | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId | where Active == true // Picking up only IOC's that contain the entities we want | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP) // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty. // Taking the first non-empty value based on potential IOC match availability | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated | join kind=innerunique ( CommonSecurityLog | where TimeGenerated >= ago(dt_lookBack) | extend CS_ipEntity = DestinationIP | extend CommonSecurityLog_TimeGenerated = TimeGenerated ) on $left.TI_ipEntity == $right.CS_ipEntity ; TISourceMatch | union TIDestinationMatch | where CommonSecurityLog_TimeGenerated < ExpirationDateTime | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity | project CommonSecurityLog_TimeGenerated, TI_ipEntity, SourceIP, DestinationIP, DeviceAction, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, CS_ipEntity, LogSeverity, FlexString2Label, FlexString2 //Exclude traffic blocked by firewall | where DeviceAction !in ('reset-both', 'block-url', 'deny', 'drop') | extend timestamp = CommonSecurityLog_TimeGenerated, IPCustomEntity = CS_ipEntityThe rule "Attempts to crack distributed passwords in AzureAD" is always detected with the same user.
Hi everyone, I don't know if anyone has had this problem. My problem is that when this rule is detected the same user is always triggered when trying to connect to the "Office 365 Exchange Online" application from a mobile phone and the client application "Exchange ActiveSync". This rule monitors high login attempts from different locations over a period of time of 1 day. We know that this is a false positive, as this is a field technician, and we have checked with the user to verify these actions. As a solution, we have taken the following actions to prevent the alert from being triggered: -Logging out of the application login and logging back in. But the problem persists, I don't know what else to do or what other mitigations I can see with the user. I have looked at the login table and only see that the error is thrown when connecting to the "Office 365 Exchange Online" application. Any ideas? Regards.
Send Alert When File in SharePoint is Being Accessed
Hi all, Is there a way to get the list of files which users are accessing or trying to access if they don't have permission inside a specific SharePoint site? And in addition to that is there a way for Sentinel to send alerts only for those users that don't have permission to access files? At the moment I am able to generate a list of users with number of accessed files on that specific SharePoint site: // Users accessing files // Users sorted by number of OneDrive and SharePoint files they accessed. OfficeActivity | where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed") | summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId | sort by AccessedFilesCount desc nulls last
