fooUser appearing in Sentinel device logs

Hi, I noticed from an alert in MS Security Center there is an account called fooUser@<domain> that seems to do a lot of client operations outside of what I understand the account is for, which is Intune enrollment in Autopilot. https://call4cloud.nl/2022/09/foouser-meets-the-cosmic-autopilot-user/ But I'm seeing process creations, file creations etc. This started on the 11th of April on a single device and has since escalated to over a hundred. The first device was actually in an Autopilot process when the events started to get logged, but now there are a lot of machines that have been active for a long time where the logs are coming in from as well. The following query is what I used to find the events in Advanced hunting:

search in (DeviceEvents, DeviceFileCertificateInfo, DeviceFileEvents, DeviceImageLoadEvents, DeviceInfo, DeviceLogonEvents, DeviceNetworkEvents, DeviceNetworkInfo, DeviceProcessEvents, DeviceRegistryEvents) "fooUser"
| sort by TimeGenerated asc

Does anyone else see this behavior?

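A triage query for the situation described in the post, added here as an example and not part of the original post. It assumes the Defender for Endpoint DeviceProcessEvents table is streamed into the Sentinel workspace (the account name "fooUser" is taken from the post; everything else is an assumption), and turns the raw search into one row per device showing when the account's activity started there, how long it has persisted, and what it actually executes.

```kusto
// Added triage query (not from the post): per device, when did fooUser activity start, what does it run,
// and from which parent processes. Assumes DeviceProcessEvents (Defender for Endpoint) is streamed into
// the Sentinel workspace; in Advanced hunting the time column is Timestamp instead of TimeGenerated.
let lookback = 30d;
let account  = "fooUser";                      // account name from the post
DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where AccountName =~ account or AccountUpn startswith strcat(account, "@")
| summarize
    FirstSeen      = min(TimeGenerated),
    LastSeen       = max(TimeGenerated),
    ProcessStarts  = count(),
    DistinctImages = dcount(FileName),
    Images         = make_set(FileName, 25),                 // capped so the row stays readable
    Parents        = make_set(InitiatingProcessFileName, 10),
    Folders        = make_set(FolderPath, 10)
    by DeviceName, DeviceId
| extend DaysActive = datetime_diff("day", LastSeen, FirstSeen)
| order by FirstSeen asc
```

Sorting by FirstSeen shows whether the spread is a steady trickle or a cluster around a single date (a rollout or update), and the Images and Parents sets let you compare what the account runs on the original Autopilot device against what it runs on the long-lived machines; rows where the parent is not an enrollment or management component are the ones worth a closer look.
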
Ingesting logs from Event Hub

Hey guys, I wanted to give Sentinel a try. But there is one thing I'd like to clarify first. Our current ingestion pipeline: we receive logs into Event Hubs (EH), read them with Logstash and put them into Elastic. According to this article [1] we just need to change (add) the destination as a Logstash output and route logs into Log Analytics (LA), and we are good to go. This is what confuses me: EH and LA are both located in Azure, and I hoped to remove Logstash completely from the design: EH -> LA -> Sentinel. Is it possible? Did I miss something here? Or maybe it is planned for the future? [1]: https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-to-go-part1-a-lab-w-prerecorded-data-amp-a-custom/ba-p/1260191

KQL query in Sentinel for a user's first activity

Hi all, since I am new to writing queries I would really appreciate your help. I need to write a query that will show a specific user's first activity and last activity in a day. I also need to project which activity it was and, to sum it all up, I need the results to be in a row for each day. I would really appreciate any suggestions or help. Thank you

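One way to build the query the post asks for, added as an example and not taken from the post or a reply. It assumes the SigninLogs and OfficeActivity tables are present (any other table can be added to the union as long as it is projected to the same three columns) and uses a placeholder UPN; arg_min and arg_max return the whole row that holds the earliest and latest timestamp, which is what carries "which activity it was" into the per-day result.

```kusto
// Added example (not from the post): one row per day with the user's first and last recorded activity.
// Assumes the SigninLogs and OfficeActivity tables; add further tables to the union with the same
// columns (TimeGenerated, User, Activity, Source). The UPN below is a placeholder.
let target_user = "user@contoso.com";
let lookback = 30d;
let activity = union isfuzzy=true
    (SigninLogs
        | where TimeGenerated > ago(lookback)
        | where UserPrincipalName =~ target_user
        | project TimeGenerated, User = UserPrincipalName,
                  Activity = strcat("Sign-in: ", AppDisplayName, " (result ", ResultType, ")"),
                  Source = "SigninLogs"),
    (OfficeActivity
        | where TimeGenerated > ago(lookback)
        | where UserId =~ target_user
        | project TimeGenerated, User = UserId,
                  Activity = strcat(RecordType, ": ", Operation),
                  Source = "OfficeActivity");
activity
// arg_min/arg_max return the row that minimises/maximises TimeGenerated, so the activity and its
// source come along with the timestamp; the tuple form names the output columns.
| summarize
    (FirstSeen, FirstActivity, FirstSource) = arg_min(TimeGenerated, Activity, Source),
    (LastSeen,  LastActivity,  LastSource)  = arg_max(TimeGenerated, Activity, Source),
    Events = count()
    by User, Day = startofday(TimeGenerated)
| order by Day asc
```

startofday works in UTC, so a user in another time zone will have activity split across the "wrong" days unless you shift TimeGenerated by the local offset before bucketing; and because the first and last event of a day are often the least interesting ones (a token refresh, a background sync), keep the Events count next to them so an unusually busy day stands out.
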
Kusto query question, expanding multi-row, getting values from named keys

I want to query the OfficeActivity table and pull out values from the Parameters field. The field is a JSON string, so I know I need to convert it to dynamic, and then I need to get values for Identity and User etc. I do not know at what position Identity and User appear, so I cannot use normal [0] or [1] indexing. I would like the end result to be something like this:

TimeGenerated  Operation              UserId  Parameters.Identity  Parameters.User  Parameters.AccessRights
x/x/x          Add-MailboxPermission  Bob     John                 Peter            FullAccess

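A way to get the table shown in the post without depending on array positions, added as an example and not part of the post. The Parameters column is an array of {"Name": ..., "Value": ...} objects; collapsing it into a property bag keyed by Name lets the rest of the query address values by key. The sample rows are constructed to look like that column (the values are made up); the comment shows what to substitute to run it against the real table.

```kusto
// Added example (not from the post): address Parameters entries by their Name, regardless of position.
// `sample` is constructed data shaped like OfficeActivity.Parameters; to run against real data replace
// the let-binding with:  OfficeActivity | where Operation == "Add-MailboxPermission"
let sample = datatable(TimeGenerated: datetime, Operation: string, UserId: string, Parameters: string) [
    datetime(2023-05-01 10:00:00), "Add-MailboxPermission", "Bob",
      '[{"Name":"Identity","Value":"John"},{"Name":"User","Value":"Peter"},{"Name":"AccessRights","Value":"FullAccess"}]',
    datetime(2023-05-01 11:00:00), "Add-MailboxPermission", "Alice",
      '[{"Name":"AccessRights","Value":"SendAs"},{"Name":"Identity","Value":"Finance"},{"Name":"InheritanceType","Value":"All"},{"Name":"User","Value":"Mallory"}]'
];
sample
| extend ParamArray = parse_json(Parameters)
// Collapse the array of {Name, Value} objects into one property bag keyed by Name, so the query can
// use ParamBag.Identity etc. without knowing where in the array each parameter sits.
| mv-apply p = ParamArray on (
    summarize ParamBag = make_bag(bag_pack(tostring(p.Name), tostring(p.Value)))
  )
| project TimeGenerated, Operation, UserId,
    Identity     = tostring(ParamBag.Identity),
    User         = tostring(ParamBag.User),
    AccessRights = tostring(ParamBag.AccessRights)
```

The second constructed row has the keys in a different order and an extra parameter, which is exactly the case positional indexing gets wrong; the bag approach returns the same three columns for both. Once the values are columns, a detection is a where clause away, for example AccessRights has "FullAccess" where User is not a known service account.
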
Reached the maximum limit of Analytics Rules of 512 in Sentinel

Hello all, We have 539 total analytics rules in Sentinel, 478 enabled rules and 61 disabled rules. Today, we noticed that we can't add new scheduled rules in the Analytics section of Sentinel. When we checked the Sentinel workspace's Activity logs, we saw this error message: "The maximum number of Scheduled analytics rules (512) has already been reached for workspace xxxxxx". It looks like Microsoft Sentinel does indeed have a service limit of 512 analytics rules per workspace, as per this article: Microsoft Sentinel service limits | Microsoft Docs. We need to add more rules to ensure that our Sentinel is benchmarked against the MITRE ATT&CK framework. According to MITRE, there are 191 techniques and 385 sub-techniques in the latest ATT&CK framework, that's a total of 576; how are we supposed to have good analytics insight coverage with the limit of 512? That's without even considering new ransomware rules, threat intel rules, and general zero-day rules, e.g. Log4J etc. We have a single workspace where all data connectors come in (from other Microsoft solutions, Defender products etc. as well as other on-premise Syslog servers). If we consider splitting our rules between two or three workspaces to cover all the MITRE ATT&CK techniques and sub-techniques (and other custom rules for our own environment), then we need to duplicate the data across those additional workspaces; we could split the rules across multiple workspaces and work with incidents across all workspaces (per this article: Work with Microsoft Sentinel incidents in many workspaces at once | Microsoft Docs), but this means we have to pay for duplicated workspace storage. This can't be a realistic solution that Microsoft expects us to do! Has anyone faced this challenge and hit this maximum analytics rule limit of 512? Any advice on how we might overcome it? Where do we go from here?

I am surprised that this topic has not been discussed widely by companies who have mature SOCs based on Sentinel and have considered fully benchmarking their Sentinel rules against the MITRE ATT&CK framework. Any help will be highly appreciated, and thanks in advance for any comments.

'MICROSOFT-CORP-MSN-AS-BLOCK' is violating Conditional Access Policy (CAP)

Hello folks, I have a CAP that prevents log-ins from foreign countries. I have excluded 'United States' in the 'Location' condition as well. I am getting a lot of incidents titled "Attempt to bypass conditional access rule in Azure AD" and when I went to investigate the logs, I found two IP addresses, ["40.71.237.118","40.71.238.151"], common for all the users. VirusTotal lists both of them as MICROSOFT-CORP-MSN-AS-BLOCK. Have you guys faced a similar situation or know the remedy for this?

The remote NGC session was denied.

Hi. I was reviewing sign-in logs for a user in Sentinel and came across an entry that has the following:

ResultType: 1003033
ResultDescription: The remote NGC session was denied.
Authentication method: Passwordless phone sign-in

I have tried to search for this result type/description online but cannot find anything about it. Has anyone come across this? Do you know what it is related to?

Infoblox and Parsing Questions

Hello, Have Infoblox DNS Query/Response logs been tested with Azure Sentinel? I am testing it and have found that Infoblox DNS seems to generate only Threat Logs in CEF. The other DNS logging categories, such as DNS Queries/Responses, are logged in some non-CEF format over syslog, like the following:

##<166>Dec 23 12:54:05 infoblox1.localdomain named[12821]: client @0x7fbc3c0cc6e0 192.168.80.1#57296 (server1.fwd1): query: server1.fwd1 IN A + (192.168.80.200)

I can't even see these logs in the Sentinel Workspace. The logs arrive at the on-prem Syslog Agent and are forwarded to the omsagent process over port 25226, but beyond that I don't see them anywhere. The OMSAgent fluentd parsing checks that the incoming message has "CEF" or "ASA" keywords before processing the message further, which seems to be a showstopper for the above-mentioned syslog message. Please advise:

1. Should we create a custom parser for Infoblox query/response logs, or has Microsoft already addressed them?
2. Does the syslog message (payload) parsing occur on the OMSAgent side or on the Azure Sentinel Workspace side?
3. By having a vendor connector listed in the Azure Sentinel connector list, such as ASA, Fortigate, etc., does this mean having a "parser" in the background? I noticed that vendor connectors do query the CommonSecurityLog with a filter of "device vendor", so I don't fully understand the technical meaning of "having a connector for X vendor".
4. How do we troubleshoot log processing and ingestion after the logs are delivered from the syslog daemon to the omsagent daemon? Any troubleshooting files or tables to look into?

Thanks in advance.

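A query-time parser for the non-CEF query lines quoted in the post, added here as an example and not part of the post or of any Microsoft content. It assumes the lines are collected through the facility-based Syslog data connector, which lands the raw message in the Syslog table's SyslogMessage column (the CEF path the post describes expects CEF and will not carry them). The sample rows are constructed: the first is the line from the post, the other two are made up to exercise the AAAA/flag and TXT cases.

```kusto
// Added parser (not from the post) for BIND/Infoblox "query:" lines, run in the workspace against the
// Syslog table rather than in the agent. `sample` is constructed (first row from the post); replace the
// let-binding with:  Syslog | where ProcessName == "named" and SyslogMessage has "query:"
let sample = datatable(TimeGenerated: datetime, HostName: string, ProcessName: string, SyslogMessage: string) [
    datetime(2021-12-23 12:54:05), "infoblox1.localdomain", "named",
      "client @0x7fbc3c0cc6e0 192.168.80.1#57296 (server1.fwd1): query: server1.fwd1 IN A + (192.168.80.200)",
    datetime(2021-12-23 12:54:07), "infoblox1.localdomain", "named",
      "client @0x7fbc3c0cc6e0 192.168.80.1#57302 (login.contoso.com): query: login.contoso.com IN AAAA +E (192.168.80.200)",
    datetime(2021-12-23 12:54:09), "infoblox1.localdomain", "named",
      "client @0x7fbc3c0cd120 192.168.80.7#40111 (a1b2c3d4.evil.example): query: a1b2c3d4.evil.example IN TXT + (192.168.80.200)"
];
sample
| where SyslogMessage has "query:"
// parse in simple mode: each string capture runs up to the next literal delimiter, so the fixed
// tokens ("#", " (", "): query: ", ")") carry the structure of the line.
| parse SyslogMessage with "client @" ClientHandle:string " " ClientIP:string "#" ClientPort:int
                           " (" RequestedName:string "): query: " QueryName:string " " QueryClass:string
                           " " QueryType:string " " QueryFlags:string " (" ServerIP:string ")"
| extend ParseFailed = isempty(QueryName)        // rows that do not fit the pattern keep empty captures
| project TimeGenerated, HostName, ClientIP, ClientPort, QueryName, QueryClass, QueryType,
          QueryFlags, ServerIP, ParseFailed
```

This answers the "where does parsing happen" question for this kind of log: the agent only needs to collect the facility, and the fields are extracted at query time; saving the parse block as a KQL function makes it reusable from analytics rules. BIND's query-log format varies slightly between versions (when views are configured a "view <name>:" token appears before "query:"), so filter on ParseFailed first and extend the pattern before trusting the parser on a new source.
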
The rule "Attempts to crack distributed passwords in AzureAD" is always detected with the same user.

Hi everyone, I don't know if anyone has had this problem. My problem is that when this rule is detected, the same user is always triggered when trying to connect to the "Office 365 Exchange Online" application from a mobile phone with the client application "Exchange ActiveSync". This rule monitors high login attempts from different locations over a period of 1 day. We know that this is a false positive, as this is a field technician, and we have checked with the user to verify these actions. As a solution, we have taken the following actions to prevent the alert from being triggered: logging out of the application and logging back in. But the problem persists, and I don't know what else to do or what other mitigations I can try with the user. I have looked at the sign-in table and only see that the error is thrown when connecting to the "Office 365 Exchange Online" application. Any ideas? Regards.

KQL Query for Match IoC from WatchList

Hi all, can you help me make a query to match IoCs that I imported from a CSV file into a watchlist? My query at the moment is:

let Ioc = _GetWatchlist('ioc');
AzureActivity
| where CallerIpAddress != ''
| extend WhoDidIt = Caller, ResourceName = tostring(parse_json(Properties).resource)
| join Ioc on $left.CallerIpAddress == $right.SearchKey
| project TimeGenerated, SearchKey, OperationNameValue, Type, SubscriptionId, WhoDidIt, ResourceName, ResourceGroup

but my IoC list contains hashes, domains, URLs and I want to integrate it into my threat hunting query. My IoC list has 2 columns, ioc_type and ioc_value. Thanks all, Regards

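A type-aware version of the post's query, added as an example and not part of the post. The watchlist columns ioc_type and ioc_value come from the post; the table and column names assume the Azure Activity, Azure AD sign-in and Defender for Endpoint connectors, and the set of type labels (ip, domain, url, hash, md5, sha1, sha256) is an assumption about how the CSV was labelled. Each indicator type is turned into a single-column list and matched against the columns where that type can legitimately appear, then the hits are joined back to the watchlist so the analyst sees which indicator and type fired.

```kusto
// Added example (not from the post): match a mixed watchlist (columns ioc_type, ioc_value) against
// several tables, using the indicator type to pick the right column on each side.
let lookback = 7d;
let ioc = _GetWatchlist('ioc')
    | extend IocType  = tolower(trim(" ", tostring(ioc_type))),
             IocValue = tolower(trim(" ", tostring(ioc_value)))
    | where isnotempty(IocValue)
    | project IocType, IocValue;
// Single-column lists per indicator type: these are what in~() expects (case-insensitive match).
let ip_iocs     = ioc | where IocType in ("ip", "ipv4", "ipv6")            | project IocValue;
let domain_iocs = ioc | where IocType in ("domain", "hostname", "fqdn")    | project IocValue;
let url_iocs    = ioc | where IocType == "url"                             | project IocValue;
let hash_iocs   = ioc | where IocType in ("hash", "md5", "sha1", "sha256") | project IocValue;
let hits = union isfuzzy=true        // isfuzzy: a table missing from the workspace does not fail the query
    (AzureActivity
        | where TimeGenerated > ago(lookback) and isnotempty(CallerIpAddress)
        | where CallerIpAddress in~ (ip_iocs)
        | project TimeGenerated, Source = "AzureActivity", Indicator = CallerIpAddress,
                  Actor = Caller, Detail = OperationNameValue),
    (SigninLogs
        | where TimeGenerated > ago(lookback)
        | where IPAddress in~ (ip_iocs)
        | project TimeGenerated, Source = "SigninLogs", Indicator = IPAddress,
                  Actor = UserPrincipalName, Detail = AppDisplayName),
    (DeviceNetworkEvents
        | where TimeGenerated > ago(lookback)
        // one event can match on the IP or on the URL, so test both as candidate indicators
        | extend Candidates = pack_array(RemoteIP, RemoteUrl)
        | mv-expand Indicator = Candidates to typeof(string)
        | where Indicator in~ (ip_iocs) or Indicator in~ (domain_iocs) or Indicator in~ (url_iocs)
        | project TimeGenerated, Source = "DeviceNetworkEvents", Indicator,
                  Actor = DeviceName, Detail = InitiatingProcessFileName),
    (DeviceFileEvents
        | where TimeGenerated > ago(lookback)
        | extend Candidates = pack_array(SHA256, SHA1, MD5)
        | mv-expand Indicator = Candidates to typeof(string)
        | where Indicator in~ (hash_iocs)
        | project TimeGenerated, Source = "DeviceFileEvents", Indicator,
                  Actor = DeviceName, Detail = FolderPath);
hits
| extend IocValue = tolower(Indicator)
| join kind=inner ioc on IocValue        // bring ioc_type back so each hit says what kind of indicator it was
| project TimeGenerated, Source, IocType, Indicator, Actor, Detail
| order by TimeGenerated desc
```

Two details matter for correctness here: the original join on SearchKey only works when the IP column is the search key, whereas joining on the normalised ioc_value works for every type; and the plain in() operator is case-sensitive, so hashes and hostnames stored in mixed case would silently miss without in~() and the tolower() normalisation on both sides. The tabular form of in() is limited to around a million values, which is far more than a watchlist holds.
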