detection
52 Topics

Lookup data from the last == ingestion_time()
Howdy! In "Analytics rule wizard - Create a new Scheduled rule", under Query scheduling you have to fill out "Lookup data from the last". What time field is Sentinel looking at when determining which events to include in the lookup data? Is it ingestion_time()? Is it TimeGenerated? How does it know?

New Blog Post | What are DEV-#### indicator designations for detections?
What are DEV-#### indicator designations for detections? - Azure Cloud & AI Domain Blog (azurecloudai.blog)

I had this question come up today, but I've been asked a few times before recently, so I believe it's prudent to supply an explanation and guidance on what to do with these. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we reach high confidence about the origin or identity of the actor behind the activity. Once it meets the criteria, a DEV is converted to a named actor. Here's an example of one in Microsoft Sentinel…

Original Post: New Blog Post | What are DEV-#### indicator designations for detections? - Microsoft Tech Community

AMA vs MMA which one should we go ahead???
Hello there, we have an issue with one of the Azure Sentinel clients, where the cost has considerably increased due to a particular Event ID generating a lot of traffic. Event ID 4663, "An attempt was made to access an object", has the highest count of 8263330 within 24 hours.

We don't want to just filter out this event altogether, since this Event ID is important, especially for monitoring of OS-level executables which at times attackers exploit/misuse. Going through the documentation, I see that AMA has the capability to filter the Event IDs using XPath queries. I went through one of the blog posts that says that when using AMA instead of MMA, we need to consider the below:

AMA can co-exist with MMA; however, we will receive two heartbeats from one endpoint, one for each agent.
AMA will also collect logs, and MMA as well, so rather than reducing logs, we will have more logs coming in.

I have a customer who already has MMA installed, and I cannot just ask him to uninstall all the MMA agents and install AMA agents from scratch. Is there any easy resolution for this problem?

We have new customers coming in and I don't want to end up in the same situation, so shall we start using the AMA agent? Is it stable enough as compared to MMA, or recommended by Microsoft to move ahead with instead of MMA? I don't see the AMA agent installed within the Sentinel portal, only MMA is there, so from where can I download this?

I need answers on the above queries; any help will be much appreciated.

Thanks, Fahad.
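The post above mentions that AMA can filter Windows events with XPath queries. As an added example (not code from the post, from Microsoft, or from any of the agents), the following PowerShell tests candidate XPath filters for Event ID 4663 locally with Get-WinEvent, so the volume reduction can be measured on a real host before the filter is put into an AMA data collection rule (DCR). The 24-hour window, the decision to keep only 'File' objects, and the noisy process path are assumptions for illustration and must be replaced with what the host's own top-talker list shows.

```powershell
# Added example, not code from the post, Microsoft, or the AMA/MMA agents.
# Tests candidate XPath filters for Event ID 4663 locally before they go into
# an AMA data collection rule. Assumptions (not from the post): the bulk of the
# 4663 noise comes from one known process, and only 'File' objects matter for
# the executable-misuse case the poster wants to keep visibility on.
#
# The Windows event log accepts only a subset of XPath 1.0: the comparison
# operators =, !=, <, >, <=, >=, the boolean and/or, and the functions
# position(), Band() and timediff(). There is no contains() or starts-with(),
# so a path-prefix match on ObjectName cannot be expressed in the filter itself.

$windowMs = 24 * 60 * 60 * 1000   # look back 24 hours, in milliseconds for timediff()

# Baseline: every 4663 written in the window.
$baseline = "*[System[(EventID=4663) and TimeCreated[timediff(@SystemTime) <= $windowMs]]]"

# Hypothetical noisy process; replace it with whatever the top-talker list below shows.
$noisyProcess = 'C:\Windows\System32\svchost.exe'

# Candidate: same window, only file objects, and drop events from the noisy process.
$candidate = "*[System[(EventID=4663) and TimeCreated[timediff(@SystemTime) <= $windowMs]]" +
             " and EventData[Data[@Name='ObjectType']='File']" +
             " and EventData[Data[@Name='ProcessName']!='$noisyProcess']]"

function Measure-XPath {
    param([string]$XPath)
    # Get-WinEvent throws when nothing matches; treat that as zero events.
    $events = Get-WinEvent -LogName Security -FilterXPath $XPath -ErrorAction SilentlyContinue
    return @($events).Count
}

# Which processes generate the bulk of 4663? This is the list the exclusion is based on.
Get-WinEvent -LogName Security -FilterXPath $baseline -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        ([xml]$_.ToXml()).Event.EventData.Data |
            Where-Object Name -eq 'ProcessName' |
            Select-Object -ExpandProperty '#text'
    } |
    Group-Object | Sort-Object Count -Descending | Select-Object -First 10 Count, Name

$before = Measure-XPath $baseline
$after  = Measure-XPath $candidate
"4663 events in window: $before; after candidate filter: $after; dropped: $($before - $after)"

# DCR form of the same filter: the channel name is prefixed with '!' and the
# time clause is left out, because AMA evaluates the XPath as events are written.
$dcrXPath = "Security!*[System[(EventID=4663)]" +
            " and EventData[Data[@Name='ObjectType']='File']" +
            " and EventData[Data[@Name='ProcessName']!='$noisyProcess']]"
"xPathQueries entry for the DCR: $dcrXPath"
```

Run it as an administrator on a machine that actually has the noisy Security log; the Get-WinEvent form of the query must not carry the `Security!` channel prefix, which belongs only in the DCR's `xPathQueries` entry. Because the filter is exact-match only, check the top-talker output for the process names and object types that dominate before deciding what to exclude, and keep in mind that excluding a process such as svchost.exe also removes any 4663 an attacker generates through that process.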