detection
52 Topics

AMA vs MMA: which one should we go ahead with?
Hello there, we have an issue with one of the Azure Sentinel clients, where the cost has considerably increased due to a particular Event ID generating a lot of traffic. Event ID 4663 "Attempt to access an object" has the highest count of 8263330 within 24 hours. We don't want to just filter out this event altogether, since this event ID is important, especially for monitoring of OS-level executables which at times attackers exploit/misuse. Going through the documentation, I see that AMA has the capability to filter the event IDs using XPath queries. I went through a blog post that says that when using AMA instead of MMA, we need to consider the below:
- AMA can co-exist with MMA; however, we will receive two heartbeats from one endpoint, one for each agent.
- AMA will also collect logs, and MMA as well, so rather than reducing logs we will have more logs coming in.
I have a customer who already has MMA installed, and I cannot just ask him to uninstall all the MMA agents and install AMA agents from scratch. Is there any easy resolution for this problem? We have new customers coming in and I don't want to end up in the same situation, so shall we start using the AMA agent? Is it stable enough compared to MMA, or recommended by Microsoft to move ahead with instead of MMA? I don't see the AMA agent installed within the Sentinel portal, only MMA is there, so from where can I download this? I need answers on the above queries; any help will be much appreciated. Thanks, Fahad.

Integration of Microsoft Sentinel & Microsoft TEAMS for integration of alerts
What are some of the best methods and strategies to start implementing an integration between Sentinel and TEAMS, where, when certain instances or alerts occur, said alerts can be pinged to certain members on Microsoft TEAMS, e.g. through the use of playbooks, automations and setting up an API connection to integrate the two?

How to Prevent Duplicate Incidents from Being Generated due to Long Data Look Back
Hey everyone, we are facing an issue with regard to our rules on Sentinel: when we create a rule and, in its logic, configure the query to look up data from longer periods, say the last 14 days, this rule is going to get triggered whenever it sees the same event during those 14 days, again and again, whenever the query runs, and it is going to create the same incident (with a different ID). For example, event X has happened today. The query detects it, and the rule generates an incident for it. We then analyse and finally close this incident. If our query runs, for example, every 2 hours, on the next run, since the rule looks up data from the past 14 days, it again sees event X and is going to create another incident with the same attributes, only with a different incident ID. And alert grouping does not help here, since it doesn't work on closed alerts. Since we need the rule to look up the past 14 days, is there any way to prevent the creation of the same incidents on each query run for the same events? Thank you so much in advance for your kind help.

How can I compare in KQL whether a value contains another value in the same table?
Hi everyone, I used the default rule "SharePointFileOperation across devices with previously unseen user agents" and I need to enhance the rule so that it matches if the "USER_ID" column contains a variable I created. This variable performs a replacement of the above name with regex and removes the values beyond the "@". I have tried to make a "contains" expression but it doesn't work... is there another way...?

let threshold = 5;
let szSharePointFileOperation = "SharePointFileOperation";
let szOperations = dynamic(["FileDownloaded", "FileUploaded"]);
let starttime = 14d;
let endtime = 1d;
let historicalActivity = OfficeActivity
    | where TimeGenerated between(ago(starttime) .. ago(endtime))
    | where RecordType =~ szSharePointFileOperation
    | where Operation in~ (szOperations)
    | where isnotempty(UserAgent)
    | summarize historicalCount = count() by UserAgent, RecordType, Operation;
let ReplacedData = OfficeActivity
    | where TimeGenerated between(ago(starttime) .. ago(endtime))
    | where RecordType =~ szSharePointFileOperation
    | where Operation in~ (szOperations)
    | extend replaced=replace_regex(UserId, @'([^\\]*)@gmail.com', @'\1')
    | project replaced;
let recentActivity = OfficeActivity
    | where RecordType =~ szSharePointFileOperation
    | where Operation in~ (szOperations)
    | where TimeGenerated > ago(endtime)
    | where isnotempty(UserAgent)
    | summarize min(Start_Time), max(Start_Time), recentCount = count() by UserAgent, RecordType, Operation;
let RareUserAgent = recentActivity
    | join kind = leftanti (historicalActivity) on UserAgent
    | order by recentCount desc, UserAgent
    // More than 5 downloads/uploads from a new user agent today
    | where recentCount > threshold;
//OfficeActivity
OfficeActivity
    | where TimeGenerated > ago(endtime)
    | where RecordType =~ szSharePointFileOperation
    | where Operation in~ (szOperations)
    | where isnotempty(UserAgent)
    | where Site_Url contains (ReplacedData)
    | join kind= inner (RareUserAgent) on UserAgent, RecordType, Operation
    | where Start_Time between(min_Start_Time .. max_Start_Time)
    | summarize StartTimeUtc = min(min_Start_Time), EndTimeUtc = max(max_Start_Time) by RecordType, Operation, UserAgent, UserType, UserId, ClientIP, OfficeWorkload, Site_Url, OfficeObjectId, UserAgentSeenCount = recentCount
    | extend timestamp = StartTimeUtc, AccountCustomEntity = UserId, IPCustomEntity = ClientIP, URLCustomEntity = Site_Url
    | extend replaced=replace_regex(UserId, @'([^\\]*)@gmail.com', @'\1')
    | order by UserAgentSeenCount desc, UserAgent asc, Operation asc, UserId asc, replaced

Any idea how to get this query to work correctly? Or another way to come up with a solution. Thanks. Regards.

KQL Query for Match IoC from WatchList
Hi all, can you help me to make a query to match IoCs that I imported from a CSV file into a watchlist? My query at the moment is:

let Ioc = _GetWatchlist('ioc');
AzureActivity
    | where CallerIpAddress != ''
    | extend WhoDidIt = Caller, ResourceName = tostring(parse_json(Properties).resource)
    | join Ioc on $left.CallerIpAddress == $right.SearchKey
    | project TimeGenerated, SearchKey, OperationNameValue, Type, SubscriptionId, WhoDidIt, ResourceName, ResourceGroup

But my IoC list contains hashes, domains and URLs, and I want to integrate it in my threat hunting query. My IoC list has 2 columns: ioc_type and ioc_value. Thanks all, Regards

KQL query to detect the disablement and deletion of Automation Rules
Hi Community, we want to create a KQL query that detects whether an automation rule has been disabled. The only way to partially do that at the moment is the AzureActivity table. The problem with that table is that it does not specify whether a rule has been ENABLED or DISABLED. As far as we can see, it does not have a unique identifier for disable or enable. Both log outputs are the same: Does anyone have a solution for this problem? Thanks in advance 🙂 Greetings, Kevin

Watchlists: failed to resolve scalar expression
Hi Techies, we want to use a watchlist inside a KQL query, which is supposed to be simple, but we are actually struggling a bit with the following issue: "'project' operator: Failed to resolve scalar expression named 'emailAddress'". According to the documentation it should look something like this, but it is not working correctly: Our watchlist looks like this: Sentinel Docs: EDIT: The problem has been solved. We had an invisible space character inside our deployment script which caused the problem. Thanks everyone for helping out, and thanks Clive_Watson for leading us in the right direction.