investigation
47 Topics

What exactly is the AppDisplayName "Microsoft Authentication Broker"?
Hello. When reviewing failed sign-in attempts through KQL (invalid username/password), I sometimes see the AppDisplayName "Microsoft Authentication Broker". I have tried looking for the answer online, and it does seem to be related to some kind of authentication broker service (which makes sense given the name), but I have yet to figure out what exactly it is. I guessed that this was perhaps the authentication app for Microsoft, but I did some testing on my own device and was unable to trigger the logs for Microsoft Authentication Broker. Does anyone else have any experience dealing with these? Might it be something going on in the background at MS?

Kusto query question: expanding multi-row, getting values from named keys
I want to query the OfficeActivity table and pull out values from the Parameters field. The field is a JSON string, so I know I need to convert it to dynamic, and then I need to get the values for Identity and User etc. I do not know at which position Identity and User appear, so I cannot use normal [0] or [1] indexing. I would like the end result to be something like this:

TimeGenerated  Operation              UserId  Parameters.Identity  Parameters.User  Parameters.AccessRights
x/x/x/         Add-MailboxPermission  Bob     John                 Peter            FullAccess

How to Prevent Duplicate Incidents from Being Generated due to Long Data Look Back
Hey everyone, we are facing an issue with our rules on Sentinel: when we create a rule and, in its logic, configure the query to look up data from a longer period, say the last 14 days, this rule is going to get triggered whenever it sees the same event during those 14 days, again and again on every query run, and it is going to create the same incident (with a different ID). For example, event X happened today. The query detects it, and the rule generates an incident for it. We then analyse and finally close this incident. If our query runs, for example, every 2 hours, on the next run, since the rule looks up data from the past 14 days, it again sees event X and creates another incident with the same attributes, only with a different incident ID. And alert grouping does not help here, since it doesn't work on closed alerts. Since we need the rule to look up the past 14 days, is there any way to prevent the creation of the same incidents on each query run for the same events? Thank you so much in advance for your kind help.

The remote NGC session was denied.
Hi. I was reviewing sign-in logs for a user in Sentinel and came across an entry that has the following:

ResultType: 1003033
ResultDescription: The remote NGC session was denied.
Authentication method: Passwordless phone sign-in

I have tried to search for this result type/description online but cannot find anything about it. Has anyone come across this? Do you know what it is related to?

The rule "Attempts to crack distributed passwords in AzureAD" is always detected with the same user.
Hi everyone, I don't know if anyone has had this problem. My problem is that whenever this rule is triggered, it is always the same user, when trying to connect to the "Office 365 Exchange Online" application from a mobile phone with the client application "Exchange ActiveSync". This rule monitors a high number of login attempts from different locations over a period of 1 day. We know that this is a false positive, as this is a field technician, and we have checked with the user to verify these actions. As a solution, we have taken the following actions to prevent the alert from being triggered: logging out of the application and logging back in. But the problem persists, and I don't know what else to do or what other mitigations I can try with the user. I have looked at the sign-in table and only see that the error is thrown when connecting to the "Office 365 Exchange Online" application. Any ideas? Regards.

How to use 'When Azure Sentinel incident creation rule was triggered' trigger in playbook
Hi team, I have been wondering whether the trigger 'When Azure Sentinel incident creation rule was triggered' can be used. I am unable to select a playbook having this trigger in any alert rule created under Azure Sentinel analytics. Can someone please help me out with this? I just want a playbook to be triggered using this trigger and post the incident details to Slack.

Add Service Principal
I have noticed an "Add service principal" operation in the Azure audit log. I asked my team about it, but they also don't know about this operation. In normal operations, we can find the actor in the "Initiated by" field. However, in this event, there is no "Initiated by" actor specified. Instead, the "Identity" field displays "Microsoft Azure AD Internal - Jit Provisioning." Is this automatically added by Azure?

Send Alert When File in SharePoint is Being Accessed
Hi all, is there a way to get the list of files which users are accessing, or trying to access without permission, inside a specific SharePoint site? And in addition to that, is there a way for Sentinel to send alerts only for those users that don't have permission to access the files? At the moment I am able to generate a list of users with the number of files they accessed on that specific SharePoint site:

// Users accessing files
// Users sorted by number of OneDrive and SharePoint files they accessed.
OfficeActivity
| where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
| summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
| sort by AccessedFilesCount desc nulls last

Incidents from Analytics Rule template
Hi all! I have limited knowledge of Sentinel and the MS products and tools, but I am trying hard to understand the whole puzzle. We have a Splunk server acting as a SIEM which ingests data from Sentinel via webhook (this is out of my scope ATM). There are a few types of incidents which I cannot find under "Threat management -> Incidents". This is the case for "URL Added to Application from Unknown Domain". I can find it under "Analytics -> Rule templates". Its source is Azure Active Directory, but at the bottom of the rule details there is a note: "You haven't used this template yet; you can use it to create analytics rules. One or more data sources used by this rule is missing. This might limit the functionality of the rule." Also, a config item is "Create incidents from this rule: Enabled". The way I understand this is: "Rule templates" don't generate incidents by themselves, so a rule must be created using the template and, if the rule is configured to create incidents, then an incident would be created and it would be possible to find it under "Threat management -> Incidents". Am I right, or can the rule template create the incident without a rule? Anyway, why can't I find the incident within the incident list? How could this incident have gone through to Splunk? Thanks in advance for your knowledge 🙂 Best regards