siem
What exactly is the AppDisplayName "Microsoft Authentication Broker"
Hello, when reviewing failed sign-in attempts through KQL (invalid username/password), I sometimes see the AppDisplayName "Microsoft Authentication Broker". I have tried looking for the answer online, and it does seem to be related to some kind of authentication broker service (which makes sense given the name), but I have yet to figure out what exactly it is. I guessed that this was perhaps the authentication app for Microsoft, but I did some testing on my own device and was unable to trigger the logs for Microsoft Authentication Broker. Has anyone else had experience dealing with these? Might it be something going on in the background at MS?

Unusual user agent found in table AADNonInteractiveUserSignInLogs
Hello, investigating the records of the table "AADNonInteractiveUserSignInLogs", I have found a user agent "Rich Client 4.40.0.0", about which I have not found any information on the web, nor do I know what this user agent is. Has anyone seen this in a case related to Azure log-ins? Regards.

Searching Historical Logs for Threat Intelligence Matches
Hello all, I was just wondering what the best or most efficient way to search logs for threat intelligence IOCs is. I saw a previous post explaining how to do it if you would like to search a large number of values via a watchlist, but I would like to do it only for threat intelligence IOCs. I have a search below that works for IP addresses and can also be applied to file hashes.

ThreatIntelligenceIndicator
| where isnotempty(NetworkIP)
| summarize by ThreatIntelIP=NetworkIP
| join (
    Network_MetaParser
    | where isnotempty(SrcIpAddr)
    | summarize by SrcIpAddr, DstIpAddr, EventProduct, DvcAction, DstPortNumber, NetworkProtocol, TimeGenerated
) on $left.ThreatIntelIP == $right.DstIpAddr

My question is regarding URL/domain names. How do I search my logs for any URLs/domains that match or contain the URL/domain values from threat intelligence? I've tried doing something like the below, but it doesn't seem to work. Any suggestions would be greatly appreciated!

| summarize by URL
| where isnotempty(URL)
| where URL has_any (ThreatIntelligenceIndicator)

Escape character in KQL?
Hello guys, I have a problem where I'm unable to escape characters in my KQL query. We are ingesting some custom Windows event logs that are being "normalized" in XML format. However, when Sentinel normalizes these events, it puts all of them in nested fields. It does this for some of the Azure logs as well. Usually, though, I can retrieve some data from those by using the following query:

AzureActivity
| where OperationName == "signin"
| expand Identity == OperationName.AdditionalFields.LoginIdentity

So basically, using the expand, I extract the identity field that is nested within two other fields. This works fine; however, the log I'm working with has numbers as field names. So when I try the same thing with

AzureActivity
| where OperationName == "signin"
| expand Identity == OperationName.01.LoginIdentity

it errors. It doesn't like that "01" part and the query won't run, not because 01 doesn't exist (it does) but because it's an integer? Not sure. So I am trying to escape the "01" part. See below for the log example that might help explain. So in the image above, I want to extract fields like operation, processIdentity, etc., so that I can use these fields for further filtering or use them to build a workbook. Then in my query I can say:

WindowsEvent
| where EventID = "7777"
| where processIdentity = "identity"

Any help appreciated 🙂

Azure Activity Data Connector
Hi all, my organization is currently working to stand up Sentinel and we are implementing our data connectors. However, we are unable to enable the Azure Activity data connector. All policies are written correctly and should be sending to Sentinel, but it is saying "not connected". Any recommendations?

Network Security Group - Flow Logs to Microsoft Sentinel
Hello everyone, is there a way to have the NSG Flow logs logged in Microsoft Sentinel? The tables "NetworkSecurityGroupEvent" and "NetworkSecurityGroupRuleCounter" are not sufficient for a customer. Thanks. Greetings, Phil

Sentinel Demo environment setup
Hello all, I have been trying to set up a Sentinel demo lab. I saw an article in the community hub which explains how to set up a Sentinel lab using ARM templates. However, when I upload the template, it throws an error. Can someone please help me with this issue? Article I referred to: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-to-go-part1-a-lab-w-prerecorded-data-amp-a-custom/ba-p/1260191 Template used: https://gist.github.com/Cyb3rWard0g/27b32e085607fb84816d24831f03a17e

Disaster Recovery Design for Microsoft Sentinel
I would like to know if there is a recommended design for disaster recovery of the Sentinel SIEM, such as placing another Log Analytics workspace in a paired region and then pointing the DR servers to report to this LAW. If I need a live DR, do I have to replicate the Log Analytics workspace to the other paired region, and what is the best method to do this replication? Thanks