siem
387 Topics

DCR xPath - Nomenclature modification?
Hello, I have a question regarding the custom (xPath) configuration when creating a DCR for Windows Security Events via AMA. Below is the xPath I was using until now to exclude the following EventIDs: 4689, 5449 and 5145. It was working perfectly fine:

Raw xPath:
    Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145)]]

Today I wanted to modify it to exclude another EventID, but got an error mentioning that "the event log you have specified is not a valid xPath":

Raw xPath:
    Security!*[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]

I tried to remove the "Security" channel from the xPath as below:

    *[System[(EventID!=4689 and EventID!=5449 and EventID!=5145 and EventID!=4625)]]

But this throws an error:

Did the xPath nomenclature update, or is there a new way to exclude specific Event IDs that I missed? Is anyone facing the same issue? Thanks in advance.

444 Views, 0 likes, 10 Comments

Issue while deploying Sentinel Rules
I know that when deleting a Sentinel rule, you need to wait a specific amount of time before it can be redeployed. However, in this tenant, we've been waiting for almost a month and are still getting the same deployment error ('was recently deleted. You need to allow some time before re-using the same ID. Please try again later. Click here for details'). I still want to use the same ID etc. Does anyone have any idea or a similar issue why it's still not possible after waiting for about a month?

247 Views, 1 like, 1 Comment

Integrating Jira with Sentinel via HTTP connector
Hello Community, I am having issues integrating Jira with Sentinel. I am connecting Sentinel incidents with Jira via the HTTP connector. The Jira V3 connector was not working due to an error regarding the reporter field, which I have no control over. My question is, why is the HTTP Connector not posting the incident when I manually run the playbook with an incident? It shows the run was successful, but the incident is not posted in the Jira queue.

207 Views, 0 likes, 1 Comment

Splunk eventstats equivalent in KQL?
Is there an equivalent to the eventstats command in KQL similar to Splunk? If not, is there a way to achieve the same result in KQL? The eventstats command generates summary statistics from fields in your events and saves those statistics into a new field. The eventstats command places the generated statistics in a new field that is added to the original raw events.

25 Views, 0 likes, 1 Comment

Local IPs (10.60.0.0/24) in ClientIP field in OfficeActivity logs?
Started seeing this more often recently and it started to cause some uptick in alerts across multiple customers (we are an MSP). It seems to me like a backend workflow is failing to write true source IPs to OfficeActivity logs, resulting in some 10.60.0.0/24 IPs being recorded as the ClientIP. Could this be some backend IP belonging to a Microsoft service? This can't be related to the customer since we see the same thing across up to 37 tenants/customers. This includes FileDownloaded operations, which is what caused alerts and brought the issue to our attention. To make sure this also wasn't some kind of correlation to device, I checked the logs further and it's happening where IsManagedDevice == false and even anonymous file access. Is anyone else seeing this, and can anyone from Microsoft confirm whether this is a mistake or bug somewhere upstream?

Sample KQL:

    // Query 1
    OfficeActivity
    | where TimeGenerated >= ago(30d)
    | where ipv4_is_private(ClientIP)
    | where IsManagedDevice == false
    | summarize min(TimeGenerated), max(TimeGenerated), Operations=make_set(Operation), NumberUsers=dcount(UserId), make_set(UserId), UserAgents=make_set(UserAgent) by ClientIP

    // Query 2
    OfficeActivity
    | where TimeGenerated >= ago(60d)
    | where isnotempty(ClientIP) and ipv4_is_private(ClientIP)
    | summarize count() by bin(TimeGenerated, 1d)

4.1K Views, 2 likes, 8 Comments

Logic app to close administrative tasks
I am trying to create a logic app that closes administrative tasks in Sentinel after checking UserPrincipalName and IP address. It will also check if the UserPrincipalName exists in a watchlist at the same time. But this didn't seem to work; can I get any help here?

211 Views, 0 likes, 1 Comment

Issue in Uninstallation of AMA for Arc Enabled Windows server
Dear Community, As a troubleshooting step, I want to uninstall the AMA agent from an Azure Arc enabled server. I tried "Uninstall" from Azure Arc machine - Extension - Uninstall, but it went into the "Deleting" state for 2 days. Then I tried uninstallation using PowerShell, but again it went to the "Deleting" state. I tried removing and adding the machine to and from the DCR and Azure Arc again and then tried again; still it shows the "Deleting" state only. So, I tried uninstallation directly from the server using the command

    azcmagent extension remove --name AzureMonitorWindowsAgent

and got the below error. From my test machine I copied the "HandlerManifest.json" file and put it in the same folder where the error is showing above. The JSON file has this content as shown below. Now after this I tried the "azcmagent extension remove --name AzureMonitorWindowsAgent" command again and got the error. Please help in uninstalling this AMA agent. Thanks, Mahesh

135 Views, 0 likes, 1 Comment