Searching Historical Logs for Threat Intelligence Matches.
Hello all, I was just wondering what the best or most efficient way to search logs for threat intelligence IOCs was, I saw a previous post explaining how to do it if you would like to search a large amount of values via watchlist but I would like to do it only for threat intelligence IOCs, I have a search below that works for IP addresses and can also be applied to file hashes. ThreatIntelligenceIndicator | where isnotempty(NetworkIP) | summarize by ThreatIntelIP=NetworkIP | join ( Network_MetaParser | where isnotempty(SrcIpAddr) | summarize by SrcIpAddr, DstIpAddr, EventProduct, DvcAction, DstPortNumber, NetworkProtocol, TimeGenerated ) on $left.ThreatIntelIP == $right.DstIpAddr My question is regarding URL/Domain names. How do I search my logs for any URLs/domains that match or contain the URL/Domain values from threat intelligence. I've tried doing something like the below but it doesn't seem to work. Any suggestions would be greatly appreciated! | summarize by URL | where isnotempty(URL) | where URL has_any (ThreatIntelligenceIndicator)
Sentinel Demo environment setup
Hello All, I have been trying to set up a sentinel demo lab. I saw an article in the community hub which explains how to set up sentinel lab using ARM templates. However, when I am uploading the template, it is throwing me an error. Can someone please help me with this issue? Article I referred: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/azure-sentinel-to-go-part1-a-lab-w-prerecorded-data-amp-a-custom/ba-p/1260191 Template used: https://gist.github.com/Cyb3rWard0g/27b32e085607fb84816d24831f03a17e
Add Service Principal
I have noticed an "Add service principal" operation in the Azure audit log. I asked my team about it, but they also don't know about this operation. In normal operations, we can find the actor in the "Initiated by" field. However, in this event, there is no "Initiated by" actor specified. Instead, the "Identity" field displays "Microsoft Azure AD Internal - Jit Provisioning." Is this automatically added by Azure?How to enable collection Process command line for windows server
I tried to search for “process command line” detail in Window event ID 4688 via Sentinel. However, it seems that Sentinel is not recording the “process command line” log. How can I enable the collection of “process command line” in Window event?
