Latest Discussions
Symantec software disabling Recovery Mode during installations

The security team has often been receiving alerts that during the installation of Symantec Encryption Desktop, Windows is using bcdedit.exe to modify the boot configuration, where it is disabling the Windows default system recovery. It might be expected behavior to ensure no one can bypass the encryption at boot time, and it could be a defense mechanism. As we're receiving lots of alerts on this, we want to get to the root cause and ensure this is expected behavior. That way we can have it documented and fine-tune our detection. Does anyone know if it would interact with the system boot configuration, and is there any mention of bcdedit tasks being used during installation?

Command Line:
"cmd.exe" /c schtasks.exe /Create /RU %USERNAME% /SC DAILY /TN runBCDEDIT /RL HIGHEST /TR "bcdedit.exe /set recoveryenabled No " & schtasks.exe /run /TN runBCDEDIT & schtasks.exe /Delete /TN runBCDEDIT /F & schtasks.exe /Delete /TN "runBCDEDIT" /F

AmiShinu, Dec 19, 2024

Has anyone integrated VISA Threat Intelligence with Sentinel or any SIEM?

I'm looking to integrate threat intelligence from VISA into Microsoft Sentinel directly and automate the ingestion process. Has anyone in the community integrated VISA's threat intelligence platform with their SIEM solution? Thanks in advance!

AmiShinu, Dec 17, 2024

Azure Monitor agent sends logs to two LA workspaces in different accounts

Our company has many different Azure accounts and subscriptions. Can we install AMA on one server to support sending logs to LA workspaces under different accounts? For example, logs are sent to East Asia and China (East Asia and China are physically isolated).

kimmytliu, Dec 15, 2024

Audit user accessing Enterprise App by SPN sign-in

I'm in a Hybrid Entra ID environment. Some users can use an "Enterprise Application" by utilizing IDs and a certificate. In the activity or sign-in logs, I can find the access entries, but I don't have the information on which user used the app registration or which certificate was used. I would like to have logs that allow me to identify WHO is using an SPN/App registration. Do you have any ideas? Thank you.

Here is an example: In this screenshot, I can see access made to an app using, for example, an appid+secret/certificate connection. So, it's "logical" not to see a username since it's not required for this type of connection. However, I would really like to have this information or some indicator to identify which of my users accessed it. Currently, I only have the machine's IP address, but I would like more information. Maybe in Purview or with another service, but I haven't found anything.

ArnaudDurand, Nov 24, 2024

KQL - in/has_any usage

For the below query, when I use "contains" for a single app it works fine, but I have bulk AppIDs to check; how can I use "in" here? The query fails when I replace contains with in or has_any. Please help. Thank you.

let AppIDList = dynamic(["APPID01", "APPID02", "APPID03"]);
resources
| where type !in~ ("microsoft.compute/snapshots", "microsoft.compute/virtualmachines/extensions")
| project subscriptionId, type, resourceGroup, name, AppID = tostring(['tags']['AppID']) // Here AppID is a comma-separated list of AppIDs
| where AppID in (AppIDList)
| join kind=inner (
    resourcecontainers
    | where ['type'] == "microsoft.resources/subscriptions"
    | project subscriptionId, name, subname = name
) on $left.subscriptionId == $right.subscriptionId
| project subname, subscriptionId, type, resourceGroup, name

kudumum, Nov 15, 2024

APIM ApiManagementGatewayLogs

Hi! I have published a couple of APIs through APIM. Now I am trying to read some diagnostic logs. When I choose APIM -> Logs -> API Management services -> ApiManagementGatewayLogs -> preview data, or fire the query:

ApiManagementGatewayLogs
| where TimeGenerated > ago(24h)
| limit 10

I get:

'where' operator: Failed to resolve table or column expression named 'ApiManagementGatewayLogs' If issue persists, please open a support ticket.

What am I doing wrong? Thanks, Jani

pikkuhanuristi, Nov 12, 2024

Video plugin for Managed Grafana

The video plugin (Video plugin for Grafana | Grafana Labs) is currently unavailable on Azure Managed Grafana. This plugin would be incredibly useful for our dashboards and is very popular on Grafana with 3463106 downloads.

spartin20, Nov 11, 2024

Azure Monitor Alert for low disk space percent and MB

Hello, I am trying to create a KQL query that will alert me if the disk space percentage exceeds a percentage threshold. But I also want the alert to show how much used space and free space is left in MB. I have the below query that shows the percentage. How can I get it to show the used space and free space left in MB? Thank you.

InsightsMetrics
| where Origin == "vm.azm.ms"
| where Namespace == "LogicalDisk" and Name == "FreeSpacePercentage"
| summarize LogicalDiskSpacePercentageFreeAverage = avg(Val) by bin(TimeGenerated, 15m), Computer, _ResourceId

JoseO1335, Nov 11, 2024

Can I use regex in a DCR custom text logfile filepath?

Hi, I have about 50 servers attached to a DCR to collect a custom text log into a Log Analytics workspace custom table. Is it possible, or does anyone have experience with, using a regex filepath in the DCR situation? The logs are in the same format but the paths differ slightly on each server. There are two structures, but they include the server names, so we have 50 different filepaths:

App Server: c:\appserver\logs\<server Fully Qualified Name>\server\*.log
App Portal: c:\appportal\logs\<server Fully Qualified Name>\portal\*.log

When I use static paths it works (there's a limit of 20, by the way). I have tried using the following regex filepath, but nothing comes in:

c:\app(server|portal)\logs\SYS[a-zA-Z0-9]{4}wm[0-9]{2}.domain.net\(server|portal)\*.log

Can someone confirm with me whether I can use regex in the filepath pattern in the DCR Data Source Text log setup? If so, how do I get it to work, please? Am I missing some escapes somewhere? Many thanks in advance.

jt-jt, Nov 07, 2024

Azure Deployment Dashboard (Solved)

Is there a way to build a dashboard view for Deployment status (Active, Successful, Failed) from activity logs across subscriptions on my tenant? I tried the Azure Resource Graph table deploymentresources, but it does not provide who (actor) and when details. Please advise.

kudumum, Nov 04, 2024