User Profile
m_zorich
Iron Contributor
Joined 5 years ago
User Widgets
Recent Discussions
Re: Send email using playbook to office 365 user by retrieving user email address
Senti1905 There is a native Azure AD connector in Logic Apps, so if you map the AAD User Object Id in your entity mapping you can then use that to get the user information such as email address. First retrieve the entities from the incident, then use the connector to grab the user information. Here is a little mock up for you. You can even grab their display name and pass that into the email too if you wanted.Re: Overview of quarantined/blocked files from Defender for Endpoint
Larssen92 There are two parts to the Defender for Endpoint to Sentinel integration, if you enable all the connectors then the telemetry from the devices go into the Device* tables, such as DeviceProcessEvents or DeviceNetworkEvents. If you didn't mean to ingest all those logs you may want to switch it off because it could cost you a lot of money in ingestion. If you want just actual alerts generated from Defender for Endpoint (say when a file is blocked) then you are after the SecurityAlerts table. This will give you a summary of the time the alert was generated, the name of the alert and the device SecurityAlert | where ProviderName == "MDATP" | project TimeGenerated, AlertName, CompromisedEntity If you wanted to retrieve the details of the particular files you need to parse the 'entities' from the alert, take this as an example SecurityAlert | where ProviderName == "MDATP" | extend x = todynamic(Entities) | mv-expand x | parse-where x with * 'Directory":"' FileDirectory '","' * | parse-where x with * '"Name":"' FileName '","' * | project TimeGenerated, AlertName, CompromisedEntity, FileDirectory, FileName Keep in mind that the entities will be different for the different types of alerts, so for an alert where a file was blocked you are interested in the file, but for an alert that say obfuscated PowerShell, you are interested in the command that was run. If you want to get a summary of the types of alerts you are seeing you can start with SecurityAlert | where ProviderName == "MDATP" | summarize count()by AlertNameRe: Cisco Meraki Solution
Yep you are 100% right, sometimes the data connectors are all encompassing and they will deploy whatever is needed for you (often an Azure function, or API connections or whatever else) and sometimes they are really just a guide on how to go and do it manually. The Meraki stuff is especially confusing, having gone and looked at the content hub listing they are basically totally different. Cisco Meraki Data Connector - connects to your devices themselves and retrieves syslog from them Cisco Meraki Solution on the Content Hub - connects to the Cisco Meraki web portal and retrieves information from thereRe: Cisco Meraki Solution
Hey Dean, having a look through that connector you can do things in any order you want. It is just a function to parse syslog. You can forward syslog using the instructions provided in the data connector (which gets you to install the agent onto a linux vm, then send the Meraki syslog to the vm, the vm then sends it to Sentinel), or you can forward it up any number of other ways (using syslog-ng, or another kind of appliance you may already have). Then just install the function to your workspace - https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Parsers/CiscoMeraki/CiscoMeraki.txt You can install the function without having the logs there yetRe: Sharing sentinel logs with another SIEM
Check out this guidance, you can export from Log Analytics to either a storage account or event hub - https://docs.microsoft.com/en-us/azure/azure-monitor/logs/logs-data-export?tabs=portal The cost of the export itself is free, but you will obviously pay charges on either storage or event hub depending on where you send it too.Re: Security Event 4732 and 4733 is missing details
Fatspiderman the best way is to join the membersid property from your SecurityEvent to the IdentifyInfo table to return the actual account name (requires UEBA enabled as Clive_Watson notes) SecurityEvent | where EventID in ("4732","4733") | where AccountType <> "Machine" | project TimeGenerated, Activity, GroupName=TargetAccount, UserWhoAdded=Account, MemberSid | join kind=inner( IdentityInfo | where TimeGenerated > ago(21d) | summarize arg_max(TimeGenerated, *) by AccountName ) on $left.MemberSid==$right.AccountSID | project TimeGenerated, Activity, GroupName, UserWhoAdded, UserAdded=AccountNameRe: I need to create a sentinel dynamic list
Yep there are lots of ways to achieve that, I would probably start by looking at what format do your firewalls need that IP information in order to ingest it - do they need json or csv or something like that, or can you push the bad IP addresses and domains directly to the devices using an API? If you just want your firewalls to pick up a csv or json file then you could use Logic Apps to run a KQL query that retrieves all the information from your incidents and then exports that list to a csv/json file somewhere (storage account, s3, whatever makes sense for you)
