User Profile
jeremyhAUS
Brass Contributor
Joined 4 years ago
Recent Discussions
PIM Groups prevent permanent assignment
Hi, I am designing a PIM implementation and was planning on leveraging PIM groups for most privileged access management scenarios. I created a group and PIM-enabled it and configured the settings to prevent permanent assignment. However, I find I can still assign permanent members via the normal Entra ID Groups section where you add members to a normal group. Then when I check the PIM section I see a permanent assignment. Is there a way of preventing this? Cheers, Jeremy.
Unable to add AzureAD member to Remote Desktop Users group despite meeting pre-reqs
Hello Hive Mind, I've been trying to pilot the settings described here: https://learn.microsoft.com/en-us/windows/client-management/client-tools/connect-to-remote-aadj-pc I have built a Windows Server 2022 Azure VM which is hybrid joined (although the ultimate target will be on-premises devices that are hybrid joined) and tried to add the requisite members to the local Remote Desktop Users group, but keep getting the "No such global user or group" message when using the instructions in the linked article. I've tried it with a Domain Admin and a local Admin. I've also tried adding the user's AAD SID, which does work; however I was not able to RDP in as that user. Can anyone suggest a remedy or way to troubleshoot? Cheers, Jeremy.
Re: Sigma rules into content gallery
Clive_Watson I finally got this working as a sort of prototype. Gotchas are:
1. If the rule you put in is malformed in some ways then it can result in ALL templates being missing from the Sentinel Web GUI. They are there, just invisible. In my case I had forgotten the -depth parameter to my ConvertTo-Json for the API payload.
2. When you use the API to delete the offending Template which has broken everything, it gives you a 404, even when it successfully deletes the Template. Luckily after that everything reappeared.
3. The doco is woeful and I couldn't find anyone having used this API in all my googling. For example, properties.lastPublishDate is listed as a string, but it won't accept 2022/02/12, but will accept 2022-02-12. So clearly there is some input validation going on.
4. Speaking of input validation: it is very hit and miss. If you mess up anything in the embedded ARM template, the API just accepts it with a 200, but the resulting template can screw everything up (see 1 above), or just be missing (note to self: Scheduled != Scheuled).
5. Obviously you are limited to the detections that there is a working sigma backend for, but there are over 2000+ rules available which should work at https://github.com/SigmaHQ/sigma/tree/master/rules/windows
Sigma rules into content gallery
Hello Community! I have been trying to work out a nice way to convert the sigma rules available here: https://github.com/SigmaHQ/sigma/tree/master/rules, which are compatible with https://github.com/AttackIQ/pySigma-backend-microsoft365defender, into analytic rules in Sentinel. After thinking it through for a while, it seems a much more sensible approach to convert these into rule templates. However it seems that the only way to get rule templates in is via the content gallery. Is that correct? Before I embark on contributing a large pack of analytic rule templates it makes me wonder why this hasn't been done already by someone more capable and enthusiastic than I am, but I can't find much in the way of this. It seems like all the pieces are there, so surely I can't be the first one to have this thought. Can anyone point me to something I am missing? Cheers, Jeremy.
Re: Capturing a single transaction in KQL
Hi andersbe, thanks for your reply. That is essentially what I have done by binning them in 15 minute buckets. The syslog messages all have different timestamps, so by using bin(TimeGenerated,15m) it is collating them by bin then TRNID. Unfortunately sometimes the first event is at, say, 15:57 and the last one is at 16:02 and so the whole transaction gets split across two bins. What I would really like is the Splunk "transaction" feature which had a "maxspan" parameter that allows you to specify the maximum timespan between the first event and the last event.
Capturing a single transaction in KQL
Hi, I've got a log coming in which has a transaction ID in it and I'd like to gather the logs into a single event based on the ID. Unfortunately these IDs are recycled after a short while, probably within the same day. I was using the make_set aggregation function and trying to tune the maxsize parameter, but there is no single value I can give this which gives me perfect results. I have ended up with the query below, which is almost perfect, but if the transaction crosses the time bin I have specified then it gets split in two. Is there a better way to do this?

    Syslog
    | where Facility =~ "mail"
    | extend TRNID = extract("TRNID (\\d+)", 1, SyslogMessage)
    | project TimeGenerated, TRNID, SyslogMessage
    | summarize events=make_set(SyslogMessage, 150) by TRNID, bin(TimeGenerated, 15m)
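An added example (not from the thread) of the closest KQL equivalent to Splunk's transaction maxspan that the two posts above describe: row_window_session() starts a new window when the elapsed time since the window's first event exceeds the maxspan, when two neighbouring events are too far apart, or when the TRNID changes, so a transaction straddling 16:00 stays whole and a recycled ID reused later becomes a separate row. The Syslog table is replaced by constructed sample rows.

```kusto
// Constructed sample in place of the real Syslog table: transaction 101 straddles
// the 16:00 boundary, and ID 102 is recycled two hours after its first use.
let Syslog = datatable(TimeGenerated:datetime, Facility:string, SyslogMessage:string) [
    datetime(2022-02-12 15:57:10), "mail", "TRNID 101 client connected",
    datetime(2022-02-12 15:58:40), "mail", "TRNID 101 MAIL FROM accepted",
    datetime(2022-02-12 16:02:05), "mail", "TRNID 101 message queued",
    datetime(2022-02-12 16:10:00), "mail", "TRNID 102 client connected",
    datetime(2022-02-12 16:10:30), "mail", "TRNID 102 message queued",
    datetime(2022-02-12 18:20:00), "mail", "TRNID 102 client connected",  // ID recycled
    datetime(2022-02-12 18:21:00), "mail", "TRNID 102 message queued",
    datetime(2022-02-12 16:03:00), "auth", "unrelated facility, filtered out"
];
Syslog
| where Facility =~ "mail"
| extend TRNID = extract("TRNID (\\d+)", 1, SyslogMessage)
| where isnotempty(TRNID)
// row_window_session() needs serialized input: order by ID, then time, so each
// ID's events are contiguous and chronological.
| sort by TRNID asc, TimeGenerated asc
// Window restarts when >15m has passed since the window's first event (the
// maxspan), when neighbouring events are >5m apart, or when the TRNID changes.
| extend TxStart = row_window_session(TimeGenerated, 15m, 5m, TRNID != prev(TRNID))
| summarize events = make_list(SyslogMessage, 150),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            EventCount = count()
    by TRNID, TxStart
| extend Duration = LastSeen - FirstSeen
| order by TxStart asc
```

With the sample data this yields three rows: one for 101 (15:57:10 to 16:02:05) and two for 102, because the reuse at 18:20 is beyond both gap limits and is correctly treated as a new transaction.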
Resolving SIDs for non-user objects (e.g. Groups)
Hi, For many Windows Security Auditing events (and WEF events) SIDs for users and groups (and attribute GUIDs) are not resolved. Yet for events like 4624/4625 these fields are resolved to human readable values despite the fact that the values for these fields are still unresolved SIDs in the XML event representation on the source machine. What process is resolving these SIDs and making the events human readable for some events but not others, such as 4627? I know that if I have UEBA turned on I can use the IdentityInfo table to resolve user SIDs, but what about Group, or other object SIDs? Am I left to create my own fact table for this?
Audit Role Changes in 365 Defender
Hi, I am trying to track down who created a custom role in the Roles section of the M365 Defender portal. Can anyone point to where this is audited? I've searched in the Audit section of a Developer tenant I am playing with but haven't come up with anything yet. Ideally I'd like the audit logs for this forwarded to Sentinel, but can't find any documentation about what table they might end up in or what connector I would need to enable to make this happen.
Re: Perform a lookup on each value in array
It seems like I have an answer to my own question, but it only lets me pack up one field. If I wanted to keep the GUIDs and the UserName I don't have a solution for this.

    let FactTable=datatable(Rule:string,IncludeUsers:string) [
        "Allow Rule", '["b152239e-e443-4fdd-b989-caae6a46b34f","0366ea79-ca58-4207-9d01-945d9b36c0ca"]',
        "Deny Rule", '["f569275d-a42c-4282-b41f-fff90eb960cb"]'
    ];
    let DimTable=datatable(userGuid:string,UserName:string) [
        "b152239e-e443-4fdd-b989-caae6a46b34f", "Bob",
        "0366ea79-ca58-4207-9d01-945d9b36c0ca", "Alice",
        "f569275d-a42c-4282-b41f-fff90eb960cb", "Eve"
    ];
    FactTable
    | extend innerJson=todynamic(IncludeUsers)
    | project-away IncludeUsers
    | mv-expand innerJson to typeof(string)
    | lookup kind=leftouter DimTable on $left.innerJson==$right.userGuid
    | summarize Users=make_set(UserName) by Rule

Anyone got a solution for this? And while this works in this very simple example, my real data is much messier and has multiple instances of GUIDs I'd like to replace in records with human readable names.
Re: Perform a lookup on each value in array
Clive_Watson When using mv-expand it duplicates 1 event into many events which allows me to do the lookup simply. After that I want to collapse the duplicated events back into a single event. I'll have to read up what pack_all() does.
Perform a lookup on each value in array
I have been experimenting with exporting conditional access policies to LA for historical reporting purposes. Each policy has a number of attributes which have arrays of zero or more members containing GUIDs, such as included/excluded users and groups. I have created some additional tables which will allow me to enrich the data with the user or group display name, however I am having trouble working out the best syntax to achieve this. The pseudocode would read like this: For each guid in the attribute, add a second field with the display name of that guid. So far the best I have been able to do is mv-expand the fact data, then do the lookup. I now have the extra field that I want, but now I want to zip the events back up again and am not sure how. If only I could get the lookup command to work inside the mv-apply command, but I can't work that out. Here is an example:

    let FactTable=datatable(Rule:string,IncludeUsers:string) [
        "Allow Rule", '["b152239e-e443-4fdd-b989-caae6a46b34f","0366ea79-ca58-4207-9d01-945d9b36c0ca"]',
        "Deny Rule", '["f569275d-a42c-4282-b41f-fff90eb960cb"]'
    ];
    let DimTable=datatable(userGuid:string,UserName:string) [
        "b152239e-e443-4fdd-b989-caae6a46b34f", "Bob",
        "0366ea79-ca58-4207-9d01-945d9b36c0ca", "Alice",
        "f569275d-a42c-4282-b41f-fff90eb960cb", "Eve"
    ];
    FactTable
    | extend innerJson=todynamic(IncludeUsers)
    | project-away IncludeUsers
    | mv-expand innerJson to typeof(string)
    | lookup kind=leftouter DimTable on $left.innerJson==$right.userGuid

Is there a better way of doing this? If not, how do I recombine the events again afterwards?
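An added example (not from the thread) that recombines the mv-expanded rows while keeping both the GUID and the resolved name, which is what the self-answer above could not do: each expanded row is folded into a property bag with bag_pack() and make_list() rebuilds one array per rule. The tables are the constructed ones from the post, plus one GUID with no DimTable row so that an unresolved (deleted or orphaned) identity in a policy is surfaced rather than silently dropped.

```kusto
// Same constructed FactTable/DimTable as the post; the all-zero GUID is added
// deliberately and has no matching row in DimTable.
let FactTable = datatable(Rule:string, IncludeUsers:string) [
    "Allow Rule", '["b152239e-e443-4fdd-b989-caae6a46b34f","0366ea79-ca58-4207-9d01-945d9b36c0ca"]',
    "Deny Rule",  '["f569275d-a42c-4282-b41f-fff90eb960cb","00000000-0000-0000-0000-000000000000"]'
];
let DimTable = datatable(userGuid:string, UserName:string) [
    "b152239e-e443-4fdd-b989-caae6a46b34f", "Bob",
    "0366ea79-ca58-4207-9d01-945d9b36c0ca", "Alice",
    "f569275d-a42c-4282-b41f-fff90eb960cb", "Eve"
];
FactTable
// Name the expanded column the same as the dimension key so lookup can join on it.
| extend userGuid = todynamic(IncludeUsers)
| mv-expand userGuid to typeof(string)
| lookup kind=leftouter DimTable on userGuid
// A leftouter lookup leaves UserName empty when nothing matched; label it so a
// stale GUID in a policy stands out instead of vanishing in the aggregate.
| extend UserName = iff(isempty(UserName), "<unresolved>", UserName)
// Fold each row back into one {userGuid, UserName} object, then one array per rule.
| summarize IncludeUsers = make_list(bag_pack("userGuid", userGuid, "UserName", UserName)),
            Unresolved = countif(UserName == "<unresolved>")
    by Rule
| order by Rule asc
```

The result is one row per rule with IncludeUsers as an array of objects (for "Deny Rule": Eve plus one "<unresolved>" entry and Unresolved == 1); the same pattern applies per attribute column for the excluded-users and group arrays in the real export.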