User Profile
EtienneFiset
Brass Contributor
Joined 3 years ago
User Widgets
Recent Discussions
Logic app - Escaped Characters and Formatting Problems in KQL Run query and list results V2 action
I’m building a Logic App to detect sign-ins from suspicious IP addresses. The logic includes: Retrieving IPs from incident entities in Microsoft Sentinel. Enriching each IP using an external API. Filtering malicious IPs based on their score and risk level. Storing those IPs in an array variable (MaliciousIPs). Creating a dynamic KQL query to check if any of the malicious IPs were used in sign-ins, using the in~ operator. Problem: When I use a Select and Join action to build the list of IPs (e.g., "ip1", "ip2"), the Logic App automatically escapes the quotes. As a result, the KQL query is built like this: IPAddress in~ ([{"body":"{\"\":\"\\\"X.X.X.X\\\"\"}"}]) Instead of the expected format: IPAddress in~ ("X.X.X.X", "another.ip") This causes a parsing error when the Run Query and List Results V2 action is executed against Log Analytics. ------------------------ Here's the For Each action loop who contain the following issue: Dynamic compose to formulate the KQL query in a concat, since it's containing the dynamic value above : concat('SigninLogs | where TimeGenerated > ago(3d) | where UserPrincipalName == \"',variables('CurrentUPN'),'\" | where IPAddress in~ (',outputs('Join_MaliciousIPs_KQL'),') | project TimeGenerated, IPAddress, DeviceDetail, AppDisplayName, Status') The Current UPN is working as expected, using the same format in a Initialize/Set variable above (Array/String(for IP's)). The rest of the loop : Note: Even if i have a "failed to retrieve" error on the picture don't bother with that, it's just about the dynamic value about the Subscription, I've entered it manually, it's working fine. What I’ve tried: Using concat('\"', item()?['ip'], '\"') inside Select (causes extra escaping). Removing quotes and relying on Logic App formatting (resulted in object wrapping). Flattening the array using a secondary Select to extract only values. Using Compose to debug outputs. Despite these attempts, the query string is always malformed due to extra escaping or nested JSON structure. I would like to know if someone has encountered or have the solution to this annoying problem ? Best regardsRe: Missing details in Azure Activity Logs – MICROSOFT.SECURITYINSIGHTS/ENTITIES/ACTION
Thanks. Unfortunately, I’ve already completed all of these steps, but the data is still strangely missing. I submitted a suggestion in a pull request to Microsoft about it. One interesting thing is that I can see the same activities, but I’m not able to reproduce them manually. I can see all other types of operations triggered by manual actions—just not these ones. It seems like they might be generated automatically…Missing details in Azure Activity Logs – MICROSOFT.SECURITYINSIGHTS/ENTITIES/ACTION
The Azure Activity Logs are crucial for tracking access and actions within Sentinel. However, I’m encountering a significant lack of documentation and clarity regarding some specific operation types. Resources consulted: Audit logs for Microsoft Sentinel Entities API reference – Microsoft Sentinel Operations list – Microsoft Sentinel REST API My issue: I observed unauthorized activity on our Sentinel workspace. The Azure Activity Logs clearly indicate the user involved, the resource, and the operation type: "MICROSOFT.SECURITYINSIGHTS/ENTITIES/ACTION" But that’s it. No detail about what the action was, what entity it targeted, or how it was triggered. This makes auditing extremely difficult. It's clear the person was in Sentinel and perform an activity through it, from search, KQL, logs to find an entity from a KQL query. But, that's all... Strangely, this operation is not even listed in the official Sentinel Operations documentation linked above. My question: Has anyone encountered this and found a way to interpret this operation type properly? Any insight into how to retrieve more meaningful details (action context, target entity, etc.) from these events would be greatly appreciated.How to get the Protection History from a device
Hello, I would like to get the Protection History without the user intervention. I don't understand why is not in the device page in Microsoft 365 Defender initially... I tried to find a way to doing it in the Advanced hunting, but it's new for me, if some one have the command, thanks in advance. I tried with the Live response, but you can only use the CMD(Is it a way to initiate the Live response with Powershell ?) run a powershell script and tried to get the output file, but i got every time the error : Empty file, even if i doing a -outfile with my PP script and tried to get this specific file... Someone can help me please 🙂 ? ThanksDefender console - Disabled Connected to a custom indicator & Connected to a unsanctionned
Updated - November 2024 I have found a way to disabling these annoying alerts. Look for the solution above. Issue: I want to know how I can disable these two following alerts : Disabled Connected to a custom indicator Connected to an unsanctioned blocked app Those alerts type needs to be enabled or disabled on demand, like the other alerts types. Why's that : Description of the workload : When we block(Unsanctioned) an application through Defender for Cloud apps. It creates automatically the indicators to Defender XDR. When someone for example click or go the URL related to the application, the following alerts will be triggered. When an indicator is automatically created through that, it checks the box to generate alert when the indicator is triggered. We would like to automatically uncheck the box or disable to alerts describing. Possible to disable the custom alert in setting ? No. Why ? Explanation : You cannot suppress "custom detection". But, they are categorized as "Informational" and you can suppress severity alert type. Solutions : IMPORTANT: Make sure to create a transform rule to not ingest this alerts in Sentinel. That could increased the Resolved incident ingestion and false your SOC optimization reports. The rule is automatically close only the “Informational” alerts with the specified titles. Other Informational alerts with different titles will not be affected. In the Defender XDR setting->Alert tuning->Create this rule: Here's an example: Rule Analysis From the updated rule configuration screenshot, it appears that you’ve set up a filter in the AND condition to only automatically close Informational alerts that do not match specific alert titles (e.g., “Malware was detected in an email message,” “unwanted software,” “malware,” “trojan”). This approach should ensure that the rule closes all Informational alerts except those that contain these specified titles. Here’s a breakdown of how it’s working: 1. Severity Filtering: By setting Alert severity to Informational, only Informational alerts are considered. 2. Title Exclusion: Adding Not equals conditions for each title you want to exclude prevents this rule from affecting those specific alerts. So, any Informational alert with a title that does not match the specified exclusions will be automatically closed. This setup should effectively allow you to close all unwanted Informational alerts while retaining visibility on any malware or security-related Informational alerts that require further review. Regards,Zapped - AIR investigation failed
Hello, We had some AIR related to zapped malicious email, but all the steps in the investigation log are failed. And I don't find any way to restarting it or what I can do to fix it ? Note : I know i can go in threat explorer and create a manual remediation/investigation. But after 10 AIR failed like that, i suppose that this functionality has an issue and need to be fixed. The automated zero-hour purge is important. ThanksRe: Enable RDP to take remote of Intune managed devices, Firewall blocking the connection
GerardoHernandez Hey guys, we fixed our issue with the create of a new group to apply for a new Defender firewall policy accepted this : "The firewall allows RDP connection only with the private network or with the same domain via NTLMv2 authentication." So need to turn on 2 profile through firewall as private network and domain accepting the outbound connection through NTLMv2 or your own config.
