SimonR
Brass Contributor
Joined 7 years ago

Recent Discussions
Editing Custom Fields for syslog message extraction
Hi, I am currently creating new custom fields to extract the data from a syslog data source. Having initially set up the three fields I need, I've now found a set of messages that do not parse correctly. How can I update the wizard for the custom field to include this new extraction? Right now the only option I can see is to delete the custom field and start again. This is going to cause me all sorts of problems if we need to check every single possible message from a data source before we create a custom field. Or, alternatively, am I just missing something and there is a much easier way to do this?

AzureAD Signin Logs - ObjectID in Identity field
Hi, I've been looking at the AAD Signin Logs for a few things now and I'm finding an issue where sometimes the Identity and UserPrincipalName fields contain a user's ObjectID rather than their name or UPN. If I resolve the ObjectID it is an active user in my tenant. It appears that all the records that have this issue have an empty array for AuthenticationDetails. Is anyone else seeing this, and how are you handling it for reports/dashboards? I'm being asked why I have GUIDs in my list of active users. I could filter out the records with an ObjectID, but I don't want to do that if they reflect true user activity.

Re: MACS Log Collector on RHEL not receiving logs
Having logged a support ticket and had it bounce around for all the same things listed in that link, we've eventually discovered a corrupt file in the container. Despite redeploying the container multiple times, it appears there was an issue with /etc/rsyslog.d/50-default.conf: it was inaccessible to things like vi and cat and appeared to prevent the rsyslog process from working correctly. Running touch on the file appears to have corrected the issue and we are now seeing the messages file being populated as expected.

Re: API Access for Automation
Yes I did. The issue seems to be with the way Power Automate flows are made available in MDCA: the user that connects to MDCA in the flow trigger has to be the same as the user who wants to be able to see the playbook as an option in the MDCA console. Currently we are using a service account to write and connect the flows until I can get something else working.

API Access for Automation
Hi, I've built a Power Automate flow that reads alerts from MCAS/MDCA, reviews some of the data in the alert and then closes it as benign if the behaviour is expected. It's all working apart from one thing. Currently it is using an API key I generated for the connection to MCAS, so all the alerts are closed in my name. I'm looking for a way to generate an API key for a service principal so that people can see it was closed by automation. Does anyone know if this is possible?

MACS Log Collector on RHEL not receiving logs
Hi, I'm in the process of deploying a new log collector on RHEL 7. I've configured it in the MCAS portal and deployed the Docker container, and I can see it as connected in the console with no data received. Now I've forwarded the logs to the server and I can see them if I run a tcpdump on the RHEL host, but I'm not seeing anything in the container. /var/adallom/syslog/rotated/514/ only contains the config.json file and /var/adallom/discoverylogsbackup is empty. Is there a way I can see if the container is receiving the messages and why it's not processing them?

Re: Windows Server 2019 not using WPAD file
Reza_Ameri, been through this. CrEdge works as expected (it doesn't use WinHTTP to perform WPAD decisions). Weirdly it only appears to be an issue on servers that are promoted to DCs (I think; I need to do some more testing before I am sure).

Windows Server 2019 not using WPAD file
Hi, has anyone seen an issue where IE is configured to autodetect, downloads the WPAD file but then still appears to not use the proxy? I have a Windows 10 machine using CrEdge which works with the same file, and installing Chrome on the server also works fine, so I don't think it's the file. This also appears to affect WinHTTP, so services using that like PowerShell and MDE are also trying to go direct. I've confirmed the DNS name is resolvable and that the file is present. I've also got a Wireshark trace that shows wpad.dat is requested and gets a 200 response with the file I expect.

Managing Defender AV in Passive Mode with MEM
We have just deployed MDATP and are looking at EDR in block mode, but need Defender AV in passive mode and updating for this to work. Can we deploy an Endpoint Protection policy from ConfigMgr with just the Cloud Protection and Security Intelligence updates configured? Right now MDATP is showing the AV as disabled and not updating, which appears to be because of a massively outdated engine and there being no update schedule defined.

Re: Separating Logs for RBAC
SoniaCuff, I have both the LA agent and the Arc agent installed on both a Windows and a Linux box. I've created resource groups to control access to the logs for these servers. When I try and select a scope in Monitor, the resource groups do not appear in the selection list, although others do. Each resource group currently only contains the server with the LA and Arc agents on, and my (possibly incorrect) assumption was that this would allow me to create a boundary for access to the logs each VM is forwarding rather than have everything exposed to the user.

Re: Separating Logs for RBAC
Ofer_Shezaf, thanks for this. I've decided we should definitely use Resource Groups, otherwise I think we are going to end up with a mess to sort out later. I've created a resource group for this, added the Collector VM to it and granted my test user Log Analytics Reader and Workbook Contributor on the group. Now I have what I hope is a really simple issue to resolve. If I use my test user and go to Azure Arc I can see and search logs for that device. However, if I go to Monitor with the same account it prompts me to select a scope, but I can't see anything under the subscription. (I would have thought I would see the resource group and the collector VM under that.) Am I just missing a permission somewhere or have I misunderstood how this will all work? Thanks in advance.

Re: Separating Logs for RBAC
Ofer_Shezaf, thanks for this. I'm just sorting out Arc now. My plan currently is:
1) Install Arc on Collector1 and grant the NetOps group Log Analytics Reader access to the resource in Azure.
2) Push logs via syslog to Collector1.
3) SecOps will be able to query logs via Sentinel along with everything else.
4) NetOps will be able to query logs sent by Collector1 using Azure Monitor, but won't see anything else, for example if we created Collector2 for a different team.
With regards to the access, would you grant the access directly on the resource, or do you think it's better to have a separate resource group for the team so they can add Workbooks they want to create?

Re: Separating Logs for RBAC
Ofer_Shezaf, thanks for this. I'd rather not deploy Logstash if I don't have to; the only reason for a separate table would be if I couldn't split the logs in any other way, but it looks like resource RBAC might work for us. Based on what I've read from your link, I'd need a separate collector VM for each access boundary. For example, if both the firewall and web proxy logs will only be accessed by the Network team then I'll send them via the same Collector VM. Is there a way to set the resource ID on an on-prem collector without using Azure Arc? I'd like to get up and running with this, and while Arc may be a long-term solution for us, if I can test without it that would be great. Simon

Re: When is a configuration profile not a configuration profile?!
So I'm going to try and keep posting my progress with this. So far I've realised I'm better off having multiple configuration profiles rather than one big baseline one. I'm creating one for each Win10 group of settings. For example, I currently have one for Windows10-EndpointProtection-MicrosoftDefenderFirewall and a separate one for Windows10-EndpointProtection-MicrosoftDefenderSmartScreen. I might end up merging some of these in the end, but right now I'm applying each of these to my pilot devices and confirming behaviour before moving on. I'm avoiding Security Baselines completely at the moment; although I'd really like to use them, there are just too many settings in one place with no way to confirm what's going to change. I'd really like to see a monitor mode for security baselines so I can understand what is going to change if I apply one.

Re: When is a configuration profile not a configuration profile?!
neilcarden, thanks for the reply. I think I'm going to stick with configuration profiles until the Endpoint Management options have matured. For example, there's no option to set firewall rules in the current EP Firewall policy. It also looks like the Security baseline might be affecting some settings, as I applied a whole bunch of stuff as part of a rebuild and somehow got stuck with installing store apps only! Back to applying policies one at a time until I can work out what I broke 😞

Separating Logs for RBAC
Hi, I'm in the process of setting up Sentinel with a number of log sources being sent via CEF. It appears that all the logs will go into the CommonSecurityEvents table, which I need to separate out. Ideally I'd like to maintain a single Log Analytics workspace and have separate tables for each source (VPN/Firewall, WebGW etc.) so I can grant each team access to the tables they need to query. Is there a way to have the CEF events from a specific on-prem collector write to a specific table? Or is there a better way to separate out these log sources in the same workspace?

When is a configuration profile not a configuration profile?!
Apologies if this has been asked here before. I'm starting to set up our endpoint security workloads as part of M365 and have found multiple points of crossover in the Intune console where precedence or differentiation isn't clear. For example, you seem to be able to describe BitLocker settings in multiple ways:
1) Create a standard Windows Encryption configuration profile under Devices
2) Create a Device Compliance policy under Devices > Compliance Policies
3) Create a Disk Encryption policy under Endpoint Security > Manage
4) Create a Windows 10 Security Baseline under Endpoint Security > Security Baselines
Am I right in thinking that 1) and 2) are the original workflows for doing 3) and 4), so that any work I start doing now should be done in the Endpoint Security node? Does a compliance policy or security baseline actually affect the settings on a device, or is it just giving you the non-compliant/compliant flag and it's the Disk Encryption and Configuration Profiles that actually change the settings on the device? Finally, has anyone else noticed that when you edit a Disk Encryption policy a bunch of the settings are missing and can't be seen or changed? Thanks in advance.