User Profile
wootts
Iron Contributor
Joined 6 years ago
Recent Discussions
Last used software - 30 days
Hi All, I am trying to find a way to get a list of devices that have not used a particular piece of software in the last (by example 30 days) .. recommendations in the main lists X amount of users have not used this particular software .. but how do I get that list / query that to get a list of software, when last used (not last seen on device) ... any thoughts welcome .. If it could also bring back paths to where loaded that would be helpful.... tks
TVM - Exposure Score
Hey all - hope all well. Potential stupid question - but here goes. The exposure score is currently derived from the device groups and as such can be used to track exposure baselines as it goes up / down as per (yesterday Patch Tuesday by example) .... however, is there a way of getting an exposure score for a certain number of assets that do not sit in a specific device group, ie - overall exposure score for a set number of devices that form part of a bigger batch in one device group (by example only) or from tags that have been applied to certain devices. If not - what are the exact numbers on each device that are used to then average that score when all added into a device group. tks in advance
TVM Reporting
Hi All, I am wanting to increase the information that comes from the TVM module within Defender. Whilst I appreciate the reports are present, I want to be able to "by example only" push out on a regular basis vulnerabilities that were "first seen" on a particular date and from there set a plan to remediate - ie critical vulnerabilities being from first seen + 30 days. Further to this, whilst I can run a KQL query in hunting to look for vulnerabilities by device group (by example) things like remediation, path, evidence, computer, IP .... trying to get them all in one place is proving a little difficult - hence reaching out to all of you.... any thoughts all.... Mark
Device Groups assignment (defender)
Morning all, QQ - I am wanting to assign devices to a particular group - however the devices do not follow a specific rule that we can automate (due to naming convention). Is there a way to manually add devices to a group or add via tagging etc. I cannot find the answer to this in the previous similar questions so thought as the platform has progressed such a lot there may be a simple fix to this that I am missing. cheers - Mark
Re: TVM Refresh
thanks for the information - will make sure to use this, it is probably something I have missed but having assets that have not as yet updated since 16th December seems odd - so was more wondering on the refresh rate and also when MDE will allow rescanning of assets to see if vulnerabilities have been updated - such as most platforms do...
Disassociate an incorrectly linked set of alerts that form an incident
Morning all, In M365D - when a series of alerts create two distinct incidents - there is clearly a way of adding "linked incidents" to an existing incident - is there a way of Un-Linking or Disassociating an incorrectly linked set of alerts that form an incident. See image attached. many thanks
TVM Refresh
Hi Team, is there a way to force a retest / review of vulnerabilities highlighted during the patching and updating of issues. Whilst I see there is a 4 hour window when the scans are repeated (this is helpful if something is online of course). But with the data containing disconnected hosts and therefore old data it would be good to see what is current and WHAT came is the latest information. This is probably covered elsewhere but could not find it. Tks
Alerts to Incidents
Hi team, I have raised an incident - but whilst I wait for an update - we have M365D connected to Sentinel - this is populating alerts in the SecurityAlert table - but no alerts are being populated in the SecurityIncident table. What would be the probable cause of this ... I suspect something simple but causing some confusion. tks
Re: Automation and Metrics
Cheers Gary - I was hoping to be able to grab the metadata - or similar that is appended to it when updated. Yes there is a closing comment but no tag - but will push that aspect also. Assumption being that will then make it possible to do some stats ....
anomaly detections linked to rules
Hey all, Working on anomaly based detections linked to scheduled rules - ie - using the rules which generated security alerts, thus security incidents, to then do a look up against the anomaly table (blade). Has anyone worked on this ... we have a few ideas but the lack of consistency across the anomaly table compared with the other blades is making it "difficult". We have this as an idea - for account and then one for IP ... any thoughts..... essentially looking to complement security incidents with any information linked to the user / ip etc in an automated way - rather than manual lookup or notebook......

Account lookup:

let mySecurityIncidentTable = SecurityIncident
    | where TimeGenerated > ago(24h)
    | extend myAlertIds = tostring(AlertIds[0])
    | join (SecurityAlert | extend mySystemAlertId = tostring(SystemAlertId)) on $left.myAlertIds == $right.mySystemAlertId;
let Username1Table = mySecurityIncidentTable
    | extend UsernameBase = tostring(split(split(ExtendedProperties, '"User Name":')[1], '"')[1])
    | where isnotempty(UsernameBase)
    | extend Username = iff(UsernameBase contains @"\\", split(UsernameBase, @"\\")[1], UsernameBase);
let Username2Table = mySecurityIncidentTable
    | extend UsernameBase = tostring(split(split(ExtendedProperties, '"Client principal name":')[1], '"')[1])
    | where isnotempty(UsernameBase)
    | extend Username = iff(UsernameBase contains @"\\", split(UsernameBase, @"\\")[1], UsernameBase);
let UsernameTable = Username1Table
    | union Username2Table
    | extend Username = tostring(Username);
let UsernameUPNTable = UsernameTable
    | join IdentityInfo on $left.Username == $right.AccountName;
UsernameUPNTable
    | join (Anomalies | where TimeGenerated > ago(7d)) on $left.AccountUPN == $right.UserPrincipalName

IP lookup:

let mySecurityIncidentTable = SecurityIncident
    | where TimeGenerated > ago(24h)
    | extend myAlertIds = tostring(AlertIds[0])
    | join (SecurityAlert | extend mySystemAlertId = tostring(SystemAlertId)) on $left.myAlertIds == $right.mySystemAlertId;
let IPAddress1Table = mySecurityIncidentTable
    | extend IPAddress = tostring(split(split(ExtendedProperties, 'Client IP address":')[1], '"')[1])
    | where isnotempty(IPAddress);
let IPAddress2Table = mySecurityIncidentTable
    | extend IPAddress = tostring(split(split(ExtendedProperties, 'IP Addresses":')[1], '"')[1])
    | where isnotempty(IPAddress);
let IPAddress3Table = mySecurityIncidentTable
    | extend IPAddress = tostring(split(split(ExtendedProperties, 'Attacker IP":')[1], '"')[1])
    | where isnotempty(IPAddress);
let IPAddress4Table = mySecurityIncidentTable
    | extend IPAddress = tostring(split(split(ExtendedProperties, 'Victim IP":')[1], '"')[1])
    | where isnotempty(IPAddress);
let IPAddressTable = IPAddress1Table
    | union IPAddress2Table, IPAddress3Table, IPAddress4Table
    | extend IPAddress = tostring(IPAddress);
Anomalies
    | extend IPAddress = tostring(Entities[0].Address)
    | join IPAddressTable on IPAddress
Automation and Metrics
Hi All, I am trying (and failing) to look for a way to pull some information that will show (by example) Number of Security Alerts, Number of Security Incidents, and then a pivot that says - X were created but Y were auto closed due to Sentinel automation rules. Is this something someone has already done or considered. tks in advance
Re: Notebook could not be saved error
Hi - I had the exact same issue - and was correctly pointed to it being a browser issue - first of all try and do the same in an alternative browser - and then use the same browser and reset the cookies status - as that is where the problem lay .... cookies and saving ....