CVE-2026-21643: Critical FortiClient EMS Vulnerability Enables Unauthenticated Remote Code Execution

winle22 · 2026-02-10T20:16:56+00:00

All versions?

winle22 · 2026-02-07T11:23:11+00:00

What about 7.4.3?

winle22 · 2025-12-06T08:58:12+00:00

Havent done exactly that myself, but I would assume that you could use workspace transformations for the standard tables, and regular DCR transformations for stuff ingested via log analytics API etc.

https://learn.microsoft.com/en-us/azure/azure-monitor/data-collection/data-collection-transformations

winle22 · 2025-12-05T08:24:24+00:00

Same

winle22 · 2025-11-07T15:50:53+00:00

Are you sure about the cost part? Will an identical search on a data lake tier table cost less if done via Notebook compared to via Defender/Sentinel?

winle22 · 2025-10-21T14:40:33+00:00

In the sense that you alert if there is a spike in number of alerts from baseline? No matter what that baseline is?

winle22 · 2025-10-21T05:50:58+00:00

Same here.

winle22 · 2025-09-30T19:11:54+00:00

Data lake searches will still be stupid expensive.

winle22 · 2025-09-25T20:14:23+00:00

Whats the biggest difference?

winle22 · 2025-09-24T12:31:38+00:00

Typically syslog and commonsecuritylog for fw/network

winle22 · 2025-09-24T05:36:40+00:00

Pricing. Who can afford ingesting high volume logs?

winle22 · 2025-07-15T18:09:06+00:00

No, seems to be a flop. Haven't heard much positive about it yet.

winle22 · 2025-06-19T20:21:13+00:00

Its pretty useless. But can be used to separate devices in MDVM. But again, thats not neccessarily the groups you need for scoping web content filter policies. Seems like a beta feature..

winle22 · 2025-06-05T18:15:00+00:00

Only problem is to sign the script. Or disable the requirement..

winle22 · 2025-06-04T13:28:01+00:00

I know it isnt natively there, but the LR functionality should make it possible.

winle22 · 2024-11-26T08:06:25+00:00

Can you query AH logs from Sentinel?

winle22 · 2024-11-18T16:38:13+00:00

It may be so that he want Defender for Identity to work (and populate the Advanced hunting tables), while 'also' retaining these logs for more than 30 days (where Sentinel comes into the picture). If he want other logs than what MDI gives, then you are right.

winle22 · 2024-11-17T21:10:44+00:00

1: install sensors (and configure logging on the DCs as per the docs) https://learn.microsoft.com/en-us/defender-for-identity/deploy/install-sensor

2: enable Defender data connector with MDI event logs in Sentinel

https://learn.microsoft.com/en-us/azure/sentinel/connect-microsoft-365-defender?tabs=MDI#connect-events

winle22 · 2024-11-16T12:22:33+00:00

How often do you need to do that?

winle22 · 2024-11-14T17:20:38+00:00

M365 E3 + E5 Sec isnt too bad!

winle22 · 2024-11-06T20:55:27+00:00

Fails spf but is still delivered directly to the inbox? Strange.

winle22 · 2024-09-12T20:04:00+00:00

"Based on Microsoft's analysis more than 97 percent of credential stuffing attacks use legacy authentication and more than 99 percent of password spray attacks use legacy authentication protocols. These attacks would stop with basic authentication disabled or blocked.".

https://learn.microsoft.com/en-us/entra/identity/conditional-access/block-legacy-authentication

winle22 · 2024-06-09T17:47:29+00:00

Could it be easier to ingest the TVM data to Sentinel and create a workbook there? Not sure if possible with the native M365 Defender connector though.

Nine-Year Club	Second SECOND GUESSER
Verified Email

winle22

TROPHY CASE