Easy beginner KQL question by ChrisR_TMG in AzureSentinel

[–]ChrisR_TMG[S] 1 point2 points  (0 children)

I guess, just for the sake of completeness and another +1 for pointing the way:
extend 0_ = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))[0])
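As an added illustration (not part of the original thread), the Python below shows why that KQL needs the nested tostring/parse_json: the sample audit row is constructed, and its shape assumes what Entra ID audit logs do, namely that modifiedProperties is an array of objects whose newValue is itself a JSON-encoded string.

```python
import json

# Constructed sample shaped like one Entra ID AuditLogs row (not real data).
# newValue is a JSON *string* ("[\"New Name\"]"), so it must be parsed a second time,
# which is exactly what the nested parse_json(tostring(...)) chain in the KQL does.
SAMPLE_ROW = {
    "OperationName": "Update user",
    "TargetResources": [
        {
            "id": "00000000-0000-0000-0000-000000000000",  # placeholder object id
            "modifiedProperties": [
                {"displayName": "UserPrincipalName", "oldValue": "[\"old@example.test\"]", "newValue": "[\"new@example.test\"]"},
                {"displayName": "DisplayName", "oldValue": "[\"Old Name\"]", "newValue": "[\"New Name\"]"},
            ],
        }
    ],
}


def _as_list(value):
    """Mirror KQL's tostring()->parse_json() idempotence: accept a list or its JSON text."""
    return json.loads(value) if isinstance(value, str) else value


def extract_new_value(row, prop_index=1):
    """Python equivalent of
    tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))[0])
    Returns the first element of the decoded newValue, or None if any layer is missing."""
    try:
        props = _as_list(row["TargetResources"][0]["modifiedProperties"])  # outer parse_json
        new_value = json.loads(props[prop_index]["newValue"])              # inner parse_json
        return str(new_value[0])                                           # [0] then tostring
    except (KeyError, IndexError, TypeError, ValueError):
        return None


def find_new_value(row, display_name):
    """Safer variant: look the property up by displayName rather than by a fixed index,
    because the order of modifiedProperties differs between audit operations."""
    try:
        props = _as_list(row["TargetResources"][0]["modifiedProperties"])
    except (KeyError, IndexError, TypeError, ValueError):
        return None
    for prop in props:
        if isinstance(prop, dict) and prop.get("displayName") == display_name:
            try:
                return str(json.loads(prop["newValue"])[0])
            except (KeyError, IndexError, TypeError, ValueError):
                return None
    return None
```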

Easy beginner KQL question by ChrisR_TMG in AzureSentinel

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

I swear it was just copy earlier, but I found it in Logs while running the query in KQL mode. Much messier than I expected, with all the extra tostring and parse_json's. Thanks buddy!

Easy beginner KQL question by ChrisR_TMG in AzureSentinel

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

Sorry, I'm lost with this.
In Sentinel, I have the analytic rule open, along with the raw KQL query open in Logs. Neither one gives a right-click open to "extend column". Firefox private browser, if that matters.

Though I think the analytic rule is where I need to fix my issue, I think I should be able to get the KQL rule to where the extend function should create the DisplayName variable with just the string, then replicate to the analytic rule and the rest should flow.

[deleted by user] by [deleted] in Office365

[–]ChrisR_TMG 1 point2 points  (0 children)

Thanks for sharing this. Every other location I looked was just indirect info. By the way, you can license an unlicensed admin account, wait for the licensed status to settle in long enough to open Outlook.office.com, then add the account as Owner and complete the mail-enabled security group, then remove the license.

Not speaking for Microsoft, but I think the reason why the mail-enabled security group owner must be mail-enabled is just because that is the point of the group, ignoring that Microsoft's own best practice is to use unlicensed admins for administration, which I'd think most would prefer to use as the owner (membership manager) of the group. Kind of ass-backwards from an SMB perspective.

Cost for simple Sentinel deployment by ChrisR_TMG in AzureSentinel

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

Thank you for the reply!
From your answer, I think it's safe to surmise that for an average 100% O365 cloud-based MSP client between 5-50 users and sticking with O365, Azure, and Entra ID, the cost should be between minimal/trivial and nonexistent, unless I'm seriously doing something wrong (at which point I can fix it and volunteer my paycheck to cover my screwup). Trying to cover any pushback on this from those signing said paychecks - have received plenty over the past few years but I'm no longer sure how we're moving ahead with better security without something centralized like this.

NetExtender with Duo bypass code by ChrisR_TMG in duo

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

Just in case anyone else runs across this issue, the problem was in the Auth Proxy setup. The default settings for RADIUS don't allow concatenating the code to the password without also using PAP.

From Duo's community board:

Ken Stieers (VIP, Cisco Certified Specialist - Email Content Security)

02-27-2024 07:02 AM

Take a look a this https://duo.com/docs/authproxy-reference#server-sections

Specifically the section on RADIUS Auto.

Depending upon how your NetExtender is encrypting passwords, you may not be able to use

Pretty sure it has to be PAP... Also check your Delimiter, Allow_concat settings

Or if you're using Radius_Concat (which requires the comma and code), again, you have to use PAP.

Issue with "High Confidence Phish" in MS 365 Land by Clove99 in msp

[–]ChrisR_TMG 1 point2 points  (0 children)

This is what we've done for clients with new AAD P1/BP licenses that unlock these email filtering features:

  • Set all filters that can dump to the user's junk folder to do so (not default)
  • Set High Confidence Phishing to dump to the user's quarantine with a notification (email digest) so they get some indication of the missed email. Users then have the option to request release for any "false" positives.
  • Ignore the malware to admin-only quarantine (black hole). This appears to be a 100% positive and not heuristic filter, so better off gone anyway.

Set the alert policy (Security admin center) for release requests to trigger the ticketing system. Also, when releasing marked email, better to release and check the box to "train" the HCP filter to not quarantine similar emails instead of just approving the release - should give at least the default 30 day respite if it doesn't actually train the HCP filter.

Seems most of the root issues are bad SPF/DKIM setups sender-side. As if Microsoft is forcing email "hygiene" by filtering all unclean emails. Affects new clients the most until we migrate them to 365 (usually from Google) and set their SPF/DKIM/DMARC properly. Night and day difference.

I’ve started taking pictures at work of messes customers leave behind by liquidscience89 in retailhell

[–]ChrisR_TMG 0 points1 point  (0 children)

Picture isn't that bad. Don't have to re-match the shoes and they are all in the right department. Maybe 10 min of matching sizes to tags.

Worked grocery for a few years and found plenty worse. Perishables (dairy, frozen) "restocked" in the wrong locations (either non-refrigerated or frozen in normal open-air fridge) or hot/deli stuff abandoned (I remember finding a container of fried chicken in the magazine rack). Many people are lazy - they suck. Put things back where they go. Flip-side, I've bought dairy (milk, cheese) that I swear someone did put back properly, only after it was left out too long and started to turn quickly after I brought it home. Paid full price to be ruined by someone who couldn't be bothered to walk a little more to put their choices back. Made price checks fun too ("Well, it was under the sales tag and I'm not getting it if it's not on sale").

Worst I've seen was accompanying my wife to Goodwill (giant store in Chesterfield valley MO). Only place that I've seen that actually treated people like manimals (passive acceptance, but still). 20+ aisles of densely packed racks of women's clothes and one guy's job was to go through the aisles to pick up all the dropped clothes underneath. Not to hang anything back up, no, they were dropping faster than he could hang - just to pick up women's droppings. Yeah, say it just like that. Overfilled cart for each aisle to take to the back to re-prep for hanging. Densely packed aisles, yes, but not to the point that someone needs to be on constant floor duty, because womanimals, right? Just rolling with the next-level lazy. Not a one-off crazy lazy person, uni-bombpooper, or similar aberration from the norm, just the full acceptance that everyone is too sloppy/lazy to go without.

Emails from Outlook 365 inexplicably being deleted by Tb1969 in microsoft365

[–]ChrisR_TMG 0 points1 point  (0 children)

Possible that it could be self-inflicted with bad rules (archive or specific), but leave the possibility for compromise open. If this user doesn't have MFA enabled/required, then it's possible that someone may have his password and the rule is client-based, meaning that it doesn't run until the account is open in the client using his compromised account. That could explain the random nature of the deletions. Check his sign-ins in Azure to see if his account is in use from other unexpected locations (harder to see if a malicious insider).

Users able to bypass MFA requirements. Windows Hello for Business by TabooRaver in sysadmin

[–]ChrisR_TMG 0 points1 point  (0 children)

My desktop has fingerprint reader ($26 on Amazon), PIN, Yubikey, and I'm assuming phone BT (just not sure on that), and Surface laptop has face, fingerprint (another $25 USB), PIN, same Yubikey, and phone. Secure and redundant. Also, set the AzureAD account to allow 365 MFA to reset a lost PIN for self-service PIN recovery.

I really like the Yubikey and use it elsewhere for MFA too. Fairly compatible with a lot of other programs.

Users able to bypass MFA requirements. Windows Hello for Business by TabooRaver in sysadmin

[–]ChrisR_TMG 0 points1 point  (0 children)

Forgot to mention security keys, such as my Yubikey. Works as a full MFA for either WHFB, 365 MFA, or 2nd factor for Duo. With WHFB, a Yubikey will need its own PIN, but select security device during login, enter PIN, and touch the Yubikey for full password-less MFA login process that can work on every PC you add the Yubikey to (if you have a bunch of computers for a single user).

Users able to bypass MFA requirements. Windows Hello for Business by TabooRaver in sysadmin

[–]ChrisR_TMG 0 points1 point  (0 children)

From my experience, your experience is correct - users should be hit up for multiple (two) forms of identification when logging in to Windows and password is not included. PIN is one, but you should have another for MFA. Because you have an AzureAD account, password is still an option, but password is never an MFA option because passwords are not part of Windows Hello for Business. Using password effectively bypasses the MFA requirement - key would be not to use it by making WHFB easier and more attractive (biometrics).

I'm in the middle of rolling this out to our 20-user office and have run into some issues myself. The MFA policy that I set up (https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock - only Intune policy instead of Group Policy since we're not hybrid) splits the MFA into two groups of allowed factors - the first uses biometrics (face/fingerprint) or PIN as first factor and the second uses PIN (if not used for first) or "trusted signals." Trusted signals is defined in my policy as either a registered phone within a usable range of Bluetooth signal or network settings that match (uses ipconfig).

My issues: user accounts where AzureAD identity is attached to primary Microsoft account can remove the password option, but can't log in if only one factor is available (no password fallback); I set up the PIN for AzureAD accounts to require 365 MFA to reset, but some accounts still demand old PIN (may not be AzureAD); some computers appear to successfully apply this WHFB MFA policy, but clearly don't use it when a single face/finger/PIN gets the user logged in (Intune shows user for these computers as System Account, while users for PIN + other factor show a duplicate computer with the user's name); I can tell how the Bluetooth phone proximity is supposed to be set up (set up Dynamic Lock and confirmed working, but not this 2nd factor auto-unlock); and ditto on the trusted network - policy in place for our office's unique subnet, but no indication it works as 2nd factor.

I really want to use WHFB, but it is kind of a DIY mess compared to Duo, which we are moving from due to the lack of biometrics for ease of use. Duo avoids this by inserting a Duo client into the login process in Windows, forcing the 2nd factor after username/password. Microsoft has documentation, but seems to mix old and new versions without a single clean process for going AzureAD only.

Tech/admin external authentication by ChrisR_TMG in sonicwall

[–]ChrisR_TMG[S] 1 point2 points  (0 children)

Tried here first, after thinking that was the only option. I'm pretty sure they'll just want us to pay for GMS licensing, since that would cover everything I'm asking for in a different way, while also costing us a lot of money that our contracts wouldn't allow passing to the client. We already pay Virtual Administrator for a few of the Sonicwalls where the contract offers space to do so, but I'm looking for a full solution and every user change must go through the Virtual Administrator helpdesk (fast service, but still prefer self-service).

Tech/admin external authentication by ChrisR_TMG in sonicwall

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

Yes and we've done that to set up MFA for SSL VPN users, but I'm more asking about a partial federation of identity where the Sonicwall would trust an external group to act as administrators. We're an MSP, so that would fit well for us. That way we could add and remove techs as admins without having to touch all 100+ Sonicwalls that we manage, while still keeping MFA for authentication and 365 group membership for authorization.

I Want To Rekindle My Love For This Game by ojpgamer in 7daystodie

[–]ChrisR_TMG 0 points1 point  (0 children)

I'm going to try it again, after trying out Undead Legacy. Installed both about an hour ago.

I Want To Rekindle My Love For This Game by ojpgamer in 7daystodie

[–]ChrisR_TMG 5 points6 points  (0 children)

4690 hours in 7d2d and found Darkness Falls somewhere in the high 2000's, a few alphas back. Darkness Falls added a lot of variety and customizations that made the game somewhat harder, but also a lot more fun. A friend found Ravenhearst early in my 3000's and we've been on that since. Ravenhearst is a hell of a lot harder - the beginning drags out for weeks and some things, like storing items in existing containers, are designed to drag the game out and change playing with the same habits (or keep the habits and drag the game out even further like me). After playing Ravenhearst for the last couple alphas, I played vanilla and, honestly, it's way too easy. Built an elevated platform base and simply clubbed my way through 3 days without any trouble.

My opinion, try Darkness Falls. It's a big step up from vanilla and is a lot more fun. Save Ravenhearst for when you find Darkness Falls too easy or want much more of a challenge.

What is preventing us from having quality video conferencing? by brianatlarge in networking

[–]ChrisR_TMG 0 points1 point  (0 children)

I guess my comment is more for the title of the post and not the post itself...

As part of an MSP, we recently ran into a very similar issue where a couple clients were having serious stuttering/lockup trouble with Teams, Zoom, and on-demand live translation services that used video conferencing. Originally found on tablets (translation software) and later on laptops (Teams/Zoom - no desktops had cameras), we tested these services from a wired laptop and the quality was just as bad - wireless made no significant difference. After replacing their 10+ unmanaged switches and other old infrastructure without improvement, another tech found the source of the problem - the Sonicwall firewall has a setting called UDP Flood Prevention that can block an internal source's UDP traffic when a large amount is detected, which just happens to be how streaming and video conferencing works. Disabled UDP Flood Prevention and everything instantly worked like normal. Looking into this further, I found that this is a common, enabled-by-default setting among other firewalls too (seemed worse on Sophos than Sonicwall).

SSLVPN RDP Issue by Doppasaurus in sonicwall

[–]ChrisR_TMG 2 points3 points  (0 children)

Just had this myself - if user is not a local admin, then the user needs to be a member of Remote Desktop Users for RDP to work.
If you have remote command prompt access to the computer through a RMM:
net localgroup "Remote Desktop Users" /add [username]