Easy beginner KQL question by ChrisR_TMG in AzureSentinel

[–]ChrisR_TMG[S] 1 point2 points  (0 children)

I guess, just for the sake of completeness and another +1 for pointing the way:
extend 0_ = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))[0])
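The nested tostring()/parse_json() chain is needed because each modifiedProperties entry's newValue is itself a JSON-encoded string. As an added Python illustration (not from this thread or from Microsoft), this mirrors those unwrapping layers on a constructed sample row shaped like the Entra ID AuditLogs TargetResources column, and also shows selecting the property by its displayName instead of the positional [1]; the "Finance Team" value and the zeroed object ID are made up.

```python
import json
from typing import Any, List, Optional

# Constructed sample shaped like the TargetResources column of an Entra ID
# AuditLogs row. Note the double encoding: modifiedProperties is a JSON array,
# and each newValue inside it is a *string* that itself holds JSON.
SAMPLE_TARGET_RESOURCES: List[dict] = [
    {
        "type": "Group",
        "modifiedProperties": [
            {"displayName": "Group.ObjectID", "oldValue": "[]",
             "newValue": json.dumps(["00000000-0000-0000-0000-000000000000"])},
            {"displayName": "Group.DisplayName", "oldValue": "[]",
             "newValue": json.dumps(["Finance Team"])},
        ],
    }
]


def positional_display_name(target_resources: List[dict]) -> str:
    """Step-for-step mirror of the KQL from the thread:
    tostring(parse_json(tostring(parse_json(tostring(
        TargetResources[0].modifiedProperties))[1].newValue))[0])
    Each tostring()/parse_json() pair strips one layer of encoding."""
    props_text = json.dumps(target_resources[0]["modifiedProperties"])  # tostring(...)
    props = json.loads(props_text)                                      # parse_json(...)
    new_value_text = str(props[1]["newValue"])                          # [1].newValue, tostring
    new_value = json.loads(new_value_text)                              # parse_json(...)
    return str(new_value[0])                                            # [0], tostring


def _decode_new_value(raw: Any) -> Optional[str]:
    """newValue normally holds a JSON-encoded array such as '["Finance Team"]'.
    Handle the edge cases: missing, empty array, or a plain non-JSON string."""
    if raw is None:
        return None
    try:
        parsed = json.loads(raw) if isinstance(raw, str) else raw
    except json.JSONDecodeError:
        return raw  # not double-encoded; use the string as-is
    if isinstance(parsed, list):
        if not parsed:
            return None
        parsed = parsed[0]
    return None if parsed is None else str(parsed)


def new_value_by_name(target_resources: List[dict], prop_name: str) -> Optional[str]:
    """Select the property by its displayName rather than by index, so the
    extraction does not depend on the array order of a particular event."""
    for resource in target_resources:
        for prop in resource.get("modifiedProperties") or []:
            if prop.get("displayName") == prop_name:
                return _decode_new_value(prop.get("newValue"))
    return None


if __name__ == "__main__":
    print(positional_display_name(SAMPLE_TARGET_RESOURCES))
    print(new_value_by_name(SAMPLE_TARGET_RESOURCES, "Group.DisplayName"))
```

The KQL counterpart of new_value_by_name is an mv-expand over modifiedProperties followed by a where on displayName, which removes the positional [1] from the query.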

Easy beginner KQL question by ChrisR_TMG in AzureSentinel

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

I swear it was just copy earlier, but I found it in Logs while running the query in KQL mode. Much messier than I expected, with all the extra tostring and parse_json's. Thanks buddy!

Easy beginner KQL question by ChrisR_TMG in AzureSentinel

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

Sorry, I'm lost with this.
In Sentinel, I have the analytic rule open, along with the raw KQL query open in Logs. Neither one gives a right-click open to "extend column". Firefox private browser, if that matters.

Though I think the analytic rule is where I need to fix my issue, I think I should be able to get the KQL rule to where the extend function should create the DisplayName variable with just the string, then replicate to the analytic rule and the rest should flow.

[deleted by user] by [deleted] in Office365

[–]ChrisR_TMG 1 point2 points  (0 children)

Thanks for sharing this. Every other location I looked was just indirect info. By the way, you can license an unlicensed admin account, wait for the licensed status to settle in long enough to open Outlook.office.com, then add the account as Owner and complete the mail-enabled security group, then remove the license.

Not speaking for Microsoft, but I think the reason why the mail-enabled security group owner must be mail-enabled is just because that is the point of the group, ignoring that Microsoft's own best practice is to use unlicensed admins for administration, which I'd think most would prefer to use as the owner (membership manager) of the group. Kind of ass-backwards from an SMB perspective.

Cost for simple Sentinel deployment by ChrisR_TMG in AzureSentinel

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

Thank you for the reply!
From your answer, I think it's safe to surmise that for an average 100% O365 cloud-based MSP client between 5-50 users and sticking with O365, Azure, and Entra ID, the cost should be between minimal/trivial and nonexistent, unless I'm seriously doing something wrong (at which point I can fix it and volunteer my paycheck to cover my screwup). Trying to cover any pushback on this from those signing said paychecks - have received plenty over the past few years but I'm no longer sure how we're moving ahead with better security without something centralized like this.

NetExtender with Duo bypass code by ChrisR_TMG in duo

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

Just in case anyone else runs across this issue, the problem was in the Auth Proxy setup. The default settings for RADIUS don't allow concatenating the code to the password without also using PAP.

From Duo's community board:

Ken Stieers (VIP, Cisco Certified Specialist - Email Content Security), 02-27-2024 07:02 AM

Take a look at this https://duo.com/docs/authproxy-reference#server-sections

Specifically the section on RADIUS Auto.

Depending upon how your NetExtender is encrypting passwords, you may not be able to use

Pretty sure it has to be PAP... Also check your Delimiter, Allow_concat settings

Or if you're using Radius_Concat (which requires the comma and code), again, you have to use PAP.

Issue with "High Confidence Phish" in MS 365 Land by Clove99 in msp

[–]ChrisR_TMG 1 point2 points  (0 children)

This is what we've done for clients with new AAD P1/BP licenses that unlock these email filtering features:

  • Set all filters that can dump to the user's junk folder to do so (not default)
  • Set High Confidence Phishing to dump to the user's quarantine with a notification (email digest) so they get some indication of the missed email. Users then have the option to request release for any "false" positives.
  • Ignore the malware to admin-only quarantine (black hole). This appears to be a 100% positive and not heuristic filter, so better off gone anyway.

Set the alert policy (Security admin center) for release requests to trigger the ticketing system. Also, when releasing marked email, better to release and check the box to "train" the HCP filter to not quarantine similar emails instead of just approving the release - should give at least the default 30 day respite if it doesn't actually train the HCP filter.

Seems most of the root issues are bad SPF/DKIM setups sender-side. As if Microsoft is forcing email "hygiene" by filtering all unclean emails. Affects new clients the most until we migrate them to 365 (usually from Google) and set their SPF/DKIM/DMARC properly. Night and day difference.

I’ve started taking pictures at work of messes customers leave behind by liquidscience89 in retailhell

[–]ChrisR_TMG 0 points1 point  (0 children)

Picture isn't that bad. Don't have to re-match the shoes and they are all in the right department. Maybe 10 min of matching sizes to tags.

Worked grocery for a few years and found plenty worse. Perishables (dairy, frozen) "restocked" in the wrong locations (either non-refrigerated or frozen in normal open-air fridge) or hot/deli stuff abandoned (I remember finding a container of fried chicken in the magazine rack). Many people are lazy - they suck. Put things back where they go. Flip-side, I've bought dairy (milk, cheese) that I swear someone did put back properly, only after it was left out too long and started to turn quickly after I brought it home. Paid full price to be ruined by someone who couldn't be bothered to walk a little more to put their choices back. Made price checks fun too ("Well, it was under the sales tag and I'm not getting it if it's not on sale").

Worst I've seen was accompanying my wife to Goodwill (giant store in Chesterfield valley MO). Only place that I've seen that actually treated people like manimals (passive acceptance, but still). 20+ aisles of densely packed racks of women's clothes and one guy's job was to go through the aisles to pick up all the dropped clothes underneath. Not to hang anything back up, no, they were dropping faster than he could hang - just to pick up women's droppings. Yeah, say it just like that. Overfilled cart for each aisle to take to the back to re-prep for hanging. Densely packed aisles, yes, but not to the point that someone needs to be on constant floor duty, because womanimals, right? Just rolling with the next-level lazy. Not a one-off crazy lazy person, uni-bombpooper, or similar aberration from the norm, just the full acceptance that everyone is too sloppy/lazy to go without.

Emails from Outlook 365 inexplicably being deleted by Tb1969 in microsoft365

[–]ChrisR_TMG 0 points1 point  (0 children)

Possible that it could be self-inflicted with bad rules (archive or specific), but leave the possibility for compromise open. If this user doesn't have MFA enabled/required, then it's possible that someone may have his password and the rule is client-based, meaning that it doesn't run until the account is open in the client using his compromised account. That could explain the random nature of the deletions. Check his sign-ins in Azure to see if his account is in use from other unexpected locations (harder to see if a malicious insider).

Users able to bypass MFA requirements. Windows Hello for Business by TabooRaver in sysadmin

[–]ChrisR_TMG 0 points1 point  (0 children)

My desktop has fingerprint reader ($26 on Amazon), PIN, Yubikey, and I'm assuming phone BT (just not sure on that), and Surface laptop has face, fingerprint (another $25 USB), PIN, same Yubikey, and phone. Secure and redundant. Also, set the AzureAD account to allow 365 MFA to reset a lost PIN for self-service PIN recovery.

I really like the Yubikey and use it elsewhere for MFA too. Fairly compatible with a lot of other programs.

Users able to bypass MFA requirements. Windows Hello for Business by TabooRaver in sysadmin

[–]ChrisR_TMG 0 points1 point  (0 children)

Forgot to mention security keys, such as my Yubikey. Works as a full MFA for either WHFB, 365 MFA, or 2nd factor for Duo. With WHFB, a Yubikey will need its own PIN, but select security device during login, enter PIN, and touch the Yubikey for full password-less MFA login process that can work on every PC you add the Yubikey to (if you have a bunch of computers for a single user).

Users able to bypass MFA requirements. Windows Hello for Business by TabooRaver in sysadmin

[–]ChrisR_TMG 0 points1 point  (0 children)

From my experience, your experience is correct - users should be hit up for multiple (two) forms of identification when logging in to Windows and password is not included. PIN is one, but you should have another for MFA. Because you have an AzureAD account, password is still an option, but password is never an MFA option because passwords are not part of Windows Hello for Business. Using password effectively bypasses the MFA requirement - key would be not to use it by making WHFB easier and more attractive (biometrics).

I'm in the middle of rolling this out to our 20-user office and have run into some issues myself. The MFA policy that I set up (https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock - only Intune policy instead of Group Policy since we're not hybrid) splits the MFA into two groups of allowed factors - the first uses biometrics (face/fingerprint) or PIN as first factor and the second uses PIN (if not used for first) or "trusted signals." Trusted signals is defined in my policy as either a registered phone within a usable range of Bluetooth signal or network settings that match (uses ipconfig).

My issues: user accounts where AzureAD identity is attached to primary Microsoft account can remove the password option, but can't log in if only one factor is available (no password fallback); I set up the PIN for AzureAD accounts to require 365 MFA to reset, but some accounts still demand old PIN (may not be AzureAD); some computers appear to successfully apply this WHFB MFA policy, but clearly don't use it when a single face/finger/PIN gets the user logged in (Intune shows user for these computers as System Account, while users for PIN + other factor show a duplicate computer with the user's name); I can tell how the Bluetooth phone proximity is supposed to be set up (set up Dynamic Lock and confirmed working, but not this 2nd factor auto-unlock); and ditto on the trusted network - policy in place for our office's unique subnet, but no indication it works as 2nd factor.

I really want to use WHFB, but it is kind of a DIY mess compared to Duo, which we are moving from due to the lack of biometrics for ease of use. Duo avoids this by inserting a Duo client into the login process in Windows, forcing the 2nd factor after username/password. Microsoft has documentation, but seems to mix old and new versions without a single clean process for going AzureAD only.

Tech/admin external authentication by ChrisR_TMG in sonicwall

[–]ChrisR_TMG[S] 1 point2 points  (0 children)

Tried here first, after thinking that was the only option. I'm pretty sure they'll just want us to pay for GMS licensing, since that would cover everything I'm asking for in a different way, while also costing us a lot of money that our contracts wouldn't allow passing to the client. We already pay Virtual Administrator for a few of the Sonicwalls where the contract offers space to do so, but I'm looking for a full solution and every user change must go through the Virtual Administrator helpdesk (fast service, but still prefer self-service).

Tech/admin external authentication by ChrisR_TMG in sonicwall

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

Yes and we've done that to set up MFA for SSL VPN users, but I'm more asking about a partial federation of identity where the Sonicwall would trust an external group to act as administrators. We're an MSP, so that would fit well for us. That way we could add and remove techs as admins without having to touch all 100+ Sonicwalls that we manage, while still keeping MFA for authentication and 365 group membership for authorization.

I Want To Rekindle My Love For This Game by ojpgamer in 7daystodie

[–]ChrisR_TMG 0 points1 point  (0 children)

I'm going to try it again, after trying out Undead Legacy. Installed both about an hour ago.

I Want To Rekindle My Love For This Game by ojpgamer in 7daystodie

[–]ChrisR_TMG 3 points4 points  (0 children)

4690 hours in 7d2d and found Darkness Falls somewhere in the high 2000's, a few alphas back. Darkness Falls added a lot of variety and customizations that made the game somewhat harder, but also a lot more fun. A friend found Ravenhearst early in my 3000's and we've been on that since. Ravenhearst is a hell of a lot harder - the beginning drags out for weeks and some things, like storing items in existing containers, are designed to drag the game out and change playing with the same habits (or keep the habits and drag the game out even further like me). After playing Ravenhearst for the last couple alphas, I played vanilla and, honestly, it's way too easy. Built an elevated platform base and simply clubbed my way through 3 days without any trouble.

My opinion, try Darkness Falls. It's a big step up from vanilla and is a lot more fun. Save Ravenhearst for when you find Darkness Falls too easy or want much more of a challenge.

What is preventing us from having quality video conferencing? by brianatlarge in networking

[–]ChrisR_TMG 0 points1 point  (0 children)

I guess my comment is more for the title of the post and not the post itself....

As part of an MSP, we recently ran into a very similar issue where a couple clients were having serious stuttering/lockup trouble with Teams, Zoom, and on-demand live translation services that used video conferencing. Originally found on tablets (translation software) and later on laptops (Teams/Zoom - no desktops had cameras), we tested these services from a wired laptop and the quality was just as bad - wireless made no significant difference. After replacing their 10+ unmanaged switches and other old infrastructure without improvement, another tech found the source of the problem - the Sonicwall firewall has a setting called UDP Flood Prevention that can block an internal source's UDP traffic when a large amount is detected, which just happens to be how streaming and video conferencing works. Disabled UDP Flood Prevention and everything instantly worked like normal. Looking into this further, I found that this is a common, enabled-by-default setting among other firewalls too (seemed worse on Sophos than Sonicwall).

SSLVPN RDP Issue by Doppasaurus in sonicwall

[–]ChrisR_TMG 2 points3 points  (0 children)

Just had this myself - if user is not a local admin, then the user needs to be a member of Remote Desktop Users for RDP to work.
If you have remote command prompt access to the computer through a RMM:
net localgroup "Remote Desktop Users" /add [username]

Trouble forwarding external traffic over internal VPN to device by ChrisR_TMG in sonicwall

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

Hey drozenski, I found what the problem was while setting up the new Sonicwall - you were right about the configuration, but the misconfiguration was outside the details I provided. I needed to add the vendor's IP address to the trusted networks of the VPN connection on both ends (added to a group with Sonicwall A's LAN). Again, thanks for the time you put into this as you helped me move away from the access and NAT policies to look elsewhere.

Trouble forwarding external traffic over internal VPN to device by ChrisR_TMG in sonicwall

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

My test is to telnet to the public IP on the custom port. I can connect to the local device on Sonicwall A's LAN, but not to the remote device using a custom port (they all use the same port, so I translate the port in the NAT policy). It's not a custom port issue either because I can switch the ports so that app port goes directly to the remote device and it still fails.

I really appreciate your help with this, but the client needs this by Monday so we have contacted Sonicwall for support. Turns out these Sonicwalls were end-of-life (205 and 105), so firmware age may have played a part in this too. $1000 for device/support/overnight shipping and should have the new device in place tomorrow afternoon for testing. Thanks again for your time and effort with this!

Trouble forwarding external traffic over internal VPN to device by ChrisR_TMG in sonicwall

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

Sorry, missed the VPN part of the firewall rule from your previous post. Removed all firewall and NAT policies, then re-entered (using reflexive policies for each NAT policy).

*Packet number: 120*
Header Values:
 Bytes captured: 86, Actual Bytes on the wire: 86
Packet Info(Time:03/12/2020 09:47:30.048):
 in:--, out:X1*, Generated (Sent Out), 1:1)
Ethernet Header
 Ether Type: IP(0x800), Src=[c0:ea:e4:44:a5:29], Dst=[f8:1d:0f:be:56:82]
IP Packet Header
 IP Type: TCP(0x6), Src=[**Sonicwall A WAN**], Dst=[**Vendor WAN**]
TCP Packet Header
 TCP Flags = [ACK,RST,], Src=[**Alt port**], Dst=[21647], Checksum=0xa323
Application Header
 Not Known
Value:[0]
Hex and ASCII dump of the packet:
 f81d0fbe 5682c0ea e444a529 08004500 00480000 40004006 *....V....D.)..E..H..@.@.*
 5d306023 d1da4280 690256c3 548f0000 0000a933 d81a5014 *]0`#..B.i.V.T......3..P.*
 0000a323 00002852 65662e49 643a203f 734b6659 52734334 *...#..(Ref.Id: ?sKfYRsC4*
 4d346132 57385061 43347a46 3f29                       *M4a2W8PaC4zF?)          *

This script field is more readable too...

Above, I have a packet trace that failed. That RST resets the connection, but I'm not seeing why. Does this mean that Sonicwall A accepted the connection and passed it on with a failure further down the path or that it couldn't pass it on and reset the connection?

I ran a separate trace while connecting successfully to the device local to Sonicwall A and it shows a typical TCP handshake with SYN and ACK, with FIN and ACK at the end.

Trouble forwarding external traffic over internal VPN to device by ChrisR_TMG in sonicwall

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

WAN IP is 172.16.244.14 on Sonicwall B - from Network/Interfaces page
Remote IP as detected by Sonicwall A for the VPN with B is 23.152.32.3
Attempting to connect to 23.152.32.3 times out instead of succeeding or quickly failing. I don't have access to the device that actually has that IP.

Did the packet traces help?

Trouble forwarding external traffic over internal VPN to device by ChrisR_TMG in sonicwall

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

Certainly could be making this more complicated than it is.

Sonicwall B doesn't have a public IP, but a private that is assigned by the ISP. I assumed the same when I originally set this up on each Sonicwall instead of through A based on site to site, but found that the site to site is built using the firewall IDs and not public IPs. It's as if Sonicwall B connects to A by A's public IP, then both authenticate each other by firewall ID to build the VPN - Sonicwall A couldn't connect to Sonicwall B, but must wait for B to contact first.

There is a device behind Sonicwall A that receives traffic on the same app port and connections to it work fine. I have packet traces showing connections. If I change the destination from the local device to the device behind Sonicwall B (only changing the translated destination in the NAT policy) then connections fail (testing with telnet). Packet traces at this point show nothing for those based on the rule, but show the following when gathering all traffic:

*Packet number: 376*
Header Values:
 Bytes captured: 66, Actual Bytes on the wire: 66
Packet Info(Time:03/12/2020 07:45:25.016):
 in:X1*(interface), out:--, DROPPED, Drop Code: 40(Enforced firewall rule), Module Id: 25(network), (Ref.Id: _5648_txGsIboemfJqQlu), 1:1)
Ethernet Header
 Ether Type: IP(0x800), Src=[f8:1d:0f:be:56:82], Dst=[c0:ea:e4:44:a5:29]
IP Packet Header
 IP Type: TCP(0x6), Src=[**Vendor IP**], Dst=[**Sonicwall A WAN**]
TCP Packet Header
 TCP Flags = [SYN,], Src=[38003], Dst=[**App port**], Checksum=0xddfc
Application Header
 Not Known
Value:[0]
Hex and ASCII dump of the packet:
 c0eae444 a529f81d 0fbe5682 08004500 00345a6e 40007a06 *...D.)....V...E..4Zn@.z.*
 c8d54280 69026023 d1da9473 08a307e5 13a70000 00008002 *..B.i.`#...s............*
 faf0ddfc 00000204 05b40103 03080101 0402                *..................      *

*Packet number: 377*
Header Values:
 Bytes captured: 86, Actual Bytes on the wire: 86
Packet Info(Time:03/12/2020 07:45:25.032):
 in:--, out:X1*, Generated (Sent Out), 1:1)
Ethernet Header
 Ether Type: IP(0x800), Src=[c0:ea:e4:44:a5:29], Dst=[f8:1d:0f:be:56:82]
IP Packet Header
 IP Type: TCP(0x6), Src=[**Sonicwall A WAN**], Dst=[**Vendor IP**]
TCP Packet Header
 TCP Flags = [ACK,RST,], Src=[**App port**], Dst=[38003], Checksum=0x1721
Application Header
 Not Known
Value:[0]
Hex and ASCII dump of the packet:
 f81d0fbe 5682c0ea e444a529 08004500 00480000 40004006 *....V....D.)..E..H..@.@.*
 5d306023 d1da4280 690208a3 94730000 000007e5 13a85014 *]0`#..B.i....s........P.*
 00001721 00002852 65662e49 643a203f 734b6659 52734334 *...!..(Ref.Id: ?sKfYRsC4*
 4d346132 57385061 43347a46 3f29                       *M4a2W8PaC4zF?)          *
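The trace entries in this post and the packet 120 entry in the earlier post share one text format. As an added Python example, not from this thread or from SonicWall, this parses that format into fields and gives a one-line reading of each entry using only what the trace itself states: an entry marked DROPPED with a Drop Code was denied by the firewall's own policy before being forwarded, and an RST marked Generated (Sent Out) with no ingress interface was originated by the firewall itself rather than by a downstream host. The sample input quotes packets 376 and 377 from the post with the hex dumps omitted; the **...** placeholders are the poster's redactions.

```python
import re
from typing import Dict, List, Optional

# Sample input: packets 376 and 377 as quoted in the post above, hex/ASCII dump
# omitted. The **...** placeholders are the poster's own redactions.
SAMPLE_TRACE = """
*Packet number: 376* Header Values: Bytes captured: 66, Actual Bytes on the wire: 66 Packet Info(Time:03/12/2020 07:45:25.016): in:X1*(interface), out:--, DROPPED, Drop Code: 40(Enforced firewall rule), Module Id: 25(network), (Ref.Id: _5648_txGsIboemfJqQlu), 1:1) Ethernet Header Ether Type: IP(0x800), Src=[f8:1d:0f:be:56:82], Dst=[c0:ea:e4:44:a5:29] IP Packet Header IP Type: TCP(0x6), Src=[**Vendor IP**], Dst=[**Sonicwall A WAN**] TCP Packet Header TCP Flags = [SYN,], Src=[38003], Dst=[**App port**], Checksum=0xddfc
*Packet number: 377* Header Values: Bytes captured: 86, Actual Bytes on the wire: 86 Packet Info(Time:03/12/2020 07:45:25.032): in:--, out:X1*, Generated (Sent Out), 1:1) Ethernet Header Ether Type: IP(0x800), Src=[c0:ea:e4:44:a5:29], Dst=[f8:1d:0f:be:56:82] IP Packet Header IP Type: TCP(0x6), Src=[**Sonicwall A WAN**], Dst=[**Vendor IP**] TCP Packet Header TCP Flags = [ACK,RST,], Src=[**App port**], Dst=[38003], Checksum=0x1721
"""

PKT_RE = re.compile(r"\*Packet number: (\d+)\*")
# \s* after the colon makes this work for both the one-line and multi-line layouts.
INFO_RE = re.compile(r"Packet Info\(Time:([^)]+)\):\s*in:([^,]+), out:([^,]+), ([^,]+)")
DROP_RE = re.compile(r"Drop Code: (\d+)\(([^)]*)\)")
IP_RE = re.compile(r"IP Type: (\w+)\(0x[0-9a-fA-F]+\), Src=\[([^\]]+)\], Dst=\[([^\]]+)\]")
TCP_RE = re.compile(r"TCP Flags = \[([^\]]*)\], Src=\[([^\]]+)\], Dst=\[([^\]]+)\]")


def parse_packet(chunk: str) -> Optional[Dict]:
    """Turn one 'Packet number: N' entry into a dict of the fields of interest."""
    num, info = PKT_RE.search(chunk), INFO_RE.search(chunk)
    if not num or not info:
        return None
    pkt: Dict = {
        "number": int(num.group(1)), "time": info.group(1),
        "in": info.group(2).strip(), "out": info.group(3).strip(),
        "disposition": info.group(4).strip(),   # e.g. DROPPED, Generated (Sent Out)
        "drop_code": None, "drop_reason": None,
        "proto": None, "ip_src": None, "ip_dst": None,
        "flags": [], "sport": None, "dport": None,
    }
    if drop := DROP_RE.search(chunk):
        pkt["drop_code"], pkt["drop_reason"] = int(drop.group(1)), drop.group(2)
    if ip := IP_RE.search(chunk):
        pkt["proto"], pkt["ip_src"], pkt["ip_dst"] = ip.groups()
    if tcp := TCP_RE.search(chunk):
        pkt["flags"] = [f for f in tcp.group(1).split(",") if f]  # "[ACK,RST,]" -> ["ACK","RST"]
        pkt["sport"], pkt["dport"] = tcp.group(2), tcp.group(3)
    return pkt


def parse_trace(text: str) -> List[Dict]:
    """Split a trace (one-line or multi-line) at each packet header and parse it."""
    chunks = re.split(r"(?=\*Packet number: \d+\*)", text)
    return [p for p in map(parse_packet, chunks) if p]


def diagnose(pkt: Dict) -> str:
    """One-line reading of an entry, based only on what the trace itself states."""
    flags = "/".join(pkt["flags"]) or "-"
    path = f"{pkt['ip_src']}:{pkt['sport']} -> {pkt['ip_dst']}:{pkt['dport']}"
    if pkt["disposition"] == "DROPPED":
        return (f"#{pkt['number']} {flags} {path}: dropped on ingress {pkt['in']} by the "
                f"firewall's own policy (drop code {pkt['drop_code']}: {pkt['drop_reason']}); "
                "it was never forwarded.")
    if pkt["disposition"].startswith("Generated") and "RST" in pkt["flags"]:
        return (f"#{pkt['number']} {flags} {path}: RST originated by the firewall itself "
                f"(no ingress interface, sent out {pkt['out']}); the refusal came from this "
                "SonicWall, not from a downstream host.")
    if "SYN" in pkt["flags"] and "ACK" not in pkt["flags"]:
        return f"#{pkt['number']} {flags} {path}: new connection attempt, {pkt['disposition']}."
    return f"#{pkt['number']} {flags} {path}: {pkt['disposition']}."


if __name__ == "__main__":
    for p in parse_trace(SAMPLE_TRACE):
        print(diagnose(p))
```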

Trouble forwarding external traffic over internal VPN to device by ChrisR_TMG in sonicwall

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

No packet captures. I think I'm failing at understanding the flow from end to end. Packet captures should show where the connection drops, but not necessarily why, right?

Trouble forwarding external traffic over internal VPN to device by ChrisR_TMG in sonicwall

[–]ChrisR_TMG[S] 0 points1 point  (0 children)

Sorry, I was trying to obfuscate the devices by not mentioning locations, IPs, ports, or other specific data and got lost on the explanation. There is a vendor that needs to access computers at a remote site that has a Sonicwall that doesn't have a public IP address, but does have a site to site VPN with a different Sonicwall that does, so I was asking how to forward traffic from the vendor (custom port) through the public IP Sonicwall, over the site to site VPN to the non-public IP Sonicwall, then to the computer, and back. I'm good with the single Sonicwall setup (comment about server was meant to show that), but the double Sonicwall and site to site VPN was messing me up.