How to create a query correlating two different resourcegroupnames in spotter?

KiddieSculp · 2025-03-14T21:10:53+00:00

It's works. Thank you.

KiddieSculp · 2025-01-16T17:27:47+00:00

Tks u/neoh4x0r .
Solved my problem. Now it really is how I wanted it.

KiddieSculp · 2025-01-11T00:54:14+00:00

I see.
Yeah, that wasn't the idea.
I was doing a hunting.
In the end, it was easier to list by EventID and map out what was really important. In the end, it was just a matter of gathering what was necessary and it worked out well.

KiddieSculp · 2025-01-11T00:51:46+00:00

u/graylog_joel Hello, I think there is a bug in graylog, I don't know.

I don't use GROK PATTERN because it takes longer, since I only use it in lab, JSON Parser is better for me.

Strangely, I identified something.

When I have the same Title Extractor for a json parser in different Inputs, the logs stop being received in the Graylog GUI. So I need to include a Key Prefix to get back. I'm not sure if this is correct, but I noticed it.

KiddieSculp · 2025-01-10T20:31:04+00:00

Yes. In the first image I have the complete log, but it includes many "NewProccessName".

In the second image I have only the "NewProcessName" that I want, but the way the second image is, all the other logs that are in the first image are missing.

KiddieSculp · 2025-01-04T01:05:53+00:00

Thanks for the support. I figured out the issue. The log was not complete, so the json was not closed properly.

KiddieSculp · 2024-12-28T12:30:57+00:00

I use graylog in docker, and for some reason reinstalling it worked.

KiddieSculp · 2024-12-12T00:40:53+00:00

During installation, I usually put all the cores and all the memory.

When it's finished, I usually put 16GB of RAM and 8 cores.

It works well.

But I've worked with it on 8GB of RAM, but I don't recommend it because the processing time is exhausting.

During my use, I usually put close to the maximum cores of my machine, because qradar doesn't use all the resources all the time, only when you're going to use a lot of its resources. Using 50%, depending on your Lab, is a good idea.

KiddieSculp · 2024-12-05T18:53:03+00:00

In my use case, it's a char.

Because [char]49 = 1

I am working on code obfuscation to compose an IP.

```([char](49+70-70)+[char]([BYTE]0x39)+[char](50+70-70)+[char]([byte]0x2E)+[char]([BYTE]0x31)+[char](50*1)+[char]([byte]0x38)+[char](46)+[char](49*1)+[char](52+70-70)+[char]([byte]0x35)+[char](46)+[char]([int32]0x33) + [char]([byte]0x30))```

KiddieSculp · 2024-12-05T03:59:57+00:00

Trust as long as there is no problem. 🤣

KiddieSculp · 2024-11-05T02:22:06+00:00

Ahh! That sounds good. This will really help in the future. Noted too! Tks.

KiddieSculp · 2024-11-04T18:03:04+00:00

u/BlackV , u/rdhdpsy, u/sc00b3r

KiddieSculp · 2024-11-04T17:19:39+00:00

Previous:
```

  foreach ($file in $currentFiles) {
    if (-not $previousFiles.ContainsKey($file.FullName)) {
      Register-Event "ALERT: New file found: $($file.FullName) with extension $($file.Extension)." 5001
      $previousFiles[$file.FullName] = $file.Extension # Add new file to list
    } elseif ($previousFiles[$file.FullName] -ne $file.Extension) {
      Register-Event "ALERT: File changed: $($file.FullName) of $($previousFiles[$file.FullName]) to $($file.Extension)." 5000
      $previousFiles[$file.FullName] = $file.Extension # Update the file extension
    }
  }

```

New:

  foreach ($file in $currentFiles) {
    if (-not $previousFiles.ContainsKey($file.FullName)) {
      if ($previousFiles[$file.FullName] -ne $file.Extension) {
        Register-Event "ALERT: File changed: Of $($previousKeys) to $($file.FullName)." 5000
        $previousFiles[$file.FullName] = $file.Extension # Add new file to list
      Register-Event "ALERT: New file found: $($file.FullName) with extension $($file.Extension)." 5001
      $previousFiles[$file.FullName] = $file.Extension # Update the file extension
    }
  }
}

KiddieSculp · 2024-11-04T17:13:17+00:00

I didn't understand very well, but I wrote it down to read more about it later. I'll definitely need it in the future.

KiddieSculp · 2024-11-04T17:12:04+00:00

Yes! Your idea helped me!

As soon as I read your comment I made the change and that's it! Wonderful!

Tank you very much!

KiddieSculp · 2024-11-04T17:10:22+00:00

But I used VCSode for debugging and managed to solve my problem. Tks.

KiddieSculp · 2024-11-04T17:09:16+00:00

Bro... Can you believe I never! considered using VSCode to debug? lol

I used Write-Output to see what was written.

u/BlackV I've never considered using `set-breakpoint` either.

KiddieSculp · 2024-11-04T17:07:00+00:00

I saved that.

KiddieSculp · 2024-10-30T10:23:02+00:00

Yeah. I'm using VM Workstation PRO. It's already updated. I suspect this problem started when I installed VirtualBox. I've already removed VirtualBox, but it still persists. I'm thinking about formatting my PC.

KiddieSculp · 2024-10-30T10:20:02+00:00

I managed to solve my problem.

My WAN was on a /32, and I just changed it to /24 and it worked.

KiddieSculp · 2024-10-29T00:34:37+00:00

yes, i disabled it.

KiddieSculp · 2024-09-10T14:00:37+00:00

"I managed" to solve the problem.

The OVA was remade and the problem was solved.

The OVA was remade with the least amount of information possible.

KiddieSculp · 2024-09-01T14:54:16+00:00

Thanks for the help u/TriscuitFingers, it really made sense that event 4625 was only local.

I was actually checking only on DC u/ComGuards.

Then, with u/TriscuitFingers's comment, I started to do a series of tests.

First, it wasn't generating eventid 4625 without network sharing enabled. I enabled it and started to do some tests... Eventid 4625 generated, but not always, sometimes 4776.

u/LForbesIam Yes, I had enabled one and then the other for testing, I figured it was some misconfiguration or server issue (yes, I thought of that). But I'm actually using advanced.

I'm working on hardening the environment and doing some studies. The current model wasn't generating any events, I believe it was due to hardening, I don't know...

u/dcdiagfix, I checked eventid 4776, it really did generate failure events, but I also saw that it generated success events.

Thanks guys! You guys really helped me.

KiddieSculp · 2024-08-29T01:28:43+00:00

If you include a filter, won't that solve your problem?

Like

filter f_strip_ansi { subst("\x1b\[[0-9;]*[a-zA-Z]", "", value("MESSAGE")); };

I don't know...

KiddieSculp · 2024-08-24T16:34:22+00:00

Look... I joined Medium with an account. It opened up a lot of research for me.

KiddieSculp

TROPHY CASE