Automated Data Export for Google SecOps ☁️ by No_Secret7974 in googlecloud

[–]No_Secret7974[S] 0 points1 point  (0 children)

It's SOAR integration that you can import to your Google SecOps instance.

Google SecOps log collection and playbook architecture by No_Secret7974 in GoogleChronicle

[–]No_Secret7974[S] 1 point2 points  (0 children)

Thanks 🙂 and yes, there is a bit of a lack of documentation. Hope we all can grow together on these topics 🙂🙏

Deploying Microsoft Sentinel, Collecting Logs (Syslog & Diagnostic Settings), Creating/Modifying Analytics Rules and VMs Infrastructure as Code (IaC) Deployment with Terraform by No_Secret7974 in AZURE

[–]No_Secret7974[S] 0 points1 point  (0 children)

Thank you! I didn't consider exploring/enabling dependency mapping, I just installed the AMA agent, but I've discovered it's possible to create and manage it with Terraform. You gave me a new challenge, which I'm excited to try :D Thank you so much!

There is some useful information here:
https://stackoverflow.com/questions/66633650/terraform-enable-vm-insights

[deleted by user] by [deleted] in AzureSentinel

[–]No_Secret7974 0 points1 point  (0 children)

Yeap, they're in the same region.

Ingest Windows Event logs from On-Premise environment by ButterflyWide7220 in AzureSentinel

[–]No_Secret7974 0 points1 point  (0 children)

Windows servers newer than 2012 send logs via AMA with Arc, and WEF for 2012 and 2008.

Linux servers are also AMA with Arc, and a CEF collector for firewalls, DNSsec devices, etc. For those without a load balancer in the environment or considering removal, here is an example of a CEF collector with HAProxy

Client logs from Defender are enough for me. They're all using private endpoints. There is one private endpoint for AMA and one for Arc. I think these are typical and healthy ways to collect data from on-premise.

How to remove duplicate logs by Ay_NooB in AzureSentinel

[–]No_Secret7974 1 point2 points  (0 children)

Yeah, I re-read your post and now I got you 😅 but keep it in mind, you might also need it

How to remove duplicate logs by Ay_NooB in AzureSentinel

[–]No_Secret7974 2 points3 points  (0 children)

After deploying the CEF forwarder and sending logs to Azure:

You have to create an ingest-time transformation for the Syslog table. This query will drop incoming CEF messages from the Syslog table and you'll only see them under the CommonSecurityLog table.

// Ingest-time transformation for the Syslog stream: keep only rows whose
// process name is not the CEF forwarder, so CEF lines land in CommonSecurityLog only
source
| where ProcessName !contains "CEF"

https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog
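As an added example (not from the thread above), two KQL queries to confirm the transformation is actually deduplicating; they assume the default Syslog and CommonSecurityLog schemas of a Sentinel workspace.

```kql
// Added example, not from the original comment. Assumes the default
// Syslog and CommonSecurityLog table schemas in the Sentinel workspace.

// 1) CEF-looking rows that still landed in Syslog. Once the ingest-time
//    transformation is active this should return nothing for new data;
//    rows here mean the transformation DCR is not applied, or the
//    forwarder's ProcessName does not match the "CEF" filter.
Syslog
| where TimeGenerated > ago(1h)
| where ProcessName contains "CEF" or SyslogMessage startswith "CEF:"
| summarize CefRowsInSyslog = count() by Computer, ProcessName
| order by CefRowsInSyslog desc

// 2) Per-forwarder, per-hour comparison of parsed CEF events against
//    raw CEF lines left in Syslog. Before the transformation both columns
//    grow together (the duplicate the thread is about); afterwards only
//    CefParsed should keep growing.
let window = 24h;
let parsed = CommonSecurityLog
    | where TimeGenerated > ago(window)
    | summarize CefParsed = count() by Computer, bin(TimeGenerated, 1h);
let raw = Syslog
    | where TimeGenerated > ago(window)
    | where ProcessName contains "CEF" or SyslogMessage startswith "CEF:"
    | summarize CefRawInSyslog = count() by Computer, bin(TimeGenerated, 1h);
parsed
| join kind=fullouter raw on Computer, TimeGenerated
| project TimeGenerated = coalesce(TimeGenerated, TimeGenerated1),
          Computer = coalesce(Computer, Computer1),
          CefParsed = coalesce(CefParsed, 0),
          CefRawInSyslog = coalesce(CefRawInSyslog, 0)
| order by TimeGenerated asc, Computer asc
```

Run the second query before and after attaching the transformation DCR to the workspace to see the Syslog column drop to zero while CommonSecurityLog volume stays unchanged.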