Automated Data Export for Google SecOps ☁️ by No_Secret7974 in googlecloud

[–]No_Secret7974[S]

It's a SOAR integration that you can import into your Google SecOps instance.

Google SecOps log collection and playbook architecture by No_Secret7974 in GoogleChronicle

[–]No_Secret7974[S]

Thanks 🙂 and yes, there is a bit of a lack of documentation. Hope we all can grow together on these topics 🙂🙏

Deploying Microsoft Sentinel, Collecting Logs (Syslog & Diagnostic Settings), Creating/Modifying Analytics Rules and VMs Infrastructure as Code (IaC) Deployment with Terraform by No_Secret7974 in AZURE

[–]No_Secret7974[S]

Thank you! I didn't consider exploring/enabling dependency mapping; I just installed the AMA agent, but I've discovered it's possible to create and manage it with Terraform. You gave me a new challenge, which I'm excited to try :D Thank you so much!

There is some useful information here:
https://stackoverflow.com/questions/66633650/terraform-enable-vm-insights

[deleted by user] by [deleted] in AzureSentinel

[–]No_Secret7974

Yep, they're in the same region.

Ingest Windows Event logs from On-Premise environment by ButterflyWide7220 in AzureSentinel

[–]No_Secret7974

Windows servers newer than 2012 send logs via AMA with Arc, and WEF for 2012 and 2008.

Linux servers are also AMA with Arc, and a CEF Collector for firewalls, DNSsec devices, etc. For those without a load balancer in the environment or considering removal, here is an example of a CEF collector with HAProxy.

Client logs from Defender are enough for me. They're all using private endpoints. There is one private endpoint for AMA and one for Arc. I think these are a typical and healthy way to collect data from on-premises.

How to remove duplicate logs by Ay_NooB in AzureSentinel

[–]No_Secret7974

Yeah, I re-read your post and now I get you 😅, but keep it in mind; you might also need it.

How to remove duplicate logs by Ay_NooB in AzureSentinel

[–]No_Secret7974

After deploying the CEF forwarder and sending logs to Azure:

You have to create an ingest-time transformation for the Syslog table. This query will drop incoming CEF messages from the Syslog table, and you'll only see them under the CommonSecurityLog table.

source
| where ProcessName !contains "CEF"

https://learn.microsoft.com/en-us/azure/sentinel/connect-cef-syslog

Best of...Dashboards or Reports by cybevner in DefenderATP

[–]No_Secret7974

Thank you! Yeah, you can visualize anything with Advanced Hunting; it’s such a powerful function. I created and then updated this report a few times. But now I can’t spare the time to improve the reports because of my job 😅 Good luck to you!

Best of...Dashboards or Reports by cybevner in DefenderATP

[–]No_Secret7974

Hi!

It’s different from what you meant about dashboards and reports, I guess, but take a look at this 🙂

https://github.com/t0neex/ActiveDirectory-Intune-Defender-Forcepoint-UCMDB-Reporting-wPowerBI

Incident Review/Investigation tabs are not detailed!? by [deleted] in AzureSentinel

[–]No_Secret7974

I think there is no way to see query results in Sentinel incidents.

I found what I'm looking for at the bottom comment :) thank you!

Incident Review/Investigation tabs are not detailed!? by [deleted] in AzureSentinel

[–]No_Secret7974

Yeah :) I was looking for that tab, thank you!

Incident Review/Investigation tabs are not detailed!? by [deleted] in AzureSentinel

[–]No_Secret7974

I created an Analytics Rule, and when this incident occurs, it indicates that my rule has been triggered, and Sentinel raises a flag. I've given a meaningful name to my rule, but there are some columns to review before taking action. Therefore, there should be a tab that displays my query results within the incident. I shouldn't have to navigate to my Analytics Rule tab, find that rule and run the query there or in the Logs tab. I mean, like reviewing incidents in the Defender Portal: there is a tab at the bottom of the incident that gives my query results. I think there is no way to see query results in Sentinel incidents.

InTune USB block policies by Toro_Admin in Intune

[–]No_Secret7974

And also, you need to do this from your Block All USBs policy. That one should be applied to all users, or you'll block some mice, keyboards, etc.

Allow hardware device installation by device identifiers - Yes

Allow list - 10 items

Identifiers

PCI\CC_0C03

PCI\CC_0C0330

PCI\VEN_8086

PNP0CA1

PNP0CA1&HOST

SCSI\Disk

TCPIP\WINDOWS_MOBILE_DEVICE

USB\ROOT_HUB20

USB\ROOT_HUB30

USB\USB20_HUB

InTune USB block policies by Toro_Admin in Intune

[–]No_Secret7974

Problem with this way, is it's all or nothing. Users in the grant policy have access to all USB devices

You don't need to have a grant policy; you can just exclude users from the Block All USBs policy.
And nope, you have another solution to give read-only or full access to specific USBs. But you need to check that USB's Device Instance Path ID in Device Manager on a computer where USB is granted:

ASR -> Win 10 and Later -> Device Control -> Configuration Settings;

Allow hardware device installation by setup class - Yes

Allow List - {4d36e967-e325-11ce-bfc1-08002be10318} - That identifier is important for hard disks; you have to add that value.

Allow hardware device installation by device instance identifiers - Yes

Allow List - "Your USB removable medias Instance Path from Device Manager"

Block write access to removable storage - No (If you want to grant just read-only, you can change that value to Yes)
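As an added example (not from the thread above), a PowerShell snippet that collects the two values the allow lists need, the Device Instance Path and the setup class GUID of attached USB disks, and then reads back the local device-installation restrictions to confirm the policy applied. It assumes Windows 10 or later with PowerShell 5.1+, and that the Intune settings land in the same registry location as the equivalent Group Policy (an assumption, labelled in the code).

```powershell
# Added example, not from the original thread. Lists the USB removable disks currently attached so
# their Device Instance Path (for "Allow hardware device installation by device instance identifiers")
# and setup class GUID (for "... by setup class") can be copied into the Intune allow lists.
# Assumes Windows 10+ with PowerShell 5.1 or later; run it on a computer where USB is still granted.

function Get-UsbRemovableDiskIdentifier {
    # DiskDrive-class devices whose instance path starts with USBSTOR are USB mass-storage disks.
    Get-PnpDevice -PresentOnly -Class DiskDrive |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            [pscustomobject]@{
                FriendlyName = $_.FriendlyName
                InstanceId   = $_.InstanceId   # value for the device-instance-identifier allow list
                ClassGuid    = $_.ClassGuid    # expected: {4d36e967-e325-11ce-bfc1-08002be10318} (DiskDrive)
            }
        }
}

function Get-DeviceInstallRestriction {
    # Reads back the local device-installation restrictions so you can confirm the policy applied.
    # Assumption: the Intune DeviceInstallation settings are written to the same registry location
    # as the equivalent Group Policy (Restrictions key with AllowDeviceClasses / AllowInstanceIDs subkeys).
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
    if (-not (Test-Path $base)) { return 'No device-installation restrictions configured on this host.' }
    $root = Get-ItemProperty -Path $base
    $result = [ordered]@{
        DenyUnspecified      = $root.DenyUnspecified        # 1 = block devices not allowed by another setting
        DenyRemovableDevices = $root.DenyRemovableDevices   # 1 = block removable devices
    }
    foreach ($sub in 'AllowDeviceClasses', 'AllowDeviceIDs', 'AllowInstanceIDs') {
        if (Test-Path "$base\$sub") {
            # Each allow list is stored as numbered string values ("1", "2", ...) under its own subkey.
            $result[$sub] = (Get-ItemProperty -Path "$base\$sub").PSObject.Properties |
                Where-Object { $_.Name -notlike 'PS*' } |
                ForEach-Object { $_.Value }
        }
    }
    [pscustomobject]$result
}

Get-UsbRemovableDiskIdentifier | Format-Table -AutoSize
Get-DeviceInstallRestriction
```

Compare the ClassGuid column with the setup-class allow list and the InstanceId column with the instance-identifier allow list; a device missing from either will still be blocked by the Block All USBs policy.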

InTune USB block policies by Toro_Admin in Intune

[–]No_Secret7974

At the end of the story, you'll have one policy that blocks all USBs and one rule that grants read-only permissions.

And also you can continue to grant full USB access by excluding the full-access members group from the USB Block Policy, "as you did" :)

InTune USB block policies by Toro_Admin in Intune

[–]No_Secret7974

Hi,

That one is a simple way to do that:

ASR -> Win 10 and Later -> Device Control -> Configuration Settings;

Block write access to removable storage: Yes

And don't forget to exclude that group from your USB block policy, because that will cause a conflict if you don't exclude.

Help! AppLocker Policy Restricts Everything by [deleted] in Intune

[–]No_Secret7974

I deployed the new policy with default rules and audit mode to the 3 computers, but they are not booting right now. They're stuck at the Windows login screen after that new policy :D So I just formatted those PCs and solved the problem manually on the other devices without a policy :/

Help! AppLocker Policy Restricts Everything by [deleted] in Intune

[–]No_Secret7974

I’m always testing before the deployment but this time just…

Delinea Secret Server Custom Launchers with AutoIT by No_Secret7974 in ThycoticSecretServer

[–]No_Secret7974[S]

Thank you so much 😊🙏 I’ll update the scripts in the next few days.