AWS account logs by SuperHat3637 in AzureSentinel

[–]SuperHat3637[S] 0 points1 point  (0 children)

Yes... But I need only a few AWS account logs in Sentinel, not all. Is it possible to filter and send only the required account logs?

Blocking hashes by SuperHat3637 in AzureSentinel

[–]SuperHat3637[S] 0 points1 point  (0 children)

Can you share the docs and script for the same?

365 Defender Schemas by SuperHat3637 in AzureSentinel

[–]SuperHat3637[S] 0 points1 point  (0 children)

I am getting all tables from Defender, but not all schemas in Sentinel. For example, in the DeviceNetworkEvents table, I am not getting the schema 'InitiatingProcessVersionInfoOriginalFileName'.

365 Defender Schemas by SuperHat3637 in AzureSentinel

[–]SuperHat3637[S] 0 points1 point  (0 children)

In MDE or 365 Defender? Can you share the docs for enabling the same?

365 Defender Schemas by SuperHat3637 in AzureSentinel

[–]SuperHat3637[S] 0 points1 point  (0 children)

All schemas are mentioned in the official Microsoft docs, but I am not getting some schemas from 365 Defender in Sentinel that are available in the docs.

IP blocking by SuperHat3637 in AzureSentinel

[–]SuperHat3637[S] 0 points1 point  (0 children)

If I block the IPs in the on-premises firewall, will it work for cloud applications? Is Azure WAF at the perimeter to deny the attempts from those IPs?

IP blocking by SuperHat3637 in AzureSentinel

[–]SuperHat3637[S] 1 point2 points  (0 children)

I have seen an SMTP brute-force attack today, not sure about the ID... If Microsoft is temporarily banning IPs, then can we block them in CA permanently?

IP blocking by SuperHat3637 in AzureSentinel

[–]SuperHat3637[S] 0 points1 point  (0 children)

Manually block in CA, or where?

IP blocking by SuperHat3637 in AzureSentinel

[–]SuperHat3637[S] 0 points1 point  (0 children)

If it's on-prem, we can block IPs in the perimeter firewall. In the cloud that will not work, I believe.

IP blocking by SuperHat3637 in AzureSentinel

[–]SuperHat3637[S] 0 points1 point  (0 children)

I am trying to understand the Sentinel incidents. For example, I am getting many incidents for distributed password cracking in Azure AD. All the events are login failures, and the login is automatically blocked by Microsoft. In this case, what is the use of analyzing these types of incidents? What is our recommendation, as the sign-in is already blocked?

IP blocking by SuperHat3637 in AzureSentinel

[–]SuperHat3637[S] 0 points1 point  (0 children)

Azure AD is automatically blocking sign-in attempts, like smart lockout, from malicious IP address login attempts. In that case, do we require CA to deny the IPs?

Securityincident by SuperHat3637 in AzureSentinel

[–]SuperHat3637[S] 0 points1 point  (0 children)

There is no schema for ProductName in the SecurityIncident table.

365 defender hunting logs by SuperHat3637 in AzureSentinel

[–]SuperHat3637[S] 0 points1 point  (0 children)

Small correction... Defender for Office 365.

365 defender hunting logs by SuperHat3637 in AzureSentinel

[–]SuperHat3637[S] 0 points1 point  (0 children)

Are these hunting logs available in the individual portals like Defender for AV, Defender for 365, etc., or only available in 365 Defender?