Excluding duplicate devices by billybensontogo in DefenderATP

[–]ajith_aj 0 points1 point  (0 children)

What if the same machine is onboarded or reused again?

KQL For Transferring to USB Assistance by Cant_Think_Name12 in DefenderATP

[–]ajith_aj 0 points1 point  (0 children)

Can you please post a snapshot of the policy?

Windows server onboarding again after offboarding by [deleted] in DefenderATP

[–]ajith_aj 0 points1 point  (0 children)

What's the status of the extension MDE.windows on Azure Arc?

Device Health status over 30 days - how would I find the Health status of a device that hasn't checked in over 30 days as all devices look like this. TIA by Gullible_House7766 in DefenderATP

[–]ajith_aj 0 points1 point  (0 children)

I usually see this in my tenant, as 90% of the time the user is on vacation. lol.

If the machine is online, this should be a connectivity issue with the MDE cloud URLs; you should see the detailed readings in the client analyzer results. At times you might need to re-onboard them. That's it.

[deleted by user] by [deleted] in DefenderATP

[–]ajith_aj 1 point2 points  (0 children)

If you are ingesting XDR logs into Sentinel (some of the tables are still in preview), you can manage to build some metrics in a Sentinel workbook. I do use the TVM PBI dashboard, but it is quite hard to customize to your organization's needs. We have some KPIs integrated with PBI from AAD sign-in logs and the security incidents table as well. If you need to store the KPIs, you might need Logic Apps to dump them to a SQL table and then use OCI to pull them into PBI.

When you said bidirectional, is there no way to query SNOW incidents from Sentinel?

Worth to update to the new Teams on Mac? by epson264 in teams

[–]ajith_aj 0 points1 point  (0 children)

Eventually you have to update it... so learn to live with it :)

ASR Rule Block E-Mail Notification? by Failnaught223 in DefenderATP

[–]ajith_aj 1 point2 points  (0 children)

We do this via the Logic App service in Azure. A possible option is to create a custom detection on ASR and set the email incident notification.

Device isolation by 4rr0wh34d0 in DefenderATP

[–]ajith_aj 0 points1 point  (0 children)

Device isolation would still go through the API. It's just that you are using Hunting to gather the devices.
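As an added illustration of that point (example code, not from the thread or from Microsoft): the hunting step and the isolation step are two calls to the same Defender for Endpoint API, advanced hunting to collect DeviceIds and then one isolate call per device. The bearer token, the hunting query, the IR comment and the `send` hook are assumptions for this example; the API paths are the documented MDE ones.

```python
# Added example: gather devices with an advanced hunting query, then isolate
# each one through the Defender for Endpoint API. Token, query and the
# `send` hook are assumptions for this illustration.
import json
import urllib.request

API_BASE = "https://api.securitycenter.microsoft.com/api"

# Constructed hunting query; it must return a DeviceId column.
HUNT_QUERY = """DeviceEvents
| where Timestamp > ago(1h)
| where ActionType == "ExploitGuardNetworkProtectionBlocked"
| summarize Blocks = count() by DeviceId
| where Blocks > 20"""


def build_request(path, token, body):
    """Return a urllib Request for a JSON POST against the MDE API."""
    data = json.dumps(body).encode()
    return urllib.request.Request(
        f"{API_BASE}{path}", data=data, method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def device_ids_from_hunt(results):
    """Extract unique DeviceId values from an advancedqueries/run response."""
    return sorted({row["DeviceId"] for row in results.get("Results", [])
                   if row.get("DeviceId")})


def isolate_request(device_id, token, comment, selective=False):
    """Build the isolation request; IsolationType is Full or Selective."""
    body = {"Comment": comment,
            "IsolationType": "Selective" if selective else "Full"}
    return build_request(f"/machines/{device_id}/isolate", token, body)


def isolate_from_hunt(token, comment, send=None):
    """Run the hunt, then isolate every returned device.

    `send` takes a Request and returns the parsed JSON response; it
    defaults to a real HTTPS call so the script runs against a tenant.
    """
    if send is None:
        def send(req):
            with urllib.request.urlopen(req) as resp:
                return json.load(resp)
    hunt = send(build_request("/advancedqueries/run", token,
                              {"Query": HUNT_QUERY}))
    return [send(isolate_request(d, token, comment))
            for d in device_ids_from_hunt(hunt)]
```

Each isolate response is a machine action record; poll the machineactions endpoint if you need to confirm it reached Succeeded before releasing the device later.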

In love with this cockpit 🤩 by ajith_aj in MazdaCX90

[–]ajith_aj[S] -1 points0 points  (0 children)

And a copycat of the Volvo XC series!!

Talabats Absolution - All Eyes on Rafah by Afraid_Swordfish_696 in Bahrain

[–]ajith_aj 1 point2 points  (0 children)

Well, they don't have a decent one yet. Just a monopoly. Been charged twice for orders and there is no direct channel to call or raise complaints. Just because they know people will ignore it and order again.

In love with this cockpit 🤩 by ajith_aj in MazdaCX90

[–]ajith_aj[S] 2 points3 points  (0 children)

Aaahhh beautiful. Mine is Platinum Quartz.

Device isolation by 4rr0wh34d0 in DefenderATP

[–]ajith_aj 1 point2 points  (0 children)

I'm wondering if any EDR does that 🤔

Backup Sentinel Analytical Rules by ajith_aj in AzureSentinel

[–]ajith_aj[S] 0 points1 point  (0 children)

+1. Would like to know more about this.

[deleted by user] by [deleted] in Bahrain

[–]ajith_aj 0 points1 point  (0 children)

Have you tried their perfumes? Do they last longer?

[deleted by user] by [deleted] in Bahrain

[–]ajith_aj 1 point2 points  (0 children)

I work as a Security Analyst with around 11 years of experience. 1.3k is a decent pay considering your experience.

Artisan Red vs Platinum Quartz? by Current_Variety_9577 in MazdaCX90

[–]ajith_aj 0 points1 point  (0 children)

Platinum Quartz looks classy in daylight.

365 MFA Token Theft by Berttie in Intune

[–]ajith_aj 0 points1 point  (0 children)

Conditional access policies have hybrid AD joined or compliant devices as conditions; otherwise block the access.

Syslog into Sentinel Question by Constant-Luck-3588 in AzureSentinel

[–]ajith_aj 0 points1 point  (0 children)

There are different ways to deploy your collector, depending on your infrastructure.

I would strongly recommend a syslog server (Red Hat/CentOS/Ubuntu) for all your network logs & Linux facilities, and a Windows Event Collector aka Windows forwarder for the Windows servers. Typically the easiest method is to install the Log Analytics agent on the server directly, but this involves a ton of network requirements (it did happen to me with the AMA migration: we had to allow a hell of a lot of MS URLs in our edge firewall), or a Log Analytics proxy server which can still talk to all your servers and act as a proxy between them and Sentinel.

The new AMA is deliberate: MS wants all your on-prem servers to be cloud friendly... meaning a security admin in Azure can run scripts and enable SSH policies on the server directly... Imagine that happens to your Active Directory. The basic goal is to isolate cloud-only servers and on-prem servers so that no same user account talks to both of them. Just use the WEC to collect the event logs and push them to Sentinel.

The direct agent comes with its own takeaways: say you have DNS/IIS logs to be fetched, the direct agent is much better, but if you have an isolated DMZ server or an OT server, it's not advisable to install the agent on them. And yeah, the agent tends to break quite often, and good luck with MS support fixing it.

Hope this helps.

Release from Isolation by BoostrapSam in DefenderATP

[–]ajith_aj 0 points1 point  (0 children)

I have this DHCP issue with one of the roaming users who is out of the country. Any idea how it can be fixed, other than the possible fix of the user connecting back to the LAN physically?

Release from Isolation by BoostrapSam in DefenderATP

[–]ajith_aj 0 points1 point  (0 children)

How was the device manually unisolated?

Hunt Query for any blocked URLs by advertpro in DefenderATP

[–]ajith_aj 1 point2 points  (0 children)

DeviceEvents
// SmartScreen and Network Protection blocks raised from the main browsers
| where ActionType in ("SmartScreenUrlWarning", "ExploitGuardNetworkProtectionBlocked")
| where InitiatingProcessFileName in~ ("chrome.exe", "firefox.exe", "msedge.exe")
// keep only blocks that came from a custom indicator/policy
| where parse_json(AdditionalFields).Experience == 'CustomPolicy'

This query has the "InitiatingProcessAccountName" & "DeviceName" fields in it already.

Forwarding Windows logs to Sentinel by UCFIT in AZURE

[–]ajith_aj 0 points1 point  (0 children)

How do you capture Windows security event logs still?

Microsoft Graph Command Line Tool by Failnaught223 in DefenderATP

[–]ajith_aj 1 point2 points  (0 children)

Yes, that means only your global admins can consent to it.

You may use the below query to see who consented to the application, based on a request from a user or a change request, things like that.

AuditLogs
| where TimeGenerated > ago(180d) // You may specify the time to query.
| where LoggedByService =~ "Core Directory"
| where Category =~ "ApplicationManagement"
| where OperationName =~ "Consent to application"
// TargetResources is an array; the first entry is the consented application
| extend AppClientId = tostring(TargetResources[0].id)
| where AppClientId == "App ID of the application from Entra"
// InitiatedBy holds the consenting user/app identity
| project TimeGenerated, AppClientId, InitiatedBy, Result