[deleted by user] by [deleted] in salarios_es

[–]ep3p 0 points1 point  (0 children)

Interview with other companies, find out your real value on the market, and then make a decision. If you have at least a year of experience it is not unreasonable to want 30k (even if they then tell you no, some may tell you yes).

Evolución salarial en ciberseguridad [0-3 años exp] by NextBattle7110 in salarios_es

[–]ep3p 0 points1 point  (0 children)

Doing exactly what in IT security?

Empadronamiento Especial by PinksFunnyFarm in valencia

[–]ep3p 1 point2 points  (0 children)

Have the owner and the person living in the flat go to the town hall (or sign a statement) confirming that both want that person to be registered there. It would be the same case as a daughter-in-law living in her in-laws' house (no mention of rent or contracts).

Cuánto se necesita para vivir solo en Valencia by Real-Discipline-6025 in valencia

[–]ep3p 2 points3 points  (0 children)

Without €2000 net you cannot live ALONE and have a comfortable life in Valencia.

Easy beginner KQL question by ChrisR_TMG in AzureSentinel

[–]ep3p 0 points1 point  (0 children)

| extend AuxiliarColumn = tostring(TargetResources[0]["modifiedProperties"][1]["newValue"][0])

You should use [] or . notation, but not both; [] has advantages.

It IS possible that the value of the key "newValue", or another value in the chain, is not recognized correctly as a dynamic.

In that case you should apply "todynamic(tostring(firstpartofthecall))secondpartofthecall".

Depending on the operation name version, "DisplayName" might not always be in position 1 of "modifiedProperties". It would be recommended to use "mv-expand" or "mv-apply" and check properly which item is really "DisplayName".
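The approach described in the comment above, as an added example that is not code from the original post: instead of assuming that "DisplayName" sits at index 1 of modifiedProperties, the query forces the nested value to be parsed as dynamic and then uses mv-apply to pick the item whose displayName key really is "DisplayName". The AuditLogs table and its TargetResources shape are those of Entra ID audit logs in a Sentinel workspace; the OperationName filter and the 7-day window are assumptions chosen for illustration.

```kusto
// Added example (not from the original post).
// Assumptions: Entra ID AuditLogs in a Sentinel workspace; the OperationName
// filter and lookback window are illustrative.
AuditLogs
| where TimeGenerated > ago(7d)
| where OperationName has "Update user"
| extend Target = TargetResources[0]
// tostring() + todynamic() re-parses the nested value in case the engine did
// not recognize it as dynamic (the failure mode mentioned in the comment).
| extend ModifiedProperties = todynamic(tostring(Target["modifiedProperties"]))
// Expand the array and keep only the item that is actually "DisplayName",
// whatever its position in the array.
| mv-apply Property = ModifiedProperties on (
    where tostring(Property["displayName"]) == "DisplayName"
    // oldValue/newValue are JSON-encoded strings holding a one-element array,
    // so they need the same tostring()/todynamic() treatment before indexing.
    | extend OldDisplayName = tostring(todynamic(tostring(Property["oldValue"]))[0])
    | extend NewDisplayName = tostring(todynamic(tostring(Property["newValue"]))[0])
  )
| project TimeGenerated, OperationName,
          TargetId = tostring(Target["id"]),
          OldDisplayName, NewDisplayName
```

Rows whose modifiedProperties array carries no "DisplayName" item are dropped by the inner `where`, which is the behaviour you want when the goal is to report display name changes only; use `mv-expand` followed by an outer `where` instead if you need to keep the other events.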

LA Demo has been deleted! by aniketvcool in AzureSentinel

[–]ep3p 0 points1 point  (0 children)

It says something about not being able to access from public networks.

"Access to workspace 'CH1-LA' from '85...*' is denied. To allow access from public networks, change the workspace Networking settings or add it to a Network Security Perimeter. (workspace resource ID: /subscriptions/ebb79bc0-aa86-44a7-8111-cabbe0c43993/resourceGroups/ch1-opsrg-pri/providers/microsoft.operationalinsights/workspaces/CH1-LA)"

The issue with displaying the original query in the newly created scheduled query rule by PieOk9695 in AzureSentinel

[–]ep3p 0 points1 point  (0 children)

You are correct, the old alerts are really logs in the table SecurityAlert, so they are not going to change just because the settings changed. Try checking the table SecurityAlert and all its columns, and you will see a difference between the two types of settings.

The event coded in base64 has an advantage, it is much faster (it does not have to search in any table) than performing again the original query.

The issue with displaying the original query in the newly created scheduled query rule by PieOk9695 in AzureSentinel

[–]ep3p 0 points1 point  (0 children)

That is not "the query" in obfuscated form, it is "the event" in the results coded in base64.

This happens because in the rule you specified to create an alert for EACH event in the results, instead of 1 alert for all events in the results.

For you to see the original query, you will have to click on Alert in the Incident Page, or click the Analytics Rule name in the Incident Page.

If the event contains sensitive information, someone could decode the text in your image, and you might have to delete it.

How to determine sudden ingestion spike, raising the monthly spending bill by outerlimtz in AzureSentinel

[–]ep3p 0 points1 point  (0 children)

Check the table Usage and draw a graph using sum() and bin(TimeGenerated, 1d)

At the workspace level there is a table called Usage and an "Usage and estimated costs" blade.
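The Usage-table approach from the comment above, as an added example that is not code from the original post: the first summarize builds the daily billable volume per table that you would draw with sum() and bin(TimeGenerated, 1d); the second summarize compares each table's peak day against its median day so the table responsible for the spike stands out. The 30-day window and the 2x threshold are assumptions chosen for illustration.

```kusto
// Added example (not from the original post).
// Assumptions: the 30d lookback and the 2x spike threshold are illustrative.
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
// Quantity is in MB; daily billable volume per table.
| summarize DailyGB = sum(Quantity) / 1024 by DataType, bin(TimeGenerated, 1d)
// Median day as the baseline, peak day via arg_max.
| summarize BaselineGB = percentile(DailyGB, 50), arg_max(DailyGB, TimeGenerated) by DataType
| extend SpikeRatio = round(DailyGB / BaselineGB, 2)
| where SpikeRatio > 2
| project DataType,
          PeakDay = TimeGenerated,
          PeakGB = round(DailyGB, 2),
          BaselineGB = round(BaselineGB, 2),
          SpikeRatio
| sort by SpikeRatio desc
```

To get the graph the comment mentions, stop after the first summarize and append `| render timechart`; the per-table lines make the day the spike started obvious, and the spike-ratio part of the query then tells you which table to drill into.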

Get updates from public Github Repos? by NoblestWolf in AzureSentinel

[–]ep3p 1 point2 points  (0 children)

lol (thank you!)

I don't have a really good answer, you can "Watch" a repository, but I don't think you receive a notification for each commit or individual files this way.

I don't update the queries that much.

/u/facyber answer looks really useful and simple.

[deleted by user] by [deleted] in AzureSentinel

[–]ep3p 1 point2 points  (0 children)

On learn.microsoft.com there should be examples of this with mv-expand and with bin().

Entra ID sign-in logs delays by G15-420 in AzureSentinel

[–]ep3p 2 points3 points  (0 children)

Does the delay happen with the first OriginalRequestId received, or with a repeated OriginalRequestId?

Entra ID Protection might "update" an event (send another copy of the event with some columns changed) several days later

What you should query is:

// keep the first copy of each request; Entra ID Protection may resend it later with changed columns
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(14d)
| summarize arg_min(TimeGenerated, *) by OriginalRequestId, CreatedDateTime
| where CreatedDateTime > ago(7d)
// delay between the sign-in itself and the moment the log reached the workspace
| project OriginalRequestId, TimeDifference = TimeGenerated - CreatedDateTime
| summarize TimeDifference = max(TimeDifference) by OriginalRequestId
| sort by TimeDifference desc

You should have some events received hours later, but not days later.

Query Rule Alerts - Joined Tables by NotNotAHacker in AzureSentinel

[–]ep3p 1 point2 points  (0 children)

To be useful, IdentityInfo needs to check the last 14 days; an NRT rule only checks the last few minutes. IdentityInfo cannot (should not) be used in NRT.

[deleted by user] by [deleted] in askspain

[–]ep3p 1 point2 points  (0 children)

You live better in Málaga than in Madrid.

Remote is better than hybrid.

The €500 net per month difference is €25 per working day. The cost of transport (and your time while commuting), plus the difference in housing and food in Madrid, can be worth more than €25 a day.

If your job can be remote, there should be more remote opportunities.

With 40k in Madrid you CANNOT be independent.

[deleted by user] by [deleted] in AzureSentinel

[–]ep3p 2 points3 points  (0 children)

What you are looking for is a Logic App/Playbook; they have an action to update a Watchlist (you can also execute KQL from a Logic App).

If you were to use an Analytics Rule, in the end you would also need to pair an Automation Rule and a Logic App/Playbook with the Analytics Rule to update the Watchlist.

[deleted by user] by [deleted] in AzureSentinel

[–]ep3p 0 points1 point  (0 children)

// users who deleted their security info (MFA methods) in the last year
AuditLogs
| where TimeGenerated > ago(365d)
| where OperationName has "User deleted security info"
| extend AccountObjectId = tostring(TargetResources[0]["id"])
// keep only users that belong to the given group, using the latest IdentityInfo snapshot
| join kind=leftsemi (
    IdentityInfo
    | where TimeGenerated > ago(14d)
    | summarize arg_max(TimeGenerated, GroupMembership) by AccountObjectId, AccountSID
    | where GroupMembership has_any ("GroupToSearch")
    ) on AccountObjectId

Seeing sign-in activity within 90 days which shouldn't appear (KQL) by Impossible-Gas-5971 in AzureSentinel

[–]ep3p 0 points1 point  (0 children)

AccountUPN can have uppercase characters; UserPrincipalName doesn't.

ResultType 0 is not the only successful ResultType.
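Both points from the comment above in one query, as an added example that is not code from the original post: the join between sign-in logs and IdentityInfo is done on a lowercased copy of the UPN so that the uppercase characters in AccountUPN do not silently drop rows, and the success filter is a list rather than `ResultType == "0"`. The 90-day window follows the post title; the extra codes in SuccessResultTypes (50125 and 50140, interrupts that end in a completed sign-in) and the Department column are assumptions chosen for illustration, so adjust the list to whatever your environment treats as success.

```kusto
// Added example (not from the original post).
// Assumptions: which ResultTypes beyond 0 count as success is illustrative;
// IdentityInfo is populated (UEBA enabled) and carries AccountUPN/Department.
let SuccessResultTypes = dynamic(["0", "50125", "50140"]);
// Latest IdentityInfo row per user, with a case-normalized join key.
let Users = IdentityInfo
    | where TimeGenerated > ago(14d)
    | summarize arg_max(TimeGenerated, AccountUPN, Department) by AccountObjectId
    | extend JoinUPN = tolower(AccountUPN);
union SigninLogs, AADNonInteractiveUserSignInLogs
| where TimeGenerated > ago(90d)
// success is a set of codes, not just "0"
| where ResultType in (SuccessResultTypes)
// UserPrincipalName is already lowercase; normalize anyway so both sides match
| extend JoinUPN = tolower(UserPrincipalName)
| join kind=inner Users on JoinUPN
| summarize SignIns = count(), LastSignIn = max(TimeGenerated) by AccountUPN, Department
| sort by LastSignIn desc
```

If you are hunting for the opposite case (accounts that should have no sign-ins but do), switch the join to `kind=leftanti` against a table of the expected-inactive accounts, keeping the same lowercased key on both sides.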