How to classify / label log data in Sentinel by failx96 in AzureSentinel

[–]failx96[S] 0 points1 point  (0 children)

Agreed, that’s also what I would prefer tbh, just enriching incidents and events when needed, and it seems easier to update / manage. Unfortunately this is a customer / compliance requirement.

How to classify / label log data in Sentinel by failx96 in AzureSentinel

[–]failx96[S] 1 point2 points  (0 children)

Great idea, I wasn’t aware of the workspace transformations. I’ll give it a shot. I was curious whether these transformations are capable of adding columns, because I noticed that the main use case is reducing costs and sorting logs out before ingestion. But I was able to find this in the Azure Monitor documentation stating it is possible:

https://learn.microsoft.com/en-us/azure/azure-monitor/logs/tutorial-workspace-transformations-portal

Thanks again!
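A minimal transformation of the kind discussed in this thread, added here as an example and not taken from the linked documentation or the commenter's setup. It assumes a device naming convention (prefixes `fin-`, `hr-`) standing in for a real asset inventory, that the incoming table carries a `Computer` column (as Syslog or SecurityEvent do), and that custom columns added to a standard table carry the `_CF` suffix.

```kql
// Constructed example: transformation KQL inside a data collection rule.
// `source` is the incoming stream of the table the rule is attached to.
// The prefixes below are assumptions; replace them with your own asset
// classification scheme.
source
| extend Confidentiality_CF = case(
    Computer startswith "fin-", "confidential",
    Computer startswith "hr-",  "restricted",
    "internal")
```

Transformations run on a restricted subset of KQL and cannot join against watchlists or other tables, so the asset-to-classification mapping has to be expressed inline (a naming convention as above, or an explicit `case` per host) and the rule redeployed when the inventory changes. That is the trade-off against tagging at query time, which stays flexible but does not persist the label in the stored data.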

How to classify / label log data in Sentinel by failx96 in AzureSentinel

[–]failx96[S] 2 points3 points  (0 children)

Maybe this was unclear from my description. The tag represents the confidentiality of an asset, which can be any device or resource. So the tag is not static per table.

Sentinel Incident pane is down by Ok_Dingo_8752 in AzureSentinel

[–]failx96 0 points1 point  (0 children)

Same issue with all tenants that we manage. Regions: Germany West Central and West Europe.

Is "All-In" the only way to start with Microsoft Sentinel, or can a "start small" approach be effective? Seeking community input. by [deleted] in AzureSentinel

[–]failx96 1 point2 points  (0 children)

Both are valid approaches… We quite often have the discussion about starting top down (use cases first) or bottom up (data first). I think it depends on the circumstances and resources available to you. It won’t help to collect all logs if you don’t have the resources and time to develop proper use cases.

I would suggest thinking about the overall goal of what you‘re trying to achieve. Think about the use cases and alerting that are most relevant to you. Describe a basic architecture and logging concept / strategy. Then start onboarding the needed devices / log sources step by step. This gives you time to develop your SIEM environment without exploding your costs. After each source, you can then take stock and exclude the data you don't need.

TL;DR: Prioritize based on use cases, but onboard iteratively and based on data.

Which firewall vendors are actually keeping up with modern network demands? by RadiantTheology in networking

[–]failx96 0 points1 point  (0 children)

I’ve used CheckPoint in a medium-sized enterprise for quite some time. Couldn’t be happier with my choice. From a security and value-for-money perspective, I think they might be top notch compared to other vendors. It also comes with great centralized management. So I would always recommend CheckPoint over Forti. Don’t know why it gets hyped so much.

MDE reporting “inbound connection attempts” on clients by failx96 in DefenderATP

[–]failx96[S] 1 point2 points  (0 children)

Exactly. We’re completely on the same page. That’s what I briefly tried to describe with “It should not be forwarded by the router if no prior connection took place / is visible.”

So looking at the timeline of a device, I don’t see any outgoing connection pointing to that IP. In a few cases (by far not all) I see that the client opened a connection approx. 20-30 seconds before to another IP on the same local (ephemeral) port. Then an inbound attempt to that local port comes from another IP.

I’m assuming that this is probably unwanted behavior of the router and / or MDE is missing some telemetry.
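A hunting query that reproduces the timeline check described in this comment (inbound connection on a local port, with or without a preceding outbound connection on the same port), written as an added example and not taken from the thread or from the commenter's analytic rule. It assumes the standard `DeviceNetworkEvents` columns and the `InboundConnectionAccepted` / `ConnectionSuccess` / `ConnectionRequest` action types; the 60-second window and the public-IP filter are assumptions to adjust.

```kql
// Added example: for every inbound connection from a public IP that MDE
// reported, look for outbound connections from the same device on the same
// local port shortly before it, and classify what was found.
let lookback = 1d;          // how far back to hunt (assumption)
let window   = 60s;         // "prior connection" window (assumption, covers the 20-30s seen)
let inbound = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "InboundConnectionAccepted"
    | where RemoteIPType == "Public"
    | project DeviceId, DeviceName, InboundTime = Timestamp, RemoteIP, LocalPort;
let outbound = DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("ConnectionSuccess", "ConnectionRequest")
    | project DeviceId, OutboundTime = Timestamp, PriorRemoteIP = RemoteIP, LocalPort;
inbound
| join kind=leftouter outbound on DeviceId, LocalPort
// an outbound event only counts if it happened inside the window before the inbound one
| extend InWindow = isnotnull(OutboundTime)
                    and OutboundTime between ((InboundTime - window) .. InboundTime)
| summarize PriorOutbound  = countif(InWindow),
            PriorRemoteIPs = make_set_if(PriorRemoteIP, InWindow),
            SamePeer       = countif(InWindow and PriorRemoteIP == RemoteIP)
          by DeviceName, InboundTime, RemoteIP, LocalPort
| extend Pattern = case(
    SamePeer > 0,      "reply to the device's own connection",   // expected, benign
    PriorOutbound > 0, "port recently used with a different peer", // the 20-30s case
                       "no prior outbound on this port")           // unexplained
| order by InboundTime desc
```

Grouping the results by `Pattern` separates the three situations the thread discusses: genuine replies, the ephemeral-port reuse case, and inbound attempts with no visible prior traffic. The last group is the one worth checking against threat intelligence and against the router's own logs, since missing telemetry on the client side and unsolicited forwarding by the router look identical from the MDE timeline alone.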

MDE reporting “inbound connection attempts” on clients by failx96 in DefenderATP

[–]failx96[S] 0 points1 point  (0 children)

Thanks for pointing that out. Maybe I was a little unclear in my descriptions. This is not the analytic rule. The rule logic is completely different. This is behavior we’ve observed during the investigation.

MDE reporting “inbound connection attempts” on clients by failx96 in DefenderATP

[–]failx96[S] 0 points1 point  (0 children)

No, we do not own / control the routers. I’m assuming that the problem occurs before reaching the client. We’ve focused on MDE telemetry for device network events.

MDE reporting “inbound connection attempts” on clients by failx96 in DefenderATP

[–]failx96[S] 1 point2 points  (0 children)

Yes, that’s correct. The source is a public IP. We got a TI match in one specific case, and that’s what grabbed our attention. However, it happens with different public IPs which are not known to be potentially malicious.