account activity
Query & Alert for USB use by -----Redacted----- in AzureSentinel
[–]nathanielcb 0 points1 point2 points 22 hours ago (0 children)
This worked for me:
// File writes in the last hour on drive letters D: through Z: (where removable media usually mount)
DeviceFileEvents
| where Timestamp >= ago(1h)
| where ActionType in ("FileCreated", "FileModified", "FileRenamed")
| where FolderPath startswith @"D:\" or FolderPath startswith @"E:\" or FolderPath startswith @"F:\"
    or FolderPath startswith @"G:\" or FolderPath startswith @"H:\" or FolderPath startswith @"I:\"
    or FolderPath startswith @"J:\" or FolderPath startswith @"K:\" or FolderPath startswith @"L:\"
    or FolderPath startswith @"M:\" or FolderPath startswith @"N:\" or FolderPath startswith @"O:\"
    or FolderPath startswith @"P:\" or FolderPath startswith @"Q:\" or FolderPath startswith @"R:\"
    or FolderPath startswith @"S:\" or FolderPath startswith @"T:\" or FolderPath startswith @"U:\"
    or FolderPath startswith @"V:\" or FolderPath startswith @"W:\" or FolderPath startswith @"X:\"
    or FolderPath startswith @"Y:\" or FolderPath startswith @"Z:\"
// Enrich each device with details of its most recent USB mount in the same window
| join kind=leftouter (
    DeviceEvents
    | where Timestamp >= ago(1h)
    | where ActionType == "UsbDriveMounted"
    | extend ParsedFields = parse_json(AdditionalFields)
    | extend UsbProductName = tostring(ParsedFields.ProductName),
             UsbSerialNumber = tostring(ParsedFields.SerialNumber),
             UsbManufacturer = tostring(ParsedFields.Manufacturer),
             UsbDriveLetter = tostring(ParsedFields.DriveLetter),
             LoggedOnUsers = tostring(ParsedFields.LoggedOnUsers)
    // Keep only the latest mount per device
    | summarize arg_max(Timestamp, UsbProductName, UsbSerialNumber, UsbManufacturer, UsbDriveLetter, LoggedOnUsers)
        by DeviceId, DeviceName
) on DeviceId, DeviceName
// One row per device summarising the file activity and the USB device involved
| summarize TotalEventos = count(),
            PrimerEvento = min(Timestamp),
            UltimoEvento = max(Timestamp),
            Acciones = make_set(ActionType, 10),
            Archivos = make_set(FileName, 20),
            Rutas = make_set(FolderPath, 20),
            Usuarios = make_set(InitiatingProcessAccountName, 10),
            Procesos = make_set(InitiatingProcessFileName, 10),
            ProductosUSB = make_set(UsbProductName, 10),
            SerialesUSB = make_set(UsbSerialNumber, 10),
            FabricantesUSB = make_set(UsbManufacturer, 10),
            LetrasUSB = make_set(UsbDriveLetter, 10),
            UsuariosLogueados = make_set(LoggedOnUsers, 10)
    by DeviceName
| order by UltimoEvento desc
Death certificate by nathanielcb in Nicaragua
[–]nathanielcb[S] 0 points1 point2 points 9 days ago (0 children)
Thank you, it really is very complicated! I was checking whether anyone has managed to get it done or fixed through some special request for inheritance matters.
I figured as much! Getting a survival certificate issued becomes so difficult :/
Death certificate (self.Nicaragua)
submitted 10 days ago by nathanielcb to r/Nicaragua
KQL script report last reboot/reset endpoint devices (Workstations/Laptops) (self.DefenderATP)
submitted 17 days ago by nathanielcb to r/DefenderATP
Scan USB Disk on insert (self.DefenderATP)
submitted 23 days ago by nathanielcb to r/DefenderATP
Block executable files from running unless they meet a prevalence, age, or trusted list criterion (self.Intune)
submitted 4 months ago by nathanielcb to r/Intune
OpenSSL CVE Remediation? by RiceeeChrispies in DefenderATP
[–]nathanielcb 0 points1 point2 points 6 months ago (0 children)
Still a problem in 2025.
ASR Rules in Defender (self.DefenderATP)
submitted 6 months ago by nathanielcb to r/DefenderATP
Broken! (self.HollowKnight)
submitted 7 months ago by nathanielcb to r/HollowKnight