Log Data
Local IPs ( 10.60.0.0/24 ) in ClientIP field in OfficeActivity logs?
Started seeing this more often recently and it started to cause some uptick in alerts across multiple customers (we are an MSP). It seems to me like a backend workflow is failing to write true source IPs to OfficeActivity logs, resulting in some 10.60.0.0/24 IPs being recorded as the ClientIP. Could this be some backend IP belonging to a Microsoft service? This can't be related to the customer since we see the same thing across up to 37 tenants/customers. This includes FileDownloaded operations, which is what caused alerts and brought the issue to our attention. To make sure this also wasn't some kind of correlation to device, I checked the logs further and it's happening where IsManagedDevice == false and even for anonymous file access. Is anyone else seeing this, and can anyone from Microsoft confirm whether this is a mistake or bug somewhere upstream?

Sample KQL:

// Query 1
OfficeActivity
| where TimeGenerated >= ago(30d)
| where ipv4_is_private(ClientIP)
| where IsManagedDevice == false
| summarize min(TimeGenerated), max(TimeGenerated), Operations=make_set(Operation), NumberUsers=dcount(UserId), make_set(UserId), UserAgents=make_set(UserAgent) by ClientIP

// Query 2
OfficeActivity
| where TimeGenerated >= ago(60d)
| where isnotempty(ClientIP) and ipv4_is_private(ClientIP)
| summarize count() by bin(TimeGenerated, 1d)

ASIM built-in functions in Sentinel, are they updated automatically?
Are the ASIM built-in functions in Sentinel automatically updated? For example, the built-in parsers such as those for DNS, NetworkSession, and WebSession. Do the built-in ones receive automatic updates, or will the workspace-deployed versions of these parsers be the most up-to-date? And if so, would it be recommended to use the workspace-deployed version of parsers that already come built-in?

Question about ingestion costs (ingestion time transformation)
So the ingestion time transformation is announced here: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/ingestion-time-transformations Does this mean we can send data directly to our workspace and have it filtered there without having to filter using Logstash or the Azure Monitor agent? (as explained here: https://docs.microsoft.com/en-us/azure/sentinel/best-practices-data ) Or do they serve a different purpose? So: to lower our ingestion costs, can we use ingestion-time transformations instead of the current solutions?

Microsoft Defender Vulnerability Management Data in Sentinel
Anyone know when Microsoft Defender Vulnerability Management data will be available in the Microsoft Defender XDR connector in Sentinel? If it won't be available soon, what is the best way to collect Vulnerability Management data into Sentinel? Thanks

Cannot access aka.ms/lademo
Hello team, I am Nikolas. I am learning KQL for Microsoft Sentinel. As far as I know, we can access aka.ms/lademo for demo data. However, I cannot access the demo. I tried using a VPN and accessing the page from many other devices with different IP addresses and a different account, but it does not work. Can you help confirm whether this link is still accessible? I could access the resource last week, but not this week. I am looking forward to hearing from you.

Sending IIS logs to Sentinel
Hi everyone, we have multiple on-prem Windows application servers that need to forward IIS logs to Sentinel. Can we go with WEF and install AMA on the WEF server to send IIS logs to Sentinel, or do I need to onboard each Windows server to Azure through Azure Arc for AMA installation? Any suggestions would be highly appreciated. Thanks

Windows event logging to SIEM (Sentinel)
I am working in a landscape where several old systems are active. Yes, it's a concern that receives attention and is being addressed, but it's separate from this question. For the SOC we need event logging in the SIEM, and thus in Sentinel. We only need logging from a few servers, according to our MSSP, as the other logging is already collected by MDE and MDI agents or other log-collection methods. So the setup of the additional logging focuses on a small number of systems (max 10). Note that these systems are on-prem in our data center.

Azure Arc with AMA is the option we want to go for in the end, but we do not want to introduce such new technology overnight (Arc in general is not in use in the environment). But logging needs to be collected before the end of this month due to compliance requirements. So, we have two other options. One is using the MMA agent, which we know will be EoS in August this year, but which is an agent that some admins have experience with within the test/dev environment. No MMA is enabled in production. It will introduce some risks, as we must install an agent on old, unstable systems. But it is an option. Another method could be using a WEC (Windows Event Collector), which will collect/receive the logging from the systems in scope (again, this is a small set of systems). This WEC will be enabled on an Azure Windows server, which allows us to enable AMA on it. The advantage is that we do not need to install software on the old systems. Of course, we need a configuration adjustment to get the logging from these systems. We assume WEF (Windows Event Forwarder) has less impact than, e.g., installing MMA.

Main question: will I face compatibility issues if I collect the data via WEC and ingest it into Sentinel via the AMA agent installed on the WEC server, compared to using MMA on the remote systems? Thanks for any response