# Security # Tips # Microsoft [Azure AD Authentication and authorization error codes](https://docs.microsoft.com/en-us/azure/active-directory/develop/reference-aadsts-error-codes#:~:text=UserStrongAuthClientAuthNRequiredInterrupt%20%2D%20Strong%20authentication%20is%20required%20and%20the%20user%20did%20not%20pass%20the%20MFA%20challenge.) MFA Number matching ``` a new security feature called number matching will be enabled which will replace the current Microsoft Authenticator Approval method (push notification). This enhancement is being implemented to protect users against multi-factor authentication (MFA) fatigue attacks (also known as MFA spamming). Why does this matter? MFA fatigue attacks rely on a user’s ability to approve a simple SMS or push notification that doesn’t require the user to have context of the session being authenticated. According to Microsoft, the use of simple approvals such as “click to approve” or “enter your PIN to approve” has resulted in a corresponding rise in MFA attacks; this security upgrade will address this identified vulnerability. What will number matching entail? During the MFA process, users will be prompted to enter a randomly generated number from the login screen to verify the session/application being authenticated. This change will also show the application that is requesting MFA along with the location from where it is accessed. ``` # Microsoft Sentinel # Ingestion Lag ``` | where ingestionTime > 5m ``` Setting: * Run query every 5m * Lookup data from the last 24 hours * Stop running query after alert disabled # Rule Sample ### Log Analytics: > Logs ### Rules > Analytics ```java OfficeActivity | where ingestion_time() > ago(5m) | where tolower(OfficeWorkload) matches regex "onedrive|sharepoint" and tolower(Operation) matches regex "filesyncdownload|filedownload" and UserId != "app@sharepoint" | summarize initial_time = min(TimeGenerated), end_time = max(datetime_add("Second",1,TimeGenerated)), operation=make_set(Operation,5), workload=make_set(OfficeWorkload,5), file_name=make_set(SourceFileName,5), file_count=dcount(OfficeId) by bin(TimeGenerated,5m),UserId, ClientIP | project-rename src_ip=ClientIP, src_user=UserId | where file_count>500 ``` # Union Alert ```sql // The query_now parameter represents the time (in UTC) at which the scheduled analytics rule ran to produce this alert. set query_now = datetime(2022-03-23T02:57:37.9729472Z); let Alert1 = SecurityAlert | where AlertName == "Unfamiliar sign-in properties" | extend UserPrincipalName = tostring(parse_json(ExtendedProperties).["User Account"]) | extend Alert1Time = TimeGenerated | extend Alert1 = AlertName | extend Alert1Severity = AlertSeverity ; let Alert2 = SecurityAlert | where AlertName == "Atypical travel" | extend UserPrincipalName = tostring(parse_json(ExtendedProperties).["User Account"]) | extend Alert2Time = TimeGenerated | extend Alert2 = AlertName | extend Alert2Severity = AlertSeverity | extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), "|", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), "|", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City)) | extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), "|", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), "|", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City)) | extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address) | extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address) ; Alert1 | join kind=inner Alert2 on UserPrincipalName | where abs(datetime_diff('minute', Alert1Time, Alert2Time)) <=10 | extend TimeDelta = Alert1Time - Alert2Time | project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress | extend AccountCustomEntity = UserPrincipalName | extend IPCustomEntity = CurrentIPAddress ``` # Splunk to Sentinel Logic bin time [doc](https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/binfunction) > | summarize initial_time = min(TimeGenerated), end_time = max(datetime_add("Second",1,TimeGenerated)) by bin(TimeGenerated,15m), src_user # Microsoft Security [![](https://resource.madsprite.com/uploads/images/gallery/2022-05/scaled-1680-/image-1652800402396.png)](https://resource.madsprite.com/uploads/images/gallery/2022-05/image-1652800402396.png) [![](https://resource.madsprite.com/uploads/images/gallery/2022-05/scaled-1680-/image-1652798390227.png)](https://resource.madsprite.com/uploads/images/gallery/2022-05/image-1652798390227.png) [![](https://resource.madsprite.com/uploads/images/gallery/2022-05/scaled-1680-/image-1652891794214.png)](https://resource.madsprite.com/uploads/images/gallery/2022-05/image-1652891794214.png) # Qradar # Ignore when another rule matches When a building block or rule matches it's specific fields, do not fire matched events ``` and NOT when a subset of at least this number of these rules, in order, from the same|different source IP to the same destination IP, over this many seconds ``` # Qradar expiring whitelist Use AQL filter query ``` username LIKE 'testUser' and LONG(DATEFORMAT(starttime, 'yyyyMMdd')) < 20190429 ``` # Qradar global whitelist Use Routing Rules with **forwarding > bypass correlation** For IP ranges, use Network Hierarchy. # Reference Maps [http://www.siem.su/docs/ibm/Technical_remarks/Reference_Data_Collections_Technical_Note.pdf] # ArcSight # Splunk # Splunk Use Case tracker ```sql | rest splunk_server=local count=0 /services/saved/searches | where disabled=0 | rename action.correlationsearch.label as csearch_label, alert.suppress.period as Throttling, alert.suppress.fields as "Grouped By", action.notable.param.rule_title as "Notable Title", action.notable.param.drilldown_search as "Drilldown Search", updated as "Last Updated", actions.email.to as "Email Recipients" | search "Notable Title"="*TUC*" | convert num(Throttling) | eval "Throttling (Days)"=Throttling/86400 | table csearch_label, "Notable Title", description, search, "Drilldown Search", "Throttling (Days)", "Grouped By", cron_schedule, dispatch.earliest_time, dispatch.latest_time, author, actions, "Email Recipients", "Last Updated" ``` # Splunk total run time ```sql (index=_audit host=* action=search sourcetype=audittrail search_id!="rsa_*") | eval user = if(user="n/a", null(), user) | eval search_id=replace(search_id, "'(.*)'", "\1") | eval search=if(isnull(savedsearch_name) OR savedsearch_name=="", search, savedsearch_name) | stats min(_time) as _time, values(user) as user, max(total_run_time) as total_run_time, first(search) as search, first(apiStartTime) as apiStartTime, first(apiEndTime) as apiEndTime by search_id ``` # Splunk Drill Down Events ```sql earliest=$initial_time$ latest=$end_time$ index=$index$ EventCode=4624 NOT Logon_Type IN ("5") host=$orig_host$ ``` > orig_action_name orig_host orig_rid orig_sid # Splunk Results Token fieldsummary # LogRhythm # LogRhythm Or/And Previous OR PREVIOUS works like an OR statement in parenthesis. a AND b OR PREVIOUS c would look like a && (b || c) # Mitre Framework # Cybersecurity Strategy Security Topics and Theories. # Cybersecurity Mesh Architecture [![](https://resource.madsprite.com/uploads/images/gallery/2022-05/scaled-1680-/image-1652202226995.png)](https://resource.madsprite.com/uploads/images/gallery/2022-05/image-1652202226995.png) [![](https://resource.madsprite.com/uploads/images/gallery/2022-05/scaled-1680-/image-1652202603481.png)](https://resource.madsprite.com/uploads/images/gallery/2022-05/image-1652202603481.png) # NTLM Brute Force https://www.varonis.com/blog/investigate-ntlm-brute-force > More specifically, you will need to use Event ID 8004 in Event Viewer to identify the actual device that is on the receiving end of these NTLM brute force attack attempts. Locating the victim device will be the first step in the remediation process. > 8004 events are typically not enabled by default and may require configuration changes in specific Domain Controller group policies to enable logging. # Databricks # Databricks Training Partner Databricks training - https://www.databricks.com/learn/training/login # Work # Jira Story Prompts ``` You are a jira scrum leader, you are to help write out story descriptions together. Below is an explanation of the stories format. User story template and examples User stories are often expressed in a simple sentence, structured as follows: “As a [persona], I [want to], [so that].” Breaking this down: "As a [persona]": Who are we building this for? We’re not just after a job title, we’re after the persona of the person. Max. Our team should have a shared understanding of who Max is. We’ve hopefully interviewed plenty of Max’s. We understand how that person works, how they think and what they feel. We have empathy for Max. “Wants to”: Here we’re describing their intent — not the features they use. What is it they’re actually trying to achieve? This statement should be implementation free — if you’re describing any part of the UI and not what the user goal is you're missing the point. “So that”: how does their immediate desire to do something this fit into their bigger picture? What’s the overall benefit they’re trying to achieve? What is the big problem that needs solving? For example, user stories might look like: As Max, I want to invite my friends, so we can enjoy this service together. As Sascha, I want to organize my work, so I can feel more in control. As a manager, I want to be able to understand my colleagues progress, so I can better report our sucess and failures. This structure is not required, but it is helpful for defining done. When that persona can capture their desired value, then the story is complete. We encourage teams to define their own structure, and then to stick to it. Ask what I'm doing in my next story, reformat it to fit the user stories style and it should be written in context of someone non-technical reading it. ```