
Microsoft Sentinel collector not working

Open EllynBsc opened this issue 1 year ago • 2 comments

Description

Microsoft Sentinel collector not working, we don't have the right prevention/detection on Sentinel

EllynBsc, Oct 18 '24 09:10

Need to realign for the Detection & Prevention expectations:

  • The Detection expectation is validated BUT in the log it seems we have a Prevention case
  • The agent has the status MAYBE_PREVENTED

Logs on Sentinel (Action):

A. Validate the alert.

  1. Contact the user who ran the tool to verify whether the activity was legitimate and inspect the endpoints for suspicious behavior.
  2. Locate unfamiliar processes in the process tree. Check files for prevalence, their locations, and digital signatures.
  3. Submit relevant files for deep analysis and review file behaviors.
  4. Identify unusual system activities with system owners.

B. Scope the incident. Find related devices, network addresses, and files in the incident graph.

C. Contain and mitigate the breach. Stop suspicious processes, isolate affected devices, decommission compromised accounts, or reset passwords, block IP addresses and URLs, and install security updates.

D. Contact your incident response team, or contact Microsoft support for investigation and remediation services.

Code

# Fragment posted without its enclosing function; the def line and docstring
# below are assumed so that the snippet runs as-is. `extended_properties` is
# the parsed ExtendedProperties dict of the matched Sentinel alert.
def is_prevented(extended_properties: dict) -> bool:
    """Return True when the alert's Action shows the payload was stopped."""
    if "Action" in extended_properties and extended_properties["Action"] in [
        "blocked",
        "quarantine",
        "remove",
    ]:
        return True
    return False

RomuDeuxfois, Oct 23 '24 09:10
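The comment above describes the mismatch the collector has to resolve: a matching Sentinel alert validates the Detection expectation, but only the alert's Action field says whether the payload was actually stopped, and the agent may independently report MAYBE_PREVENTED. The block below is an added example written for this issue, not code from the OpenAEV/OpenBAS Sentinel collector. It assumes that alerts arrive as rows shaped like the Sentinel SecurityAlert table (with ExtendedProperties as a JSON string), that the prevention action values are the three listed in the posted snippet, and that the expectation result names SUCCESS, FAILED and MAYBE_PREVENTED are the ones the platform uses; the function names and the sample alerts are constructed for the example.

```python
import json
from enum import Enum

# Action values taken to mean the payload was stopped (same list as the posted
# snippet). Assumed for this example; the collector's real list may differ.
PREVENTION_ACTIONS = {"blocked", "quarantine", "remove"}


class Result(str, Enum):
    """Expectation results; names assumed to match the platform's statuses."""
    SUCCESS = "SUCCESS"
    FAILED = "FAILED"
    MAYBE_PREVENTED = "MAYBE_PREVENTED"  # agent could not tell if the payload ran


def parse_extended_properties(raw):
    """ExtendedProperties is a JSON string in the SecurityAlert table (assumed);
    tolerate an already-parsed dict, and fail closed to {} on garbage."""
    if raw is None:
        return {}
    if isinstance(raw, dict):
        return raw
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return {}
    return parsed if isinstance(parsed, dict) else {}


def action_shows_prevention(extended_properties):
    """True when the alert's Action is one of the prevention actions.
    Case and surrounding whitespace are normalised (a choice made here, the
    posted snippet compares the raw string)."""
    action = str(extended_properties.get("Action", "")).strip().lower()
    return action in PREVENTION_ACTIONS


def evaluate_expectations(alert, agent_status):
    """Map one matched alert plus the agent's own status to expectation results.

    Rules assumed for this example:
    - a matching alert validates DETECTION whatever the Action says;
    - PREVENTION is SUCCESS only when the Action shows the payload was stopped;
    - with no prevention action, an agent status of MAYBE_PREVENTED is kept
      rather than downgraded to FAILED, so the ambiguity stays visible.
    """
    props = parse_extended_properties(alert.get("ExtendedProperties"))
    results = {"DETECTION": Result.SUCCESS}
    if action_shows_prevention(props):
        results["PREVENTION"] = Result.SUCCESS
    elif agent_status == Result.MAYBE_PREVENTED:
        results["PREVENTION"] = Result.MAYBE_PREVENTED
    else:
        results["PREVENTION"] = Result.FAILED
    return results


# Constructed sample rows, shaped like SecurityAlert records (not real alerts).
SAMPLE_ALERTS = [
    {"AlertName": "Suspicious tool execution",
     "ExtendedProperties": json.dumps({"Action": "Blocked", "ProcessName": "x.exe"})},
    {"AlertName": "Suspicious tool execution",
     "ExtendedProperties": json.dumps({"Action": "Detected", "ProcessName": "x.exe"})},
    {"AlertName": "Malformed properties",
     "ExtendedProperties": "not json"},
]


def run_samples(agent_status="MAYBE_PREVENTED"):
    """Evaluate every sample alert against the given agent status."""
    return [evaluate_expectations(a, agent_status) for a in SAMPLE_ALERTS]


if __name__ == "__main__":
    for alert, res in zip(SAMPLE_ALERTS, run_samples()):
        print(alert["AlertName"], {k: v.value for k, v in res.items()})
```

With the first sample the Action field says "Blocked", so both expectations come back SUCCESS even though the agent reported MAYBE_PREVENTED, which is the realignment the comment asks for; the second sample keeps MAYBE_PREVENTED because nothing in the alert proves prevention; the third shows that unparseable properties must not crash the collector or silently count as prevention.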

Don't forget to build a checklist of what to implement to be a valid collector -> useful for CrowdStrike and the other ones

RomuDeuxfois, Oct 29 '24 14:10