Tag Archives: microsoft
MS Project does not produce the correct end dates on 5 tasks
I have 5 separate tasks which all have the same start date, same predecessor, same duration and all are 0% complete, with no constraint dates, yet they have 5 different end dates.
Access EntraID-joined Windows Server SMB share as “SYSTEM” from Windows365
Hello,
is it somehow possible for a Windows365 machine to reach an SMB share (configured with Authenticated Users Read on Share+NTFS) on an EntraID-joined Windows Server as the machine itself (SYSTEM)? Specifically, there is a scheduled task that runs as SYSTEM on the Windows365 machine that should update a piece of software from the share.
The users themselves access the share without problems with their EntraID identity.
Traditionally in an AD environment this was possible, as long as the share allowed the computer objects to access it (Domain Computers, Authenticated Users), as is always configured on netlogon/sysvol so that the computer GPOs can be applied.
Why are some comments in my yml pipeline code not green
Some of the comments in my yml / powershell aren’t green but they still act like comments. Minor OCD weirdness and just wondering if anyone else sees this too?
How to show blank cell, with an existing formula, when no data is available, yet
How can I get my cells to show blank, with an existing formula, until data in other cells is entered?
This is my current formula: =0.1*INT((5+(MOD(E3-D3,6)=0)+TEXT(E3-D3,"[m]"))/6)
I need to update it so that when the cells it pulls from are empty, the formula doesn't populate. Currently, when no data is entered in the cells the formula pulls from, it default-populates to 0.10.
Any help is appreciated, thank you!
Windows AD, Azure AD
Hello everyone
I connected Windows AD and Azure AD.
When I create a Windows account in Windows AD, it is also created in Azure AD.
However, when you join a domain with Azure AD on your PC, you can register a device only with Azure AD, and you can’t register a device with Windows AD.
The user account is synced, but I think the device is not syncing.
I've tried various settings found through searching, like GPO, device options… but they're still not working.
How can I sync my device?
I’d like to ask for your help.
MID Function Help
Hello, I am trying to use the MID function to return a 4 digit number from a text string, but it isn't always 4 digits. How do I avoid the returned result being 9340 (when it's actually 934) or 0004 (just return a 4), and lastly, if it's all 0000, just return a blank cell?
Examples:
1. 7000000001003313150000000000010000000000934000000000
2. 7000000001003313150000000000010000000000004000000000
3. 7000000001003313150000000000010000000000000000000000
The results I would like are:
1. 934
2. 4
3. Blank cell
Power BI Data Analyst Associate
Good evening,
In 2020, I obtained the certification “Analyzing and Visualizing Data with Microsoft Power BI.” I would like to know if it corresponds to the PL300 – PowerBI Data Analyst Associate certification today.
If so, is it possible to get an updated badge?
Thank you.
Azure Role Assignments Audit Report
Overview:
Azure Administrators often come across challenges while tracking multiple Azure role assignments and removals. At present Azure provides Activity Logs, but they make less sense to non-tech-savvy stakeholders: for example, they include the Role Id and Principal Id but do not indicate the role name and principal name, which would make the report far more readable. To ensure proper tracking and accountability, we need a comprehensive report that includes the following details:
Initiator and Timestamp
User/Group/Principal assigned/removed
Role assigned/removed
Scope of the Attempt
Pre-Requisites:
Export subscription-level Activity Logs to a Log Analytics Workspace. For this, navigate to Subscription > Activity log > Export Activity Log > Add Diagnostic Setting.
Add a Diagnostic Setting to export Administrative logs to a Log Analytics Workspace of your choice and hit the Save button.
Navigate to the Workspace and retrieve the Workspace ID from the Overview section; we'll require this in our script.
Solution:
We have created a solution that retrieves and refines information from the Activity Logs stored in the Log Analytics Workspace and creates a readable CSV report.
Sample Output:
PowerShell Script: Please replace the workspace ID (lines 32 and 33 of the original listing, the two Invoke-AzOperationalInsightsQuery calls) and the output CSV file path (lines 57 and 78, the two Export-Csv calls) with appropriate values; you can provide the same value at both places. Based on the requirement and the Log Analytics retention, the number of days in the two ago(2d) clauses (lines 6 and 20) can also be edited.
```powershell
#Login Azure Account
Add-AzAccount
#Log Analytics query for retrieving Role Assignment addition activities for the past 2 days
$addqr = 'AzureActivity
| where TimeGenerated > ago(2d)
| where CategoryValue =~ "Administrative" and OperationNameValue =~ "Microsoft.Authorization/roleAssignments/write" and ActivityStatusValue =~ "Start"
| extend RoleDefinition = extractjson("$.Properties.RoleDefinitionId",tostring(Properties_d.requestbody),typeof(string))
| extend PrincipalId = extractjson("$.Properties.PrincipalId",tostring(Properties_d.requestbody),typeof(string))
| extend PrincipalType = extractjson("$.Properties.PrincipalType",tostring(Properties_d.requestbody),typeof(string))
| extend Scope = extractjson("$.Properties.Scope",tostring(Properties_d.requestbody),typeof(string))
| extend RoleId = split(RoleDefinition,"/")
| extend InitiatedBy = Caller
| extend Operation = split(OperationNameValue,"/")
| project TimeGenerated,InitiatedBy,Scope,PrincipalId,PrincipalType,RoleID=RoleId[4],Operation= Operation[2]'
#Log Analytics query for retrieving Role Assignment removal activities for the past 2 days
$rmqr = 'AzureActivity
| where TimeGenerated > ago(2d)
| where CategoryValue =~ "Administrative" and OperationNameValue =~ "Microsoft.Authorization/roleAssignments/delete" and (ActivityStatusValue =~ "Success")
| extend RoleDefinition = extractjson("$.properties.roleDefinitionId",tostring(Properties_d.responseBody),typeof(string))
| extend PrincipalId = extractjson("$.properties.principalId",tostring(Properties_d.responseBody),typeof(string))
| extend PrincipalType = extractjson("$.properties.principalType",tostring(Properties_d.responseBody),typeof(string))
| extend Scope = extractjson("$.properties.scope",tostring(Properties_d.responseBody),typeof(string))
| extend RoleId = split(RoleDefinition,"/")
| extend InitiatedBy = Caller
| extend Operation = split(OperationNameValue,"/")
| project TimeGenerated,InitiatedBy,Scope,PrincipalId,PrincipalType,RoleID=RoleId[6],Operation= Operation[2]'
#Please replace with appropriate workspace ID
$addqueryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId "<replace with Workspace ID>" -Query $addqr
$rmqueryResults = Invoke-AzOperationalInsightsQuery -WorkspaceId "<replace with Workspace ID>" -Query $rmqr
#Isolating Log Analytics query results
$addqrs = $addqueryResults.Results
$rmqrs = $rmqueryResults.Results
#For each add query result find user/group name and role name to append into the CSV report
foreach ($qr in $addqrs)
{
    $rd = Get-AzRoleDefinition -Id $qr.RoleID
    if($qr.PrincipalType -eq 'User')
    {
        $prncpl = Get-AzADUser -ObjectId $qr.PrincipalId
    }
    elseif($qr.PrincipalType -eq 'Group'){
        $prncpl = Get-AzADGroup -ObjectId $qr.PrincipalId
    }
    else{
        $prncpl = Get-AzADServicePrincipal -ObjectId $qr.PrincipalId
    }
    $qr | Add-Member -MemberType NoteProperty -Name 'Role' -Value $rd.Name
    $qr | Add-Member -MemberType NoteProperty -Name 'PrincipalName' -Value $prncpl.DisplayName
    #Replace with appropriate path
    $qr | Export-Csv -Path "<Replace Path><FileName.csv>" -NoTypeInformation -Append
}
#For each remove query result find user/group name and role name to append into the CSV report
foreach ($qr in $rmqrs)
{
    $rd = Get-AzRoleDefinition -Id $qr.RoleID
    if($qr.PrincipalType -eq 'User')
    {
        $prncpl = Get-AzADUser -ObjectId $qr.PrincipalId
    }
    elseif($qr.PrincipalType -eq 'Group'){
        $prncpl = Get-AzADGroup -ObjectId $qr.PrincipalId
    }
    else{
        $prncpl = Get-AzADServicePrincipal -ObjectId $qr.PrincipalId
    }
    $qr | Add-Member -MemberType NoteProperty -Name 'Role' -Value $rd.Name
    $qr | Add-Member -MemberType NoteProperty -Name 'PrincipalName' -Value $prncpl.DisplayName
    #Replace with appropriate path
    $qr | Export-Csv -Path "<Replace Path><FileName.csv>" -NoTypeInformation -Append
}
# End of Script
```
Hope this helps!
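The script above stops with an error, or writes an empty name, whenever a principal or custom role was deleted after the assignment event, and it does the same lookup twice for every role. The following added example (written for this page, not part of the original post) shows one way to harden the name-resolution step: it accepts the rows produced by the page's two queries, caches role definitions, and keeps the raw object and role IDs in the report when a lookup fails, so the audit trail never loses the identifier that was actually granted or revoked. It takes the last path segment of the role definition ID rather than a fixed array index, so it works whether the request body carried the tenant-level or the subscription-level form of the ID. Function names and the `unresolved:` / `unknown-role:` markers are this example's own; it assumes the Az.Resources module and an existing Add-AzAccount session.

```powershell
# Added example: resolve role and principal names for role-assignment audit rows
# with caching and failure handling. Assumes Az.Resources and a signed-in Az session.
# Function names are this example's own, not the original script's.

$script:RoleNameCache = @{}

function Resolve-RoleName {
    param([Parameter(Mandatory)][string]$RoleDefinition)
    # Accept either the bare GUID or a full ".../roleDefinitions/<guid>" path,
    # so the result does not depend on which path form the request body used.
    $roleId = ($RoleDefinition -split '/')[-1]
    if ($script:RoleNameCache.ContainsKey($roleId)) { return $script:RoleNameCache[$roleId] }
    try {
        $rd = Get-AzRoleDefinition -Id $roleId -ErrorAction Stop
        $name = if ($rd) { $rd.Name } else { "unknown-role:$roleId" }
    } catch {
        # A custom role deleted after the event cannot be resolved; keep the ID.
        $name = "unknown-role:$roleId"
    }
    $script:RoleNameCache[$roleId] = $name
    return $name
}

function Resolve-PrincipalName {
    param(
        [Parameter(Mandatory)][string]$PrincipalId,
        [Parameter(Mandatory)][string]$PrincipalType
    )
    try {
        $p = switch ($PrincipalType) {
            'User'  { Get-AzADUser -ObjectId $PrincipalId -ErrorAction Stop }
            'Group' { Get-AzADGroup -ObjectId $PrincipalId -ErrorAction Stop }
            default { Get-AzADServicePrincipal -ObjectId $PrincipalId -ErrorAction Stop }
        }
        if ($p -and $p.DisplayName) { return $p.DisplayName }
    } catch {
        # Fall through: the object may have been deleted since the assignment event.
    }
    # Keep the raw object ID so the audit row is never blank.
    return "unresolved:${PrincipalType}:$PrincipalId"
}

function ConvertTo-AuditRecord {
    # Turns one row from the page's $addqr / $rmqr queries into a flat report object.
    param([Parameter(Mandatory, ValueFromPipeline)]$Row)
    process {
        [pscustomobject]@{
            TimeGenerated = $Row.TimeGenerated
            Operation     = $Row.Operation      # "write" (assigned) or "delete" (removed)
            InitiatedBy   = $Row.InitiatedBy
            PrincipalName = Resolve-PrincipalName -PrincipalId $Row.PrincipalId -PrincipalType $Row.PrincipalType
            PrincipalType = $Row.PrincipalType
            PrincipalId   = $Row.PrincipalId
            Role          = Resolve-RoleName -RoleDefinition $Row.RoleID
            RoleId        = ($Row.RoleID -split '/')[-1]
            Scope         = $Row.Scope
        }
    }
}

# Usage with the page's query results (placeholders as in the original script):
# $rows = @($addqueryResults.Results) + @($rmqueryResults.Results)
# $rows | ConvertTo-AuditRecord | Sort-Object TimeGenerated |
#     Export-Csv -Path '<Replace Path><FileName.csv>' -NoTypeInformation
```

Writing the combined result once without `-Append` (as in the usage comment) avoids the duplicate rows the original produces when the script is run more than once inside the same 2-day window; if you do keep `-Append`, deduplicate on a stable key such as the event's CorrelationId before exporting.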
Can the size of this be increased?
The item in the image appears too small for me to read clearly. Is it possible to enlarge its size?
The Screen Saver and Display Shutoff Are Not Activating
Greetings,
I’ve been encountering some issues of late. Interestingly, I managed to resolve the problem while playing Starfield, although it persists when Windows is up and running, even with no applications open.
Any suggestions on what could be the cause?
Appreciate your help.
Online and Other Forms of Identification
Hello,
I have recently made the switch to Windows 11 Pro and everything is running smoothly, except for a particular issue with website credentials. Even after selecting ‘save this device,’ it doesn’t seem to make any difference.
Every time I access platforms like YouTube, Google, Netflix, and Amazon, I have to go through the same Multi-Factor Authentication (MFA) process, even though I have saved my login information. For any website where I have an account, my credentials are not being saved. It’s especially frustrating with Netflix, as I receive emails every time a new device is used, despite using the service daily.
Could you please help me identify the cause of this issue and suggest how I can resolve it?
Thank you,
Nacho
Can you please help me with the verification process?
Greetings everyone,
I recently updated the security information on my primary account by adding a new phone number since I lost access to the one previously used for verification. I had to endure a 30-day waiting period imposed by Microsoft to complete this process, which has been quite frustrating. Despite the 30 days having passed, the system is still prompting me to wait for access even though it should have been unlocked on December 15th. I am currently unable to make any changes to my security settings. If anyone has advice on how to proceed, I would greatly appreciate it as I am currently facing a bit of a roadblock.
Thank you,
Dale
Swapping Places of Navigation and Context Bars in Windows 11 File Explorer
Hello, following a recent update to Windows 11, I observed a significant change in the layout of the file explorer interface. The navigation bar (which includes back, forward buttons, etc.) and the context bar (featuring functions like new, cut, copy, etc.) have exchanged positions. This adjustment has disrupted my muscle memory accustomed to navigating folders in a specific way. Attached is a screenshot for reference.
Would anyone happen to know a solution to revert to the previous layout configuration?
PowerShell Inquiry
Hello, I need assistance in adjusting the retention period for virus notifications. I am looking to have the virus notifications saved for a maximum of 1 day due to a few specific reasons.
I tried running the following PowerShell command as an administrator to achieve this:
```powershell
Set-MpPreference -QuarantinePurgeItemsAfterDelay 1
```
However, I encountered an error message:
```text
Set-MpPreference : Operation failed with the following error: 0x%1!x!
At line:1 char:2
+ Set-MpPreference -QuarantinePurgeItemsAfterDelay 1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_MpPreference:rootMicrosoft…FT_MpPreference) [Set-MpPreference], CimException
    + FullyQualifiedErrorId : HRESULT 0xc0000142,Set-MpPreference
```
I am seeking guidance on how to make this adjustment successfully.
Operating System Version: 23H2 (OS Build 22631.2792)
Indexer Failing to Honor User Activity Levels for Backoff, Utilizing Full Resources Disregarding Set
Greetings to all!
I am in need of some assistance as I have discovered that my indexer backoff feature has not been functioning as expected. Despite my efforts to enable it through various methods such as adjusting the DisableIndexerBackoff setting in regedit, disabling the Disable Indexer Backoff setting in Group Policy, and restarting the Windows Search service, the indexer is still consuming a significant amount of my PC’s resources at maximum speed. Previously, the indexer used to display a message stating “Indexing speed is reduced because of user activity,” indicating normal functioning, but it no longer does so.
It is essential to mention that I have not made any changes that could have caused this issue. After a few Windows 11 updates and having the indexer backoff disabled for an extended period, when I attempted to enable it, it failed to work properly. This was not the case nearly half a year ago when everything was functioning correctly. I have extensively researched similar issues but have not found a satisfactory solution.
I am seeking advice on how to resolve the problem of the indexer backoff not reducing the indexing speed despite being enabled. Any insights or expertise from those who have encountered a similar issue would be greatly appreciated.
Thank you in advance for your assistance!
Question about PowerShell
Hello, I need to adjust the retention period for virus notifications. I would like to temporarily store virus notifications for a maximum of 1 day for various reasons.
I attempted to modify this setting using PowerShell with administrative privileges by running the following command:
```powershell
Set-MpPreference -QuarantinePurgeItemsAfterDelay 1
```
However, I encountered an error:
```text
Set-MpPreference : The operation failed with the following error: 0x%1!x!
At line:1 char:2
+ Set-MpPreference -QuarantinePurgeItemsAfterDelay 1
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (MSFT_MpPreference:rootMicrosoft…FT_MpPreference) [Set-MpPreference], CimException
    + FullyQualifiedErrorId : HRESULT 0xc0000142,Set-MpPreference
```
Can someone assist me in making this adjustment?
Operating System Version: 23H2 (OS Build 22631.2792)
Teams and Area permissions
In a project I have 3 teams. In each team I have one area.
I want each member of a team to not be able to create User Stories in other teams.
I have TEAM1 with AREA1
I have TEAM2 with AREA2
I have TEAM3 with AREA3
In Project Configuration:
For AREA1 I Deny access to TEAM2 and TEAM3
For AREA2 I Deny access to TEAM1 and TEAM3
For AREA3 I Deny access to TEAM1 and TEAM2
It works very well if a member is only in one team.
But it doesn't work if a member is in 2 teams: in this case the member can't access any User Story.
Can somebody help me?
All the mail from one mail address arrives in quarantine with an SCL = 5
All the emails sent to us by our customer (email address removed for privacy reasons) arrive in our quarantine with an SCL score of 5.
However, the email address passes the DMARC tests perfectly (test carried out with https://www.dmarctester.com/).
The domain is not blacklisted, and emails from his colleagues (email addresses removed for privacy reasons) arrive with no problem.
The content of the email shouldn’t be the problem either, as an empty email is also quarantined.
What additional diagnostic work can I do to understand why the SCL for each of his emails scores 5?
Microsoft Sentinel & Cyberint Threat Intel Integration Guide
Microsoft Sentinel & Cyberint IOC Module Integration Guide
In today’s cybersecurity landscape, threat intelligence plays a critical role in identifying and mitigating potential threats. Microsoft Sentinel, a powerful cloud-native SIEM (Security Information and Event Management) solution, provides robust capabilities for security monitoring and incident response.
Integrating Microsoft Sentinel with Cyberint (Cyberint – Threat Intelligence & Digital Risk Protection) module enhances its ability to detect and respond to emerging threats using threat intelligence feeds.
This guide outlines the steps to integrate Cyberint’s module with Microsoft Sentinel, enabling you to leverage enriched threat intelligence data for more effective security operations.
PREREQUISITES
1. Ensure you have an active Azure account with sufficient permissions to create resources
2. Active Cyberint account. (To get the API Token & URL)
This blog will guide you through the steps for integrating with Cyberint TI feeds and how to troubleshoot various issues that may arise during integration. Here is a brief summary of the steps needed:
Log in to your Azure account.
Create a new Logic App
Ensure that Managed Identity for the Logic app is enabled.
Switch to Code view and paste in the JSON code
Use JSON Lint to verify and validate the Json Format.
Save the Logic App code.
Add a Switch-Case to handle HTTP action redirect status code 307.
Add steps for delay action to handle the Status code 429.
Configure the Logic App to execute daily.
Add Retry Policy if Status code 429 persists.
Grant Microsoft Sentinel Contributor Role to Logic App at the Resource Group Level.
Create a Blank logic app
1. Sign In to Azure Portal
Go to: Azure Portal
Log in with your Azure credentials.
2. Create a new Logic App
Navigate to: All services > Logic Apps
Click: + Add or + Create
Configure Basics:
Subscription: Select your Azure subscription.
Resource Group: Choose or create a new one.
Logic App Name: Enter a unique name.
Region: Choose your preferred region.
Select Type: Choose Logic App (Consumption) for pay-as-you-go pricing.
Click: Review + Create, then Create.
3. Ensure that the Logic app's Managed Identity is enabled
Under the “Settings” section in the navigation bar, select “Identity”
Switch the “Status” slider to “On” and verify that you wish to perform this action.
You will assign role assignments later in the Blog post.
4. Switch to Code View to paste in JSON code
After activating the managed Identity, proceed to the Code view within Logic app.
Under the “Development Tools” section in the navigation bar, select “Logic app code view”
Insert the following code, making sure to substitute the placeholder elements in angle brackets (highlighted in the original post) with the relevant information specific to your environment.
The information you will need to gather is:
Microsoft Sentinel Subscription ID
Microsoft Sentinel Resource Group Name
Microsoft Sentinel Deployment Region
Cyberint API Token
Cyberint Environment URL
Utilize the following code provided by CYBERINT to implement the foundational logic structure. Substitute the placeholder sections in angle brackets with the appropriate values.
```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "actions": {
      "Compose": {
        "inputs": "@split(variables('input'), '\n')",
        "runAfter": {
          "Initialize_variable": [
            "Succeeded"
          ]
        },
        "type": "Compose"
      },
      "Filter_array": {
        "inputs": {
          "from": "@outputs('Compose')",
          "where": "@not(equals(item(), ''))"
        },
        "runAfter": {
          "Compose": [
            "Succeeded"
          ]
        },
        "type": "Query"
      },
      "Follow_redirect_http": {
        "inputs": {
          "method": "GET",
          "uri": "@{outputs('HTTP')['headers']['location']}"
        },
        "runAfter": {
          "HTTP": [
            "Failed"
          ]
        },
        "type": "Http"
      },
      "For_each": {
        "actions": {
          "Parse_JSON_2": {
            "inputs": {
              "content": "@items('For_each')",
              "schema": {
                "properties": {
                  "confidence": {
                    "type": "integer"
                  },
                  "description": {
                    "type": "string"
                  },
                  "detected_activity": {
                    "type": "string"
                  },
                  "ioc_type": {
                    "type": "string"
                  },
                  "ioc_value": {
                    "type": "string"
                  },
                  "observation_date": {
                    "type": "string"
                  },
                  "severity_score": {
                    "type": "integer"
                  }
                },
                "type": "object"
              }
            },
            "runAfter": {},
            "type": "ParseJson"
          },
          "Threat_Intelligence_-_Upload_Indicators_of_Compromise_(V2)_(Preview)": {
            "inputs": {
              "body": {
                "indicators": [
                  {
                    "confidence": "@{body('Parse_JSON_2')?['confidence']}",
                    "created": "@{utcNow()}",
                    "description": "@{body('Parse_JSON_2')?['description']}",
                    "external_references": [],
                    "granular_markings": [],
                    "id": "indicator--@{guid()}",
                    "indicator_types": [
                      "@{body('Parse_JSON_2')?['detected_activity']}"
                    ],
                    "kill_chain_phases": [
                      {
                        "kill_chain_name": "mandiant-attack-lifecycle-model",
                        "phase_name": "establish-foothold"
                      }
                    ],
                    "labels": [
                      "cyberint"
                    ],
                    "lang": "",
                    "modified": "@{utcNow()}",
                    "name": "@{body('Parse_JSON_2')?['ioc_value']}",
                    "object_marking_refs": [],
                    "pattern": "[ipv4-addr:value = '@{body('Parse_JSON_2')?['ioc_value']}']",
                    "pattern_type": "ipv4-addr",
                    "spec_version": "2.1",
                    "type": "indicator",
                    "valid_from": "@{body('Parse_JSON_2')?['observation_date']}"
                  }
                ],
                "sourcesystem": "Cyberint"
              },
              "host": {
                "connection": {
                  "name": "@parameters('$connections')['azuresentinel']['connectionId']"
                }
              },
              "method": "post",
              "path": "/V2/ThreatIntelligence/@{encodeURIComponent('<Microsoft Sentinel workspaceid>')}/UploadIndicators/"
            },
            "runAfter": {
              "Parse_JSON_2": [
                "Succeeded"
              ]
            },
            "type": "ApiConnection"
          }
        },
        "foreach": "@body('Filter_array')",
        "runAfter": {
          "Filter_array": [
            "Succeeded"
          ]
        },
        "type": "Foreach"
      },
      "HTTP": {
        "inputs": {
          "cookie": "access_token=<cyberint api token>",
          "method": "GET",
          "queries": {
            "date": "@{formatDateTime(utcNow(), 'yyyy-MM-dd')}",
            "detected_activity": "cnc_server",
            "ioc_type": "ipv4"
          },
          "uri": "https://<cyberint environment url>/ioc/api/v1/feed/daily"
        },
        "runAfter": {},
        "type": "Http"
      },
      "Initialize_variable": {
        "inputs": {
          "variables": [
            {
              "name": "input",
              "type": "string",
              "value": "@{body('Follow_redirect_http')}"
            }
          ]
        },
        "runAfter": {
          "Follow_redirect_http": [
            "Succeeded"
          ]
        },
        "type": "InitializeVariable"
      }
    },
    "contentVersion": "1.0.0.0",
    "outputs": {},
    "parameters": {
      "$connections": {
        "defaultValue": {},
        "type": "Object"
      }
    },
    "triggers": {
      "Recurrence": {
        "evaluatedRecurrence": {
          "frequency": "Week",
          "interval": 1
        },
        "recurrence": {
          "frequency": "Week",
          "interval": 1
        },
        "type": "Recurrence"
      }
    }
  },
  "parameters": {
    "$connections": {
      "value": {
        "azuresentinel": {
          "connectionId": "/subscriptions/<azure subscriptionid>/resourceGroups/<Sentinel Resource Group Name>/providers/Microsoft.Web/connections/azuresentinel",
          "connectionName": "azuresentinel",
          "id": "/subscriptions/<azure subscriptionid>/providers/Microsoft.Web/locations/<deployment Region>/managedApis/azuresentinel"
        }
      }
    }
  }
}
```
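The Compose, Filter array and Parse JSON 2 steps in the workflow above treat the Cyberint daily feed as newline-delimited JSON, one IOC per line, and turn each line into a STIX 2.1 indicator whose pattern is hard-wired to `ipv4-addr`. The following added example (written for this page, not code from Cyberint or Microsoft) reproduces that transformation locally so you can inspect the indicators before they reach the Sentinel upload action: it drops blank lines, parses each record, and validates that `ioc_value` really is an IPv4 address before building the pattern, because a non-IP value would otherwise produce an invalid STIX pattern and a rejected upload. The feed lines are constructed sample data using a documentation IP range, and the function names are this example's own. Note that STIX 2.1 defines `stix` as the `pattern_type` for patterns of this form; the example uses that value, whereas the workflow above sets `ipv4-addr`.

```powershell
# Added example: parse a newline-delimited IOC feed and build STIX 2.1 indicators
# shaped like the body the Logic App sends to the Sentinel "Upload Indicators" action.
# Sample feed below is constructed; function names are this example's own.

function ConvertFrom-IocFeed {
    param([Parameter(Mandatory)][string]$FeedText)
    # Mirrors the split('\n') + Filter array steps: skip blank lines, parse the rest.
    foreach ($line in ($FeedText -split "`n")) {
        $line = $line.Trim()
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        try {
            $line | ConvertFrom-Json
        } catch {
            Write-Warning "Skipping malformed feed line: $line"
        }
    }
}

function Test-IPv4Literal {
    param([Parameter(Mandatory)][string]$Value)
    # Dotted-quad shape plus a real parse, so "999.1.1.1" and "1" are both rejected.
    if ($Value -notmatch '^\d{1,3}(\.\d{1,3}){3}$') { return $false }
    $addr = $null
    return [System.Net.IPAddress]::TryParse($Value, [ref]$addr) -and
           $addr.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork
}

function ConvertTo-StixIndicator {
    param([Parameter(Mandatory, ValueFromPipeline)]$Ioc)
    process {
        # The workflow's pattern assumes ipv4-addr; refuse anything that is not one.
        if ($Ioc.ioc_type -ne 'ipv4' -or -not (Test-IPv4Literal -Value ([string]$Ioc.ioc_value))) {
            Write-Warning "Skipping non-IPv4 indicator: $($Ioc.ioc_type) $($Ioc.ioc_value)"
            return
        }
        $now = [DateTime]::UtcNow.ToString('o')
        [ordered]@{
            type            = 'indicator'
            spec_version    = '2.1'
            id              = "indicator--$([guid]::NewGuid())"
            created         = $now
            modified        = $now
            name            = $Ioc.ioc_value
            description     = $Ioc.description
            confidence      = [int]$Ioc.confidence
            indicator_types = @($Ioc.detected_activity)
            labels          = @('cyberint')
            pattern_type    = 'stix'
            pattern         = "[ipv4-addr:value = '$($Ioc.ioc_value)']"
            valid_from      = $Ioc.observation_date
        }
    }
}

# Constructed sample feed: one valid record, a blank line, and one bad value.
$sampleFeed = @'
{"confidence":80,"description":"C2 server seen in campaign X","detected_activity":"cnc_server","ioc_type":"ipv4","ioc_value":"203.0.113.10","observation_date":"2024-01-15T00:00:00Z","severity_score":90}

{"confidence":60,"description":"Malformed entry","detected_activity":"cnc_server","ioc_type":"ipv4","ioc_value":"not-an-ip","observation_date":"2024-01-15T00:00:00Z","severity_score":50}
'@

$indicators = @(ConvertFrom-IocFeed -FeedText $sampleFeed | ConvertTo-StixIndicator)
# Same body shape as the upload action: one valid indicator, the bad line was skipped.
$body = @{ sourcesystem = 'Cyberint'; indicators = $indicators } | ConvertTo-Json -Depth 5
$body
```

Running the transformation locally against a saved copy of a real feed is a cheap way to find out whether the feed contains types other than `ipv4` before the workflow silently uploads them as `ipv4-addr` patterns.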
5. Utilize Json Lint Validator
Since you have modified the JSON code, it makes sense to double check it. In a new tab or window in your browser, go to JSON Online Validator and Formatter – JSON Lint, paste in your modified code, and then click on the green “Validate JSON” button.
Fix any errors that may show up and repeat the process until the JSON passes. Copy the modified code if you made any changes back into the Logic App.
6. Save the Logic App code
In the Logic App code view page, click on the “Save” button. The Azure portal notifications bell will show that this activity is running. You can click on that to see if any errors have occurred.
7. Implement the Switch Case Action
An additional Switch-Case action is required to handle the redirect returned to the HTTP action. Once the code above is deployed, follow the instructions below to update the Logic App.
In the “Development Tools” in the navigation menu, select “Logic App designer” to switch back to the graphical view. Note: You can also get to this view by clicking on the “Edit” button in the “Overview” page.
The Switch action is added directly after the HTTP action. Use the following steps to add the needed actions:
1. Click "Add an action".
2. Search for the "Switch" action and select it.
3. Set the value the Switch evaluates to the Status Code output of the previous HTTP step.
4. Make sure the Switch action has both "Has Failed" and "Is Successful" checked under the "Run After" options in the "Settings" tab.
5. Click the "Add Case" button.
6. Set the exact status code value 307 for Case 2.
7. Inside the case, add a new HTTP action: search for the "HTTP" action and select it.
8. Open HTTP 2, set the method to GET, and set the URI to the relocated location returned by the previous step using the string @{outputs('HTTP')['headers']['location']}.
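The Switch action from step 7, written as it would appear in the Logic App code view. This is an added example rather than the post's own code; the action names (Switch, Case_2, and Follow_redirect_http, chosen to match the body('Follow_redirect_http') reference already present in the Initialize_variable action) are assumptions, and the second request deliberately carries no cookie because step 7 specifies only the method and URI.

```json
{
  "Switch": {
    "type": "Switch",
    "expression": "@outputs('HTTP')['statusCode']",
    "runAfter": {
      "HTTP": [ "Succeeded", "Failed" ]
    },
    "cases": {
      "Case_2": {
        "case": 307,
        "actions": {
          "Follow_redirect_http": {
            "type": "Http",
            "inputs": {
              "method": "GET",
              "uri": "@{outputs('HTTP')['headers']['location']}"
            },
            "runAfter": {}
          }
        }
      }
    },
    "default": {
      "actions": {}
    }
  }
}
```

The HTTP action treats a 307 as a failed run, which is why the Switch must run after both "Succeeded" and "Failed". Only add the access_token cookie to the redirect request if the Location header points back at your own Cyberint environment host; sending it to any other host would disclose the API token.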
8. Add an additional Delay action
There may be a case where the Logic App receives a status code of 429 (too many requests). To handle that, add a Delay to the For Each loop after the Parse JSON 2 action:
1. Click the "Add Action" button directly under the "Parse JSON 2" action.
2. Search for "Delay" and select it.
3. Set its "Count" to 5 and change the "Unit" to "Second".
More information on status code 429 can be found in the official Microsoft reference links:
1. Microsoft Sentinel – Connectors | Microsoft Learn
2. https://learn.microsoft.com/en-us/azure/logic-apps/handle-throttling-problems-429-errors?tabs=consumption
9. Adjust the recurrence of the Logic App
This Logic App should run daily because Cyberint produces threat intelligence feeds every day; this is a recommended practice compared to the default weekly schedule. Optionally, a specific time of day can be selected for the Logic App to execute.
1. Select the "Recurrence" trigger at the beginning of the Logic App.
2. Change the "Interval" to "1" and the "Frequency" to "Day".
3. If you wish to have this Logic App run at a specific time, use the "At These Hours" and "At These Minutes" fields to specify when it should run.
10. Adding a Retry Policy if status code 429 persists
If the Logic App still fails with a 429 status after adding the delay, add a retry policy. Follow these steps:
1. Navigate to the Logic App Designer.
2. Open the Threat Intelligence Upload Indicators of Compromise step in the Logic App.
3. Open the "Settings" tab.
4. Under "Networking", select "Retry Policy" and choose "Fixed Interval".
5. Provide the count and interval as required (the Logic App currently uses a count of 4 with an interval of 20 seconds).
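Steps 8 and 10 together, as the same For Each loop would appear in code view: a Delay inserted after Parse JSON 2, and a fixed-interval retry policy (count 4, interval 20 seconds) on the upload action. This is an added example and not the post's own code; the upload action's name and its Parse JSON and body inputs are placeholders, while the connection host and path are taken from the definition above.

```json
{
  "For_each": {
    "type": "Foreach",
    "foreach": "@body('Filter_array')",
    "runAfter": { "Filter_array": [ "Succeeded" ] },
    "actions": {
      "Parse_JSON_2": {
        "type": "ParseJson",
        "inputs": "<unchanged from the definition above>"
      },
      "Delay": {
        "type": "Wait",
        "inputs": { "interval": { "count": 5, "unit": "Second" } },
        "runAfter": { "Parse_JSON_2": [ "Succeeded" ] }
      },
      "Upload_indicators_action_name_placeholder": {
        "type": "ApiConnection",
        "inputs": {
          "host": {
            "connection": {
              "name": "@parameters('$connections')['azuresentinel']['connectionId']"
            }
          },
          "method": "post",
          "path": "/V2/ThreatIntelligence/@{encodeURIComponent('<Microsoft Sentinel workspaceid>')}/UploadIndicators/",
          "body": "<unchanged from the definition above>",
          "retryPolicy": { "type": "fixed", "count": 4, "interval": "PT20S" }
        },
        "runAfter": { "Delay": [ "Succeeded" ] }
      }
    }
  }
}
```

Because the Delay now sits between Parse JSON 2 and the upload, the upload action's runAfter must reference Delay instead of Parse_JSON_2 (the designer rewires this for you when you insert the action). The pause applies to every iteration, so each extra indicator batch adds 5 seconds to the run.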
11. Grant the Microsoft Sentinel Contributor role to the Logic App at the Resource Group level
To resolve the Unauthorized error at the last step of the Logic App, the Logic App's managed identity needs Microsoft Sentinel Contributor rights. Use the following steps to grant this right:
1. Log in to the Azure portal (portal.azure.com).
2. Go to the Microsoft Sentinel's Resource Group.
3. Navigate to "Access Control (IAM)".
4. Click on the “Add” button and select “Add role assignment”
5. Select “Microsoft Sentinel Contributor” role and then click the “Next” button at the bottom of the screen
6. Select the “Managed Identity” radio button
7. Click “Select members”
8. Select the correct Subscription
9. In the “Managed Identity” drop down, select “Logic app”
10. Find the name of the Logic App and select it.
11. Click the “Select” button at the bottom of the page.
12. Click the “Review and assign” button at the bottom of the page to assign the permission
The Logic App is now ready to be run daily to ingest the Cyberint Threat Intelligence data.
To verify that the data is being ingested, run the KQL query below:
ThreatIntelligenceIndicator
| where SourceSystem contains "Cyberint"