Microsoft Sentinel Parsing tips – Whitespace control

This post will be a part of a multiple posts to cover data parsing in Microsoft Sentinel.


Kusto is a powerfull query language and easy to adopt.

Even if Kusto is very powerfull, working with custom log sources is, sometimes, a mess. Some parsers requires more effort and some are very simple.

In general, when it’s possible to use operators like “parse” (link) function or “parse-kv” (link) it’s very welcome. However, the reality has a different challenge for us.

In this post we want to share a quick pro tip to solve the mystic of hidden whitespaces

The challenge of whitespaces

Whitespaces ” ” exists everywhere, the challenge is how it’s presented in log analytics.

Log analytics does a lot for the user in terms of nicely present data. It actually removes duplicate whitespaces, as well as leading and trailing whitespace.

This could result in problems like failing parsers, regex and string operators like “==”, “startswith”, “endswith” etc will fail. Especially if it’s not consistent.

Marking the string in the output view does not show the extra whitespaces

Copying the text and paste into a text-editor will not show it either like in below example where we copied the output into VS Code (we can only see one dot to show one whitespace between foo and bar)

However, the double whitespaces are interpreted during execution, and it’s only in the presentation view the extra is removed. As in below example, we used split on ” ” to show the existence of the double whitespace.

When working with multiple log sources you don’t want to search and see if they exist (which may change during the log source life cycle), you rather want a way to always make the log to look good in your parser.


To properly address this (if there aren’t any good ways to change the audit settings of the system sending the logs)

To handle the duplicate white spaces we use the replace_regex function (link here) and use the whitespace “\s” with the quantifier “+” which means one or multiple times and replace it with a space ” “.

This will search for spaces (one or more) and replace it with a single, because we don’t want to remove single spaces. And by using the same column name “SyslogMessage” we will actually reuse the same column for our clean output.

Please note that this will not change the message in the database, only during execution.

Doing this gives us the following output.

The next step is that we want to remove the leading and trailing whitespaces. If we for instance expect the first character to be a value, the leading whitespace could make our parser to fail or an analytic rule.

We have seen occasions where this happens from time to time and not all messages in a log source.

To fix the leading and trailing whitespaces we use another regex to look for start of string and end of string. But this time we want to replace with “nothing/null” which is why we can’t use this regex in the first cleaning.

In the second run we use the same column name again to cleanup the SyslogMessage. There is a best practice to always keep the original message, however, this is to solve an error from the log source and not to alter the SyslogMessage.

The regex starts with an anchor “^” to define the start of the string and followed by a whitespace “\s” since we cleaned all double whitespaces we don’t need to use the quantifier. To handle the trailing whitespace we use the OR operand “|” and check for a whitespace “\s” followed by the anchor “$” to determine the end of the string. If we get any hits it will be replaced with null and we have a clean string.

By adding these 2 lines of code to the parser, we will avoid running into strange issues which could take some time to troubleshoot.

| extend SyslogMessage = replace_regex(SyslogMessage,@"\s+",@" ") //Remove duplicate whitespaces
| extend SyslogMessage = replace_regex(SyslogMessage,@"^\s|\s$",@"") //Remove leading and trailing whitespaces

Happy Hunting!

Defender performance analyzer

Sometimes when real-time protection and on-demand scanning takes a bit of time. It’s sometimes difficult to see exactly what it’s doing and what takes time.

A new set of PowerShell cmd-lets have been released which allows us to do a performance recording of defender, New-MpPerformanceRecording and Get-MpPerformanceReport, and troubleshooting performance.

When showing the help of the cmd-let we can see that there are two parameters

  • -RecordTo <string>: The path of the outputfile
  • -Seconds <int>: Number of seconds to run the recording

The seconds parameter is useful when running none-interactive sessions against multiple devices

Using the performance recorder

In PowerShell, we use the command New-MpPerformanceRecording and specify the output .etl file.

New-MpPerformanceRecording -RecordTo .\scan.etl

This will start the recorder

We can press Enter at any time to stop the recording and Ctrl-C if we want to abort.

The output file is saved and we can now open it with the cmd-let Get-MpPerformanceReport

The cmd-let allows us to look at the data in different ways

  • -TopFiles
  • -TopScansPerFile
  • -TopProcessesPerFile
  • -TopScansPerProcessPerFile
  • -TopExtensions
  • -TopScansPerExtension
  • -TopFilesPerExtension
  • -TopScansPerProcess
  • etc…


Get-MpPerformanceReport -Path .\scan.etl -TopFiles 1

Another example of output

Since it’s a ETL file we can actually open it with any ETL viewer, however, the result is not presented to us in the same way

Using PerfView as an example of opening etl files

We can see that Windows Performance Recorder is used under the hood

IMPORTANT, If you plan to use this troubleshooting to find paths for exclusions, be very careful. You might accidently open up your device to threats. If you are not 100% certain of your exclusions, please ask for help!

Happy Hunting!

/Sec-Labs Team

SANS Threat Hunting Summit – Link list

Thank you for attending our session at Sans Threat Hunting & IR Summit in London.

Here are some resources as promised during our session which may help.

Threat Hunting

Power Automate / Logic Apps

Azure Automation:


Auditing and Logs



Free Training resources

Happy Hunting!

follow us on twitter @mattiasborg82 and @stefanschorling

Azure Sentinel is now GA

Azure Sentinel—the cloud-native SIEM that empowers defenders is now generally available

azure sentinel

Some of the new features are:

  • Workbooks are replacing dashboards, providing for richer analytics and visualizations
  • New Microsoft and 3rd party connectors

Detection and hunting:

  • Out of the box detection rules: The GitHub detection rules are now built into Sentinel.
  • Easy elevation of MTP alerts to Sentinel incidents.
  • Built-in detection rules utilizing the threat intelligence connector.
  • New ML models to discover malicious SSH access, fuse identity, and access data to detect 35 unique threats that span multiple stages of the kill chain. Fusion is now on by default and managed through the UI
  • Template playbooks now available on Github.
  • New threat hunting queries and libraries for Jupyter Notebooks


  • The interactive investigation graph is now publicly available.
  • Incidents support for tagging, comments, and assignments, both manually and automatically using playbooks.

MSSP and enterprise support:

  • Azure Lighthouse for multi-tenant management
  • RBAC support

For further information:

Product page:

Happy Hunting

MDATP Long Term Retention with Azure Storage Account

 Microsoft Defender ATP is a great tool for enhancing your Detection capabilities and once you find incidents you can work with the Hunting capabilities we have blogged about earlier. The challenge we often face is that the Hunting Data is only available for 30 days so if you need to go back further that data is not available.

Microsoft is now introducing two new built-in methods of storing that data for longer than 30 days, currently in preview

  • Azure Storage Account
  • Azure Event Hub

And from these you can then access the data and do what you like with it.

In this blog we will walk you through how you can set these up the Storage Account integration.

Storage Account Integration

Azure Portal

So first off let’s start with setting up a Storage Account in the Azure Portal

1. Create a storage account

2. Select your Subscription and Resource Group if you have one or create it.

3. Give your storage account a name and select your desired storage settings.

4. Configure Advanced settings as you need. In my case I used the defaults.

5. Add Tags if you are using it and review the settings and complete the creation, Let the creation complete and go to the newly created storage account.

6. To configure the integration we need to get our resource ID so open properties of the Storage Account and copy the resource ID information.

Resource Provider and onboarding consent

We also need to make sure we have microsoft.insights registered as a resource provider you can configure that this way.

1. In the Azure Portal, go to – Subscriptions > Your subscription > Resource Provider

2. On the microsoft.insights recourse provider click register if its not already registered.

3. A Tenant Admin has also to give concent to the onboarding application. you can do this by clicking on the follwoing link and logging on with the desired Tenant rights.

Now we can move to the security center portal and continue configuring the integration.

MDATP Portal

In the MDATP Console go to

1. Interoperability > Data Export Settings

2. Click on Add data export settings

The wizard to export data will show up and here we have a few options.

1. Give it a Name

2. We need to have the Storage Account Resource ID from our Storage account which we stood up in the earlier steps. It can be found under properties on the storage account in the Azure Portal.

3. Check the Event Types you want to Store in your Storage Account

4. Click Save

Once you have saved Events will start being sent to your Storage Account and if you browse the blob in the Azure Portal you will see the different events categories.

If you click through one of them you will see that they are stored in an order of “tenantid\year\month\date\hour\minute\”

The schema of the JSON files is build in the following structure



                    “time”: ” <The time WDATP received the event>

                    “tenantId”: ”  <Your tenant ID>

                    “category”: ” <The Advanced Hunting table name with ‘AdvancedHunting-‘ prefix>

                    “properties”: { <WDATP Advanced Hunting event as Json> }



Automate response with Defender ATP and Microsoft Flow

So now when we have cool products (more or less builtin) we need to start working with them and not be required to look in the portals 24/7.

This post will demonstrate an example on how to use approval in email to isolate machines with new alerts.

Microsoft Flow is very easy to use to create business flows for all kind of products. You can manage anything which has an API.

Microsoft has released connectors for many solutions and by drag n drop you can create flows to make your life a lot easier.

This flow used in this blog post is just to be able to show something useful.

  • Start by browsing to and create a new flow
  • Search for WDATP and select the Trigger “Triggers when a Windows Defender ATP alert accurs (preview)”

We will then add an action to “Get single alert preview”, this will give us more information to use later.

In below picture we can see some of the dynamic content we can add to next step in the flow

We can also add a condition. In this example we use condition for alert severity (high or medium).

We also want to add an approver step.

For some reason the Approval type is in Swedish for me. You have 2 default options and one custom option
Options are “Everyone must approve” or “First one to approve”.

Based on the response from the approval step we continue the flow with a condition to go ahead if the responder choose to approve the action.

We add the action “Isolate machine (preview)” and configure that along with a send email action.

Running the Flow

If you need to change your flow you can re-run it using the same data as used previously

After the approval we get the status message send to all approvers

We can see that our test machine was successfully isolated

In the flow test overview

From the ATP console we now have the option to release the machine from isolation, collect investigation package etc

Dynamic content


Pro tips:

  • Use get alert to be able to add more dynamic content to use in subsequent steps
  • Use get machine to be able to get more information like IP, Computername etc
  • Start building your automated playbooks. This will save you time

BlueHatIL 2019 its a wrap!

So, this year I had the opportunity to participate in Microsofts conference  BlueHatIL in Tel Aviv, it’s a two day event that is packed with 18 sessions and other activities, this year you could team up in building Zumo Boats in this amazing Maker Studio. Outside of that there was a CTF Challenge to get into a secret room and in there the CTF Continued.All sessions got their own poster that where available to get for delagates but they where also part of the amosphere in the venue where they here put on walls and places around the venue.


Day 1

The AMDFlaws Story: Technical Deep Dive

To Kick off day one  Ido Li On and Uri Farkas took us through their research on flaws, they had over 8 months and 7 engineers researched the platform and found 13 vulnerabilities. One of them was related to the PSP Controller. As the found out issues with how the firmware was signed they where able to patch the Firmware and get their code in there and more or less Game Over. For those of you who don’t know the PSP it’s the Platform Security Processor and it controls many things early on. So, with this they could actually bypass features like Credential Guard as they had ownership of the components. On stage they demoed a custom version of Mimikatz where they where able to extract Credentials from a machine running Credential Guard.


Supply Chain Security: “If I were a Nation State…”

To follow up on this intro Andrew “bunnie” Huang had a great session on Supply Chain Security. The session gave examples of different Supply Chain Attacks either by replacing components, implanting new components in the hardware and a very thorough example of different technicies to do this. Bunnie showed several x-ray pictures on how hard this could be to detect, and some are more or less impossible to spot with the your bare eye.

Here is a simple example of Memory Cards he had analyzed showing Memory Cards with different chips on them from the same vendor, some of them didn’t behave like expected 😉. Possible Supply Chain Attack from a Nation State?

So, with that said, what components do you have in your equipment? Vendor approved, or Nation State approved.

After a a busy lunch with great food and some more work on the CTF it was time to listen to Benjamin Delpy and Ulf Frisk among others.

You (dis)liked mimikatz? Wait for kekeo

The man the myth the MimiKatz had a session on his tool Kekeo where he showed many cool features to impersonate users and how to exploit Kerberos. Some of the explotation included impersonation of users using smartcards, Changing password of a user without knowing the old password etc. A very good session with lots of humor and good insights on his tool Kekeo and Kerberos.

You can find the tools here


Practical Uses for Hardware-assisted Memory Visualization

As far as I am aware I was the only Swedish delegate on BlueHatIL except for the speaker Ulf Frisk, I had a chance to sit down and talk to Ulf, its always nice to run into other Swedish people in the Security Community. Ulf has over the years built his tool PCILeech a open source tool to read and write System Memory on remote devices. This is something that is done over PCIe. During BlueHatIL he presented some new features where you remotely over the network could read and write to the System Memory on the remote machine. Some really scary and awesome stuff.

You can read some really amazing blog postes on DMA at Ulfs Blog

Keynote – Offenses in Cyber Offense

The day ended with a Moderated Keynote with Citizen Lab and Associated Press on some of the recent cases of cyber espionage on citizens and public persons. Also a very loaded session with accusations flying back and forth on Nation State attacks.If you want to read up more on some of the reports Citizen Lab has produced you can find them here.  Some of their research covers the “Pegasus” Spyware that an Israeli company is selling to Nation States and others.


Day 2

Keynote -Modern Day Hypnosis: Weaponizing Data to Influence the Public

After a brief Microsoft Intro, the Day two Keynote started with Christopher Wylie also know as the Cambridge Analytica Whistleblower in a moderated session on how Weaponizing of Data Can influence the Public.

A session where he explained how data is used to manipulate the public and how its used to target individuals and influence and build “bubbles”. Very interesting but became very political from time to time. A lesson i learnt here is that these bubbles are used way beyond Online but also flow down and are used to form offline influencing “bubbles”.

No Code No Crime: UPnP as an Off-the-Shelf Attacker’s Toolkit

x0rz showed some of his reasearch on UPnP, still in 2019 there are many devices out there that have UPnP available against the internet. An easy search on Shodan will give you thousands of devices that you remotely can control and trigger port openings on routers. And by doing this you could control the device to allow traffic in to the local LAN and you could even open up a session and establish your TCP IP Session and then close the port again so when someone checks for open ports they will not see any open ports but they could possibly have an TCP Session going through their router without their knowledge. Most of the devices where geographically in Asia but quite some devices in Europe still. Personally I think its very sad to see that this is still out there as vulnerabilities and risks around UPnP has been known for years, but still fascinating.

PE-sieve: An Open-Source Process Scanner for Hunting and Unpacking Malware

In the session on PE-sieve Hasherezade showed how her tool could help in Malware Analysis and gave some helping guidance on how to use the tool. Simply the tool unpacks Malware and analysis changes to the system and gives you a summary of the changes and the files its

So if you are into Malware Analysis you can find the great tool here

Maker Studio

And what an impressive makerstudio, 3D Printers, Laser Cutting Machines, Tooling, Printers, Sewing Machines, Molding Machines. Electronics, Engines etc, basically everything you needed to make an awesome custom zumo boat to win the battle. A great activity, I saw many people team up and do 3D Cad Drawings, Code Arduino and build some really cool boats to win the battle.

Image may contain: one or more people, people sitting and indoor

Image may contain: indoor

Image may contain: one or more people




So, to wrap it up, a great conference, great atmosphere the prep of everything was so cool and yeah finally the secret Casino Room was just so awesome! In other words, I hooked up with a guy Yitai and we completed the first part of the CTF that as to gather information from some QR Codes and then decrypted the code to get to a webpage where you could find the next steps in the CTF that I unfortunately didn’t have time to play more more on.

Big shout out to the Team that made it possible and by the way don’t miss BlueHat in Shanghai in May! My biggest take away for the week is humbleness, there is still so much to learn in different areas. When talking security you just need to expect unexpected things,  things you think are impossible are very often possible. I have worked over 20 years in IT and Security and to be successful I would say you need curiosity, a mind that is thinking out of the box, allot of time and stubbornness is also some good things to put in the mix. And at last enjoy and have fun of what you are doing.

You can find more info on the Event at or following and reading up on the twitter hashtag #bluehatil and why not watch the official aftermovie below.

System Center User Group – Clients days 2018

System Center User Group Sweden (SCUGSE) Client Days, a 2 day event with many interresting sessions.

October 8th
October 9th

Microsoft Office – Stockholm
Finlandsgatan 36
36 Finlandsgatan
164 74 Akalla

On this 10 years celebration of SCUGSE, David James from the Config Manager product team will come to Sweden and present.


Agenda (as per June 28th)

Day 1

  • 0815 – Doors Open
  • 0900 – 0915 – Welcome – Jörgen & Stefan
  • 0915 – 1015 – State of the union – David James
  • 1015 – 1030 – Break / Networking
  • 1030 – 1115 – TBA – David James
  • 1115 – 1130 – Break / Networking
  • 1130 – 1215 – What’s new from Ignite! – Stefan Schörling / TBA
  • 1215 – 1300 – Lunch
  • 1300 – 1330 – Sponsor Session – TBA
  • 1330 – 1345 – Break / Networking
  • 1345 – 1430 – TBA – David James
  • 1430 – 1445 – Break / Networking
  • 1445 – 1530 – TBA – TBA
  • 1530 – 1615 – Q&A DJAM and Speakers

Day 2

  • 0815 – Doors Open
  • 0900 – 1000 – Windows 10 as a Service, the good the bad and the ugly – Stefan Schörling / Jörgen Nilsson
  • 1000 – 1015 – Break / Networking
  • 1015 – 1100 – Managing and Securing Web browsers in Windows 10 – Jörgen Nilsson
  • 1100 – 1115 – Break / Networking
  • 1115 – 1215 – From the Community – TBA
  • 1215 – 1300 – Lunch
  • 1300 – 1330 – Sponsor Session – Lookout
  • 1330 – 1345 – Break / Networking
  • 1345 – 1430 – What’s new in Windows 10 1809 – TBA
  • 1430 – 1445 – Break / Networking
  • 1445 – 1545 – Advanced Windows 10 Deployment Tricks “TS End2End” – Nickolaj A
  • 1545 – 1600 – Closing and Price Drawings

OBS! Genom att anmäla mig binder jag mig till en no-show avgift på 500kr om jag anmäler mig till en fri-biljett och inte kommer på eventet. Jag godkänner även att mina uppgifter kan även komma att delas med sponsorerna.


For tickets and further information, please visit:

SCUG SE on Facebook:



Links from our TechDays Presentation


Image may contain: 2 people, people smiling, people standing

Here are a link collection and some brief information from our TechDays session.

We’ll skip the wannacry part from the post because it’s everywhere anyway except for the fact that patching is extremely important.

Selecting hardware

There is no secret that Microsoft is working hard to reduce the use of passwords. It’s simple, It’s something you know and someone else can find it out.

Windows Hello Requirements
Hardware Security Testability Specification

Managing firmware patches

Firmware also needs patching. You need to be able to deploy firmware patches to your clients which is already in the environment

TPM Recommendations

BitLocker mitigation plan for vulnerability in TPM

UEFI Secure Boot

Security features

Credential guard

Device Guard

Windows Defender Exploit Guard

Attack Surface Reduction

This security feature really harderns the client. Especially when it comes to office applications.
As an example, one of the rules, will stop office applications form starting another process like CMD or powershell using DDE.

PowerShell Example
Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550,D4F940AB-401B-4EFC-AADC-AD5F3C50688A,3B576869-A4EC-4529-8536-B80A7769E899,75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84,D3E037E1-3EB8-44C8-A917-57927947596D,5BEB7EFE-FD9A-4556-801D-275E5FFC04CC,92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled


Controlled Folder Access

This is the new ransomware protection. It looks great but too soon to call it the silver bullet since you can still to a full disc encryption.
But ransomware’s that encrypt files this is something that has to be configured for your protection. Sec-Labs R&D will dig deeper into this feature.

PowerShell Downgrade Attacks

All new cool security features are being added in PowerShell version 5.0.
AMSI (Antimalware scan interface) – Not that many 3rd party AV vendors are supporting this which is a shame when we look at real world attacks today
Constrained Language Mode – Lock down, no api calls just legacy powershell
System Wide Transcript
Script Block Logging

PowerShell -version 2 and you’re in… (more or less)

PowerShell version 2 is deprecated since Windows 10 1709. When you install .net 3.5 it will be enabled and then you’ll have to disable it.

PowerShell downgrade attacks can be found in the event viewer, ID 400 and then the host version less than 5.0

Oldschool configurations which should already be in place

Local firewall – Enabled!

We always get’s questions about applocker. It is builtin since Windows 7.
Build, evaluate and push a baseline to take control of executions no need for 3rd party here.

Windows Event Forwarding, WEF
When we asked, there were just a few actually using this.
There are lots of documentation on how to deploy this in an enterprise.

Encrypt the harddrives, no excuses here.

DMA Protection

Don’t spend your money here.

LAPS Local Admin Password Solution
Make sure you don’t have the same local admin password on all clients.

Guidelines to secure and lockdown you Internet Browsers

Windows Defender Advanded threat protection (WD ATP)

Built-in Security Stack (Agent-less)

Supported on:
Windows 10 1607 (minimum)
Windows Server 2012 R2
Windows Server 2016
X-Plat Support under Investigation

Windows 10 Enterprise E5
Windows 10 Education E5
Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5


Sysinternals Sysmon is also a great tool to deploy if you can’t use WD ATP for some reasons or just want to see more for yourself.
Should be used with Event Forwarding

Securing Privilege access


Link to slides here