Hi, I have Tenable JSON logs. I wrote a rex and am trying to send the logs to the null queue; however, they are not going to the nullQueue. A sample log is given below:

{ [-]
    SC_address: X.xx.xx
    acceptRisk: false
    acceptRiskRuleComment:
    acrScore:
    assetExposureScore:
    baseScore:
    bid:
    checkType: summary
    cpe:
    custom_severity: false
    cve:
    cvssV3BaseScore:
    cvssV3TemporalScore:
    cvssV3Vector:
    cvssVector:
    description: This plugin displays, for each tested host, information about the scan itself : - The version of the plugin set. - The type of scanner (Nessus or Nessus Home). - The version of the Nessus Engine. - The port scanner(s) used. - The port range scanned. - The ping round trip time - Whether credentialed or third-party patch management checks are possible. - Whether the display of superseded patches is enabled - The date of the scan. - The duration of the scan. - The number of hosts scanned in parallel. - The number of checks done in parallel.
    dnsName: xxxx.xx.xx
    exploitAvailable: No
    exploitEase:
    exploitFrameworks:
    family: { [+] }
    firstSeen: X
    hasBeenMitigated: false
    hostUUID:
    hostUniqueness: repositoryID,ip,dnsName
    ip: x.x.x.x
    ips: x.x.x.x
    keyDrivers:
    lastSeen: x
    macAddress:
    netbiosName: x\x
    operatingSystem: Microsoft Windows Server X X X X
    patchPubDate: -1
    pluginID: 19506
    pluginInfo: 19506 (0/6) Nessus Scan Information
    pluginModDate: X
    pluginName: Nessus Scan Information
    pluginPubDate: xx
    pluginText: <plugin_output>Information about this scan : Nessus version : 10.8.3 Nessus build : 20010 Plugin feed version : XX Scanner edition used : X Scanner OS : X Scanner distribution : X-X-X Scan type : Normal Scan name : ABCSCAN Scan policy used : x-161b-x-x-x-x/Internal Scanner 02 - Scan Policy (Windows & Linux) Scanner IP : x.x.x.x Port scanner(s) : nessus_syn_scanner Port range : 1-5 Ping RTT : 14.438 ms Thorough tests : no Experimental tests : no Scan for Unpatched Vulnerabilities : no Plugin debugging enabled : no Paranoia level : 1 Report verbosity : 1 Safe checks : yes Optimize the test : yes Credentialed checks : no Patch management checks : None Display superseded patches : no (supersedence plugin did not launch) CGI scanning : disabled Web application tests : disabled Max hosts : 30 Max checks : 5 Recv timeout : 5 Backports : None Allow post-scan editing : Yes Nessus Plugin Signature Checking : Enabled Audit File Signature Checking : Disabled Scan Start Date : x/x/x x Scan duration : X sec Scan for malware : no </plugin_output>
    plugin_id: xx
    port: 0
    protocol: TCP
    recastRisk: false
    recastRiskRuleComment:
    repository: { [+] }
    riskFactor: None
    sc_uniqueness: x_x.x.x.x_xxxx.xx.xx
    seeAlso:
    seolDate: -1
    severity: informational
    severity_description: Informative
    severity_id: 0
    solution:
    state: open
    stigSeverity:
    synopsis: This plugin displays information about the Nessus scan.
    temporalScore:
    uniqueness: repositoryID,ip,dnsName
    uuid: x-x-x-xx-xxx
    vendor_severity: Info
    version: 1.127
    vprContext: []
    vprScore:
    vulnPubDate: -1
    vulnUUID:
    vulnUniqueness: repositoryID,ip,port,protocol,pluginID
    xref:
}

In props.conf:

    [tenable:sc:vuln]
    TRANSFORMS-Removetenable_remove_logs = tenable_remove_logs

transforms.conf:

    [tenable_remove_logs]
    SOURCE_KEY = _raw
    REGEX = ABCSCAN
    DEST_KEY = queue
    FORMAT = nullQueue

It is not working. Any solution? I removed SOURCE_KEY later; that is also not working.