How to Decipher the Active/Total/New Hunting Queries in Azure Sentinel

Have you ever wondered what the following breakdown in the Hunting blade in Azure Sentinel means? Huh? During our live stream of the Microsoft Security Insights podcast, Frank asked me about this, and it bugged me that I didn't have an answer. It bugged me so much that I had to dig into it to …

How to Access and Use Your Custom Query Pack with Azure Sentinel

A little while ago, I talked about How to Save an Azure Sentinel Query to a Custom Query Pack. This gives Azure Sentinel users another option for saving queries for the long term. But once the queries have been saved to a custom query pack, how do you access them? Here's how. In the Logs blade …

How to Use Azure Sentinel to Monitor for CVE-2021-36934

Microsoft has provided guidance for CVE-2021-36934, but if you'd like to use Azure Sentinel to monitor for this vulnerability, detection queries are now also available. Here are two queries:

//Looks for any access to the HKLM that happens via a command or script that is not executed by system
let startTime = now(-7d);
let endTime = …

How to Use Azure Sentinel to Monitor for Windows Defender Exclusion Changes

There are reports of a new piece of malware called MosaicLoader that, in addition to installing further malware, modifies Windows Defender exclusions so that its actions are effective and go unnoticed. Read about that here: This New Malware Hides Itself Among Windows Defender Exclusions to Evade Detection (thehackernews.com). So it seems useful to be able to track …
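As an added example (not the post's own query), here is one way to surface those exclusion changes in Azure Sentinel. It assumes the Microsoft 365 Defender connector is streaming the DeviceRegistryEvents and DeviceProcessEvents tables into the workspace. Defender stores each exclusion as a value under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\<Paths|Extensions|Processes|IpAddresses>, so a new value under one of those keys is the exclusion itself; the second signal catches the cmdlet path a loader typically uses to add one.

```kql
// Added example, not from the original post.
// Assumes DeviceRegistryEvents / DeviceProcessEvents (Microsoft 365 Defender connector) are present.
let lookback = 7d;
// Signal 1: writes under the Defender exclusion keys. The last path segment of the key
// (Paths, Extensions, Processes, IpAddresses) is the exclusion type; the value name is what was excluded.
let regWrites = DeviceRegistryEvents
| where TimeGenerated > ago(lookback)
| where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
| where RegistryKey has @"\Microsoft\Windows Defender\Exclusions"
| extend ExclusionType = tostring(split(RegistryKey, @"\")[-1]), Excluded = RegistryValueName
| project TimeGenerated, DeviceName, Signal = "RegistryWrite", ExclusionType, Excluded,
          Account = InitiatingProcessAccountName, Process = InitiatingProcessFileName,
          CommandLine = InitiatingProcessCommandLine;
// Signal 2: the PowerShell / WMI route to the same result (Add-MpPreference -ExclusionPath ...).
let cmdlets = DeviceProcessEvents
| where TimeGenerated > ago(lookback)
| where ProcessCommandLine has_any ("Add-MpPreference", "Set-MpPreference", "MSFT_MpPreference")
| where ProcessCommandLine has "Exclusion"
| project TimeGenerated, DeviceName, Signal = "Cmdlet", ExclusionType = "", Excluded = "",
          Account = AccountName, Process = FileName, CommandLine = ProcessCommandLine;
union regWrites, cmdlets
| order by TimeGenerated desc
```

Two caveats when tuning this: exclusions added with Add-MpPreference are committed to the registry by the Defender service, so the registry signal may name MsMpEng.exe rather than powershell.exe as the initiating process, and filtering that process out would hide exactly the case MosaicLoader represents (correlate the two signals by DeviceName and time instead). On hosts without the MDE sensor, collecting the Microsoft-Windows-Windows Defender/Operational channel into the Event table gives the same information through Event ID 5007 (configuration changed), whose message carries the old and new registry values.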

Azure Sentinel Analyst Assignment List Enhancement

Starting today, there's an enhancement to the dropdown list for assigning analysts to Incidents. It's a small, nuanced change but one that provides immediate value and should help improve efficiency for a product that already has tons of efficiency hacks built in. The dropdown list now shows the recently assigned analysts instead of listing all …

How to Save an Azure Sentinel Query to a Custom Query Pack

Log Analytics Query Packs are a new concept. These "packs" enable you to save your queries so that they are immediately deployable. See Query packs in Azure Monitor - Azure Monitor | Microsoft Docs for details. When you save your first query to the Query Packs service, a DefaultQueryPack is created. This is helpful, but …

How to Enable the LAQueryLogs Table for Azure Sentinel

In the Logs blade for Azure Sentinel, only a limited amount of history (30 days' worth) of executed queries is kept in the query history. You may have run something recently, or semi-recently, that no longer exists in the list. Of course, saving and categorizing queries is one way to retain them. Additionally, you …
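Once the table is on, it is worth more than recovering a lost query. As an added example (not the post's own), the following query treats LAQueryLogs as an audit trail of who ran what against the workspace. It assumes the workspace's diagnostic setting sends the Audit category back into the same workspace, and the list of "sensitive" tables is a placeholder to replace with your own.

```kql
// Added example, not from the original post.
// Assumes the workspace diagnostic setting routes the "Audit" category to this workspace,
// which is what populates LAQueryLogs.
// Run this once first to learn which client-app tags (portal, API, Sentinel) appear in your tenant:
//   LAQueryLogs | summarize count() by RequestClientApp
let lookback = 90d;   // bounded by workspace retention, not by the 30-day history pane
let sensitiveTables = dynamic(["SigninLogs", "AuditLogs", "SecurityEvent", "OfficeActivity"]);  // placeholder list
LAQueryLogs
| where TimeGenerated > ago(lookback)
| where ResponseCode == 200                                   // successful executions only
| extend QueriedTable = extract(@"^\s*(\w+)", 1, QueryText)  // leading table name, when the query starts with one
| where QueriedTable in~ (sensitiveTables) or QueryText has_any (sensitiveTables)
| summarize Queries = count(), RowsReturned = sum(ResponseRowCount),
            DistinctQueries = dcount(QueryText), LastSeen = max(TimeGenerated)
            by AADEmail, RequestClientApp, QueriedTable
| order by RowsReturned desc
```

To use the same table for the post's original purpose, recovering something you ran weeks ago, drop the summarize and filter on your own AADEmail plus a keyword you remember from the query, then take distinct QueryText. Two things to keep in mind: LAQueryLogs records are themselves ingested data and appear with a short delay, and the rows you see are bounded by the workspace's retention setting, so the 30-day limit of the history pane no longer applies but the retention period does.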

How to Estimate EPS and GB Per Day for Azure Sentinel Costs

Understanding your data ingestion and retention requirements is key to figuring out how much any SIEM solution might cost. This is equally true with Azure Sentinel. But, getting a true sense of the total amount of data can be difficult. Ashwin Venugopal has developed a brilliant web-based tool that provides an easy way to set …
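Measured data beats estimates once a workspace already exists. As an added example (not the tool the post describes), the following queries read the Usage table that Azure Monitor populates for every Log Analytics workspace: Quantity is recorded in MB per DataType, and IsBillable separates paid ingestion from the free tables. The EPS figure is derived from SecurityEvent row counts, on the assumption that the "events" you are sizing map to rows of that table; swap in whatever table carries your event stream.

```kql
// Added example, not from the original post. Two separate queries; run whichever your cursor is in.

// Query 1: average and peak GB/day per table over the last 30 days (Quantity is in MB).
Usage
| where TimeGenerated > ago(30d)
| where IsBillable == true
| summarize MBPerDay = sum(Quantity) by DataType, Day = bin(StartTime, 1d)
| summarize AvgGBPerDay = round(avg(MBPerDay) / 1024, 2),
            PeakGBPerDay = round(max(MBPerDay) / 1024, 2) by DataType
| order by AvgGBPerDay desc

// Query 2: events per second from row counts, assuming SecurityEvent is the stream being sized.
SecurityEvent
| where TimeGenerated > ago(7d)
| summarize Events = count() by Day = bin(TimeGenerated, 1d)
| extend EPS = round(Events / 86400.0, 1)
| order by Day asc
```

Usage rows are aggregated hourly and arrive with some lag, so exclude the current day when computing averages. The free tables (for example Heartbeat, AzureActivity and the Sentinel-specific free data types) show up with IsBillable false and are deliberately left out of Query 1; include them only if you want raw volume rather than cost.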