And now…the Must Learn KQL Video series!

Imagine my surprise how popular and far-reaching the Must Learn KQL education series has gotten. I started a blog series about something I knew was important and just hoped -HOPED- someone else would also understand the importance. It's truly taken on a life of itself. I've been invited to speak about it several times already … Continue reading And now…the Must Learn KQL Video series! →

How to Locate and Enable the Analytics Rules After Installing the Maturity Model for Event Log Management for Microsoft Sentinel

We've recently released an excellent and much anticipated Solution for further monitoring Microsoft Sentinel health. The Solution can be found in the Content Hub and installation is easy. See the announcement for detailed information: Modernize Log Management with the Maturity Model for Event Log Management (M-21-31) Solution With all the cool content included with this … Continue reading How to Locate and Enable the Analytics Rules After Installing the Maturity Model for Event Log Management for Microsoft Sentinel →

Must Learn KQL Part 16: The Order/Sort and Top Operators

This post is part of an ongoing series to educate about the simplicity and power of the Kusto Query Language (KQL). If you’d like the 90-second post-commercial recap that seems to be a standard part of every TV show these days… The full series index (including code and queries) is located here: https://aka.ms/MustLearnKQL The book … Continue reading Must Learn KQL Part 16: The Order/Sort and Top Operators →

How to Obtain the Raw Alert Data in Defender for Cloud

A recently released feature for Defender for Cloud allows security teams to capture the raw alert data for further investigation. To do this... [1] Locate the Security Alert from which you want the alert and click the Copy alert JSON link. Copy alert JSON [2] Paste the JSON from the clipboard to another location. I'm … Continue reading How to Obtain the Raw Alert Data in Defender for Cloud →

How to Open Another Workbook Inside an Existing Microsoft Sentinel Workbook

Wouldn't it be awesome to take data from various related Microsoft Sentinel Workbooks and display it inline without having to exist the current view or open another browser tab to view them side-by-side? Workbook within a Workbook You can by using the Custom View Link Action in Workbook editing. To do this... [1] Because the … Continue reading How to Open Another Workbook Inside an Existing Microsoft Sentinel Workbook →

Must Learn KQL Part 15: The Distinct Operator

The Revoke Action for Threat Indicators in Microsoft Sentinel

Someone asked a great question today about what exactly marking a Threat Indicator in the Threat Intelligence blade in Microsoft Sentinel does. We don't currently have a good explanation in the docs, so I'll add an explanation here and submit it for inclusion in the docs. When you edit a Threat Indicator in Microsoft Sentinel … Continue reading The Revoke Action for Threat Indicators in Microsoft Sentinel →

How to Edit Threat Indicators in Microsoft Sentinel

Microsoft Sentinel customers have had the capability to organize Threat Indicators through tagging. Tagging indicators But now the ability to modify any Threat indicator is possible. For any indicator provided by Microsoft Sentinel, all fields are editable. For partner indicators, only specific fields are editable such as the tags, Expiration date, Confidence, and Revoked fields. … Continue reading How to Edit Threat Indicators in Microsoft Sentinel →

Must Learn KQL Part 14: The Project Operator

An Analytics Rule to Report on Analytics Rules in Microsoft Sentinel

With the public preview release of our Microsoft Sentinel Health Monitoring capability, this gives customers the ability to monitor more about the tool's environment than just Data Connectors and ingestion failures. It also provides a way to create alerts when Analytics Rules fail - or partially fail - to fire. The following query can be … Continue reading An Analytics Rule to Report on Analytics Rules in Microsoft Sentinel →