Have you ever wondered what the following breakdown in the Hunting blade in Azure Sentinel means? Huh? During our live stream of the Microsoft Security Insights podcast Frank asked me about this and it bugged me that I didn't have an answer. It bugged me so much that I had to dig into it to … Continue reading How to Decipher the Active/Total/New Hunting Queries in Azure Sentinel →

My intent with my blog here is to cover the "extra stuff" not covered in our docs, so for those that have been alongside with me over the past couple years you've read about a lot of the best practices for Azure Sentinel here already. With Azure Sentinel's popularity growing by leaps and bounds, it … Continue reading The Azure Sentinel Best Practices Series →

A bit ago, I talked about How to Save an Azure Sentinel Query to a Custom Query Pack. This gives Azure Sentinel users another option for saving queries for the long term. But, once the queries have been saved to a custom query pack, how do you access them? Here's how... In the Logs blade … Continue reading How to Access and Use Your Custom Query Pack with Azure Sentinel →

Microsoft has provided guidance for CVE-2021-36934, but if you'd like to use Azure Sentinel to monitor for this vulnerability detection queries are now also available. Here's two queries: //Looks for any access to the HKLM that happens via a command or script that is not executed by system let startTime = now(-7d); let endTime = … Continue reading How to Use Azure Sentinel to Monitor for CVE-2021-36934 →

There's reports of a new bit of malware called MosaicLoader that, in addition to installing malware, modifies exclusions for Windows Defender to ensure its actions are effective and unnoticed. Read about that here: This New Malware Hides Itself Among Windows Defender Exclusions to Evade Detection (thehackernews.com) So, it seems useful to be able to track … Continue reading How to Use Azure Sentinel to Monitor for Windows Defender Exclusion Changes →

Starting today, there's an enhancement to the dropdown list for assigning analysts to Incidents. It's a small, nuanced change but one that provides immediate value and should help improve efficiency for a product that already has tons of efficiency hacks built in. The dropdown list now shows the recently assigned analysts instead of listing all … Continue reading Azure Sentinel Analyst Assignment List Enhancement →

Log Analytics Query Packs are a new concept. These "packs" enable you to save your queries so that they are immediately deployable. See Query packs in Azure Monitor - Azure Monitor | Microsoft Docs for details. When you save your first query to the Query Packs service, a DefaultQueryPack is created. This is helpful, but … Continue reading How to Save an Azure Sentinel Query to a Custom Query Pack →

In the Logs blade for Azure Sentinel, only a specific amount of history (30 days worth) of the executed queries is maintained in the results window. You may have run something recently, or semi-recently, that no longer exists in the list. Of course, saving and categorizing queries is a solution to retain them. Additionally, you … Continue reading How to Enable the LAQueryLogs Table for Azure Sentinel →

Just a heads-up for those that are interested in hearing me talk about Azure Sentinel in the near future. I've have several talks coming up which I'll share as we get closer to each one, but the next one up is an updated session on "A Day in the Life of an Azure Sentinel Analyst" … Continue reading Upcoming Session for the INDIA CLOUD SECURITY SUMMIT →

Understanding your data ingestion and retention requirements is key to figuring out how much any SIEM solution might cost. This is equally true with Azure Sentinel. But, getting a true sense of the total amount of data can be difficult. Ashwin Venugopal has developed a brilliant web-based tool that provides an easy way to set … Continue reading How to Estimate EPS and GB Per Day for Azure Sentinel Costs →