A new entry page for Microsoft Sentinel is rolling out after a successful stint in the Private Preview program. The rollout is slow, but it is creeping its way into every Microsoft Sentinel instance as you read this. You can see the differences between the two overviews in the images below, and the changes are significant.
In particular, the Potential Malicious Events map is gone, and some people relied on it. If you still need or want that map, I have the KQL query behind it in my GitHub repo, which you can download here: https://github.com/rod-trent/SentinelKQL/blob/master/Potentialmaliciouseventsmap.txt
The Sentinel Docs have also already been updated to reflect the new page: Visualize collected data | Microsoft Learn
Like it? Hate it? Let me know: @rodtrent
Here are a couple of quick FAQs that have already come up:
- With the new page are you able to change the view from past 24 hours to past 14 days or custom date like we did in the old entry page? No.
- Is there a way I can switch back to the old version? No.
- Did anybody save a clean copy of the KQL behind the old map they could share? Yes, see: https://github.com/rod-trent/SentinelKQL/blob/master/Potentialmaliciouseventsmap.txt
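Since the new page is fixed to the past 24 hours, the practical workaround is to run the equivalent query yourself in Logs with whatever window you need. The query below is an added example for this post, not the KQL from the repo or from the Overview page itself; it assumes your workspace has the standard Usage table, and the 14-day lookback is just an illustration of the old "past 14 days" choice.

```kql
// Added example, not from the original post or the Sentinel Overview page.
// Assumes the standard Log Analytics Usage table is present in the workspace.
// The Overview is fixed to 24h; set lookback to whatever the old page let you pick.
let lookback = 14d;   // assumed value; 24h, 7d, or a custom span all work
Usage
| where TimeGenerated > ago(lookback)
| where IsBillable == true
// Daily ingested volume per data type, a rough stand-in for the old "events by type" view
| summarize IngestedMB = round(sum(Quantity), 2) by DataType, bin(TimeGenerated, 1d)
| order by TimeGenerated asc, IngestedMB desc
```

For a custom date range rather than a rolling lookback, swap the `ago(lookback)` filter for `TimeGenerated between (datetime(2023-01-01) .. datetime(2023-01-14))`, or simply set the time picker in the Logs blade, which the new Overview no longer lets you do.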
[Image: The Old Overview]
[Image: The New Overview]