How to Connect Azure Kubernetes to Azure Sentinel

Not surprisingly, I had a couple of customers and someone on Twitter ask recently about how they could use Azure Sentinel to query against and monitor the Kubernetes service and containers. It's just early days for me as I start to test and expose the security events that are available in the data that is ingested, …

How to Automate the Backup of Azure Sentinel Tables to Blob Storage Using PowerShell

Not too long ago I wrote a blog post describing how to use Cloud Shell to create Export Rules for automating the backup of Azure Sentinel tables to Blob storage for long-term backup. This is useful for those organizations that need to store data, due to policy, for longer periods than the default 2 years …

How to Automate the Backup of Azure Sentinel Tables to Long-term Storage Using Cloud Shell

Azure Sentinel customers with specific policies around data retention and the ability to retain data longer than Log Analytics allows are interested in knowing how to move their Azure Sentinel tables to long-term storage. In a more recent blog post, Matt Lowe talked about how to Move Your Azure Sentinel Logs to Long-Term Storage with …

How to Add Geographical Data for IP Addresses to an Azure Sentinel Incident

We have a Playbook out on the official GitHub Repo that queries the IP-API.com website with IP addresses and then writes the geographical information to an Incident's Tags. This is useful, but it's been found to be too limiting based on the amount of information IP-API returns versus how little data a Tag can hold. …

How to Link to Related Workbooks within the Current Azure Sentinel Workbook

Here's a quick one. I had a customer request where they wanted to replicate the capability of another product. In this other product, links are generated to related resources within the system. While I can't currently offer that these links can be auto-generated, we do have the ability within Workbooks to create custom links to …

Steps to Create a Cost Worthy Azure Sentinel Demo/Testing Environment

Periodically, I'm asked about my own demo/testing environment for Azure Sentinel. These questions come from both customers and colleagues alike. I'm asked things like: what steps do you follow, which connectors/rules to enable and, of course, how much does it cost? Because I'm a Microsoft employee, many people think we get carte blanche on Azure services. …

Unleash the Rosetta Stone of Schema Knowledge for Your Azure Sentinel Data

Here's a quick tip, but also a solid superpower you can unleash today. I regularly get asked by Azure Sentinel customers about "how to know" the columns that are available to query against in the data tables. We have a couple of methods to do this in the UI itself. When you hover your mouse cursor …
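The same column discovery can be done from the query editor itself, which is handy when you are writing an Analytics Rule and do not want to leave the KQL pane. The following is an added example, not part of the original post: the KQL `getschema` operator lists a table's columns and data types, and a `union` over all tables shows which tables are actually receiving data. `SecurityEvent` is assumed to be a table that is being ingested into the workspace; substitute any table name you have data for.

```kql
// Added example (not from the post). Run each query separately.
//
// Query 1: list every column of one table with its type, so you know what
// can be projected, filtered on or summarized. SecurityEvent is assumed
// to exist in the workspace; swap in any table that is being ingested.
SecurityEvent
| getschema
| project ColumnName, ColumnType
| order by ColumnName asc

// Query 2: find out which tables actually hold data before you bother
// reading their schemas. 'withsource' tags each row with the table it
// came from; counting by that tag shows ingestion volume per table for
// the last day.
union withsource=TableName *
| where TimeGenerated > ago(1d)
| summarize Rows = count() by TableName
| order by Rows desc
```

Query 2 scans every table in the workspace for the chosen window, so keep the `ago()` window short on a large workspace; the schema query itself reads no data rows and is cheap.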

How to Enable the Microsoft Teams Public Preview for Azure Sentinel

On the last day of August (the 31st), the long-awaited Public Preview for the Microsoft Teams connector was finally delivered. During Private Preview, you might remember that the connector was a standalone version just for Microsoft Teams. But it's always been a logical path that Teams would just be added to the existing Office 365 …

Azure Sentinel Event Grouping is in Public Preview

You may have noticed today that a new Public Preview component has made its way into your Azure Sentinel console. But it's truly possible that you didn't, because the feature is tucked away inside the Analytics Rule wizard. When you modify an existing Scheduled-type Analytics Rule, or create a brand-new one, there's now an …

Spice Up Your Azure Sentinel KQL Query Results with Emoji

Here's a little-known tip that can help brighten an otherwise mundane query existence. Instead of producing the normal query results of boring and blah rows and columns of data to sift through, have a little fun with it. Did you know that KQL supports emoji? Emoji in KQL? Say it isn't so! It has to …