Easy Way to Build KQL Query Templates for Azure Services

If you want KQL queries to monitor general Azure services, there's actually a pretty easy, quick way to build them. This is not a hidden feature, by any means, but probably (for some of you) something that you've overlooked hundreds of times. In the Azure portal, when you access a number of Azure services, there's …

How to Get the KQL Query Created by the New 365 Defender Query Builder

Hopefully, you didn't miss the latest news that the new KQL Query Builder for 365 Defender is in public preview. If you did miss it, check out: Hunt in Microsoft 365 Defender without KQL! KQL Query Builder This is exciting news and something that customers have asked for to match similar functionality of competitive products. …

The Must Learn KQL Community Discussion Board

Among the myriad of cool things that the Must Learn KQL series has birthed, there's now also a Community Discussion board available. The Discussion board is designed to enable Q&A, feedback, ongoing discussions, code posts, polls, and on and on. Must Learn KQL Discussion Board Jump out to the following link to get engaged …

Alert When Microsoft Sentinel Daily Ingestion Reaches a Threshold

I just wanted to take a quick moment to highlight the efforts of a community member and to make everyone aware of this potential solution. Ashok Krishna Vemuri wrote a KQL query that reports when the daily data ingestion volume is more than 200GB. This number can be modified to fit your needs and can …

RSA 2022 Interview on Sentinel Automation and Repositories and KQL

RSA 2022 was a wonderful event for me and for Microsoft, in general. We have a really awesome security story to tell, and the RSA crowd was a very welcoming group. I look forward to next year. During the event, I was fortunate enough to be selected by our good friends at Tiberium to talk …

Spice Up Your Microsoft Sentinel KQL Query Results with Emoji

Here's a little-known tip that can help brighten an otherwise mundane query existence. Instead of producing the normal query results of boring and blah rows and columns of data to sift through, have a little fun with it. Did you know that KQL supports emoji? Emoji in KQL? Say it isn't so!! It has to …

The Microsoft Security Insights Podcast is Coming to Microsoft Reactor

For fans of the weekly Microsoft Security Insights podcast, Frank, Edward, Brodie, and I have some awesome news to share. The popularity of the podcast continues to grow. Not only is the listener audience in an exploding growth spurt, but there are many security experts coming out of the woodwork asking to come on the …

Addicted to KQL Part 0: The Wit and Wisdom of Standard Columns in Azure Monitor Logs

The Addicted to KQL series is an ongoing, advanced series for KQL. For beginner topics, don't start here. Instead, see the original Must Learn KQL series. The series TOC along with the currently completed chapters, sample queries, series images, and even the series eBook will always be located at the following shortlink: https://aka.ms/Addicted2KQL ======================= I have a …