How to Locate and Enable the Analytics Rules After Installing the Maturity Model for Event Log Management for Microsoft Sentinel

We've recently released an excellent and much anticipated Solution for further monitoring Microsoft Sentinel health. The Solution can be found in the Content Hub and installation is easy. See the announcement for detailed information: Modernize Log Management with the Maturity Model for Event Log Management (M-21-31) Solution. With all the cool content included with this …

Must Learn KQL Part 16: The Order/Sort and Top Operators

This post is part of an ongoing series to educate about the simplicity and power of the Kusto Query Language (KQL). If you'd like the 90-second post-commercial recap that seems to be a standard part of every TV show these days… The full series index (including code and queries) is located here: https://aka.ms/MustLearnKQL The book …

How to Open Another Workbook Inside an Existing Microsoft Sentinel Workbook

Wouldn't it be awesome to take data from various related Microsoft Sentinel Workbooks and display it inline without having to exit the current view or open another browser tab to view them side-by-side? You can by using the Custom View Link Action in Workbook editing. To do this... [1] Because the …

Must Learn KQL Part 15: The Distinct Operator

This post is part of an ongoing series to educate about the simplicity and power of the Kusto Query Language (KQL). If you'd like the 90-second post-commercial recap that seems to be a standard part of every TV show these days… The full series index (including code and queries) is located here: https://aka.ms/MustLearnKQL The book …

The Revoke Action for Threat Indicators in Microsoft Sentinel

Someone asked a great question today about what exactly marking a Threat Indicator in the Threat Intelligence blade in Microsoft Sentinel does. We don't currently have a good explanation in the docs, so I'll add an explanation here and submit it for inclusion in the docs. When you edit a Threat Indicator in Microsoft Sentinel …

How to Edit Threat Indicators in Microsoft Sentinel

Microsoft Sentinel customers have had the capability to organize Threat Indicators through tagging. Now the ability to modify any Threat Indicator is possible as well. For any indicator provided by Microsoft Sentinel, all fields are editable. For partner indicators, only specific fields are editable, such as the Tags, Expiration date, Confidence, and Revoked fields. …

Must Learn KQL Part 14: The Project Operator

This post is part of an ongoing series to educate about the simplicity and power of the Kusto Query Language (KQL). If you'd like the 90-second post-commercial recap that seems to be a standard part of every TV show these days… The full series index (including code and queries) is located here: https://aka.ms/MustLearnKQL The book …

An Analytics Rule to Report on Analytics Rules in Microsoft Sentinel

The public preview release of our Microsoft Sentinel Health Monitoring capability gives customers the ability to monitor more of the tool's environment than just Data Connectors and ingestion failures. It also provides a way to create alerts when Analytics Rules fail, or partially fail, to fire. The following query can be …

Must Learn KQL Part 13: The Extend Operator

This post is part of an ongoing series to educate about the simplicity and power of the Kusto Query Language (KQL). If you'd like the 90-second post-commercial recap that seems to be a standard part of every TV show these days… The full series index (including code and queries) is located here: https://aka.ms/MustLearnKQL The book …

How to Enable Health Monitoring for Microsoft Sentinel

We've released into public preview a new feature for Microsoft Sentinel that gives customers tools to monitor the health of Microsoft Sentinel operations, such as data connector activity and the execution of scheduled analytics rules. Enabling this new feature requires a manual operation. To enable Health Monitoring, do this: [1] In the Microsoft Sentinel console, …