Alert When Microsoft Sentinel Daily Ingestion Reaches a Threshold

I just wanted to take a quick moment to highlight the efforts of a community member and to make everyone aware of this potential solution. Ashok Krishna Vemuri wrote a KQL query that reports when the daily data ingestion volume is more than 200GB. This number can be modified to fit your needs and can …

RSA 2022 Interview on Sentinel Automation and Repositories and KQL

RSA 2022 was a wonderful event for me and for Microsoft, in general. We have a really awesome security story to tell, and the RSA crowd was a very welcoming group. I look forward to next year. During the event, I was fortunate enough to be selected by our good friends at Tiberium to talk …

Certification Dashboard and SC-100 News

June 30 UPDATE: SC-100 is now out of beta and generally available. See: https://rodtrent.com/hrj There's some movement happening for those that are still anxiously waiting for their SC-100 exam results. For those that have been watching for the results to come through after taking the beta exam for SC-100 Microsoft Cybersecurity Architect, you probably read …

Spice Up Your Microsoft Sentinel KQL Query Results with Emoji

Here's a little-known tip that can help brighten an otherwise mundane query existence. Instead of producing the normal query results of boring and blah rows and columns of data to sift through, have a little fun with it. Did you know that KQL supports emoji? Emoji in KQL? Say it isn't so!! It has to …

How to Use Threatview.io Threat Intelligence Feeds with Microsoft Sentinel

Threatview.io provides some excellent threat intelligence feeds that can be used with Microsoft Sentinel as external sources. The Threatview.io feeds are updated regularly - generated daily at 11PM UTC - so you can be sure that the most current indicators will be available. The feeds are available from here: https://threatview.io/ The feeds are provided as …

How to Get a List of Your Active Analytics Rules for Microsoft Sentinel

Though I've used the Workspace Usage Report Workbook a hundred times or more, I've never quite identified this little treasure myself. There are a number of times that customers ask for a way to quickly get a list of their enabled Analytics Rules. There are ways of doing this using the API and PowerShell, but the …