Run KQL Queries Locally to Expose Log Events RealTimeKQL

My colleague Nathan Swift (@SwiftSolves) sent me a note yesterday about a tool that I wasn't aware of, but haven't been able to stop using since. RealTimeKQL gives you the ability to use KQL queries locally to retrieve event transaction information in <ahem> "real time." This is a great way to capture specific event IDs, …

How to Use serialize to Add Line Numbers to KQL Results for Azure Sentinel Workbooks

A customer asked recently if they could add line numbers to query results in an Azure Sentinel Workbook. They wanted to show the number of rows returned from the query in one Workbook module and then show total records for a value side-by-side in another module. This would allow them to identify if the query …

How to Monitor Compliant and Non-compliant Systems for Zerologon Using Azure Sentinel

In August, we released security updates to resolve a vulnerability (CVE-2020-1472) for all affected systems. With August or September security updates deployed, Domain, Trust and Windows machine accounts will be protected. However, for those organizations that want to monitor for those systems that are either compliant or non-compliant - and find those systems that might …

Unleash the Rosetta Stone of Schema Knowledge for Your Azure Sentinel Data

Here's a quick tip, but also a solid superpower you can unleash today. I regularly get asked by Azure Sentinel customers about "how to know" the columns that are available to query against in the data tables. We have a couple methods to do this in the UI itself. When you hover your mouse cursor …

Spice Up Your Azure Sentinel KQL Query Results with Emoji

Here's a little-known tip that can help brighten an otherwise mundane query existence. Instead of producing the normal query results of boring and blah rows and columns of data to sift through, have a little fun with it. Did you know that KQL supports emoji? Emoji in KQL? Say it isn't so!! It has to …

How to Keep Track of Your Higher Cost Azure Sentinel Tables Using KQL

Need a good way of tracking your Azure Sentinel table usage? Here's a KQL query to help. I can't take full credit for it, other than sharing it. This query is an amalgam of different queries and the work of a multitude of individuals, but hugely useful. union withsource=TableName1 * | where TimeGenerated > ago(30d) …

How to Enable Line Numbers in Azure Sentinel to Aid Quicker Debugging of KQL Queries

The Azure Monitor team has rolled out a new capability to everyone to help enable quicker debugging for KQL queries in the Log Analytics workspace. Now, when you write a query and receive the standard error that includes the line number and position, you'll be able to identify the actual line more easily. For those used …

Azure Sentinel Analytics Rule to Keep Track of Cloud Shell

I've been asked several times for the ability to use Azure Sentinel to keep track of who is executing Azure Cloud Shell. So, I finally put together a quick Analytics Rule that will identify when Cloud Shell is run and report on the user and IP address used. It definitely still needs to be tuned …

KQL Methods to Display a Per-Day Occurrence in Azure Sentinel

A customer recently wanted to show in a Workbook those users that used MFA to log in and format the results so that it showed how many times per day it happened overall. There are multiple ways to get this done. You can parse the raw output of the TimeGenerated, use format_datetime, or bin with TimeGenerated. Here's …