How to Get Time Range Help Directly in the Azure Sentinel Console

There's been a mighty effort over the past several months to include helpful links and information directly in the Log Analytics workspace for Azure Monitor, which, thankfully, is also available to Azure Sentinel customers in the Logs blade. A recent update makes getting better information around Time Range syntax quicker and easier, and I'm …

How to Create a Pie Chart Showing Threat Protection Signature Versions

If you'd like to get a sense of the versions of the threat protection signature files installed in your environment, here's a quick KQL query to do that.

ProtectionStatus
| project DeviceName, ThreatStatus, TenantId, ProtectionStatus, SignatureVersion, ScanDate, ProtectionStatusDetails
| summarize sig_count=count() by SignatureVersion
| render piechart by sig_count

This particular KQL query displays …

How to Save Your Azure Sentinel Query History Externally

I've talked recently about how to use the cool new feature of Query Packs to save your Azure Sentinel queries for the longer term. Query history is only saved for 30 days, despite the 90-day retention offered for other Azure Sentinel data. So, it's good to make use of the Query Packs or the general Save …

How to Easily Share Your Azure Sentinel Queries with the Community

There's a newer feature in Log Analytics that you may have missed. It makes it much, much easier to share your fantastic KQL query creations with the world and puts the real work on the folks at Microsoft. In the Logs blade of any Log Analytics workspace, under the Share option, there's a new …

How to Get UEBA Costs for Azure Sentinel

The cost for UEBA is nominal and based on the amount of data that is analyzed. Your costs will vary depending on several factors. However, the following KQL query can be used to get the estimated cost of the solution.

union withsource=TableName1 *
| where TimeGenerated > ago(30d) // In the last 30 days
| summarize …

How to Convert Your Old, Boring Queries to KQL for Azure Sentinel

Migrating from a legacy SIEM can seem like a daunting task, particularly when you've built so much into the existing tool over the years. You have use cases, queries, reports, etc., that you would still like to take advantage of in Azure Sentinel. I hear this quite a bit, and we do a good job …

Run KQL Queries Locally to Expose Log Events RealTimeKQL

My colleague Nathan Swift (@SwiftSolves) sent me a note yesterday about a tool that I wasn't aware of, but haven't been able to stop using since. RealTimeKQL gives you the ability to use KQL queries locally to retrieve event transaction information in <ahem> "real time." This is a great way to capture specific event IDs, …

How to Use serialize to Add Line Numbers to KQL Results for Azure Sentinel Workbooks

A customer asked recently if they could add line numbers to query results in an Azure Sentinel Workbook. They wanted to show the number of rows returned from the query in one Workbook module and then show the total records for a value side-by-side in another module. This would allow them to identify whether the query …

How to Monitor Compliant and Non-compliant Systems for Zerologon Using Azure Sentinel

In August, we released security updates to resolve a vulnerability (CVE-2020-1472) for all affected systems. With the August or September security updates deployed, Domain, Trust and Windows machine accounts will be protected. However, for those organizations that want to monitor for systems that are either compliant or non-compliant, and find those systems that might …