How to Get UEBA Costs for Azure Sentinel

The cost for UEBA is nominal and based on the amount of data that is analyzed. Your costs will vary depending on several factors. However, the following KQL query can be used to get the estimated cost of the solution. union withsource=TableName1 * | where TimeGenerated > ago(30d) //In the last 30 days | summarize Entries …

How to Convert Your Old, Boring Queries to KQL for Azure Sentinel

Migrating from a legacy SIEM can seem like a daunting task, particularly when you've built so much into the existing tool over the years. You have use cases, queries, reports, etc., that you would still like to take advantage of in Azure Sentinel. I hear this quite a bit, and we do a good job …

Run KQL Queries Locally to Expose Log Events RealTimeKQL

My colleague Nathan Swift (@SwiftSolves) sent me a note yesterday about a tool that I wasn't aware of, but haven't been able to stop using since. RealTimeKQL gives you the ability to use KQL queries locally to retrieve event transaction information in <ahem> "real time." This is a great way to capture specific event IDs, …

How to Use serialize to Add Line Numbers to KQL Results for Azure Sentinel Workbooks

A customer asked recently if they could add line numbers to query results in an Azure Sentinel Workbook. They wanted to show the number of rows returned from the query in one Workbook module and then show total records for a value side-by-side in another module. This would allow them to identify if the query …

How to Monitor Compliant and Non-compliant Systems for Zerologon Using Azure Sentinel

In August, we released security updates to resolve a vulnerability (CVE-2020-1472) for all affected systems. With August or September security updates deployed, Domain, Trust and Windows machine accounts will be protected. However, for those organizations that want to monitor for those systems that are either compliant or non-compliant - and find those systems that might …

Unleash the Rosetta Stone of Schema Knowledge for Your Azure Sentinel Data

Here's a quick tip, but also a solid superpower you can unleash today. I regularly get asked by Azure Sentinel customers about "how to know" the columns that are available to query against in the data tables. We have a couple methods to do this in the UI itself. When you hover your mouse cursor …

Spice Up Your Azure Sentinel KQL Query Results with Emoji

Here's a little-known tip that can help brighten an otherwise mundane query existence. Instead of producing the normal query results of boring and blah rows and columns of data to sift through, have a little fun with it. Did you know that KQL supports emoji? Emoji in KQL? Say it isn't so!! It has to …

How to Keep Track of Your Higher Cost Azure Sentinel Tables Using KQL

Need a good way of tracking your Azure Sentinel table usage? Here's a KQL query to help. I can't take full credit for it, other than sharing it. This query is an amalgam of different queries and the work of a multitude of individuals, but hugely useful. union withsource=TableName1 * | where TimeGenerated > ago(30d) …

How to Enable Line Numbers in Azure Sentinel to Aid Quicker Debugging of KQL Queries

The Azure Monitor team has rolled out a new capability to everyone to help enable quicker debugging for KQL queries in the Log Analytics workspace. When writing queries now and you receive the standard error that includes the line number and position, you'll be able to identify the actual line more easily. For those used …