How to Enable Line Numbers in Azure Sentinel to Aid Quicker Debugging of KQL Queries

The Azure Monitor team has rolled out a new capability to everyone to help enable quicker debugging for KQL queries in the Log Analytics workspace. When writing queries now and you receive the standard error that includes the line number and position, you'll be able to identify the actual line more easily. For those used …

Azure Sentinel Analytics Rule to Keep Track of Cloud Shell

I've been asked several times for the ability to use Azure Sentinel to keep track of who is executing Azure Cloud Shell. So, I finally put together a quick Analytics Rule that will identify when Cloud Shell is run and report on the user and IP address used. It definitely still needs to be tuned …
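One way to build such a rule, as an added example rather than the post's own query: the Azure Activity log is the source, and the detection rests on an assumption that Cloud Shell keeps its profile in a file share inside an auto-created resource group named cloud-shell-storage-<region>, so successful operations against that group mark a session. The `lookback`, the 15-minute session window and the old-style `AccountCustomEntity`/`IPCustomEntity` mappings are choices for this example, not anything the post prescribes.

```kusto
// Added example, not the blog post's own rule.
// Assumption: Cloud Shell mounts a file share that lives in a resource group
// named cloud-shell-storage-<region>, so successful Activity-log operations
// against that group are a usable signal that a session was started.
let lookback = 1h;
AzureActivity
| where TimeGenerated > ago(lookback)
| where ResourceGroup startswith "cloud-shell-storage-"
| where ActivityStatusValue in~ ("Success", "Succeeded")
// collapse the burst of API calls one launch produces into a single row
| summarize SessionStart = min(TimeGenerated),
            SessionEnd   = max(TimeGenerated),
            Operations   = make_set(OperationNameValue),
            Calls        = count()
    by Caller, CallerIpAddress, SubscriptionId, Window = bin(TimeGenerated, 15m)
| project-away Window
// entity mappings so the incident carries the account and IP
| extend AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
| order by SessionStart desc
```

Scheduled hourly with a one-hour lookback, the rule produces one incident per user, IP and session window. Tuning usually means excluding automation identities that legitimately touch those storage accounts and, if the goal is catching unexpected operators, joining `CallerIpAddress` against a known-good IP list so only sessions from unfamiliar addresses raise an incident.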

KQL Methods to Display a Per-Day Occurrence in Azure Sentinel

A customer recently wanted to show in a Workbook those users that used MFA to login and format the results so that it showed how many times per day it happened overall. There are multiple ways to get this done. You can parse the raw output of the TimeGenerated, use format_datetime, or bin with TimeGenerated. Here's …
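The three approaches side by side in one query, as an added example that is not the post's own code: it assumes the Azure AD `SigninLogs` table is connected, that `ResultType == 0` is a successful sign-in, and that `AuthenticationRequirement` records whether MFA was applied to that sign-in.

```kusto
// Added example, not the blog post's own query.
// Assumes SigninLogs is connected; ResultType 0 = success, and
// AuthenticationRequirement says whether MFA was enforced on the sign-in.
SigninLogs
| where TimeGenerated > ago(14d)
| where ResultType == 0
| where AuthenticationRequirement =~ "multiFactorAuthentication"
| extend
    // 1) bin(): a real datetime, so Workbook time charts sort and plot it
    DayBin    = bin(TimeGenerated, 1d),
    // 2) format_datetime(): a string bucket, convenient for grid columns
    DayText   = format_datetime(TimeGenerated, "yyyy-MM-dd"),
    // 3) parse the raw value: the first 10 chars of the ISO timestamp
    DayParsed = todatetime(substring(tostring(TimeGenerated), 0, 10))
| summarize MfaSignins = count(),
            Users      = dcount(UserPrincipalName)
    by DayBin, DayText, DayParsed
| order by DayBin asc
```

All three columns carry the same day, but only `DayBin` (or `DayParsed`) keeps a datetime type; if the Workbook visualisation is a time chart, group by that one and drop the string form, which would otherwise sort lexically and cannot be used with `render timechart`.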

KQL to Help Identify Systems Patched for CVE-2020-1350

On Tuesday, July 14th, we released an alert and guidance on a potentially impactful Windows DNS Server Remote Code Execution Vulnerability. See: CVE-2020-1350 If you're using Azure Sentinel, Intune, or any other service that can take advantage of KQL to sift through a Log Analytics Workspace (LAW), the following KQL query can help identify those …
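A query of that shape over Update Management data, as an added example rather than the post's own: it assumes the `Update` table is populated in the workspace and that the reader fills `patchKBs` with the KB numbers Microsoft lists for CVE-2020-1350 per OS build; the single KB shown is only an example entry, and the full list must come from the advisory.

```kusto
// Added example, not the blog post's own query.
// Assumption: the Update table (Update Management) is populated, and the
// patchKBs list holds the KB IDs from the CVE-2020-1350 advisory for each
// OS build you run. Only one example entry is shown; fill in the rest.
let patchKBs = dynamic(["KB4565503"]);
Update
| where TimeGenerated > ago(7d)
| where OSType == "Windows"
| where Classification == "Security Updates"
// 'has' matches the KB token inside the update title
| where Title has_any (patchKBs)
// the table is reported repeatedly: keep the latest state per computer
| summarize arg_max(TimeGenerated, UpdateState, Title) by Computer
| project Computer, Title, UpdateState, LastReported = TimeGenerated
| order by UpdateState asc, Computer asc
```

Rows reporting `Needed` are the machines still exposed; a machine that never appears has either not reported in seven days or has no matching update in its scan, which is worth checking rather than assuming it is patched. Narrow the result to DNS servers by joining on a list of those hosts, since the table itself does not say which role a computer has.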

Visualizing Azure Sentinel Billable Data by Solution and Data Type

We make it easy to quickly monitor data consumption for Azure Sentinel in the Settings blade in the console. Monitor data ingestion and retention But, for those cost-conscious individuals who need more, here are a couple of valuable KQL queries to better visualize data consumption. Billable data volume by data type Usage | where TimeGenerated > ago(32d) …
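A fuller version of that idea, as an added example and not the post's own query: it breaks billable volume down by both solution and data type over the last 31 full days, using the `Usage` table's `StartTime`/`EndTime` interval bounds and the fact that `Quantity` is reported in MB.

```kusto
// Added example, not the blog post's own query.
// Usage.Quantity is MB; StartTime/EndTime bound each reporting interval,
// so filtering on them gives whole days and avoids partial buckets.
let billable =
    Usage
    | where TimeGenerated > ago(32d)
    | where StartTime >= startofday(ago(31d)) and EndTime <= startofday(now())
    | where IsBillable == true;
let totalMB = toscalar(billable | summarize sum(Quantity));
billable
| summarize BillableMB = sum(Quantity) by Solution, DataType
| extend BillableGB    = round(BillableMB / 1024, 2),
         GBPerDay      = round(BillableMB / 1024 / 31, 3),
         PctOfTotal    = round(100.0 * BillableMB / totalMB, 1)
| project Solution, DataType, BillableGB, GBPerDay, PctOfTotal
| order by BillableGB desc
```

`PctOfTotal` is the column to watch: one or two data types (typically `SecurityEvent` or a verbose custom log) usually account for most of the bill, and that is where filtering at the connector or tightening a Data Collection Rule pays off. Dropping `Solution` from the `by` clause gives the per-data-type view the post starts with.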

Intune DeviceType Reference for Azure Sentinel KQL

As you start to connect your Intune/Endpoint Manager logs to Azure Sentinel, you may see right away that there's a DeviceType column exposed that looks valuable but the results show ID numbers instead of just device names. This DeviceType column is directly related to the DeviceTypeID for Intune device entities. As an example, the following …

Getting Direct URLs for Azure Sentinel Incidents Using KQL

We are making this capability much, MUCH easier in the very near future but for now here's a convoluted way to get the direct link to Incidents out of the Azure Sentinel tables. I created the following query for a customer so they could parse out the URL and then send it through email to …

Display the Azure Sentinel Analytics Rules that have produced Incidents

Working with a customer today they wanted to understand which Analytics Rules were most active (hitting thresholds) and how many times each were enacted. It didn't take long to whip up a KQL query to retrieve the information but I thought it worth sharing in the event someone else is looking to do this, too. …
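One query that answers both of the last two posts, the direct incident link and the most active rules, as an added example that is not either post's own code. It assumes the workspace's `SecurityIncident` table carries an `IncidentUrl` column (the portal deep link) and an `AlertIds` array, that `SecurityAlert.SystemAlertId` matches those IDs, and that for Sentinel scheduled rules `AlertName` is the rule's display name.

```kusto
// Added example, not the blog posts' own queries.
// Assumptions: SecurityIncident has IncidentUrl and AlertIds; SecurityAlert
// rows are joinable on SystemAlertId and AlertName is the analytics rule name.
let lookback = 30d;
let latestIncidents =
    SecurityIncident
    | where TimeGenerated > ago(lookback)
    // the table is append-only: every status change adds a row, so keep
    // only the newest row per incident number
    | summarize arg_max(TimeGenerated, *) by IncidentNumber;
let alertNames =
    SecurityAlert
    | where TimeGenerated > ago(lookback)
    | summarize arg_max(TimeGenerated, AlertName, ProviderName) by SystemAlertId;
latestIncidents
// one row per incident/alert pair so the join works on a scalar id
| mv-expand AlertId = AlertIds to typeof(string)
| join kind=inner alertNames on $left.AlertId == $right.SystemAlertId
| summarize Incidents          = dcount(IncidentNumber),
            OpenIncidents      = dcountif(IncidentNumber, Status =~ "New" or Status =~ "Active"),
            LatestIncident     = max(CreatedTime),
            SampleIncidentUrls = make_set(IncidentUrl, 3)
    by RuleName = AlertName, ProviderName
| order by Incidents desc
```

Each row is one rule with how many distinct incidents it produced, how many are still open, and up to three direct links that can be dropped into an email or Logic App. Without the `arg_max` deduplication an incident that was reassigned or closed several times would be counted once per update, which is the usual reason these counts come out inflated.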

Tools and Resources to Practice Your Azure Sentinel KQL-fu

I teach a couple of KQL courses focused on Azure Sentinel - one beginner and one more advanced. The beginner course (level 100-200), coupled with our KQL docs (aka.ms/KQLDocs), is usually enough to get customers on the right path to learning the Kusto Query Language. Whenever I deliver an Azure Sentinel workshop, it's the moment …

Azure Sentinel Tip for Table Details and Descriptions

I wrote a recent article that talks about tips for doing Data Sampling for Azure Sentinel. Data Sampling is a method that allows the Sentinel Analyst to figure out where and what data exists in the Log Analytics workspace to help hone KQL queries to produce good data results. Read that here if you missed …
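A data-sampling query of that kind, added here as an example and not taken from the post: it tags every row in the workspace with its table name via `union withsource`, then reports volume and freshness per table. The seven-day window is a choice for this example, and `Computer` is null for tables that lack the column, which is fine for `dcount`.

```kusto
// Added example, not the blog post's own query.
// Inventory what the workspace actually holds before writing a detection.
// union withsource stamps each row with the table it came from.
union withsource = TableName *
| where TimeGenerated > ago(7d)
| summarize Rows      = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen  = max(TimeGenerated),
            // null for tables without a Computer column; dcount ignores nulls
            Computers = dcount(Computer)
    by TableName
| extend StaleFor = now() - LastSeen
| order by Rows desc
// Once a table looks promising, list its columns and types before querying it:
//   SecurityEvent | getschema | project ColumnName, ColumnType
```

Tables with a large `StaleFor` are connectors that have silently stopped, a common reason a detection that worked in the lab returns nothing in production; `getschema` then tells you the exact column names and types to use, so the query is written against what the table really contains rather than what the documentation page suggests.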