Log Analytics issues are things that should be an important matter for Microsoft Sentinel customers, since the service runs on top of a Log Analytics workspace. And, as such, there should be a mechanism to monitor when issues have been reported. The Azure Monitor team maintains a status blog: https://cda.ms/3kB This blog produces alerts when … Continue reading Quick Tip: Monitoring Log Analytics Issues for Microsoft Sentinel
My colleague, Sonia Cuff, recently posted a great article around How to find your Azure Log Analytics agent deployments in preparation for the Azure Monitor agent. In the article, she presents a couple different ways to locate the Log Analytics agent including using PowerShell and the actual Log Analytics service console. There's also another way … Continue reading How to Locate installed LA Agents and If On-prem or in Azure
There's a newer feature in Log Analytics that you may have missed. This feature makes it much, much easier to share your fantastic KQL query creations with the world and puts the real work on the folks at Microsoft. In the Logs blade in any Log Analytics workspace, under the Share option, there's a new … Continue reading How to Easily Share Your Azure Sentinel Queries with the Community
The Functions capability of Log Analytics has been enhanced and its worth knowing about these changes because some of the nuances can help you in your Azure Sentinel endeavors such as Hunting and Parsing. Take a look in your Azure Sentinel console along with the image below to get the comparison. Changes in Functions The … Continue reading How to Find the Enhanced Functions Capabilities in the Azure Sentinel Console
Overview: Automanage is the latest approach of managing your virtual machines with optimized, automated operations across the entire VM lifecycle. This is a service that eliminates the need to discover, know how to onboard, and how to configure certain services in Azure that would benefit your virtual machine. Major Benefits: The major benefits of using … Continue reading Azure Automanage – Simplify and optimize IT management with automated operations
In this blog I will demonstrate how to collect the SMBv1 audit events in Azure Log Analytics. I will also show a simple query to extract the IP information from these events which can be exported to a CSV file if needed.
Need a good way of tracking your Azure Sentinel table usage? Here's a KQL query to help. I can't take full credit for it, other than sharing it. This query is an amalgam of different queries and the work of a multitude of individuals, but hugely useful. union withsource=TableName1 * | where TimeGenerated > ago(30d) … Continue reading How to Keep Track of Your Higher Cost Azure Sentinel Tables Using KQL
The Azure Monitor team has rolled out a new capability to everyone to help enable quicker debugging for KQL queries in the Log Analytics workspace. When writing queries now and you receive the standard error that includes the line number and position, you'll be able to identify the actual line more easily. For those used … Continue reading How to Enable Line Numbers in Azure Sentinel to Aid Quicker Debugging of KQL Queries
On Tuesday, July 14th, we released an alert and guidance on a potentially impactful Windows DNS Server Remote Code Execution Vulnerability. See: CVE-2020-1350 If you're using Azure Sentinel, Intune, or any other service that can take advantage of KQL to sift through a Log Analytics Workspace (LAW), the following KQL query can help identify those … Continue reading KQL to Help Identify Systems Patched for CVE-2020-1350
Service Map can show you which clients are connecting to your DC, now how do we find which sites they belong to?