Is Moving the Sentinel Workspace to Another Resource Group or Subscription Supported?

This is a common question and one that needs both an answer and a Docs location to always find the answer. Digging around in the Microsoft Sentinel Docs may not yield the answer you're looking for. The answer is located in the Azure Monitor Doc for Workspace move considerations (URL: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/move-workspace#workspace-move-considerations). Per the Doc: Currently, … Continue reading Is Moving the Sentinel Workspace to Another Resource Group or Subscription Supported?

How to Quickly Tell Which Microsoft Sentinel Tables are Configured as Basic Logs

Basic Logs, of course, is a preview feature for Microsoft Sentinel that enables customers a cheaper, but more limited way to ingest large volume, low security value logs. If you've not heard of this new feature yet, check out the following recent articles to catch up: When to Use and When NOT to Use Basic … Continue reading How to Quickly Tell Which Microsoft Sentinel Tables are Configured as Basic Logs

Quick Tip: Monitoring Log Analytics Issues for Microsoft Sentinel

Log Analytics issues are things that should be an important matter for Microsoft Sentinel customers, since the service runs on top of a Log Analytics workspace. And, as such, there should be a mechanism to monitor when issues have been reported. The Azure Monitor team maintains a status blog: https://cda.ms/3kB This blog produces alerts when … Continue reading Quick Tip: Monitoring Log Analytics Issues for Microsoft Sentinel

How to Locate installed LA Agents and If On-prem or in Azure

My colleague, Sonia Cuff, recently posted a great article around How to find your Azure Log Analytics agent deployments in preparation for the Azure Monitor agent. In the article, she presents a couple different ways to locate the Log Analytics agent including using PowerShell and the actual Log Analytics service console. There's also another way … Continue reading How to Locate installed LA Agents and If On-prem or in Azure

How to Easily Share Your Azure Sentinel Queries with the Community

There's a newer feature in Log Analytics that you may have missed. This feature makes it much, much easier to share your fantastic KQL query creations with the world and puts the real work on the folks at Microsoft. In the Logs blade in any Log Analytics workspace, under the Share option, there's a new … Continue reading How to Easily Share Your Azure Sentinel Queries with the Community

How to Find the Enhanced Functions Capabilities in the Azure Sentinel Console

The Functions capability of Log Analytics has been enhanced and its worth knowing about these changes because some of the nuances can help you in your Azure Sentinel endeavors such as Hunting and Parsing. Take a look in your Azure Sentinel console along with the image below to get the comparison. Changes in Functions The … Continue reading How to Find the Enhanced Functions Capabilities in the Azure Sentinel Console

Azure Automanage – Simplify and optimize IT management with automated operations

Overview: Automanage is the latest approach of managing your virtual machines with optimized, automated operations across the entire VM lifecycle. This is a service that eliminates the need to discover, know how to onboard, and how to configure certain services in Azure that would benefit your virtual machine. Major Benefits: The major benefits of using … Continue reading Azure Automanage – Simplify and optimize IT management with automated operations

How to Keep Track of Your Higher Cost Azure Sentinel Tables Using KQL

Need a good way of tracking your Azure Sentinel table usage? Here's a KQL query to help. I can't take full credit for it, other than sharing it. This query is an amalgam of different queries and the work of a multitude of individuals, but hugely useful. union withsource=TableName1 * | where TimeGenerated > ago(30d) … Continue reading How to Keep Track of Your Higher Cost Azure Sentinel Tables Using KQL

How to Enable Line Numbers in Azure Sentinel to Aid Quicker Debugging of KQL Queries

The Azure Monitor team has rolled out a new capability to everyone to help enable quicker debugging for KQL queries in the Log Analytics workspace. When writing queries now and you receive the standard error that includes the line number and position, you'll be able to identify the actual line more easily. For those used … Continue reading How to Enable Line Numbers in Azure Sentinel to Aid Quicker Debugging of KQL Queries