There's a newer feature in Log Analytics that you may have missed. This feature makes it much, much easier to share your fantastic KQL query creations with the world and puts the real work on the folks at Microsoft. In the Logs blade in any Log Analytics workspace, under the Share option, there's a new … Continue reading How to Easily Share Your Azure Sentinel Queries with the Community
The Functions capability of Log Analytics has been enhanced, and it's worth knowing about these changes because some of the nuances can help you in your Azure Sentinel endeavors such as Hunting and Parsing. Take a look in your Azure Sentinel console along with the image below to get the comparison. Changes in Functions The … Continue reading How to Find the Enhanced Functions Capabilities in the Azure Sentinel Console
Overview: Automanage is the latest approach to managing your virtual machines with optimized, automated operations across the entire VM lifecycle. It is a service that eliminates the need to discover, onboard, and configure the Azure services that would benefit your virtual machine. Major Benefits: The major benefits of using … Continue reading Azure Automanage – Simplify and optimize IT management with automated operations
In this blog I will demonstrate how to collect the SMBv1 audit events in Azure Log Analytics. I will also show a simple query to extract the IP information from these events which can be exported to a CSV file if needed.
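As an added example (not the query from the post itself), the following KQL shows one way to pull the SMBv1 audit events out of the Event table and extract the client IP. It assumes the audit log has been onboarded as a Windows event log data source and that the events arrive with the log name Microsoft-Windows-SMBServer/Audit and Event ID 3000; the "Client Address:" text pattern in the rendered description is an assumption about the event message format, so check it against a real event in your workspace before relying on the regex.

```kusto
// Added example: SMBv1 access audit events collected in Log Analytics.
// Assumptions: the Microsoft-Windows-SMBServer/Audit log is collected via the
// Windows event log data source, and SMB1 access is logged as Event ID 3000
// with a "Client Address: <ip>" line in the rendered description.
Event
| where TimeGenerated > ago(7d)
| where EventLog == "Microsoft-Windows-SMBServer/Audit"
| where EventID == 3000
// Pull the client IPv4 address out of the event text; rows that do not match
// the assumed pattern end up with an empty ClientIP and are dropped below.
| extend ClientIP = extract(@"Client Address:\s*([0-9]{1,3}(?:\.[0-9]{1,3}){3})", 1, RenderedDescription)
| where isnotempty(ClientIP)
// One row per server/client pair, with how often and how recently SMBv1 was used.
| summarize SMBv1Connections = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
            by Server = Computer, ClientIP
| order by SMBv1Connections desc
```

Run the query in the Logs blade and use Export to save the summarized result as CSV; the per-client counts are what you need when deciding whether SMBv1 can be disabled on a given server.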
Need a good way of tracking your Azure Sentinel table usage? Here's a KQL query to help. I can't take full credit for it, other than sharing it. This query is an amalgam of different queries and the work of a multitude of individuals, but hugely useful. union withsource=TableName1 * | where TimeGenerated > ago(30d) … Continue reading How to Keep Track of Your Higher Cost Azure Sentinel Tables Using KQL
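The excerpt above is cut off, so here is a complete query of the same shape, written for this page as an added example rather than copied from the post. It relies on the built-in _IsBillable and _BilledSize columns that Log Analytics adds to every row, so it runs against any workspace without further setup; the 30-day window and the per-GB price placeholder are assumptions you should adjust.

```kusto
// Added example: rank tables by billable ingestion over the last 30 days.
// _IsBillable and _BilledSize are system columns present on every table.
// PricePerGB is an assumed placeholder; substitute your region's pay-as-you-go
// or commitment-tier rate to turn volume into an estimated cost.
let PricePerGB = 2.76;
union withsource = TableName *
| where TimeGenerated > ago(30d)
| summarize Entries = count(),
            BillableBytes = sumif(_BilledSize, _IsBillable == true),
            LastRecord = max(TimeGenerated)
            by TableName
| extend BillableGB = round(BillableBytes / (1024.0 * 1024.0 * 1024.0), 3)
| extend EstimatedCost = round(BillableGB * PricePerGB, 2)
| project TableName, Entries, BillableGB, EstimatedCost, LastRecord
| order by BillableGB desc
```

Because union over * touches every table in the workspace, the query is itself somewhat expensive; narrow the time window or pin the query to a workbook that runs on a schedule rather than leaving it on a dashboard that refreshes constantly.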
The Azure Monitor team has rolled out a new capability to everyone to help enable quicker debugging of KQL queries in the Log Analytics workspace. Now, when you write a query and receive the standard error that includes the line number and position, you'll be able to identify the actual line more easily. For those used … Continue reading How to Enable Line Numbers in Azure Sentinel to Aid Quicker Debugging of KQL Queries
On Tuesday, July 14th, we released an alert and guidance on a potentially impactful Windows DNS Server Remote Code Execution Vulnerability. See: CVE-2020-1350 If you're using Azure Sentinel, Intune, or any other service that can take advantage of KQL to sift through a Log Analytics Workspace (LAW), the following KQL query can help identify those … Continue reading KQL to Help Identify Systems Patched for CVE-2020-1350
Service Map can show you which clients are connecting to your DC, now how do we find which sites they belong to?
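One way to answer that question in KQL, added here as an example and not taken from the post: join the inbound connections that Service Map records in the VMConnection table against a small lookup table of your AD site subnets using the ipv4_lookup plugin. The site names, subnets and the DC hostname below are constructed placeholders; replace them with your own Sites and Services subnet definitions.

```kusto
// Added example: map Service Map client connections to AD sites by subnet.
// Sites and subnets are constructed placeholders; populate this table from
// the Subnets container in Active Directory Sites and Services.
let ADSites = datatable(Subnet: string, Site: string)
[
    "10.10.0.0/16", "HQ",
    "10.20.0.0/16", "Branch-North",
    "10.30.0.0/16", "Branch-South",
    "192.168.100.0/24", "Datacenter"
];
// Assumed: the DC is named DC01 in the Computer column of VMConnection.
let DomainControllers = dynamic(["DC01"]);
VMConnection
| where TimeGenerated > ago(1d)
| where Direction == "inbound"
| where Computer in (DomainControllers)
// Longest-prefix match of the client IP against the site subnet table;
// clients outside every listed subnet are dropped (use return_unmatched=true to keep them).
| evaluate ipv4_lookup(ADSites, SourceIp, Subnet)
| summarize Clients = dcount(SourceIp),
            Connections = sum(LinksEstablished)
            by DomainController = Computer, Site
| order by Connections desc
```

Clients that land in the wrong site, or in no site at all, are the ones worth chasing: they usually indicate a subnet that was never registered in Sites and Services, which is also why those clients are hitting a DC across the WAN instead of a local one.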
I teach a couple of KQL courses focused on Azure Sentinel - one beginner and one more advanced. The beginner course (level 100-200), coupled with our KQL docs (aka.ms/KQLDocs), is usually enough to get customers on the right path to learning the Kusto Query Language. Whenever I deliver an Azure Sentinel workshop, it's the moment … Continue reading Tools and Resources to Practice Your Azure Sentinel KQL-fu
I had the occasion recently to work with a customer that had domain controllers that were disconnected from the Internet, but still wanted to ingest the server event logs into Azure Sentinel. Sifting through research I found there's a myriad of ways to do it (including standing up a Log Analytics gateway) but one of … Continue reading Exporting Events from Disconnected Systems to Ingest into Azure Sentinel