Another blog to help expand Security Knowledge
Overview EDIT: If you need to use this information in workbook, take a look at the “Log Sources & Analytics Rules Coverage” workbook. It uses a combination of ARM templates, JSON, and Regex to show which rules are enabled for a selected table. Very cool! Microsoft Sentinel can show you which MITRE tactics and techniques […]
Overview I recently saw a question about how to do a drilldown in a Microsoft Sentinel workbook. While Rod Trent wrote a post called How to Make Your Azure Sentinel Workbooks Even More Interactive with Drilldowns and Downloads – Azure Cloud & AI Domain Blog (azurecloudai.blog) about 2 years ago on this subject, it deals […]
Overview Back in the first post in this series, I mentioned that you can easily change how far back you can look to get information in your queries. This post will talk about PowerBI parameters that we will use to do this. Create a parameter Parameters are very easy to create. In left hand navigation […]
Overview So far in this series (if 3 posts can be considered a series), we have ingested data into PowerBI and created a basic report. We looked at some of the pitfalls that may happen when creating a table view. In this post, we will look at the tables themselves and how we can expand […]
Overview In one of my last posts, I talked about the differences between Microsoft Sentinel workbooks and PowerBI. In this post, the first of however many I decide to write, we will look at converting the Security Operations Efficiency workbook into PowerBI. Why this workbook? There are a few reasons. It has different steps in […]
Introduction I’m sure anyone who has using Microsoft Sentinel for any length of time has used the workbooks feature. While this is technically an Azure Monitor feature, we use them with Microsoft Sentinel as well. They are great but may not work for everyone. Another choice is Microsoft’s PowerBI reporting tool. This blog post will […]
Introduction Update: Microsoft Sentinel now has the ability to trigger a playbook when an incident has been updated so this blog post is obsolete! If you are like me, you feel that one of the holes in Microsoft Sentinel is knowing when something changes. I am hoping that this changes soon (pun intended). In the […]
If you have read either version of my book, I sent you to a URL that uses the Azure Data Explorer to play around with the KQL queries. Rod Trent just posted a blog at Create and Maintain Your Own KQL Demo Environment with the New Start-for-free Cluster – Azure Cloud & AI Domain Blog […]
Introduction For most people using Microsoft Sentinel, you would login the Azure portal, go to the Sentinel page (and maybe select the required instance), go to workbooks, and select the workbook you want to see. That is great, but what if you are a CISO and you don’t want to have to go through all […]
You may have noticed a new blog post about a new SOC Process Framework workbook (What’s New: Azure Sentinel – SOC Process Framework Workbook – Microsoft Tech Community). But what does really mean? First, the workbook is very awesome. It provides a great framework for setting up your own SOC processes. It was meant to […]