Get more results when querying logs in Azure Sentinel
I just noticed this morning that one of my queries in Azure Sentinel returned 30,000 results rather than the old 10,000 it used to. Hopefully this is not a bug and will continue.
Another blog to help expand Security Knowledge
Introduction As you probably already know, Jupyter notebooks allow for much greater threat hunting than you can get using the OOTB Azure Sentinel Threat Hunting queries, especially when you consider that you can run the Azure Sentinel KQL queries from a Jupyter notebook. Most of the articles written about Azure Sentinel and Jupyter notebooks use […]
There is a new agent that will be replacing the Microsoft Monitoring agent that we all know from Azure Sentinel. It is called the Azure Monitor Agent and you can think of it more as a new system to ingest data rather than an upgrade from the current system. To get a better idea of […]
While looking at the SigninLogs table in Azure Sentinel I noticed there are a lot of dynamic fields that hold JSON data. I was trying to use parse_json to get to the data but it was always returning empty fields. I then realized that parse_json requires a string input, not a dynamic. After some messing […]
Introduction In Ingesting Azure Sentinel Incident information into Log Analytics, I showed you how to create a Log Analytics workflow to ingest Azure Sentinel Incidents into a Log Analytics workspace. In Ingesting Azure Sentinel Incident information into Log Analytics Part II, I fixed some of the issues I ran into while using the instructions from […]
Introduction This is a continuation of the post Ingesting Azure Sentinel Incident information into Log Analytics. There are a few things that I want to clarify/rectify in it. I was working on the output from my last post to make a useful workbook from it and noticed a few things. Misspelling I misspelled “severity” when […]
Introduction Second Edit: Look at the entry Ingesting Azure Sentinel Incident information into Log Analytics Part II for more updates Edit: I forgot to add the image for the Compose section. Also, there is a typo in it. I have serverity when it should be severity (or whatever else you want to call it). If […]
Introduction If you go into the Azure Sentinel Logs page you can get a listing of all the tables that you have as well as the individual columns that make up the tables. Wouldn’t it be great if you could export that list into a CSV file? With the use of Azure Sentinel’s REST API […]
I am happy to announce that the book I have been writing with my co-worker, Richard Diver, (and I have no idea how he got top billing 😉 ) is almost finished and will be released soon. It is an introduction to Azure Sentinel and covers all the topics from planning your Log Analytics workspace […]
Microsoft quietly released the Incident settings page in the Scheduled Analytics rule wizard. On this page you can state whether you want the alert to create an incident, if the alerts should be grouped into a single alert, and if you want to re-open closed incidents when a new alert is generated. The page looks […]