Another blog to help expand Security Knowledge
Introduction For most people using Microsoft Sentinel, you would login the Azure portal, go to the Sentinel page (and maybe select the required instance), go to workbooks, and select the workbook you want to see. That is great, but what if you are a CISO and you don’t want to have to go through all […]
“Microsoft Sentinel in Action” has been released! Technically it is the second edition of “Learn Azure Sentinel” but with all the changed that have occurred between the two books, it was almost a complete rewrite (of the technical sections at least). Check it out on Amazon: Amazon.com: Microsoft Sentinel in Action: Architect, design, implement, and […]
You may have noticed a new blog post about a new SOC Process Framework workbook (What’s New: Azure Sentinel – SOC Process Framework Workbook – Microsoft Tech Community). But what does really mean? First, the workbook is very awesome. It provides a great framework for setting up your own SOC processes. It was meant to […]
While working on the videos for my series on how to work with Azure workbooks, I have run into a few places where you can access another workbook but you need to know the workbook’s ID. This is not easy to do as there is button anywhere that can provide this information (I am going […]
I am starting a new series on Azure workbooks. The first video is up on YouTube covering an introduction to Azure Workbooks. The videos in the series (that I have planned so far) are Overview Groups Text Parameters Links/Tabs Query Metrics There may be more since Query, for instance, has a LOT to talk about.
I just noticed this morning that one of my queries in Azure Sentinel returned 30,000 results rather than the old 10,000 it used to. Hopefully this is not a bug and will continue.
Introduction As you probably already know, Jupyter notebooks allow for much great threat hunting than you can get using the OOTB Azure Sentinel Threat Hunting queries, especially when you consider that you can run the Azure Sentinel KQL queries from a Jupyter notebook. Most of the articles written about Azure Sentinel and Jupyter notebooks use […]
There is a new agent that will be replacing the Microsoft Monitoring agent that we all know from Azure Sentinel. It is called the Azure Monitor Agent and you can think of it more of a new system to ingest data rather than an upgrade from the current system. To get a better idea of […]
It has been a while since I wrote a blog post. New house and new responsibilities at work kept me kind of tied up for quite a while, but I have some posts I have been wanting to write for a while so here is the first one. Azure Arc. What is Azure Arc? According […]
While looking at the SigninLogs table in Azure Sentinel I noticed there are a lot of dynamic fields that hold JSON data. I was trying to use parse_json to get to the data but it was always returning empty fields. I then realized that parse_json requires a string input, not a dynamic. After some messing […]