Another blog to help expand Security Knowledge
Introduction This is a continuation of the post Ingesting Azure Sentinel Incident information into Log Analytics. There are a few things that I want to clarify/rectify in it. I was working on the output from my last post to make a useful workbook from it and noticed a few things. Misspelling I misspelled “severity” when […]
Introduction Second Edit: Look at the entry Ingesting Azure Sentinel Incident information into Log Analytics Part II for more updates Edit: I forgot to add the image for the Compose section. Also, there is a typo in it. I have serverity when it should be severity (or whatever else you want to call it). If […]
If any of you have gone to GitHub (and since I have posted code there I will assume that is everyone reading this 🙂 ) you have seen output generated using the Markdown language. All the ReadMe files in GitHub use it. But what is it? According to its Wikipedia page located here, it is […]
I am happy to announce that my (and my co-author’s) book has, finally, been released. Learn Azure Sentinel is now available directly from the Packt site listed here: https://www.packtpub.com/security/learn-azure-sentinel It should be shipping from Amazon soon. Of course, with the world-side lockdown the actual shipping date may vary. I would suggest buying it directly from […]
Introduction If you go into the Azure Sentinel Logs page you can get a listing of all the tables that you have as well as the individual columns that make up the tables. Wouldn’t it be great if you could export that list into a CSV file? With the use of Azure Sentinel’s REST API […]
I am happy to announce that the book I have been writing with my co-worker, Richard Diver, (and I have no idea how he got top billing 😉 ) is almost finished and will be released soon. It is an introduction to Azure Sentinel and covers all the topics from planning your Log Analytics workspace […]
Microsoft quietly released the Incident settings page in the Scheduled Analytics rule wizard. On this page you can state whether you want the alert to create an incident, if the alerts should be grouped into a single alert, and if you want to re-open closed incidents when a new alert is generated. The page looks […]
Could this mean that an announcement of support Azure Sentinel REST API is coming soon? Let’s hope so! Take a look: https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights
I was playing around with workbooks and noticed that there is a new preview Data Source called Azure Resource Manager. When I selected it I noticed that the Path it wanted begins with /subscription so I thought I would try it with the URL to get Incidents from Sentinel. Lo and behold it worked! It […]
I was looking the latest changes MS made to the Azure Sentinel REST API (available at https://github.com/Azure/azure-rest-api-specs/tree/master/specification/securityinsights/resource-manager/Microsoft.SecurityInsights/preview/2019-01-01-preview) and noticed that they now have an entire section called “incidents” that can be used just as “cases” could before. This makes more sense since, during the beta, Alerts created “cases” but now they create “incidents” . This […]