Unleash the Rosetta Stone of Schema Knowledge for Your Azure Sentinel Data

Here's a quick tip, but also a solid superpower you can unleash today. I regularly get asked by Azure Sentinel customers about "how to know" the columns that are available to query against in the data tables. We have a couple of methods to do this in the UI itself. When you hover your mouse cursor …

Spice Up Your Azure Sentinel KQL Query Results with Emoji

Here's a little-known tip that can help brighten an otherwise mundane query existence. Instead of producing the normal query results of boring and blah rows and columns of data to sift through, have a little fun with it. Did you know that KQL supports emoji? Emoji in KQL? Say it isn't so!! It has to …

How to Keep Track of Your Higher Cost Azure Sentinel Tables Using KQL

Need a good way of tracking your Azure Sentinel table usage? Here's a KQL query to help. I can't take full credit for it, other than sharing it. This query is an amalgam of different queries and the work of a multitude of individuals, but it is hugely useful. union withsource=TableName1 * | where TimeGenerated > ago(30d) …

How to Enable Line Numbers in Azure Sentinel to Aid Quicker Debugging of KQL Queries

The Azure Monitor team has rolled out a new capability to everyone to help enable quicker debugging of KQL queries in the Log Analytics workspace. Now, when you write a query and receive the standard error that includes the line number and position, you'll be able to identify the actual line more easily. For those used …

Azure Sentinel Analytics Rule to Keep Track of Cloud Shell

I've been asked several times for the ability to use Azure Sentinel to keep track of who is executing Azure Cloud Shell. So, I finally put together a quick Analytics Rule that will identify when Cloud Shell is run and report on the user and IP address used. It definitely still needs to be tuned …

KQL Methods to Display a Per-Day Occurrence in Azure Sentinel

A customer recently wanted to show in a Workbook those users that used MFA to log in, and format the results so that it showed how many times per day it happened overall. There are multiple ways to get this done. You can parse the raw output of TimeGenerated, use format_datetime, or bin on TimeGenerated. Here's …

KQL to Help Identify Systems Patched for CVE-2020-1350

On Tuesday, July 14th, we released an alert and guidance on a potentially impactful Windows DNS Server Remote Code Execution Vulnerability. See: CVE-2020-1350. If you're using Azure Sentinel, Intune, or any other service that can take advantage of KQL to sift through a Log Analytics Workspace (LAW), the following KQL query can help identify those …

Visualizing Azure Sentinel Billable Data by Solution and Data Type

We make it easy to quickly monitor data consumption for Azure Sentinel in the Settings blade in the console (Monitor data ingestion and retention). But, for those cost-conscious individuals who need more, here are a couple of valuable KQL queries to better visualize data consumption. Billable data volume by data type: Usage | where TimeGenerated > ago(32d) …

Intune DeviceType Reference for Azure Sentinel KQL

As you start to connect your Intune/Endpoint Manager logs to Azure Sentinel, you may see right away that there's a DeviceType column exposed that looks valuable, but the results show ID numbers instead of device names. This DeviceType column is directly related to the DeviceTypeID for Intune device entities. As an example, the following …