In this blog I will demonstrate how to collect the SMBv1 audit events in Azure Log Analytics. I will also show a simple query to extract the IP information from these events which can be exported to a CSV file if needed.
Need a good way of tracking your Azure Sentinel table usage? Here's a KQL query to help. I can't take full credit for it, other than sharing it. This query is an amalgam of different queries and the work of a multitude of individuals, but hugely useful. union withsource=TableName1 * | where TimeGenerated > ago(30d) … Continue reading How to Keep Track of Your Higher Cost Azure Sentinel Tables Using KQL
The Azure Monitor team has rolled out a new capability to everyone to help enable quicker debugging for KQL queries in the Log Analytics workspace. When writing queries now and you receive the standard error that includes the line number and position, you'll be able to identify the actual line more easily. For those used … Continue reading How to Enable Line Numbers in Azure Sentinel to Aid Quicker Debugging of KQL Queries
On Tuesday, July 14th, we released an alert and guidance on a potentially impactful Windows DNS Server Remote Code Execution Vulnerability. See: CVE-2020-1350 If you're using Azure Sentinel, Intune, or any other service that can take advantage of KQL to sift through a Log Analytics Workspace (LAW), the following KQL query can help identify those … Continue reading KQL to Help Identify Systems Patched for CVE-2020-1350
Service Map can show you which clients are connecting to your DC, now how do we find which sites they belong to?
I teach a couple KQL courses focused on Azure Sentinel - one beginner and one more advanced. The beginner course (level 100-200), coupled with our KQL docs (aka.ms/KQLDocs), is usually enough though to get customers on the right path to learning the Kusto Query Language. Whenever I deliver an Azure Sentinel workshop, it's the moment … Continue reading Tools and Resources to Practice Your Azure Sentinel KQL-fu
I had the occasion recently to work with a customer that had domain controllers that were disconnected from the Internet, but still wanted to ingest the server event logs into Azure Sentinel. Sifting through research I found there's a myriad of ways to do it (including standing up a Log Analytics gateway) but one of … Continue reading Exporting Events from Disconnected Systems to Ingest into Azure Sentinel
I wrote a recent article that talks about tips for doing Data Sampling for Azure Sentinel. Data Sampling is a method that allows the Sentinel Analyst to figure out where and what data exists in the Log Analytics workspace to help hone KQL queries to produce good data results. Read that here if you missed … Continue reading Azure Sentinel Tip for Table Details and Descriptions