Azure KQL – Working with IP Addresses

Introduction Much of the investigative work done inside of Microsoft Sentinel, as well as many other Azure products that use KQL, deals with IP Addresses. Matching, comparing, and seeing if they show up in a table are many of the actions we perform against IP Addresses. Luckily, KQL provides many different functions to work with […]

Azure KQL – Time After Time

Introduction Ok, the title is a bit cheesy, but the song just came on and it really does fit. Anyone who has used KQL for any length of time knows about the “datetime”, “now”, and “ago” commands, as in To see information in the last 5 days. However, KQL provides a lot more capabilities regarding […]

Get the number of MS Sentinel rules looking at tables (approximately)

Overview Microsoft Sentinel can show you which MITRE tactics and techniques are being used by your rules, so you can see the total coverage. But how about which tables are being covered? Unfortunately, this data is not stored anywhere that is accessible. It would be nice to have a place to enter the tables being used […]

Recreating a MS workbook in PowerBI: Part 1 – Get the data

Overview In one of my last posts, I talked about the differences between Microsoft Sentinel workbooks and PowerBI. In this post, the first of however many I decide to write, we will look at converting the Security Operations Efficiency workbook into PowerBI. Why this workbook? There are a few reasons. It has different steps in […]

Determining when a Microsoft Sentinel incident’s owner has changed

Introduction Update: Microsoft Sentinel now has the ability to trigger a playbook when an incident has been updated so this blog post is obsolete! If you are like me, you feel that one of the holes in Microsoft Sentinel is knowing when something changes. I am hoping that this changes soon (pun intended). In the […]

Nice shortcut in KQL to get JSON data in a dynamic column.

While looking at the SigninLogs table in Azure Sentinel I noticed there are a lot of dynamic fields that hold JSON data. I was trying to use parse_json to get to the data but it was always returning empty fields. I then realized that parse_json requires a string input, not a dynamic. After some messing […]

Ingesting Azure Sentinel Incident information into Log Analytics Part III – Using the data

Introduction In Ingesting Azure Sentinel Incident information into Log Analytics, I showed you how to create a Log Analytics workflow to ingest Azure Sentinel Incidents into a Log Analytics workspace. In Ingesting Azure Sentinel Incident information into Log Analytics Part II, I fixed some of the issues I ran into while using the instructions from […]

Ingesting Azure Sentinel Incident information into Log Analytics Part II

Introduction This is a continuation of the post Ingesting Azure Sentinel Incident information into Log Analytics. There are a few things that I want to clarify/rectify in it. I was working on the output from my last post to make a useful workbook from it and noticed a few things. Misspelling I misspelled “severity” when […]