Another blog to help expand Security Knowledge
Introduction This post is in response to a question that was asked on LinkedIn. The person wanted to know how to get the custom hunting queries using the REST API since it didn’t seem that any of the Microsoft Sentinel APIs retrieve that information. That is correct. There are no Microsoft Sentinel REST APIs to […]
Introduction Much of the investigative work done inside of Microsoft Sentinel, as well as many other Azure products that use KQL, deals with IP Addresses. Matching, comparing, and seeing if they show up in a table are many of the actions we perform against IP Addresses. Luckily, KQL provides many different functions to work with […]
Introduction Ok, the title is a bit cheesy, but the song just came on and it really does fit. Anyone who has used KQL for any length of time knows about the “datetime”, “now”, and “ago” command as in To see information in the last 5 days. However, KQL provides a lot more capabilities regarding […]
Overview Microsoft Sentinel can show you which MITRE tactics and techniques that are being used with your rules to see the total coverage. But how about which tables are being covered? Unfortunately, this data is not stored anywhere that is accessible. It would be nice to have a place to enter the tables being used […]
Overview Back in the first post in this series, I mentioned that you can easily change how far back you can look to get information in your queries. This post will talk about PowerBI parameters that we will use to do this. Create a parameter Parameters are very easy to create. In left hand navigation […]
Overview So far in this series (if 3 posts can be considered a series), we have ingested data into PowerBI and created a basic report. We looked at some of the pitfalls that may happen when creating a table view. In this post, we will look at the tables themselves and how we can expand […]
Overview In one of my last posts, I talked about the differences between Microsoft Sentinel workbooks and PowerBI. In this post, the first of however many I decide to write, we will look at converting the Security Operations Efficiency workbook into PowerBI. Why this workbook? There are a few reasons. It has different steps in […]
Introduction Update: Microsoft Sentinel now has the ability to trigger a playbook when an incident has been updated so this blog post is obsolete! If you are like me, you feel that one of the holes in Microsoft Sentinel is knowing when something changes. I am hoping that this changes soon (pun intended). In the […]
If you have read either version of my book, I sent you to a URL that uses the Azure Data Explorer to play around with the KQL queries. Rod Trent just posted a blog at Create and Maintain Your Own KQL Demo Environment with the New Start-for-free Cluster – Azure Cloud & AI Domain Blog […]
I just noticed this morning that one of my queries in Azure Sentinel returned 30,000 results rather than the old 10,000 it used to. Hopefully this is not a bug and will continue.
