Azure Workbook: This will show Public IP Address that you have 

This Azure Monitor Workbook can help identify by using KQL (Kusto Query Language) data from AzureActivity and Azure Resource Graph (ARG) which IP addresses are configured and when. Tip you can also use the queries to form an Alert in Azure Monitor or Azure Sentinel to detect when a IP address is made public. Demo: Read more

Log Analytics: Queries, how to find and run them in a Workbook – part 2 

I hadn’t intended a Part 2 on this topic, but I also managed to add Tabs into the “FindMySyntax” Workbook for Azure Monitor Workbooks and Azure Resource Graph. Please see part1: For future versions please look here: Summary So why do I have a Azure Monitor Workbook to find Workbooks, two main reasons: Read more


Log Analytics Workspace Retention Reporting Options (Part 2) 

In my previous post I talked about using Postman to make a REST API call to a Log Analytics workspace to view and change the retention settings. Equally I mentioned that I would look to utilise an Azure Monitor workbook to visualise the settings. Azure Monitor workbooks are a fantastic way to visualise data within Read more

Log Analytics Workspace Retention Reporting Options (Part 1) 

Hi all, This is the first of two posts that I will be doing on how you can report on the Retention settings of an Azure Log Analytics workspace. In the second post I will provide a sample Workbook for displaying the settings. It is often that during my conversations with customers about Azure Monitor, Read more

Log Analytics or Azure Sentinel – how schedule a report 

In this post I show how you can schedule a report to run, using a Log Analytics query, its a frequent ask and one I have answered a few times in posts like this: Question: Can I schedule a query to run in Azure Monitor Logs / Log Analytics (or even for Azure Sentinel) Read more

Audit at scale. Workspaces and Azure Security Center 

A few times this week I’ve had two discussions. How is my Azure Security Center (ASC) licenced and configured? And how many workspaces do I have, and what retention policy is set.   You can look in the portal, however to do this at scale, lets use Azure Resource graph:   I suggest you use Read more

Log Analytics: Improved rendering of Charts 

Hi all,   I just found out today that the Render operator now supports more features in Log Analytics.   Event | summarize dcount(EventID) by Computer , bin(TimeGenerated, 1h) | render timechart with (legend = hidden, title = “My Title here”, xtitle = “X title”, ytitle = “Y title”, ymin = 3, ymax = 10) Read more

Azure Sentinel: Adding the query data to an Alert in a Playbook 

Azure Sentinel Playbooks (based on Logic Apps) are commonly used to take Alert data and perform a Security Orchestration, Automation and Response (SOAR) capability For this issue (I was asked about it twice today so decided to post the answer).  You can use the “Run query and visualise results” to take the Query from the Read more


Azure Sentinel: CIDR matching 

KQL has some IPV4 features.  A new one last month is IPV4_is_match : Two examples (more here ): 1.Using the SigninLogs Table as data. This example takes an IP Address from the log and sees if it is in an allowed range or not.  You define whats allowed or not in the CASE Read more


Azure Monitor Workbooks: How to find Virtual Machines that are in, and not in Azure! 

Sorry I’ve been away for while, however I’m back with a few articles on Azure Monitor Workbooks.  Thanks to Alp Babayigit for the idea and use case for this Workbook. I first started with Workbooks when Azure Sentinel was launched and published some articles here:   Summary In this new Workbook, I Read more