Tag: Azure Sentinel
Explore:
-
-
Azure Workbook: This will show Public IP Address that you have
This Azure Monitor Workbook can help identify by using KQL (Kusto Query Language) data from AzureActivity and Azure Resource Graph (ARG) which IP addresses are configured and when. Tip you can also use the queries to form an Alert in Azure Monitor or Azure Sentinel to detect when a IP address is made public. Demo: -
Log Analytics: Queries, how to find and run them in a Workbook – part 2
I hadn’t intended a Part 2 on this topic, but I also managed to add Tabs into the “FindMySyntax” Workbook for Azure Monitor Workbooks and Azure Resource Graph. Please see part1: https://www.microsoft.com/en-gb/industry/blog/cross-industry/2020/06/18/log-analytics-kql-saved-queries-how-to-find-and-run-them-in-a-workbook/ For future versions please look here: https://github.com/CliveW-MSFT/KQLpublic/tree/master/KQL/Workbooks/findMySynatx Summary So why do I have a Azure Monitor Workbook to find Workbooks, two main reasons: -
Log Analytics Workspace Retention Reporting Options (Part 2)
In my previous post I talked about using Postman to make a REST API call to a Log Analytics workspace to view and change the retention settings. Equally I mentioned that I would look to utilise an Azure Monitor workbook to visualise the settings. Azure Monitor workbooks are a fantastic way to visualise data within -
Log Analytics: KQL saved Queries, how to find and run them in a Workbook
Summary Log Analytics has a option called Query Explorer (note, this is due to be updated, so this example is applicable for a short period of time). If like me you have 100’s of saved queries, managing them can be a challenge (my #1 challenge!), lets fix that with a Azure Monitor Workbook… One of -
Log Analytics Workspace Retention Reporting Options (Part 1)
Hi all, This is the first of two posts that I will be doing on how you can report on the Retention settings of an Azure Log Analytics workspace. In the second post I will provide a sample Workbook for displaying the settings. It is often that during my conversations with customers about Azure Monitor, -
Log Analytics or Azure Sentinel – how schedule a report
In this post I show how you can schedule a report to run, using a Log Analytics query, its a frequent ask and one I have answered a few times in posts like this: https://techcommunity.microsoft.com/t5/azure-log-analytics/log-analytics-for-report-generation/m-p/1469610 Question: Can I schedule a query to run in Azure Monitor Logs / Log Analytics (or even for Azure Sentinel) -
Audit at scale. Workspaces and Azure Security Center
A few times this week I’ve had two discussions. How is my Azure Security Center (ASC) licenced and configured? And how many workspaces do I have, and what retention policy is set. You can look in the portal, however to do this at scale, lets use Azure Resource graph: I suggest you use -
Log Analytics: Improved rendering of Charts
Hi all, I just found out today that the Render operator now supports more features in Log Analytics. Event | summarize dcount(EventID) by Computer , bin(TimeGenerated, 1h) | render timechart with (legend = hidden, title = “My Title here”, xtitle = “X title”, ytitle = “Y title”, ymin = 3, ymax = 10) -
Azure Sentinel: Adding the query data to an Alert in a Playbook
Azure Sentinel Playbooks (based on Logic Apps) are commonly used to take Alert data and perform a Security Orchestration, Automation and Response (SOAR) capability For this issue (I was asked about it twice today so decided to post the answer). You can use the “Run query and visualise results” to take the Query from the -
Azure Sentinel: CIDR matching
KQL has some IPV4 features. A new one last month is IPV4_is_match : https://docs.microsoft.com/en-us/azure/kusto/query/ipv4-is-matchfunction Two examples (more here https://github.com/CliveW-MSFT/KQLpublic/blob/master/Queries/CIDRexamples ): 1.Using the SigninLogs Table as data. This example takes an IP Address from the log and sees if it is in an allowed range or not. You define whats allowed or not in the CASE -
Azure Monitor Workbooks: How to find Virtual Machines that are in, and not in Azure!
Sorry I’ve been away for while, however I’m back with a few articles on Azure Monitor Workbooks. Thanks to Alp Babayigit for the idea and use case for this Workbook. I first started with Workbooks when Azure Sentinel was launched and published some articles here: https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-and-azure-arc/ba-p/999379 https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-use-azure-sentinel-to-follow-a-users-travel-and-map-their/ba-p/981716 https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-use-azure-monitor-workbooks-to-map-sentinel-data/ba-p/971818 Summary In this new Workbook, I