Azure Sentinel Archives - Microsoft Industry Blogs

A CISO discusses cybersecurity with her colleague in an office with multiple screens

Cross-industry

Published 28/03/2023

What is a ‘security culture’? Best practices for implementing your security strategy

Over 100 million attacks against remote management devices were observed in May 2022. Today, a Zero Trust security approach is crucial in a world of remote work.

Cross-industry

Published 15/07/2020

Azure Workbook: This will show Public IP Address that you have

This Azure Monitor Workbook can help identify by using KQL (Kusto Query Language) data from AzureActivity and Azure Resource Graph (ARG) which IP addresses are configured and when. Tip you can also use the queries to form an Alert in Azure Monitor or Azure Sentinel to detect when a IP address is made public. Demo:

Cross-industry

Published 02/07/2020

Log Analytics: Queries, how to find and run them in a Workbook – part 2

I hadn’t intended a Part 2 on this topic, but I also managed to add Tabs into the “FindMySyntax” Workbook for Azure Monitor Workbooks and Azure Resource Graph. Please see part1: https://www.microsoft.com/en-gb/industry/blog/cross-industry/2020/06/18/log-analytics-kql-saved-queries-how-to-find-and-run-them-in-a-workbook/ For future versions please look here: https://github.com/CliveW-MSFT/KQLpublic/tree/master/KQL/Workbooks/findMySynatx Summary So why do I have a Azure Monitor Workbook to find Workbooks, two main reasons:

Cross-industry

Published 18/06/2020

Log Analytics Workspace Retention Reporting Options (Part 2)

In my previous post I talked about using Postman to make a REST API call to a Log Analytics workspace to view and change the retention settings. Equally I mentioned that I would look to utilise an Azure Monitor workbook to visualise the settings. Azure Monitor workbooks are a fantastic way to visualise data within

Cross-industry

Published 18/06/2020

Log Analytics: KQL saved Queries, how to find and run them in a Workbook

Summary Log Analytics has a option called Query Explorer (note, this is due to be updated, so this example is applicable for a short period of time). If like me you have 100’s of saved queries, managing them can be a challenge (my #1 challenge!), lets fix that with a Azure Monitor Workbook… One of

Cross-industry

Published 17/06/2020

Log Analytics Workspace Retention Reporting Options (Part 1)

Hi all, This is the first of two posts that I will be doing on how you can report on the Retention settings of an Azure Log Analytics workspace. In the second post I will provide a sample Workbook for displaying the settings. It is often that during my conversations with customers about Azure Monitor,

Cross-industry

Published 17/06/2020

Log Analytics or Azure Sentinel – how schedule a report

In this post I show how you can schedule a report to run, using a Log Analytics query, its a frequent ask and one I have answered a few times in posts like this: https://techcommunity.microsoft.com/t5/azure-log-analytics/log-analytics-for-report-generation/m-p/1469610 Question: Can I schedule a query to run in Azure Monitor Logs / Log Analytics (or even for Azure Sentinel)

Cross-industry

Published 04/06/2020

Audit at scale. Workspaces and Azure Security Center

A few times this week I’ve had two discussions. How is my Azure Security Center (ASC) licenced and configured? And how many workspaces do I have, and what retention policy is set. You can look in the portal, however to do this at scale, lets use Azure Resource graph: I suggest you use

Cross-industry

Published 11/05/2020

Log Analytics: Improved rendering of Charts

Hi all, I just found out today that the Render operator now supports more features in Log Analytics. Event | summarize dcount(EventID) by Computer , bin(TimeGenerated, 1h) | render timechart with (legend = hidden, title = “My Title here”, xtitle = “X title”, ytitle = “Y title”, ymin = 3, ymax = 10)

Cross-industry

Published 27/04/2020

Azure Sentinel: Adding the query data to an Alert in a Playbook

Azure Sentinel Playbooks (based on Logic Apps) are commonly used to take Alert data and perform a Security Orchestration, Automation and Response (SOAR) capability For this issue (I was asked about it twice today so decided to post the answer). You can use the “Run query and visualise results” to take the Query from the

Cross-industry

Published 18/03/2020

Azure Sentinel: CIDR matching

KQL has some IPV4 features. A new one last month is IPV4_is_match : https://docs.microsoft.com/en-us/azure/kusto/query/ipv4-is-matchfunction Two examples (more here https://github.com/CliveW-MSFT/KQLpublic/blob/master/Queries/CIDRexamples ): 1.Using the SigninLogs Table as data. This example takes an IP Address from the log and sees if it is in an allowed range or not. You define whats allowed or not in the CASE

Cross-industry

Published 16/03/2020

Azure Monitor Workbooks: How to find Virtual Machines that are in, and not in Azure!

Sorry I’ve been away for while, however I’m back with a few articles on Azure Monitor Workbooks. Thanks to Alp Babayigit for the idea and use case for this Workbook. I first started with Workbooks when Azure Sentinel was launched and published some articles here: https://techcommunity.microsoft.com/t5/azure-sentinel/azure-sentinel-and-azure-arc/ba-p/999379 https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-use-azure-sentinel-to-follow-a-users-travel-and-map-their/ba-p/981716 https://techcommunity.microsoft.com/t5/azure-sentinel/how-to-use-azure-monitor-workbooks-to-map-sentinel-data/ba-p/971818 Summary In this new Workbook, I

Tag: Azure Sentinel