Azure KQL – Working with IP Addresses

Introduction Much of the investigative work done inside of Microsoft Sentinel, as well as many other Azure products that use KQL, deals with IP Addresses. Matching, comparing, and seeing if they show up in a table are many of the actions we perform against IP Addresses. Luckily, KQL provides many different functions to work with […]

Azure KQL – Time After Time

Introduction Ok, the title is a bit cheesy, but the song just came on and it really does fit. Anyone who has used KQL for any length of time knows about the “datetime”, “now”, and “ago” command as in To see information in the last 5 days. However, KQL provides a lot more capabilities regarding […]

Get or Export Microsoft Sentinel Automation rules

Introduction I ran across a question where someone was asking how to extract Microsoft Sentinel automation rules. I had thought the functionality was already in the automation rules, but I was wrong. There is the functionality for analytic rules, but it is not yet there for automation rules. I had some simple PowerShell scripts that […]

Get the number of MS Sentinel rules looking at tables (approximately)

Overview Microsoft Sentinel can show you which MITRE tactics and techniques that are being used with your rules to see the total coverage. But how about which tables are being covered? Unfortunately, this data is not stored anywhere that is accessible. It would be nice to have a place to enter the tables being used […]

Mimic drilldown in a Microsoft Sentinel workbook

Overview I recently saw a question about how to do a drilldown in a Microsoft Sentinel workbook. While Rod Trent wrote a post called How to Make Your Azure Sentinel Workbooks Even More Interactive with Drilldowns and Downloads – Azure Cloud & AI Domain Blog (azurecloudai.blog) about 2 years ago on this subject, it deals […]

Azure KQL: Access sub-columns using the bag_unpack plugin

Overview When accessing information using KQL, sometimes you have a column that contains sub-columns that you want to access. There are a couple of different ways to obtain this information and I will show you two ways in this blog post. The first way will be to extract each column individually. While this works and, […]

Recreating a MS workbook in PowerBI: Part 4 – PowerBI Parameters

Overview Back in the first post in this series, I mentioned that you can easily change how far back you can look to get information in your queries. This post will talk about PowerBI parameters that we will use to do this. Create a parameter Parameters are very easy to create. In left hand navigation […]

Recreating a MS workbook in PowerBI: Part 3 – Working with tables

Overview So far in this series (if 3 posts can be considered a series), we have ingested data into PowerBI and created a basic report. We looked at some of the pitfalls that may happen when creating a table view. In this post, we will look at the tables themselves and how we can expand […]

Recreating a MS workbook in PowerBI: Part 2 – Create the report

Overview In the last blog post, Recreating a MS workbook in PowerBI: Part 1 – Get the data – Yet Another Security Blog (garybushey.com), we looked at how to get data from Microsoft Sentinel into PowerBI. In this blog post, we are going to create the basic report that mimics the Microsoft Sentinel Security Operations […]