Azure KQL – Working with IP Addresses

Introduction Much of the investigative work done inside of Microsoft Sentinel, as well as many other Azure products that use KQL, deals with IP Addresses. Matching, comparing, and seeing if they show up in a table are many of the actions we perform against IP Addresses. Luckily, KQL provides many different functions to work with […]

Azure KQL – Time After Time

Introduction Ok, the title is a bit cheesy, but the song just came on and it really does fit. Anyone who has used KQL for any length of time knows about the “datetime”, “now”, and “ago” command as in To see information in the last 5 days. However, KQL provides a lot more capabilities regarding […]

Get the number of MS Sentinel rules looking at tables (approximately)

Overview Microsoft Sentinel can show you which MITRE tactics and techniques that are being used with your rules to see the total coverage. But how about which tables are being covered? Unfortunately, this data is not stored anywhere that is accessible. It would be nice to have a place to enter the tables being used […]

Recreating a MS workbook in PowerBI: Part 4 – PowerBI Parameters

Overview Back in the first post in this series, I mentioned that you can easily change how far back you can look to get information in your queries. This post will talk about PowerBI parameters that we will use to do this. Create a parameter Parameters are very easy to create. In left hand navigation […]

Recreating a MS workbook in PowerBI: Part 3 – Working with tables

Overview So far in this series (if 3 posts can be considered a series), we have ingested data into PowerBI and created a basic report. We looked at some of the pitfalls that may happen when creating a table view. In this post, we will look at the tables themselves and how we can expand […]

Recreating a MS workbook in PowerBI: Part 1 – Get the data

Overview In one of my last posts, I talked about the differences between Microsoft Sentinel workbooks and PowerBI. In this post, the first of however many I decide to write, we will look at converting the Security Operations Efficiency workbook into PowerBI. Why this workbook? There are a few reasons. It has different steps in […]

Determining when a Microsoft Sentinel incident’s owner has changed

Introduction If you are like me, you feel that one of the holes in Microsoft Sentinel is knowing when something changes. I am hoping that this changes soon (pun intended). In the meantime, I wrote a KQL query that will show you when a specific column changes. In this example, I will show you when […]

Nice shortcut in KQL to get JSON data in a dynamic column.

While looking at the SigninLogs table in Azure Sentinel I noticed there are a lot of dynamic fields that hold JSON data. I was trying to use parse_json to get to the data but it was always returning empty fields. I then realized that parse_json requires a string input, not a dynamic. After some messing […]