Questions tagged [azure-sentinel]

Microsoft Azure Sentinel is a proprietary cloud-native SIEM (Security Information and Event Management) software that provides security analytics for an enterprise application.

Microsoft Azure Sentinel is a scalable, cloud-native, security information event management (SIEM) and security orchestration automated response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

Azure Sentinel is a birds-eye view across the enterprise alleviating the stress of increasingly sophisticated attacks, increasing volumes of alerts, and long resolution timeframes.

Collect data at cloud scale across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds.
Detect previously undetected threats, and minimize false positives using Microsoft's analytics and unparalleled threat intelligence.
Investigate threats with artificial intelligence, and hunt for suspicious activities at scale, tapping into years of cyber security work at Microsoft.
Respond to incidents rapidly with built-in orchestration and automation of common tasks.

Building on the full range of existing Azure services, Azure Sentinel natively incorporates proven foundations, like Log Analytics, and Logic Apps. Azure Sentinel enriches your investigation and detection with AI, and provides Microsoft's threat intelligence stream and enables you to bring your own threat intelligence.

196 questions

vote

1 answer

KQL string function not parsing all characters

I'm having difficulty searching a field for a value in KQL. The field I am searching I get by decoding a base64 encoded string using the built in function base64_decode_tostring(). The string I am decoding…

kql azure-sentinel

asked Oct 11 '22 at 13:15

LiamWBA

vote

2 answers

Is it possible to rename a column that contains special signs and numbers in microsoft azure in KQL?

I started working with Microsoft's sentinel one. I'm working on gathering information from the logs that sentinel is producing. For better readability, I want to change the names of the columns that I'm projecting, but couldn't rename a column that…

kql azure-sentinel

asked Oct 01 '22 at 18:01

Dolev

vote

1 answer

Multiple dates within KQL query

I am trying to create a sentinel query using KQL which would only search for information on certain dates such as bank holidays. I have seen this can be done on other query languages however best I have created so far is having multiple dates in a…

azure azure-devops kql azure-sentinel

asked Sep 26 '22 at 21:59

Stuart

vote

1 answer

Cross Tenancy Automated Response via Powershell

I am stumbling on the following problem: I have a script that creates the automation response rules for a specific tenant. Now this works like a charm when the Logic App is in the same tenant and subscription. But I am stumbling on the error that…

powershell azure-logic-apps azure-sentinel

asked Sep 26 '22 at 08:37

Leonardo van de Weteringh

vote

2 answers

Kusto error - has_any(): failed to cast argument 2 to scalar constant

I am trying to use has_any in sentinel to pass a list (comma delimited) of IPs to a query in a workbook. The IP values will be passed into the query from a workbook parameter that the user enters. With the below test code, if I use BadIPList…

kql azure-sentinel

asked Sep 15 '22 at 02:00

rick l

vote

2 answers

Azure Kusto Query to trim multiple parts of a string

I'm using a KQL query in Azure to create a Sentinel alert. I can't workout how to trim a string to show the data between the third instance of the " character and the first instance of ( I've tried to use a trim_start/ trim_end and also a split…

kql azure-log-analytics azure-sentinel

asked Jul 26 '22 at 20:31

wosset

vote

1 answer

Azure AKS in-container logs to Azure Logs/Azure Sentinel

Is there an dynamic way to pull log data from inside my containers? All of my searches are returning that Azure Logs/Azure Sentinel can read data about AKS relative to the containers as they exist in K8s (online, running, failed, etc.) but not the…

azure-devops azure-aks azure-log-analytics log-shipping azure-sentinel

asked Apr 22 '22 at 20:06

thepip3r

2,855
6
32
38

vote

1 answer

Azure Sentinel Heartbeat Monitor

I have an Azure Hybrid environment that has about 60 servers. All with the Azure Monitoring Agent on them. My knowledge of KQL is basic so I have an extremely basic heartbeat monitor setup in Sentinel. It checks every 5 minutes and looks back over…

azure azure-sentinel

asked Apr 12 '22 at 09:08

GarudaLead

vote

1 answer

how to unpack a system.string data type into a flat string in kql

The schema shows that a field is a "system.string" and it has a variable number of elements, like a list of lists. What I would like to do is convert this into a normal string and store that in a field. Just tostring() does not cut it. It is like I…

kql azure-sentinel

asked Mar 30 '22 at 17:57

user8369515

vote

1 answer

How to apply a user defined function to a range of values in KQL

I have a function that outputs a table: let my_function = (InputDate: datetime){....} What I would like to do is apply this function on a range and combine the result as in: range date_X from ago(7d) to now() step 1d | project my_function…

kql azure-sentinel

asked Feb 07 '22 at 16:04

user8369515

vote

1 answer

How to correlate two entries when one of them is a number and the other is a range

I have two tables in Sentinel with data in them. I have field A in Table A that is a number. And I have two fields B and C in Table B which are also numbers but they represent a range. Like Table A field A contains the number '9', Table B field B…

azure-data-explorer kql azure-sentinel

asked Jan 08 '22 at 22:05

user7696812

vote

1 answer

TimeGenerated field not taking provided date

I am writting custom logs to log analytics. Based on the following link: https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api#create-a-request I should be able to use a field in the request header called:…

azure-log-analytics azure-sentinel

asked Dec 01 '21 at 18:55

Rakim

vote

2 answers

Is there any Lync Services or connectors available for Azure Sentinel or Azure Log Analytics to connect Azure Data Factory

I need to pull the data from Azure Sentinel in an Incremental manner. E.g: step 1: Need a daily login details to my UI from Sentinel(using KQL) step 2: create a pipeline from ADF step 3: Load the data in tables Is there any Lync Services or…

azure-data-factory azure-log-analytics azure-analysis-services azure-sentinel azure-analytics

asked Nov 15 '21 at 10:17

subham das

vote

2 answers

KQL query showing preceding logs from a specific log

I'm working on a query where I need the log that has a message of "Compromised" in it, then I want it to return the preceding 5 "deny" logs. New to KQL and just don't know the operator, so I appreciate the help! Current query: | sort by…

azure logging analytics kql azure-sentinel

asked Oct 29 '21 at 19:55

cs-tech

vote

2 answers

Creating tiles in azure sentinel workbook using KQL

I am using this query to display what I want in workbook, but I want to have individual tiles with their values respectively for very high, high, medium, etc. But when I write this query and turn on tiles in visualization, it wont give me options to…

kql azure-sentinel azure-monitor-workbooks

asked Oct 07 '21 at 08:39

Shikhin Dahikar

Prev 1 2

…

12 13 Next