Category: Microsoft Sentinel | Microsoft Community Hub

Recent Discussions

kql query for distinct values
Hi there, I'm trying to query all computers that match 2 or more DISTINCT DisplayName fields. I can get the distinct count: SecurityAlert | where ProductName in("Microsoft Defender Advanced Threat Protection") | where ProviderName == "MDATP" | mv-expand parsejson(Entities) |extend Computer = tostring(Entities.HostName) |summarize dcount(DisplayName) by Computer |where dcount_DisplayName >= 2 |where Computer <> "" But I want a table that lists out the Computer AND all of the unique DisplayNames for each Computer. eg: Host1 - DisplayName1 DisplayName2 Host2 - DisplayName1 DisplayName2 In Splunk this would simply be: | stats values(DisplayName) as DisplayName, dc(DisplayName) by host Thanks for your thoughts.
Solved
SocInABox
Iron Contributor
Mar 20, 2021 Place Microsoft Sentinel
75KViews
0likes
8Comments
What exactly is the AppDisplayName "Microsoft Authentication Broker"
Hello, When reviewing failed Sign In attempts through KQL (invalid username/password), I sometimes see the AppDisplayName to be "Microsoft Authentication Broker". I have tried looking for the answer online, and it does seem to be related to some kind of authentication broker service (makes sense for the name). But I have yet to figure out what exactly it is. I guessed that this was perhaps the authentication app for Microsoft, but I did some testing on my own device and was unable to trigger the logs for Microsoft Authentication Broker. Has someone else any experience dealing with these? Might it be something going on in the background of MS?
Solved
Tobias_Moe
Copper Contributor
Sep 15, 2023 Place Microsoft Sentinel
investigation
KQL
siem
63KViews
0likes
5Comments
KQL String Search With Wildcards?
Is it possible to do KQL string searches with wildcards? For example, I'm hunting for files written to C:\ProgramData\ but I don't want to see files written to subfolders. I've done this in Splunk so I was surprised that the last line in my query below does not filter out anything. Show this: C:\ProgramData\evil.exe Filter this out: C:\ProgramData\MyApp\NotEvil.exe Query: DeviceFileEvents | where ActionType == "FileCreated" | where FolderPath contains "ProgramData" | where FolderPath !contains "ProgramData\\*\\*"
Solved
TheDilly
Copper Contributor
Mar 17, 2022 Place Microsoft Sentinel
KQL
kusto
53KViews
0likes
2Comments
Microsoft Teams Flow Bot
Anyone able to use Azure Sentinel --> Logic App with MS Teams Flow Bot to post message in a channel ? I haven't figure how to do it and although my logic app Post a message to Teams works - when my action is Post a message as the Flow Bot in a channel always fails
akefallonitis
Brass Contributor
Apr 28, 2020 Place Microsoft Sentinel
50KViews
0likes
8Comments
Comment/Uncomment multiple lines
Hi all, Do you know a way to comment and uncomment multiple lines in the Logs Blade in Azure Sentinel ? I find it not convenient to type "//" every time. Is there a way to create a custom shortcut for it ? Kind regards, Emmanuel NGUYEN
emmanuelnguyen
Copper Contributor
Apr 29, 2020 Place Microsoft Sentinel
37KViews
0likes
8Comments
Loop through array in KQL
Hi, I've been exploring parsing and noticed that when parsing xml you get dictionaries and arrays. You can't pass those in functions, but you can pass a var of type dynamic, but then to loop you have to make a table and join the table with the query that you ran. Does anybody have any idea of how to loop through an array, I couldn't find anything around this?
LodewykV
Copper Contributor
Oct 23, 2020 Place Microsoft Sentinel
35KViews
0likes
5Comments
KQL for AAD Group Add & Remove User
Hi all, I would like to create a KQL query that can alert when a user has been added to a Azure Security Group. What would be the best way to create this query? Thanks in advance, Janice
Solved
JCSBCH123
Copper Contributor
Feb 06, 2021 Place Microsoft Sentinel
33KViews
0likes
3Comments
KQL query question: Filter out results where condition1, condition2, condition3 all evaluate true
Hi Sentinel friends, I've googled and read through many guides and can't find an easy way to perform a multi-variable exclusion statement. I need to be able to exclude a result if multiple variables ALL evaluate true. The pseudo logic I'm looking to apply is something like: Table | where Event == "12" (pseudo code) | except where (condition1 == x AND condition2 == y AND condition 3 == z) I tried things like: 1) | !where condition1 == "x" and condition2 == "y" and condition3 == "z" [this doesn't work] 2) | where !(condition1 == "x" and condition2 == "y" and condition3 == "z") [this doesn't work] 3) | where condition1 != "x" and !condition2 != "y" and condition3 == "z" [the logic here evaluates all conditions separately, instead I need it to only exclude only when all of the variables evaluate true for a specific log line] The only way I could figure out how to do this was to do 2 queries then do a left antijoin of the resulting datasets, but it's a big and messy query. I'm hoping that there's a simpler method that I'm missing. Ex: Table | where Event == "12" | join kind=leftanti ( Table |where Event == "12" | where condition1 == "x" and condition2 == "y" and condition3 == "z") on KEY Note: I did find materialize so at least I'm not querying the dataset twice.
browesec
Copper Contributor
Jul 20, 2020 Place Microsoft Sentinel
31KViews
0likes
5Comments
Azure Sentinel vs. Azure LogAnalytics
Hi, Do we have already available some kind of comparison chart between Azure Sentinel and Azure LogAnalytics. I'm trying to understand differences between these two solutions. What to pick for customer cases. Thanks Br, Joonas
Joonas Pakkanen
Brass Contributor
Apr 16, 2019 Place Microsoft Sentinel
30KViews
1like
5Comments
How to get all logs for a specific user in sentinel
Hi Community, Help me out how to get all the logs for an user in sentinel. I was using the below quire but it is not written the expected results UserAccessAnalytics | where SourceEntityName == user email address. Thanks, Kishore
kishore_soc
Copper Contributor
Aug 25, 2021 Place Microsoft Sentinel
29KViews
0likes
3Comments
KQL to extract IP addresses from SecurityAlerts
I'm not sure if there is a simpler way to do this, but I wanted to get a list of all the IP addresses in both Entities and ExtendedProperties of SecurityAlerts. This is helpful to join on DeviceNetworkEvents or other tables that contain IP addresses to see if any IP from a SecurityAlert had other activity in your environment. Here is the KQL query that I came up with and saved as a custom function. Suggestions for improvement are welcome! SecurityAlert // First get lists of IP addresses from ExtendedProperties | extend properties = parse_json(ExtendedProperties) | extend IP_list = split(tostring(properties["IP Addresses"]), ",") | project IP_list | where isnotempty(IP_list) | summarize make_set(IP_list) | mv-expand set_IP_list // get each IP on its own row | where isnotempty(set_IP_list) | project IP = tostring(set_IP_list) // Now get every IP address from Entities that are type "ip" | union (SecurityAlert | extend Entities = parse_json(Entities) | project Entities | mv-expand Entities | extend EType = tostring(Entities.Type) | where EType == "ip" | extend IP = tostring(Entities.Address) | project IP) | order by IP
Solved
rpargman
Copper Contributor
Mar 02, 2021 Place Microsoft Sentinel
29KViews
2likes
2Comments
Sentinel & Cisco Meraki?
Has anyone had any experience with getting Cisco Meraki feeds ingesting into Sentinel? Just checking for any gotcha's...
David Caddick
Iron Contributor
Mar 16, 2020 Place Microsoft Sentinel
28KViews
2likes
20Comments
(KQL) Searching for all tables of a customer for MSSPs
Hi guys, I need/want to the number of records in each table (datatype) of a customer (accessed via delegation/lighthouse). So, I would like to perform a search * but restrict it to a specific workspace. The following KQL searchs for the tables in the current workspace (not in a customer's workspaces). search * | summarize count() by $table |sort by count_ * Note: I didn't find the documentation for the workspace() function (https://docs.microsoft.com/en-us/search/?scope=kusto&terms=workspace) I imagine something like the following (but of course it doesn't work) search in (workspace("ABC").*) and *| summarize count() by $table A folloow-up question is on how to restrict the time to the last month (like where TimeGenerated >ago(30d))) Is there anyone with super master of KQL skills to help me? or forwarding this to the dev team?
Solved
jjsantanna
Brass Contributor
Jan 29, 2021 Place Microsoft Sentinel
28KViews
0likes
4Comments
Kusto Regex Matches
I'm trying write a query that will match logs where a field contains any domain other than our own. This is what I have tried: | where Recipient matches regex @"(@(?!ourdomain)[A-Za-z0-9]+(.))" But Kusto uses the re2 library which does not support lookarounds, as noted here: https://github.com/google/re2/wiki/Syntax Is there a workaround in Kusto to exclude strings from regex matches?
andrew_bryant
Brass Contributor
Apr 15, 2020 Place Microsoft Sentinel
27KViews
0likes
5Comments
AMA vs MMA which one should we go ahead???
Hello there, we have an issue with one of the Azure sentinel clients, where the cost has considerably increased due to a particular Event ID generating alot of traffic. Event ID 4663: Attempt to access an object” has highest count of “8263330” within 24 hours We dont want to just filter out this event all togather since this event ID is important specially for monitoring of OS level executables which at times attackers exploit/misuse. Going through the documentation, I see that AMA has capability to filter the event IDs using the XPath queries. I went through one of the blog post that says that when using AMA instead of MMA, we need to consider below: AMA can co-exist with MMA however, we will receive two heartbeats from one endpoint, one for each agent AMA will also collect logs and MMA as well, so rather than reducing logs, we will be having more logs coming in. I have customer who already has MMA installed and I cannot just ask him to uninstall all the MMA agents and install AMA agents from scratch? any easy resolution for this problem? We have new customers coming in and I dont want to end up in the same situation, so shall we start using AMA agent, is it stable enough as compared to MMA? or recommended by Microsoft to move ahead instead of MMA.? I dont see AMA agent installed within sentinel portal, only MMA is there. so from where can i download this?? I need answers on the above queries, any help will be much appreciated? Thanks Fahad.
FahadAhmed
Brass Contributor
Nov 05, 2021 Place Microsoft Sentinel
detection
26KViews
1like
5Comments
Join Our Azure Sentinel Community
Visit Our Blog Now that we have announced Azure Sentinel, we'd like to invite you to speak directly to our engineering team. We believe that the best way to improve our products is by having no barrier between you and the people that create them. That's why we need your participation in our community. As part of our community you can influence our products and get early access to changes by participating in private previews, giving feedback, requesting features, reviewing product roadmaps, joining conference call discussions, or attending in-person events. To try out Azure Sentinel, log into your Azure Portal and then click here to join the preview. Join Us To join our community, click here, and then click the join button and the heart icon for Azure Sentinel, as pictured below. Stay Updated via our Blog To keep up-to-date on all our major announcements, please visit our blog at https://aka.ms/AzureSentinelBlog. Check Out our GitHub Repository We have queries, detections, playbooks, and more on our GitHub repository at https://aka.ms/AzureSentinel/GitHub and we'll be investing significant efforts developing this content. We welcome contributions and hope you benefit from the shared expertise of our entire community. Additional Security Groups Here's a list of other security-related groups you may want to join. Azure Azure Security Center Azure Security and Identity Enterprise Mobility + Security Azure Advanced Threat Protection and ATA Azure Information Protection Microsoft Cloud App Security Microsoft Graph Security API Security, Privacy & Compliance. Windows Defender Advanced Threat Protection Find us on LinkedIn We have a general discussion group on LinkedIn called the Microsoft Security Community, where I announce highlights from this site. Please join the group and feel free to connect with me. Webinars and Private Preview Calls We hold regular webinars and calls where we provide technical training, preview forthcoming features, gather feedback, and host discussions. Many of these allow you to join private previews. Meeting invitations for the calls are posted here in this group, so please check back regularly. Our latest Azure Sentinel webinar can be found at https://aka.ms/AzureSentinelWebinar. We hope to hear from you soon!
Solved
Ryan Heffernan
Microsoft
Feb 22, 2019 Place Microsoft Sentinel
26KViews
44likes
28Comments
Email Alerts on New and Assigned Incidents
This is probably something simple but I would like to set-up the following: 1) Email alerts any time a new incident is auto generated 2) Email alert any time an incident is assigned
Solved
Stefanie Cortese
Copper Contributor
Feb 06, 2020 Place Microsoft Sentinel
26KViews
0likes
13Comments
Azure Sentinel Demo
Hi, I would like to find a demo environment where I can use to show case Azure sentinel with live data. can somebody help me with this
Solved
judith860
Copper Contributor
Apr 28, 2020 Place Microsoft Sentinel
25KViews
0likes
5Comments
Adding On-Prem Domain Controller Event Logs
We've added several sources (ASA, syslog, multiple Azure sources) .. what is the best way to get our on-prem domain controllers to feed into Sentinel?
unixdespair
Copper Contributor
Mar 01, 2019 Place Microsoft Sentinel
24KViews
2likes
6Comments
How to export incidents in azure sentinel
Hi Team, I have need to export the incidents to excel. Is this possible ? Basically i want to summarize the no of incidents triggered for curtain time period and do further analysis on this. Thanks
Pavan_Gelli
Copper Contributor
Dec 17, 2019 Place Microsoft Sentinel
24KViews
0likes
19Comments

Recent Discussions

kql query for distinct values

What exactly is the AppDisplayName "Microsoft Authentication Broker"

KQL String Search With Wildcards?

Microsoft Teams Flow Bot

Comment/Uncomment multiple lines

Loop through array in KQL

KQL for AAD Group Add & Remove User

KQL query question: Filter out results where condition1, condition2, condition3 all evaluate true

Azure Sentinel vs. Azure LogAnalytics

How to get all logs for a specific user in sentinel

KQL to extract IP addresses from SecurityAlerts

Sentinel & Cisco Meraki?

(KQL) Searching for all tables of a customer for MSSPs

Kusto Regex Matches

AMA vs MMA which one should we go ahead???

Join Our Azure Sentinel Community

Email Alerts on New and Assigned Incidents

Azure Sentinel Demo

Adding On-Prem Domain Controller Event Logs

How to export incidents in azure sentinel

Events

Recent Blogs

Integrating Fluent Bit with Microsoft Sentinel

Introducing Threat Intelligence Ingestion Rules

Resources

Share

Tags