KQL to count current enabled, disabled analytic rules
Hi, Would like some help in an KQL query to count the number of enabled and disabled analytic rules for entry into a workbook. Plus a simple count of connected data connectors so the number reflects the overview number and not all the enabled data types. Many thanks, Tim
Fill zero in the table for timechart
Hi, I would like to create a timechart for high daily number of incident in the past 7-day. However, not everyday has high incident. How could I fill the 0 into the result if that day has no high incident? I had the similar ticket before: https://techcommunity.microsoft.com/t5/microsoft-sentinel/barchart-when-the-returned-result-is-zero/m-p/3219799#M9144 I am not sure if i need to create the dynamic object for the past 7-day. Thanks. SecurityIncident | where Severity == "High" | summarize StartTime = startofday(min(TimeGenerated)), count() by Severity, IncidentNumber | summarize count() by bin(StartTime,1d)
Firewalls Integration with Sentinel
Hello, We have integrated F5 (WAF Firewall) and Palo Alto firewall with Microsoft Sentinel, using CEF Collector, the Logs received in the server of CEF collector are have all the values of events as we see using tcpdump to capture that logs, but when trying to see that logs in CommonSecurityLogs table, there are some fields missing like ExternalId of event linked with Firewall, which is important for referencing the event in Sentinel with event in Firewall. Is there any method to fetch these missing field, i'm thinking the out of box connector using logic app can implement this, but i want to ask if there is another method for that. Thank you
