Member: Clive_Watson | Microsoft Community Hub

Recent Discussions

Re: How to Prevent Workspace Details from Appearing in LAQueryLogs During Cross-Workspace Queries
For me this is working as expected, as you need to know in the logs what has been done, however as you mention the downside is the visibility of this in the remote workspaces. If you avoid the workspace() function you can bypass this. By using the APIs to run the queries remotely e.g. run the query then loop through required workspaces - this will require some dev work or Postman etc... In this case you auth to each Workspace, as you go, so only one is listed in RequestContext. You maybe able to use Advanced Hunting from withing the Microsoft Defender MTO portal (not tested this much, so maybe check as I'm not 100%)
Jan 09, 2026 Place Microsoft Sentinel
36Views
1like
0Comments
Re: Tenant-based Microsoft Defender for Cloud Connector
Hello, did you do step 1 here? Ingest Microsoft Defender for Cloud incidents with Microsoft Defender XDR integration | Microsoft Learn
Nov 14, 2025 Place Microsoft Sentinel
146Views
0likes
1Comment
Re: need to create monitoring queries to track the health status of data connectors
Some data connectors (Monitor the health of your Microsoft Sentinel data connectors | Microsoft Learn) do write health the SentinelHealth table, Monitor the health of your Microsoft Sentinel data connectors | Microsoft Learn However for the majority you need to employ techniques like looking for when the last record was received or anomalies (this has long been the case) You can use KQL to find a Table and when it last ingested data, however you cant map a Table easily back to a Connector (or a Connector to a Table) Otherwise you need to use a Rest api to access Data Connector info (and ingest the results to use KQL) or use a Workbook.
Sep 29, 2025 Place Microsoft Sentinel
142Views
1like
0Comments
Re: Log Ingestion Delay in all Data connectors
Hello, I've not seen this before across such a range of connectors (assuming its not a blip and fixed itself) you might want to confirm in the Logs what the "lastSeen" or Last log recieved is. KQL union * | extend lastSeen = datetime_diff('minute',now(), TimeGenerated) | summarize arg_max(TimeGenerated,lastSeen) by TableName=Type | order by lastSeen desc
Sep 02, 2025 Place Microsoft Sentinel
74Views
0likes
0Comments
Re: Cannot use union * for Defender Hunting query to Create Detection Rule, so what other workarounds?
I'm sure this is because Sentinel excludes union * in the Logs blade within Sentinel (it will work outside Sentinel in similar looking logs blades, like in Log Analytics). It was excluded for performance reasons for Detections, as you could be looking through 10's, 100s or more tables and the results may not come back in enough time for the next alert trigger. More relevant for NRT or rules that trigger every 5mins. Can you union by named Table (e.g. union IdentityInfo) or Join or lookup? The screen shot you provided doesn't show the union * just a join.
May 13, 2025 Place Microsoft Defender XDR
403Views
1like
1Comment
Re: create incident in sentinel using logic apps after running query in azure data explorer
ADX doesn't have a trigger like you have for Sentinel. So you probably need to run your logic app on a schedule (every 5, 10, 15mins etc...) and have it run the code and then use the HTTP control to talk to the Incident API Incidents - Create Or Update - REST API (Azure Sentinel) | Microsoft Learn
Apr 25, 2025 Place Microsoft Sentinel
122Views
0likes
0Comments
Re: Extend sentinel/LAW table schema
Hi, please take a look at Transformations or the API Custom data ingestion and transformation in Microsoft Sentinel | Microsoft Learn
Apr 24, 2025 Place Microsoft Sentinel
160Views
0likes
1Comment
Re: Advanced Hunting Visualize Results
If you have some PowerBI skills you can try this below? Or us the API to extract the data for another tool? Create custom Microsoft Defender XDR reports using Microsoft Graph security API and Power BI - Microsoft Defender XDR | Microsoft Learn
Apr 24, 2025 Place Microsoft Defender XDR
272Views
1like
1Comment
Re: Advanced Hunting Visualize Results
Are you using Sentinel? If so, Azure Dashboards or Azure Workbooks are an option, when you connect USOP to Microsoft Sentinel (some data may also be needed to sync to Sentinel for which there is a cost).
Apr 23, 2025 Place Microsoft Defender XDR
96Views
0likes
0Comments
Re: Sentinel Incident Priority Mapping to SIR
Its often the case that you can store the additional values in the Sentinel "comments" using a Logic App / Playbook and then read/write these in your ITSM tool.
Apr 23, 2025 Place Azure Observability
136Views
0likes
0Comments
Re: Sentinel Log Volume vs Defender Log Volume
btw, you could have saved some typing and made sure all Tables were included, you can group with the union for example all tables that start with DEVICE or even multiple groups, as per this example union Device* , Email* | summarize RecordCount = count(), MDETotalSizeMB = round(sum(estimate_data_size(*))/pow(1024,2),2) You also have to assess if you need all the Tables duplicated in Sentinel, you normally do it for one of two reasons: 1. You need to retain the data for a longer period for ad-hoc Hunting/reporting or to meet a compliance obligation 2. You have Analytics that need the data in Sentinel - so make sure you are using the data you are syncing
Apr 23, 2025 Place Microsoft Sentinel
180Views
1like
0Comments
Re: How to use KQL to associate alerts with incidents?
If you do have Sentinel integration it would be this (just sharing in case you haven't seen it, and I know it wasn't the request you asked for, but the way I know that works) SecurityIncident | extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds)) | mv-expand AlertIds to typeof(string), Labels to typeof(string), Comments to typeof(string), AdditionalData to typeof(string) | join kind=leftouter ( SecurityAlert //| where TimeGenerated > ago(10m) ) on $right.SystemAlertId == $left.AlertIds | summarize AlertCount=dcount(AlertIds), arg_max ( TimeGenerated, * ) by IncidentNumber
Apr 17, 2025 Place Microsoft Defender XDR
79Views
0likes
0Comments
Re: Insecure Protocol Workbook
Hello, it probably been 5years since we last updated this, I'll check with the other 2 authors to make sure if there is any value in this still / or does it need a overhaul.
Apr 16, 2025 Place Microsoft Sentinel
219Views
1like
1Comment
Re: Scheduled Analytics Rule not triggering...
I'd look to remove the ago(1d) line from the SigninLogs part as the portal applies those, and retest You can also avoid the lowercase conversion and use the ID's let PrivilgedRoles = dynamic(["Global Administrator"]); let PrivilegedIdentities = IdentityInfo | summarize arg_max(TimeGenerated, *) by AccountObjectId | mv-expand AssignedRoles | where AssignedRoles in~ (PrivilgedRoles) | summarize AssignedRoles=make_set(AssignedRoles) by AccountObjectId, AccountSID, AccountUPN, AccountDisplayName, JobTitle, Department; SigninLogs | join kind=inner PrivilegedIdentities on $left.UserId == $right.AccountObjectId | project TimeGenerated, AccountDisplayName, AccountObjectId, AccountUPN, UserPrincipalName, AppDisplayName, ResultType, ResultDescription, IPAddress, LocationDetails
Mar 31, 2025 Place Microsoft Sentinel
34Views
0likes
0Comments
Re: Get Custom Details from Sentinel
Hello, so if you have defined Custom Details You can then query for those (example basic query) SecurityAlert | where * contains "Custom Details" | extend CustomDetails_ = tostring(parse_json(tostring(parse_json(tostring(parse_json(ExtendedProperties).["Custom Details"])).ParentFileName))[0]) | where isnotempty(CustomDetails_) | project CustomDetails_ | take 1
Mar 14, 2025 Place Microsoft Graph Security API
128Views
0likes
0Comments
Re: Add Search Results to alert details in Microsoft Sentinel
Hello, you already get a few places that take you to the results in the Investigation UI (see below), so I guess you need this data for some other use like in your ITSM tool? You'll see a query like this SecurityAlert | summarize arg_max(TimeGenerated, *) by SystemAlertId | where SystemAlertId in("a guid will go in here") and if there are events you'll see But if you really need it again, then as Gary says, a playbook will be the option Note even with the contents of OriginalQuery you may need to amend it to re-run at the same time as the original, so you may need something like this as a new line 1 of the query set query_now = datetime("1/1/2025, 2:20:46.333 PM");
Mar 14, 2025 Place Microsoft Sentinel
30Views
1like
1Comment
Re: KQL to extract URL from TI Feeds
or let url_ = '"3430907","2025-02-07 11:02:07","http://chmod0777kk.com/main","online","2025-02-07 11:02:07","malware_download","elf","https://urlhaus.abuse.ch/url/3430907/","anonymous"'; print url_ // assumes that HTTP is always in the 3 column (counting from 0) // trim is used to removed any " in the column | extend http_ = trim(@"[^\w]+",tostring(split(url_,',')[2]))
Feb 28, 2025 Place Microsoft Sentinel
117Views
0likes
0Comments
Re: Fetch security events with their underlying log entries
I tend to use this, which is very similar, you'd have to add you exclusion line into it: SecurityIncident | extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds)) | mv-expand AlertIds to typeof(string), Labels to typeof(string), Comments to typeof(string), AdditionalData to typeof(string) | join kind=leftouter ( SecurityAlert //| where TimeGenerated > ago(10m) ) on $right.SystemAlertId == $left.AlertIds | summarize AlertCount=dcount(AlertIds), arg_max ( TimeGenerated, Title, Severity, Status, Owner, ModifiedBy, CreatedTime, FirstModifiedTime, LastModifiedTime, Tags=tostring(parse_json(Labels).labelName), Comments=tostring(parse_json(Comments).message), AdditionalData, Tactics, Techniques, SubTechniques, Classification, ClassificationComment, ClassificationReason, ProviderName, Description, ExtendedProperties ) by IncidentNumber or just this if you want all raw columns SecurityIncident | extend Alerts = extract("\\[(.*?)\\]", 1, tostring(AlertIds)) | mv-expand AlertIds to typeof(string), Labels to typeof(string), Comments to typeof(string), AdditionalData to typeof(string) | join kind=leftouter ( SecurityAlert //| where TimeGenerated > ago(10m) ) on $right.SystemAlertId == $left.AlertIds | summarize AlertCount=dcount(AlertIds), arg_max ( TimeGenerated, * ) by IncidentNumber
Jan 29, 2025 Place Microsoft Sentinel
28Views
0likes
0Comments
Re: Investigation Insights Workbook IP address Search
That portal integration never existed when we created the workbook so wasn't tested, however it should "just work" but let me take a look if I get some time
Jan 28, 2025 Place Microsoft Sentinel
95Views
0likes
0Comments
Re: Fetch Sentinel admin activity
There is some data in the Activity logs, here is a brief example AzureActivity | where TimeGenerated > ago(90d) | where ResourceProviderValue =~ "Microsoft.SecurityInsights" | extend eventCategory_ = tostring(parse_json(Properties).eventCategory)
Jan 24, 2025 Place Microsoft Sentinel
146Views
1like
0Comments

User Profile

Clive_Watson

User Widgets

Recent Discussions

Re: How to Prevent Workspace Details from Appearing in LAQueryLogs During Cross-Workspace Queries

Re: Tenant-based Microsoft Defender for Cloud Connector

Re: need to create monitoring queries to track the health status of data connectors

Re: Log Ingestion Delay in all Data connectors

Re: Cannot use union * for Defender Hunting query to Create Detection Rule, so what other workarounds?

Re: create incident in sentinel using logic apps after running query in azure data explorer

Re: Extend sentinel/LAW table schema

Re: Advanced Hunting Visualize Results

Re: Advanced Hunting Visualize Results

Re: Sentinel Incident Priority Mapping to SIR

Re: Sentinel Log Volume vs Defender Log Volume

Re: How to use KQL to associate alerts with incidents?

Re: Insecure Protocol Workbook

Re: Scheduled Analytics Rule not triggering...

Re: Get Custom Details from Sentinel

Re: Add Search Results to alert details in Microsoft Sentinel

Re: KQL to extract URL from TI Feeds

Re: Fetch security events with their underlying log entries

Re: Investigation Insights Workbook IP address Search

Re: Fetch Sentinel admin activity

Recent Blog Articles