Member: Morten_Knudsen | Microsoft Community Hub

Recent Discussions

TimeGenerated
Hi, I'm trying to return the LAST set of records - related to Updates I'm using this, but my problem is, that it only returns the set of records, if the time is 100% the same. | summarize hint.strategy=partitioned arg_max(TimeGenerated,*) by Computer,UpdateID I would like to give 1 min of "slack", so it returns all records +1/-1 the last value of TimeGenerated. How can I accomplish that ?
Apr 07, 2022 Place Azure Observability
Azure Log Analytics
azure monitor
1.1KViews
0likes
0Comments
Lost connection to "Network Performance Monitor" solution
We are using the LogAnalytics solution “Network Performance Monitor” Ealier today, I disabled one of the service connectivity test “Skype Online”, because we are not using Skype Online After I did this, I lost connection to the GUI part for Network Performance Monitor as shown below – and now I cannot configure it I can see, that data is still flowing from the agents, but I cannot configure the settings anymore I have tried to DELETE the whole solution – and ADD it again, with NO luck Any ideas to fix this ?
Apr 07, 2022 Place Azure Observability
Azure Log Analytics
azure monitor
1.1KViews
0likes
1Comment
How to add TEXT data e.g. "Need important update" in a Tile
Anyone having a query sample and instructions on how to add TITLE and SUBTITLE in TILES in Azure It only shows the Count - how can I make a TEXT column with e.g. "number of servers" TITLE: Need Critical updates Subtitle: Servers Footer: Last 30 days ------- Sample query is provided below Update | where TimeGenerated > now(-30d) | where OSType!="Linux" and Optional==false | where (UpdateState =~ "Needed") and ((Classification == "Critical Updates")) and (Approved!=false) and (PublishedDate < ago(31d)) | where (Product contains "server") and (Product !contains "drivers") | summarize arg_max(TimeGenerated, *) by Computer,UpdateID | distinct Computer | count
Apr 07, 2022 Place Azure Observability
azure monitor
607Views
0likes
0Comments
System Updates queries, how to find counts and list machines
Hi, I'm trying to make a bunch of queries + new dashboard, that is similar to the built-in queries in the System Update Assessment in Azure LogAnalytics. But I simply don't know, how I can make the right queries. I have tried to describe the needed queries below. Does anyone have something they would share with me - or similar queries, which can inspire me. My customer has made their own definitions/grouping: // CRITICAL NON-SECURITY UPDATES (monthly): Critical Updates // IMPORTANT SECURITY UPDATES (monthly): Security Updates, Security-only update, Update Rollups, Monthly Rollups // IMPORTANT FEATURE UPDATES (planned): Feature Packs, Updates, Servicing Stack Updates, Upgrades, Service Packs // Output: Pie Chart // Need Critical Updates = CriticalUpdatesCountTotal // Need Important Security Updates = SecurityUpdatesCountTotal // Need Important Feature Updates = FeatureUpdatesTotal // Up to date = NoPendingTotal ------------------------------- Basically I want to find number of machines, which has CRITICAL NON-SECURITY UPDATES pending, which are more than 1 months old to exclude this months updates number of machines, which have IMPORTANT SECURITY UPDATES pending which are more than 1 months old to exclude this months updates number of machines, which have IMPORTANT FEATURE UPDATES pending which are more than 1 months old to exclude this months updates number of machines, which have NO pending updates which are more than 1 months old to exclude this months updates Hints ?? // ---------------------------------------------------------------------------------- // Query 1: Count of machines (dashboard) // ---------------------------------------------------------------------------------- Update // find all Windows updates - excluding Definition Updates and Drivers | where OSType!="Linux" and Optional==false and Classification != "Definition Updates" and Classification != "Drivers" // Find newest updates entries per computer | summarize hint.strategy=partitioned arg_max(TimeGenerated, *) by Computer,SourceComputerId,UpdateID // Summarize number of machines, which has CRITICAL NON-SECURITY UPDATES pending, which are more than 1 months old to exclude ths months updates CriticalUpdatesCountTotal = UpdateState=~"Needed" and Approved!=false and Classification contains "Critical Updates" and PublishedDate < now(-31d) // Summarize number of machines, which have IMPORTANT SECURITY UPDATES pending which are more than 1 months old to exclude ths months updates SecurityUpdatesCountTotal = UpdateState=~"Needed" and Approved!=false and ( (Classification contains "Security Updates") or (Classification contains "Rollups") ) and PublishedDate < now(-31d) // Summarize number of machines, which have FEATURE UPDATES pending which are more than 1 months old to exclude ths months updates FeatureUpdatesTotal = UpdateState=~"Needed" and Approved!=false and ( (Classification contains "Feature Packs") or (Classification == "Updates") or (Classification == "Upgrades") or (Classification contains "Service Packs") ) and PublishedDate < now(-31d) // Summarize number of machines, which have NO pending updates which are more than 1 months old to exclude ths months updates NoPendingTotal = UpdateState=~"Needed" and Approved!=false and ( (Classification contains "Feature Packs") or (Classification == "Updates") or (Classification == "Upgrades") or (Classification contains "Service Packs") ) and PublishedDate < now(-31d) // Output: Pie Chart // Need Critical Updates = CriticalUpdatesCountTotal // Need Important Security Updates = SecurityUpdatesCountTotal // Need Important Feature Updates = FeatureUpdatesTotal // Up to date = NoPendingTotal // ---------------------------------------------------------------------------------- Query 2: List of machines which has CRITICAL NON-SECURITY UPDATES pending, which are more than 1 months old // ---------------------------------------------------------------------------------- Query 3: List of machines which has IMPORTANT SECURITY UPDATES pending, which are more than 1 months old // ---------------------------------------------------------------------------------- Query 4: List of machines which has FEATURE UPDATES pending, which are more than 1 months old // ---------------------------------------------------------------------------------- Query 5: List of machines which has NO pending updates, which are more than 1 months old // ---------------------------------------------------------------------------------- // Microsoft Definition // ---------------------------------------------------------------------------------- // Critical update - A widely released fix for a specific problem that addresses a critical, non-security-related bug. // Definition update - A widely released and frequent software update that contains additions to a product’s definition database. Definition databases are often used to detect objects that have specific attributes, such as malicious code, phishing websites, or junk mail. // Driver - Software that controls the input and output of a device. // Feature pack - New product functionality that is first distributed outside the context of a product release and that is typically included in the next full product release. // Security update - A widely released fix for a product-specific, security-related vulnerability. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low. // Service pack - A tested, cumulative set of all hotfixes, security updates, critical updates, and updates. Additionally, service packs may contain additional fixes for problems that are found internally since the release of the product. Service packs my also contain a limited number of customer-requested design changes or features. // Tool - A utility or feature that helps complete a task or set of tasks. // Update - A widely released fix for a specific problem. An update addresses a noncritical, non-security-related bug. // Update rollup - A tested, cumulative set of hotfixes, security updates, critical updates, and updates that are packaged together for easy deployment. A rollup generally targets a specific area, such as security, or a component of a product, such as Internet Information Services (IIS). // Security-only update - An update that collects all the new security updates for a given month and for a given product, addressing security-related vulnerabilities // Monthly Rollup - A tested, cumulative set of updates. They include both security and reliability updates that are packaged together. The Monthly Rollup is product specific, addresses both new security issues and nonsecurity issues in a single update and will proactively include updates that were released in the past. Security vulnerabilities are rated by their severity. The severity rating is indicated in the Microsoft security bulletin as critical, important, moderate, or low. This Monthly Rollup would be displayed under the title Security Monthly Quality Rollup when you download or install. This Monthly Rollup will be classified as an "Important" update on Windows Update and will automatically download and install if your Windows Update settings are configured to automatically download and install Important updates. // Servicing Stack Updates (SSU) - The "servicing stack" is the code that installs other operating system updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
Solved
Apr 07, 2022 Place Azure Observability
azure monitor
Log
19KViews
0likes
6Comments
Dashboard not showing actual value, but shows 1K - how can I change to actual value
I'm using the Number tile When numbers are >1000, it will change to 1K - instead of actual value 1136. How can I change so it will so actual number - it is critical to me
Apr 07, 2022 Place Azure Observability
Azure Log Analytics
azure monitor
3.5KViews
0likes
6Comments
How can I run a powershell script (Antimalware Collection) through the MMA agent ?
I have prepared a Powershell script that 1) asks Windows about which antivirus system is running and 2) parses the result using HTTP Data Collector API. But is it possible to wrap the script into the MMA agent, tha is already installed and running on all computers/servers ??
Apr 07, 2022 Place Azure Observability
Azure Log Analytics
azure monitor
915Views
0likes
1Comment
LogAnalytics View Designer - cannot save my View (nothing happens)
I have prepared a dashboard with overview tile and dashboard view. All queries are working fine. But nothing happens when I click the SAVE button, so the entire view doesn't get saved. Any hints ? /Morten
Apr 07, 2022 Place Azure Observability
Azure Log Analytics
azure monitor
2.9KViews
1like
8Comments
AntiMalware collection script does not collect any data from Win10 machines
I have enabled the AntiMalware collection in Azure LogAnalytics. On Win10 machines v1803 with latest updates until May 2019, I see this in the Eventlog under Operations Manager Event 9991 - AntiMalware Collection Script Started : Then another 5 sec later Event 9991 - AntiMalware Collection Script Finished : AntiMalware Collection Script Returned But there is NO data in the ProtectionStatus table about the machine. Other data about the machine IS COLLECTED fine, for example heartbeat, system update, etc. Hints ? I have other older WIn10 machines that shows in ProtectionStatus, but not newer Win10 machines Powershell is latest 5.1
Apr 07, 2022 Place Azure Observability
Azure Log Analytics Antimalware
azure monitor
1.4KViews
0likes
2Comments
OMS / Log Analytics - Filter Servers vs. Client computers
I'm a rookie into using Dashboards, PowerBI, Query, so bear with me, if my questions are basic 🙂 1. I would like to setup an Custom Update Dashboard on Azure, that contains the following views: Chile servers with missing critical updates or security updates Denmark servers with missing critical updates or security updates Norway servers with missing critical updates or security updates Chile client computers with missing critical updates or security updates Denmark client computers with missing critical updates or security updates Norway client computers with missing critical updates or security updates I'm hoping to be able to filter by RemoteIPCountry and OSVersion or similar It would be perfert with a nice graph per country with possibility to drill down How do I do that ? 2. I have also read that I should be able to clone current views in Log Analytics View Designer, but in my case, I don't see any of the standard OMS views in the View Designer - just a clean template Cheers Morten
Apr 07, 2022 Place Azure Observability
Azure Log Analytics
azure monitor
1.8KViews
0likes
1Comment
Secure Score - Data - no data to show
Why does my Secure Score keeps saying 'no data to show' for data
Nov 19, 2020 Place Microsoft Security
1.9KViews
3likes
1Comment
Enum of array in custom table
I have made a PS script uploading the complete list of applications. It is posted into a custom table in Log Analytics workspace. How can I enum the list using a query, where I get data into columns DisplayName, DisplayVersion, Publisher, InstallDate
Nov 04, 2020 Place Azure Data Explorer
Azure Data Explorer (Kusto)
Kusto language
788Views
0likes
0Comments
Re: Azure Automation connecting to Exchange with MFA enforced
Magnus Tengmo did you manage to solve this ?
Sep 09, 2019 Place Azure
25KViews
0likes
0Comments
Re: Secure score and MFA
Any news on this Anthony-Smith Our secure score is lacking many points, due to conditional access mfa is NOT recognized in Secure Score. please fix asap !!
Aug 29, 2019 Place Microsoft Security
5.2KViews
0likes
0Comments
Re: Lost connection to "Network Performance Monitor" solution
Problem solved. It was a bug with Microsoft. They are changing URLs. It is fixed now in all regions
Jun 21, 2019 Place Azure Observability
997Views
0likes
0Comments
Re: Geolocation query from IP address
Did you solve this - I'm very interested in getting this functionality :-)
Jun 17, 2019 Place Azure Observability
34KViews
0likes
1Comment
Re: Why doesn't O365 produce DMARC reporting?
Any news on Dmarc reporting from Microsoft/O365?
Jun 11, 2019 Place Microsoft 365
40KViews
1like
9Comments
Re: System Updates queries, how to find counts and list machines
Thank you - I managed to solve my queries by using your hints
May 29, 2019 Place Azure Observability
18KViews
1like
2Comments
Re: System Updates queries, how to find counts and list machines
CliveWatson Where is the query for these below - exactly those I need :-)
May 28, 2019 Place Azure Observability
19KViews
0likes
1Comment
Re: Dashboard not showing actual value, but shows 1K - how can I change to actual value
CliveWatson Thank You Clive. I have managed to solve it using Workbook in Azure Monitor :-) Thankx again !!
May 24, 2019 Place Azure Observability
3.4KViews
0likes
0Comments
Re: Dashboard not showing actual value, but shows 1K - how can I change to actual value
CliveWatson Thanks again Clive. We are getting close, but Azure Dashboard is new to me. I ahve been using View Designer so far. I have a simple query I would like to show on my dashboard with a single number. When I Edit my dashboard, I have the option to add 25 tiles from the gallery dashboard. Which of them would give me either Single number or Two Numbers query. A simple Query could be: Heartbeat | where TimeGenerated > ago(31d) | summarize hint.strategy=partitioned arg_max(TimeGenerated, *) by Computer | summarize total=count(Computer) | project tostring(total)
May 24, 2019 Place Azure Observability
3.4KViews
0likes
2Comments

User Profile

Morten_Knudsen

User Widgets

Recent Discussions

TimeGenerated

Lost connection to "Network Performance Monitor" solution

How to add TEXT data e.g. "Need important update" in a Tile

System Updates queries, how to find counts and list machines

Dashboard not showing actual value, but shows 1K - how can I change to actual value

How can I run a powershell script (Antimalware Collection) through the MMA agent ?

LogAnalytics View Designer - cannot save my View (nothing happens)

AntiMalware collection script does not collect any data from Win10 machines

OMS / Log Analytics - Filter Servers vs. Client computers

Secure Score - Data - no data to show

Enum of array in custom table

Re: Azure Automation connecting to Exchange with MFA enforced

Re: Secure score and MFA

Re: Lost connection to "Network Performance Monitor" solution

Re: Geolocation query from IP address

Re: Why doesn't O365 produce DMARC reporting?

Re: System Updates queries, how to find counts and list machines

Re: System Updates queries, how to find counts and list machines

Re: Dashboard not showing actual value, but shows 1K - how can I change to actual value

Re: Dashboard not showing actual value, but shows 1K - how can I change to actual value

Recent Blog Articles