User Profile
ReganDangerCarey
Brass Contributor
Joined 6 years ago
Recent Discussions
Dashboard/KQL to monitor enabled data connectors across multiple workspaces
Hi all, has anyone had any luck building dashboards that utilise Lighthouse/cross-workspace queries to show and compare data connectors across multiple environments? Trying to streamline my view of all the enabled log sources but having issues with the KQL to actually compare, e.g. CustomerA has SecurityEvents enabled but CustomerB doesn't.
Solved | 778 Views | 0 likes | 1 Comment

Re: Reached the maximum limit of Analytics Rules of 512 in Sentinel
You can create a new workspace (without data) and use cross-workspace queries to hit the data in your main one. That way you can generate alerts in the other workspace to get around that limit. I'm surprised the 512 limitation isn't more prominently documented/mentioned, but I'd hazard that most orgs would struggle to come close to hitting that limit. Many don't have an analytics rule per MITRE tactic/technique.
6.9K Views | 2 likes | 1 Comment

Exporting Sentinel Analytics Rules on a Schedule
Hi all, has anyone come up with a method for automatically exporting analytics rules in an environment on a schedule? I understand that it's possible to do it through the GUI manually. Is there a PowerShell script that can be executed to grab them all in JSON? Curious what others have done/are doing in this space.
Solved | 2.4K Views | 0 likes | 3 Comments

Materialize() and time ranges in analytics rules
Hi all, I was looking for some clarification around this but wasn't able to find anything online that could confirm one way or another. If I want to use the materialize() function to cache 180d worth of data for use in my query, is it possible to use it in an Analytics Rule? The 14d lookback limitation is there, and I was wondering if materialize() is thus also restricted to 14 days maximum. My gut feel says it is, but some clear clarification on that would be awesome.
Solved | 1.6K Views | 0 likes | 2 Comments

Re: Need the export/download dashboard data in PDF format?
Along this line of thought, is there a query that can produce the stats from the portal? That being the Events, Alerts, Incidents bar and also the "Events and alerts over time" chart in Overview. Would love to be able to export that view and send it in an email or something like that.
7.2K Views | 0 likes | 2 Comments

Re: Microsoft Defender ATP and Malware Information Sharing Platform integration
Haim Goldshtein, I keep getting an error on this script: "Invoke-WebRequest : A parameter cannot be found that matches parameter name 'k'." on the "$response = curl -k --header" line. I've tried playing around with the curl/Invoke-WebRequest syntax a bit but no dice. Edit: Using PowerShell 7 resolved this.
23K Views | 0 likes | 0 Comments
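Added example for the "Dashboard/KQL to monitor enabled data connectors across multiple workspaces" post above (and the same cross-workspace mechanism the "Reached the maximum limit of Analytics Rules" reply relies on). This is not code from the original posts. It assumes two Lighthouse-delegated workspaces with the placeholder names CustomerA and CustomerB, reachable via workspace() from wherever the query runs (a full workspace resource ID can be used instead of a name if names collide across tenants). It treats a DataType that received billable data in the window as an enabled log source, which is what the Usage table can actually tell you; a connector that is configured but silent will show as a gap, which is usually what you want to know anyway.

```kql
// Added example, not from the original post. Placeholder workspace names:
// CustomerA and CustomerB. Usage records per-DataType ingestion in MB
// (QuantityUnit "MBytes"), so a DataType with billable rows in the window
// is treated here as an enabled connector.
let lookback = 7d;
let expected = dynamic(["CustomerA", "CustomerB"]);   // every workspace we expect to see
let ingestion = union
    (workspace("CustomerA").Usage | extend Workspace = "CustomerA"),
    (workspace("CustomerB").Usage | extend Workspace = "CustomerB")
    | where TimeGenerated > ago(lookback)
    | where IsBillable == true
    | summarize IngestedMB = sum(Quantity) by Workspace, DataType;
// One row per DataType: which workspaces have it and which do not.
ingestion
| summarize Workspaces = make_set(Workspace), TotalMB = sum(IngestedMB) by DataType
| extend MissingFrom = set_difference(expected, Workspaces)
| extend Status = iff(array_length(MissingFrom) == 0, "Enabled everywhere", "Gap")
| project DataType, Status, Workspaces, MissingFrom, TotalMB
| order by Status asc, DataType asc
```

To put this in a workbook, add a further workspace() branch to the union and the name to the expected list for each customer; the rest of the query does not change. The same workspace("...").Table reference is what a scheduled rule living in a separate, data-free workspace uses to query the main workspace, which is the workaround the 512-rule reply describes.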
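Added example for the "Materialize() and time ranges in analytics rules" post above, not code from the original post. It shows what materialize() is for: a baseline is computed once and referenced twice in the same query without re-scanning SecurityEvent. The window is kept within the 14-day maximum that a scheduled analytics rule's "lookup data from the last" setting allows, so the query returns the same rows whether it is run as a rule or as a hunting query. It assumes a SecurityEvent table with EventID 4625 (failed logon) data; the thresholds are placeholders. Note that materialize() has its own cache limit (5 GB per query), separate from any rule lookback.

```kql
// Added example, not from the original post. Assumes SecurityEvent with
// EventID 4625 rows. baselineDays + recentWindow stays under the 14-day
// scheduled-rule lookback cap on purpose.
let baselineDays   = 13;
let baselineWindow = baselineDays * 1d;
let recentWindow   = 1d;
// Cached once: per-account failed-logon counts over the baseline period.
let baseline = materialize(
    SecurityEvent
    | where TimeGenerated between (ago(baselineWindow + recentWindow) .. ago(recentWindow))
    | where EventID == 4625
    | summarize BaselineFailures = count() by TargetUserName
    | extend DailyAvg = todouble(BaselineFailures) / baselineDays
);
let recent =
    SecurityEvent
    | where TimeGenerated > ago(recentWindow)
    | where EventID == 4625
    | summarize RecentFailures = count() by TargetUserName;
// First use of the cached baseline: accounts failing far above their own norm.
let anomalies =
    recent
    | join kind=leftouter (baseline) on TargetUserName
    | extend DailyAvg = coalesce(DailyAvg, 0.0)
    | where RecentFailures > 20 and RecentFailures > 5 * DailyAvg;   // placeholder thresholds
// Second use of the same cache: report baseline coverage without recomputing it.
anomalies
| extend BaselineAccounts = toscalar(baseline | count)
| project TargetUserName, RecentFailures, DailyAvg, BaselineAccounts
| order by RecentFailures desc
```

Without materialize(), baseline would be evaluated separately for the join and for the toscalar() call; with it, the 13-day scan happens once.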
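Added example for the "Need the export/download dashboard data in PDF format?" reply above, not code from the original post. It rebuilds the Overview "Events / Alerts / Incidents" figures and the "Events and alerts over time" series from the tables the portal reads: Usage for ingestion, SecurityAlert for alerts and SecurityIncident for incidents. It assumes those three tables exist in the workspace. One approximation is labelled: Usage stores ingested volume in MB rather than row counts, so the "events" series here is volume, not an event count.

```kql
// Added example, not from the original post. Assumes Usage, SecurityAlert
// and SecurityIncident exist. "Ingested MB" stands in for the portal's
// event count, because Usage does not record row counts.
let window = 7d;
let grain  = 1d;
let events = Usage
    | where TimeGenerated > ago(window) and IsBillable == true
    | summarize Value = sum(Quantity) by Period = bin(TimeGenerated, grain)
    | extend Series = "Ingested MB";
let alerts = SecurityAlert
    | where TimeGenerated > ago(window)
    | summarize Value = todouble(dcount(SystemAlertId)) by Period = bin(TimeGenerated, grain)
    | extend Series = "Alerts";
// SecurityIncident holds one row per update; keep the latest row per incident
// and count incidents by the day they were created.
let incidents = SecurityIncident
    | where TimeGenerated > ago(window)
    | summarize arg_max(TimeGenerated, *) by IncidentNumber
    | where CreatedTime > ago(window)
    | summarize Value = todouble(count()) by Period = bin(CreatedTime, grain)
    | extend Series = "Incidents";
union events, alerts, incidents
| project Period, Series, Value
| order by Period asc, Series asc
// Append "| render timechart" for the over-time chart; the tabular form is
// what a Logic App or scheduled export can drop into an email.
```

Totals for the three headline tiles are the same query with the bin() grouping removed (summarize over the whole window instead of by Period).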