Workbooks
48 Topics

Insecure Protocol Workbook
Greetings, maybe most orgs have already eliminated insecure protocols and this workbook is no longer functional? I have it added and it appears to be collecting, but when I go to open the template it is completely empty. Is the Insecure Protocol (aka IP) workbook still supported, and if so, is there any newer documentation than the blog from 2000 around it? I am hoping to identify NTLM by user and device, as the domain controllers are all logging this and the MDI agents on them are forwarding this data to Defender for Identity and Sentinel.

How to Filter Logs by User Parameter in Sentinel Workbook KQL?
Hi everyone, I am trying to create a Sentinel Workbook with a dropdown parameter to filter logs based on a selected username. The goal is to dynamically toggle between users and see logs related to each user, including total data downloaded, accessed repositories, and timestamps. Here's what I have so far:

Syslog
| extend grpc_method_ = tostring(parse_json(SyslogMessage).["grpc.method"])
| extend grpc_request_glProjectPath_ = tostring(parse_json(SyslogMessage).["grpc.request.glProjectPath"])
| extend username_ = tostring(parse_json(SyslogMessage).username)
| extend user_id_ = tostring(parse_json(SyslogMessage).user_id)
| where isnotempty(username_)
| where trim(" ", username_) == trim(" ", '{{UserParam}}')
| extend remote_ip_ = tostring(parse_json(SyslogMessage).remote_ip)
| extend response_bytes_ = tostring(parse_json(SyslogMessage).response_bytes)
| where Facility == "Local"
| where ProcessName <> "ldsclient"
| where isnotempty(response_bytes_)
//| project TimeGenerated, username_, UserParam, grpc_method_, grpc_request_glProjectPath_, remote_ip_, response_bytes_

I set up a dropdown parameter called userParam, which pulls distinct usernames from the logs using this query:

Syslog
| extend username_ = tostring(parse_json(SyslogMessage).username)
| where isnotempty(username_)
| summarize count() by username_
| distinct username_

However, when I select a user from the dropdown, the main query fails. It seems the parameter is not being recognized correctly in the query. How can I properly reference a dropdown parameter in a Sentinel Workbook KQL query? Is there a better way to filter logs dynamically based on a selected user? Any help is highly appreciated!

Add Search Results to alert details in Microsoft Sentinel
Hi everyone, I'm working with Microsoft Sentinel and looking to enhance my alerts by appending search results to the alert details. Specifically, I want to include the events that triggered these alerts in the SecurityAlert table for better context during investigations and for archival purposes. I came across this guide: Customize alert details in Microsoft Sentinel, which explains how to customize alert details. However, it doesn't clarify whether it's possible to add search results directly to the alert details. Is there a way to achieve this? If so, what would be the best approach? I'd really appreciate any insights, best practices, or examples from those who have done something similar. Thanks in advance!

Investigation Insights Workbook IP address Search
Is there a way to roll back to a previous version of the Investigation Insights workbook? The new workbook from the content hub no longer allows you to enter an IP address without selecting entities and then IP addresses from the entity list. This was really useful when wanting to just search on an IP address that was suspect and see related IOCs, account sign-ins, etc. Please provide suggestions for either rolling back the Investigation Insights workbook or other ways to achieve the same.

ARM template for deploying a workbook template to Microsoft Sentinel
Hello, I am attempting to deploy an ARM Template (execution using PowerShell) for any Analytic Rule to a Microsoft Sentinel instance. I have been following this link: https://learn.microsoft.com/en-us/azure/azure-monitor/visualize/workbooks-automate#next-steps. I am struggling with ensuring the Workbook is deployed to the Microsoft Sentinel workbook gallery and NOT the Azure Monitor one. The link includes a sample ARM template where you can add <templateData> (JSON code), which represents the workbook you wish to deploy. I get it working to deploy to the Azure Monitor workbook gallery but not for it to be present in the Microsoft Sentinel one.

Jason

Microsoft Power BI connector for Microsoft Sentinel
Since the Microsoft Power BI connector for Microsoft Sentinel currently does not support data collection rules (DCRs), how can we transform or filter the data and monitor the logs? Is there any documentation available on this?

Workbook with multiple visualizations using lowest number of queries
Coming from the Splunk world and didn't find an answer to this in the workbook documentation. Is it possible to chain searches, like in Splunk, as explained here: https://docs.splunk.com/Documentation/Splunk/9.3.1/DashStudio/dsChain Trying to explain in KQL terms: suppose there are 3 very similar queries, like

same base search | condition 1
same base search | condition 2
same base search | condition 3

feeding 3 visualizations. The goal is to execute the "same base search" part only once in the workbook. Defining a new function for "same base search" still means 3 executions, I guess. Your response is appreciated. Thank you.

Sentinel workbook
We are creating a workbook to list all the active analytics rules with the source table name. We are able to list the analytics rules using the Azure Resource Manager API but unable to display the source table name of the rules. Please suggest. Also, trying to display the list of analytics rules with zero incidents created.

Sentinel Log Sources or asset list Information
In Sentinel, like in any other SIEM, how do we get the complete list of log sources which are integrated, along with some required fields like Device Vendor, Device Product, Host name/Computer, IP address? Is there any workbook or KQL which provides this information?