Sentinel Reports
We are switching over from an on-prem SIEM solution and moving to Sentinel. One very nice feature of our previous SIEM was that we could generate PDF reports for the board meetings very easily. I know you can make wondering graphs and dashboards within Sentinel using Playbooks and such but is the only way I have found to get them out of Sentinel is in an excel spreadsheet. Has anyone found a way to nicely generate reports through Sentinel?
Combine 2 columns in Single coulmn in KQL
Hi , I have data in sign-in logs as username and location, I want to combine username, location columns and add it to 3rd column. How I can do it in KQL. I have data like- User Name Location User-1 IN User-2 US User-3 GB User-4 MX I want it like following- User Details User-1 - IN User-2 - US User-3 - GB User-4 - MXPricing Calculator for Microsoft Sentinel
Hi everyone, I am using the Pricing Calculator for Microsoft Sentinel. I can see the pricing split into two parts - Azure Monitor and Microsoft Sentinel. In my understanding, Microsoft Sentinel will process the log stored in the Log Analytics Workspace. The Cost is based on the log size in the Log Analytics Workspace. It may not relate to the Azure Monitor part. The Pricing Calculator will charge the Azure Monitor part because Azure Monitor and Microsoft Sentinel share the same Log Analytics Workspace? Basically, I am not using Azure Monitor. Any method to reduce the cost of the Azure Monitor part?
Integration of Microsoft Sentinel & Microsoft TEAMS for integration of alerts
What are some of the best methods and strategies to start implementing an integration between Sentinel and TEAMS where when there are certain instances or alerts occurring, said alerts can be pinged to certain members on Microsoft TEAMS like through the use of playbooks, automations and setting up a API connection to integrate the two.
Sentinel KQL Query to retrieve last sign-in date.
Can someone take a look at my queries and see if they can find any errors please? My original query below provides as output all disabled accounts for the previous month and includes the admin who took the action, the disabled user along with their information and the time the account was disabled. //All User account that were disabled the previous month let lastmonth = getmonth(datetime(now)) - 1; let year = getyear(datetime(now)); let monthEnd = endofmonth(datetime(now), -1); SecurityEvent | where TimeGenerated >= make_datetime(year, lastmonth, 01) and TimeGenerated <= monthEnd | extend Disabled_EST = datetime_utc_to_local(TimeGenerated, "US/Eastern") | where EventID == "4725" | where AccountType == "User" |join IdentityInfo on $left.TargetSid== $right.AccountSID | summarize by TimeGenerated, Disabled_EST, Account, Activity, MemberName, TargetAccount, Computer, AccountDisplayName, GivenName, Surname | order by Disabled_EST asc Now the auditors want to also see when the disabled account was last signed-in so I need to add another column to the above, however I could not find any values from the IdentityInfo, the SecurityEvent and the SigninLogs tables that can be used to join the tables. So what I did was to start from scratch and use the slit function to create a field that I could use as a key for the join operation. The query below works as expected although I believe the builtin datetime_utc_to_local() function no longer works? As I'm still getting the UTC time it appears. SigninLogs |extend LastLoginTimeEST = datetime_utc_to_local(TimeGenerated, "US/Eastern") | extend NetAccount_ = tostring(split(AlternateSignInName, "@")[0]) | project-away AlternateSignInName | summarize max(LastLoginTimeEST) by NetAccount_, OperationName, AuthenticationRequirement So then the original query was modified to include the above query. Now I'm able to get as output the required columns and the last sign-in of the user. However, as mentioned earlier, the results appear to be incorrect as the date/time in this query does not match the output of the standalone SigninLogs query above. //Working but incorrect results shown in lastLogin_EST column let lastmonth = getmonth(datetime(now)) - 1; let year = getyear(datetime(now)); let monthEnd = endofmonth(datetime(now), -1); let SecurityEvents = SecurityEvent | where TimeGenerated >= make_datetime(year, lastmonth, 01) and TimeGenerated <= monthEnd //| extend EST_Disabled = datetime_utc_to_local(TimeGenerated, "US/Eastern") | where EventID == "4725" | where AccountType == "User" | join kind=leftouter (IdentityInfo | project AccountName, AccountDisplayName, GivenName, Surname) on $left.TargetUserName == $right.AccountName; let LastSigninLogs = SigninLogs //| extend LastLogin_EST = datetime_utc_to_local(TimeGenerated, "US/Eastern") | extend IdName=split(AlternateSignInName,"@", 0) | extend NetAccount_ = tostring(IdName[0]) | project-away IdName | summarize LastLogin_EST = max(TimeGenerated) by NetAccount_, OperationName, AuthenticationRequirement; SecurityEvents //|where Surname == "xyz" //use a lastname to reduce output for verification | join kind=leftouter LastSigninLogs on $left.TargetUserName == $right.NetAccount_ | summarize max(TimeGenerated)by TimeGenerated,Account, Activity, TargetAccount, Computer, AccountDisplayName, GivenName, Surname, LastLogin_EST, OperationName, AuthenticationRequirement //|extend DisabledEST= datetime_utc_to_local(max_TimeGenerated, "US/Eastern") Can someone take a look at help me find the bug or is this actually correct?
More than 10 failed logins per user and device
Hello I have been working with a query that is very useful but I want it to show me the username of the person as well as the device used. I am using a pre built query I found to detect more than 10 failed logins. As well I want to be able to search for a specific name of a person in our company. Thanks. Here is the query that I have been using. // Sample query to detect If there are more then 10 failed logon authentications on high value assets. // Update DeviceName to reflect your high value assets. // For questions @MiladMSFT on Twitter or email address removed for privacy reasons DeviceLogonEvents | where ActionType == "LogonFailed" | summarize LogonFailures=count() by DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn | where LogonFailures > 10 | project LogonFailures, DeviceName, LogonType, InitiatingProcessCommandLine, AccountName, InitiatingProcessAccountUpn | sort by LogonFailures desc
