Member: Rod_Trent | Microsoft Community Hub

Recent Discussions

Re: KQL Queries
I cheated by asking Copilot for Security for the KQL query, but try the following: DeviceInfo | where SensorHealthState == 'Active' and OnboardingStatus == 'Onboarded' | join kind=inner (DeviceTvmSoftwareVulnerabilities) on DeviceId | summarize by DeviceId, DeviceName, OSPlatform, RecommendedSecurityUpdate
Sep 26, 2024 Place Microsoft Sentinel
543Views
1like
2Comments
Re: Data Base Integration with Sentinel
Sentinel utilizes its own data and data structure (Log Analytics) which is more efficient and better performant than legacy database types. You can ingest data from various sources to Sentinel to enable Sentinel to analyze and alert on security indicators. See the following which includes ingesting custom data types: https://learn.microsoft.com/en-us/azure/sentinel/connect-data-sources?tabs=azure-portal You can migrate Splunk and ArcSight to Sentinel. See the following for Splunk: https://learn.microsoft.com/en-us/azure/sentinel/migration-splunk-detection-rules See the following for ArcSight: https://learn.microsoft.com/en-us/azure/sentinel/migration-arcsight-detection-rules
May 30, 2024 Place Microsoft Sentinel
330Views
0likes
0Comments
Re: Copilot for security skill name
KnighthellUse the System Capabilities area to find what each enabled plugin can accomplish.
May 13, 2024 Place Microsoft Sentinel
467Views
0likes
0Comments
Re: How to determine where an alert rule comes from?
You should be able to click on the link for Analytics Rule in the info pane. This will take you directly to the Analytics Rule that generated the Incident.
Nov 20, 2023 Place Microsoft Sentinel
1KViews
0likes
2Comments
Re: Seeking Guidance on Best Practices for Ingesting Azure Diagnostics Logging into Sentinel
Most generally, you can avoid Azure Diagnostics as most of the data there is health and performance for Azure services. However, there are unique cases. For example, Azure Cognitive services (all the AI stuff) only logs to the Azure Diagnostics log right now.
Sep 13, 2023 Place Microsoft Sentinel
466Views
0likes
0Comments
Re: AI & ML for Cyber Security
I highly recommend starting with the following book: "Not with a Bug, But with a Sticker: Attacks on Machine Learning Systems and What To Do About Them" https://amzn.to/3YjfjXa And, then a great reference is the new MITRE ATLAS: https://atlas.mitre.org/
Aug 01, 2023 Place AI - Azure AI services
1.2KViews
0likes
0Comments
Re: Hi Community!, I'm looking how to apply IA and ML on SOC , for cybersecurity, thanks
And of course, don't forget Microsoft Sentinel has been using ML since day one to help sift through the unnecessary alerts to free efficiency for security teams. 😉 This is built in, i.e., the ML stuff. For AI, its easy to implement using the APIs. In Sentinel we do this currently through the use of Logic Apps. There's several good blogs out there that showcase this. Here's one example: https://rodtrent.substack.com/p/generating-kql-from-microsoft-sentinel I started a series on my blog recently (aka.ms/RodsBlog) to show how to build your own Security Copilot using Azure Cognitive services and Azure OpenAI.
Jul 14, 2023 Place AI - Azure AI services
891Views
1like
0Comments
Re: Looking for KQL query when high volume of USB writes happens by a user
The default is usually 24 hours, but you can set it in the query. Here it is for the past 2 days... DeviceFileEvents | where Timestamp > ago(2d) | where ActionType == "FileModified" | summarize USBWriteCount = count() by InitiatingProcessAccountName | where USBWriteCount > 1 | order by USBWriteCount desc
Jul 12, 2023 Place Microsoft Defender for Endpoint
3.5KViews
0likes
1Comment
Re: Looking for KQL query when high volume of USB writes happens by a user
I don't have a lot of USB data in my tenant and KQLSearch.com doesn't have much for this. Try the following (filemodified instead of filewrite): DeviceFileEvents | where ActionType == "FileModified" | summarize USBWriteCount = count() by InitiatingProcessAccountName | where USBWriteCount > 1 | order by USBWriteCount desc
Jul 12, 2023 Place Microsoft Defender for Endpoint
3.6KViews
0likes
3Comments
Re: Looking for KQL query when high volume of USB writes happens by a user
Replace that with InitiatingProcessAccountName. Here's the schema for that table: https://learn.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-devicefileevents-table?view=o365-worldwide
Jul 12, 2023 Place Microsoft Defender for Endpoint
3.7KViews
0likes
5Comments
Re: Looking for KQL query when high volume of USB writes happens by a user
In Microsoft Defender for Endpoint, you can use the following KQL query to show a high volume of USB writes by a single user. Modify the Threshold value to define what you consider a "high volume" of USB writes. DeviceFileEvents | where ActionType == "FileWrite" and InitiatingProcessFileName == "explorer.exe" and FileName contains ".usb" | summarize USBWriteCount = count() by AccountName | where USBWriteCount > Threshold // Replace Threshold with a specific value to define "high volume" | order by USBWriteCount desc
Jul 12, 2023 Place Microsoft Defender for Endpoint
3.7KViews
0likes
7Comments
Re: fooUser appearing in Sentinel device logs
Excellent blog here, too: https://call4cloud.nl/2022/09/foouser-meets-the-cosmic-autopilot-user/
Apr 26, 2023 Place Microsoft Sentinel
20KViews
0likes
0Comments
Re: fooUser appearing in Sentinel device logs
Just a heads-up. This part of an open, active ticket now.
Apr 24, 2023 Place Microsoft Sentinel
21KViews
0likes
1Comment
Re: How to generate Sentinel incidents to test playbooks?
Which one? Here's the Analytics Rule: https://github.com/rod-trent/SentinelKQL/blob/master/AR-CloudShellExecution.txt Sending emails: https://azurecloudai.blog/2020/09/23/sentinel-email-notification-logic-app/
Apr 20, 2023 Place Microsoft Sentinel
5.9KViews
0likes
0Comments
Re: fooUser appearing in Sentinel device logs
Please open a ticket. Also, run the following to show exactly which tables fooUser is showing up in: search "fooUser" | distinct $table
Apr 19, 2023 Place Microsoft Sentinel
21KViews
1like
2Comments
Re: RE: How you extract 'Incident ARM ID' from a KQL query to be used in a Logic App
That is the ARM ID, yes.
Mar 28, 2023 Place Microsoft Sentinel
2.8KViews
1like
0Comments
Re: RE: How you extract 'Incident ARM ID' from a KQL query to be used in a Logic App
JMSHW0420It comes from the system assigned Incident ID, the same ID that's included on the URL for the Incident in the browser. In the SecurityIncident table it's in the IncidentName data column.
Mar 24, 2023 Place Microsoft Sentinel
2.9KViews
0likes
3Comments
Re: Analytic rules, KQL queries and UEBA pricing
There's not cost to run queries. Sentinel costs are at the base level ingestion and data retention. There's other things that factor in like Logic Apps, etc. but for the most part it's just the ingestion and data retention. UEBA consists of four tables: BehaviorAnalytics, IdentityInfo, UserAccessAnalytics, and UserPeerAnalytics. You can look at how much each will cost based on ingestion and data retention using the following query: https://github.com/rod-trent/SentinelKQL/blob/master/UEBACosts.txt And, if you ever want to know which tables do or do not factor into cost, you can use the following query to show the isBillable flag: https://github.com/rod-trent/SentinelKQL/blob/master/TableUsageandCost.txt
Mar 24, 2023 Place Microsoft Sentinel
3.2KViews
1like
1Comment
Re: Hunting suspicious PowerShell activity in Defender
Here's a couple KQL queries that may help explain it and the tables the information comes from... https://github.com/rod-trent/SentinelKQL/blob/master/PowerShellExecutionwithDownload.txt
Mar 17, 2023 Place Microsoft Defender XDR
8KViews
0likes
1Comment
Re: Threat intelligence TAXII
Anomali shutdown the feeds last August: https://azurecloudai.blog/2022/08/12/anomali-limo-feeds-for-microsoft-sentinel-to-expire/ Here's an alternative: https://github.com/Cyberlorians/Articles/blob/main/MISPTISetup.md
Feb 13, 2023 Place Microsoft Sentinel
4KViews
1like
0Comments

User Profile

Rod_Trent

User Widgets

Recent Discussions

Re: KQL Queries

Re: Data Base Integration with Sentinel

Re: Copilot for security skill name

Re: How to determine where an alert rule comes from?

Re: Seeking Guidance on Best Practices for Ingesting Azure Diagnostics Logging into Sentinel

Re: AI & ML for Cyber Security

Re: Hi Community!, I'm looking how to apply IA and ML on SOC , for cybersecurity, thanks

Re: Looking for KQL query when high volume of USB writes happens by a user

Re: Looking for KQL query when high volume of USB writes happens by a user

Re: Looking for KQL query when high volume of USB writes happens by a user

Re: Looking for KQL query when high volume of USB writes happens by a user

Re: fooUser appearing in Sentinel device logs

Re: fooUser appearing in Sentinel device logs

Re: How to generate Sentinel incidents to test playbooks?

Re: fooUser appearing in Sentinel device logs

Re: RE: How you extract 'Incident ARM ID' from a KQL query to be used in a Logic App

Re: RE: How you extract 'Incident ARM ID' from a KQL query to be used in a Logic App

Re: Analytic rules, KQL queries and UEBA pricing

Re: Hunting suspicious PowerShell activity in Defender

Re: Threat intelligence TAXII

Groups

Recent Blog Articles

Know Before You Go: Security Copilot at Microsoft Ignite 2024

Building securely: Microsoft Build 2024

Re: Improving Threat Hunting Efficiency using Copilot for Security

Improving Threat Hunting Efficiency using Copilot for Security

Re: Announcing General Availability of Azure AI Content Safety

Re: Azure Network Security Ninja Training

Microsoft Sentinel Notebooks Ninja Part 2: Getting Started with Microsoft Sentinel Notebooks

Microsoft Sentinel Notebooks Ninja Part 3: Overview of the Pre-built Notebooks - the Grand List

Sharing Microsoft Sentinel Workbook Data with Someone Outside the SIEM

Re: How to display Azure Monitor alerts with smart lights and no code