User Profile
FeintBE
Copper Contributor
Joined 6 years ago
Recent Discussions
Azure Microsoft monitor agent install error :(
Hello all, A couple of days ago I uninstalled my Microsoft monitor agent from my VM (Windows Server 2019). I want to install it again but I get an error message (see picture): failed to install performance counters https://snipboard.io/Yc6bvE.jpg Any idea on how to fix this? Thanks!
3.7K Views, 0 likes, 1 Comment

Re: if statement in a KQL query?
CliveWatson Yes, my parameter comes from a dropdown list; I have JSON values for the dropdown list. The parameter I will use is called {Honeytoken:label}. What I want to achieve is that, based on the dropdown list value, another query should be executed. For example, you have this query:
SecurityEvent | where Computer contains "MainPC" | where EventID == 4663
I want this query to be executed in a grid form on my workbook when I choose the value File from the dropdown list. I was thinking of putting my query in a let variable like so:
let q = SecurityEvent | where Computer contains "MainPC" | where EventID == 4663;
Then use another SecurityEvent with the iff():
SecurityEvent | extend test = iff({Honeytoken:label} == "File", q, "none")
So if {Honeytoken:label} is equal to File, run the q variable (query), else do "none". But I get the error: 'extend' operator: Failed to resolve column or scalar expression named 'File'...
63K Views, 0 likes, 3 Comments

Azure Sentinel - Logs delay?
Hello, I've connected my Windows server with Azure Sentinel via the Security Events data connector. A few days ago, the delay of getting logs from Windows Event Manager to Azure Sentinel logs was 50 secs; now it is 10 minutes. Any idea on how I can see why it takes so long? Thanks!
5.1K Views, 0 likes, 3 Comments

Realtime alerting possible?
Hello, I was wondering if real-time alerting is possible; a 1-2 minute delay is OK. Setup: Windows server with client, connected to Azure Sentinel. Case: When someone tries to log in with an admin account and it fails, I would like to receive a mail. I already know how this would be done, but I'm struggling to send the real-time alert (the mail). Can it be done?
836 Views, 0 likes, 1 Comment

Analytic rule querying
Hello, I'm working on alerting in Azure Sentinel; my domain controller is connected with Azure, so for example when someone tries to log in to my domain, it will be logged. I already know you can make an analytic rule with a query and run it every x minutes, and you can attach a playbook to it, for example to send mail about the incident. But here is my question: how do you do real-time alerting? For example, in the analytics tab you can only trigger the query every 5 minutes to look if your query has results or not, and based on the results you can send an alert. You can't go below 5 minutes, which means if someone got access to the account, it would take at least 5 minutes to send an alert. Does anyone know how to query it, for example, every 1-2 minutes?
1.1K Views, 0 likes, 2 Comments