Jan

Sentinel analytics rules have _SentinelHealth() for failure monitoring. Defender XDR custom detections have... nothing. No table, no native alerting. Just the GUI. How is everyone catching these silent detection failures? @msftsecurity #MicrosoftDefender

Yo, fam! Why’s Action Center history not popping up in my Advanced Hunting tables? Spill the tea, #MicrosoftDefender!

@ellishlomo Why is this posted in LinkedIn though? Shouldn't this be in the Sentinel blog or learn something something Sentinel?

An important update to the Office table in Microsoft Sentinel: the introduction of the AppAccessContext property. linkedin.com/pulse/new-way-…

@reprise_99 Find the first and last timestamp | summarize min(timestamp), max(timestamp)

People often share full Kusto queries, which is awesome, but what about those handy one liners and tips you have picked up along the way? Here are some of my favourites, share yours below! Extend an additional column for your local time, example +5 UTC: | extend LocalTime = TimeGenerated +5h Find events only on weekends, cast a variable to make it easy to read: let Saturday = time(6.00:00:00); let Sunday = time(0.00:00:00); AuditLogs | where dayofweek(TimeGenerated) in (Saturday, Sunday) Find events during certain hours of the day: | where hourofday(TimeGenerated) !between (4 .. 23) Calculate the minutes (or hours or days etc) between two events: | extend ['Minutes Between Events']=datetime_diff("minute",Timestamp1,Timestamp2) Parse the details, including browser family and version etc of a user agent: | extend UserAgentDetail = todynamic(parse_user_agent(UserAgent, "browser")) Decode base64 encoded strings, useful for PowerShell: | extend DecodedCommand = base64_decode_tostring(EncodedCommand) Rename columns while using project: | project LogTime=TimeGenerated, SigninLocation=Location, IP=IPAddress, Agent=UserAgent

In #MicrosoftSentinel how can you see if an incident / alert has been suppressed in #DefenderXDR ?

In #MicrosoftDefender how do you see when an incident was created? 🤔

@ITguySoCal You might check AuditLogs as well 🫠

KQL to spot missing Microsoft logs (excludes weekends since those are normally low) SigninLogs | where TimeGenerated >= ago(90d) | summarize SignInCount = count() by bin(datetime_utc_to_local(TimeGenerated,"US/Pacific"), 1d) | where dayofweek(Column1) !="6.00:00:00" and dayofweek(Column1) !="00:00:00" | order by Column1 I have additional variations of this that I am working on such as only plotting when the variance is > 30% - input from community is welcome.

@BertJanCyber Why can't they just allow adx() in Analytics rules instead of introducing more complexity and cost? 🤷‍♂️

New Blog 🛡️: Use Cases For Sentinel Summary Rules kqlquery.com/posts/sentinel…

Sentinel Analytics: Why can't I add UserPrincipalName to Account type directly? UserPrincipalName used by Defender, but Sentinel makes it so difficult. Is splitting the preferred solution? #MicrosoftSentinel #L60" target="_blank" rel="nofollow noopener">github.com/Azure/Azure-Se…

You can resolve alerts in Defender, but not in Sentinel🤔 #MicrosoftSentinel

@reprise_99 Hi Matt, how do query for phishing emails with QR code inside? 🤠

Kusto tip, if you are looking for recon in your environment and also use Defender for Identity, you can exclude the DfI sensor, as it uses various ports, including RDP to help map the network DeviceNetworkEvents | where InitiatingProcessFileName != "Microsoft.Tri.Sensor.exe"

@rodtrent Quick question. What is a "valid Sentinel entity structure". Any schema around? Ref techcommunity.microsoft.com/t5/microsoft-s…

Analytic rules - 'Sentinel entities' new entity type cda.ms/4q7 #MicrosoftSentinel #Cybersecurity #MicrosoftSecurity #Security