Blogs by Ashwin

  To read part 1, please click  here To read part 2, please click  here Investigating an Incident An incident investigation can be done in Microsoft Sentinel via the graphical investigation page, which is a graphical interface to show the incident in question as well as find the related information. There is an Investigate button at the bottom of the incident details page and by simply clicking on it you can start the graphical investigation but if it is grayed out, then, that means there are no entities associated with the incident as it requires at least one entity for the graphical investigation to work.  Clicking on the button will take you to a page divided into different sections where the header bar provides the general information related to the incident (like title, severity, status, owner, and last update time); there are two columns buttons on the right side of the screen and the column on the left is consists of screen control buttons in which the top but...

  To read part 1, please click  here To read part 3, please click  here Exploring the Full Details Page As the name suggests, this page can show you lots of information about an incident like details on the alert(s) that make up the incident, any bookmarks associated with this incident, details on any entity, and any comments added to this incident. You can get to the Full Details page by simply clicking on the View Full Details button in the incident details pane, where the right side of the page is divided into the tabs that can show information about the alert itself, any bookmarks for this incident, the entities for this incident, and a  list of all the comments. Each of the sections are described below: The Alerts Tab- This tab can show one or more alert(s) that make up an incident. There is a colored strip that shows the alert's severity. At the far right of this screen is the View playbooks link which can open a new pane showing all the playbooks. By clicking...

  To read part 2, please click  here To read part 3, please click  here Using the Microsoft Sentinel Incidents Page You can simply click on the Incidents link in the left-hand navigation panel to go to the incidents page which is divided into the header bar, the summary bar, the search and filtering section, and the incidents details pane described as follows: The Header Bar- As the name suggests, the header bar is located at the top of the page along with a Refresh button, timespan drop-down option, and Actions button which can help you to perform actions against multiple incidents at once like changing the severity, assigning an owner, changing the status as well as adding tags.  The Summary Bar- It is located below the header bar and generally shows the total number of open incidents, the number of new incidents, and the number of incidents that are still in progress. On the right side of it is a list of open incidents divided by severity to determine the ways of ...

  To read part 1, please click  here To read part 2, please click  here Workbook Step Types Each workbook consists of five different types of steps- text, query, metric, parameters, and link/tabs that are described below: Text- As the name suggests, by clicking on the Add Text link will add a step that can display text with the help of Markdown language. A new step will be added along with an empty textbox to enter your text. After you are done with entering the desired text along with any of the Markdown formatting commands, you can click on the Done Editing button to see your changes. [The Markdown language is text-based language that can be used in various systems, especially GitHub]. Query- With the help of KQL queries, you can easily display data from the logs in various formats like grids (or tables), area charts, different types of bar charts, line charts, pie charts, scatter charts, time charts, and tiles. Nowadays, the visualization types are mostly supported wit...

  To read part 1, please click  here To read part 3, please click  here Creating Workbooks You can create your own workbook using following ways: Creating a workbook using a template- By following the steps given below, you can create your own workbook using a template which is easier as you have a basis to start from- Click on the Save button on the templates's details page.  A pop-up window will ask you about the location to save the new workbook which should be the same where your Log Analytics workspace resides.  Now you can click OK to create a new workbook under My workbooks , with the same name as the template. This is a very simple method to create a workbook that can be modified as required. Creating a new workbook from scratch- This method is a bit more complicated as it requires creating a workbook, and then its editing as it is already saved with a default query assigned to it. You have to perform the following steps-   Click the Add w...

  To read part 2, please click  here To read part 3, please click  here An Overview of the Workbooks Page Firstly, you have to select Workbooks page from the Microsoft Sentinel navigation blade to view following icons: The Workbook Header- There are total number of workbooks saved, to the right of it total number of templates, and far-right side is the total number of templates that can be updated under the Refresh and Add workbook buttons. The Templates View- The My Workbooks and Templates tabs can be seen below the workbook header where the My Workbook tab shows all the accessible workbooks including shared as well personal whereas the Templates tab shows all the templates available to be used. You can select any tab. At the My Workbooks tab, every report have a green bar since every report is available to view. After that there is an icon representing the company that created the template, then the template name, and the company's name under this.  Workbook Detail...

  To read part 1, please click  here Creating an Analytic Rule You can easily create an analytic rule with the help of two methods- by using a rule template or using the built-in wizard. Creating a rule from a rule template If you want to use a rule template, you can simply select the rule in the list of rule templates. At the bottom of the details pane on the right side of the screen is a Create rule button which will take you to the Rule creation wizard pages if you click on it. The rule templates are based on the Fusion and machine learning rule types which allow you to determine if the rule should be enabled or not while creating it from the template. You can easily modify all of the fields of scheduled as well as Microsoft security rule types. Creating a new rule using using the wizard The wizard which is provided by Microsoft Sentinel to help you to create new analytic rules, consists of two or four pages according to the type of rule being created. There are two types...

  To read part 2, please click  here An Introduction to Microsoft Sentinel Analytics Microsoft Sentinel Analytics can help you to establish new rules to find the issues related to your environment, each of them with its own configuration steps suitable for the type of abnormalities you want to detect. Types of Analytic Rules The following are the various types of analytic rules described below: Scheduled- It is named as such because these rules runs on a set of schedules to detect suspicious events and the queries uses KQL to define their findings. These rules are present in the large proportion of of the analytic rules. Microsoft Security- They can create Microsoft Sentinel incidents from the alerts generated from the other Microsoft Security solutions. The following security solutions have their alerts passed through- Microsoft Cloud App Security Microsoft Defender for Cloud Azure Advanced Threat Protection Azure Active Directory Identity Protection Microsoft Defender Advanc...

  To read part 1, please click  here To read part 2, please click  here The Results Window It is located below the query window and obviously shows the results of your queries. I can also hide or show columns, filter the results as well as change how the results look. The results window header As the name suggests it is at the very top of the results window and offers information related to the results. The left side will tell you the information regarding your query while to the right of that is a stopwatch icon which is a very important tool to determine the efficiency of the running query. On the far right, is the total number of records returned which can be any number from 0 to 10,000 and help you to determine if there is a requirement to refine the query further or not.  The table tab On the left side of the page there are two tabs that allows you to define and filter your queries. On the far left is the default Table view showing the results in a column/row fo...

  To read part 1, please click  here To read part 3, please click  here The Tables Pane It contains the list of all the logs that are part of your Log Analytics workspace, grouped together using predefined groups.  After clicking on Tables, some of the logs listed under LogManagement, Office365, SecurityInsights, WindowsFirewall, and the others can be seen. After looking over at all the entries you will notice a star icon and an eye icon on the right of the log's name.  While clicking on the star icon the entry can be saved as favorite, the eye will open a new pop-up window showing the first 50 rows of the log. Towards the right of the Group by section is the Filters section which helps you to filter the view of the tables by any of the section's same categories. A single log can also be expanded for viewing of all the columns that make up the log and the data type of the column.  The Filter Pane The filter pane is very useful after running a query but befo...

  To read part 2, please click  here An Introduction to the Microsoft Sentinel Logs Page The Log Analytics workspace is at the top of the hierarchical pattern it follows and it can be considered as a container for all the individual logs for your instance of Microsoft Sentinel almost equivalent to a database in SQL. Individual logs called tables are present within each workspace that are equivalent to a table in SQL. These have a set of columns, and zero or more rows of data. There are also columns that can hold different types of data like text, date/time, integers, and others.  Navigating through the Logs page It's the page which shows you the list of all the logs belonging to your instance, existing queries, allows you to write your own queries, shows the results, and much more. First of all, choose Logs from the Microsoft Sentinel navigation section which takes you to the page having various sections like - Page Header, Tables Pane, Filter Pane, KQL Code Window, and S...

  Introduction to KQL Command The following table contains an overview of the commands, functions, and operators: Type Name Description Tabular Operators print Prints results of a query.   search Searches for specific data throughout the logs.   where Filters table to a subset of rows that satisfy a comparison.   take/limit Returns up to the specified number of rows.   count( ) Returns the number of records in the input record set.   summarize Produces a table that summarizes the content of the selected columns.   extend Creates calculated columns and appends them to the result set.   project Selects the columns to include.   distin...