Microsoft Sentinel Logs & Writing Queries (part 2 of 3)

By Ashwin Venugopal -

 



To read part 1, please click here
To read part 3, please click here



The Tables Pane

It contains the list of all the logs that are part of your Log Analytics workspace, grouped together using predefined groups. 

After clicking on Tables, some of the logs listed under LogManagement, Office365, SecurityInsights, WindowsFirewall, and the others can be seen. After looking over at all the entries you will notice a star icon and an eye icon on the right of the log's name. 

While clicking on the star icon the entry can be saved as favorite, the eye will open a new pop-up window showing the first 50 rows of the log. Towards the right of the Group by section is the Filters section which helps you to filter the view of the tables by any of the section's same categories.

A single log can also be expanded for viewing of all the columns that make up the log and the data type of the column. 

The Filter Pane

The filter pane is very useful after running a query but before that it is empty. It analyzes the results of the query being run and generate useful filters for that query. 

You can easily modify a query by simply clicking on any of the checkboxes in the Filter pane and then choosing Apply & Run at the bottom of the screen. To filter the additional columns you have to click on the funnel icon to add them. 

After selecting all the required filters, click on the Apply & Run button to apply new filters and on the Clear button to remove all the selected filters.

The KQL Code Window

The KQL code window is located to the right of the Schema and Filter panes, where you can enter the KQL code you want to run. Similar to the page header, the KQL code window also has its own header. 

The KQL code window header

It contains the buttons that helps you to perform actions against your queries, including running, saving, copying as well as exporting them. Its various buttons are as follows:

  1. Run- This button can execute any KQL code in the window while ensuring that the query is selected before clicking this button to make sure your query is run.
  2. Time range- It can easily determine how far back your query will look, unless there is a statement in your KQL code that especially states that how far back to look. It works the same as any other time range button.
  3. Save- As the name suggests, it can help you to save your query for future use.

Copy link

This one will help you to copy either the link, the query, or the results to the clipboard.

New alert rule

It contains an entry under it called Create Microsoft Sentinel alert button which will take you to the new Analytics rule page where you can create a new scheduled rule containing an already filled in query. 

Export

It offers following three options:

  1. Export to CSV - All Columns- It can export all the columns, whether shown or not, into a CSV file and when you click it, a file called query_data.csv is created as well as downloaded along with the actual steps determined by your browser settings.
  2. Export to CSV - Displayed Columns- This one is similar to the above one except for the fact that the columns that are shown in the Results window will be saved. 
  3. Export to Power BI (M Query)- It can create and download a file known as powerBIQuery.txt and offers the instructions to load this query into the Microsoft PowerBI application.  

Pin to dashboard

It permits you to pin a query to an Azure portal dashboard so that you can easily see the results of the query. 

Prettify query

It can reformat the KQL code to make it more readable having internal rules to determine what is more readable so you or may not agree with how it reformats the code.

Running query

Now if you are satisfied with your query, you can click on the Run button to see the desired results meanwhile ensuring that all the code in your query that you want to run is pre-selected before clicking on it.  




To read part 1, please click here
To read part 3, please click here




Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning...
Read more