Microsoft Sentinel Logs & Writing Queries (part 2 of 3)

To read part 1, please click here
To read part 3, please click here



The Tables Pane

It lists every log (table) that is part of your Log Analytics workspace, grouped using predefined groups.

After clicking on Tables, you can see the logs listed under LogManagement, Office365, SecurityInsights, WindowsFirewall and the other groups. Looking over the entries, you will notice a star icon and an eye icon to the right of each log's name.

Clicking the star icon saves the entry as a favorite, while clicking the eye icon opens a pop-up window showing the first 50 rows of the log. To the right of the Group by section is the Filters section, which lets you filter the view of the tables by the same categories used for grouping.

A single log can also be expanded to view all the columns that make up the log and the data type of each column.

The Filter Pane

The filter pane is empty until you run a query. It then analyzes the results of the query and generates useful filters for that query.

You can modify a query by clicking any of the checkboxes in the Filter pane and then choosing Apply & Run at the bottom of the screen. To filter on additional columns, click the funnel icon to add them.

After selecting all the required filters, click on the Apply & Run button to apply new filters and on the Clear button to remove all the selected filters.

The KQL Code Window

The KQL code window is located to the right of the Schema and Filter panes, where you can enter the KQL code you want to run. Similar to the page header, the KQL code window also has its own header. 

The KQL code window header

It contains the buttons that let you perform actions against your queries, including running, saving, copying and exporting them. Its buttons are as follows:

  1. Run - executes the KQL code in the window. Make sure the query you want to run is selected before clicking this button, so that the right query is run.
  2. Time range - determines how far back your query will look, unless a statement in your KQL code specifies how far back to look. It works the same as any other time range button.
  3. Save - as the name suggests, saves your query for future use.
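To make the Time range point concrete, here is an added KQL example (not from the original post) that fixes its own lookback window inside the query; it assumes the SecurityAlert table (from the SecurityInsights group) with its Status, AlertName and AlertSeverity columns is present in the workspace.

```kql
// Added example, not code from the original post.
// Assumes the SecurityAlert table exists in this workspace.

// Query 1: no time filter in the code, so the Time range button in the
// header decides how far back this looks (e.g. Last 24 hours).
SecurityAlert
| where Status == "New"
| summarize AlertCount = count() by AlertSeverity

// Query 2: the query filters on TimeGenerated itself, so the Time range
// button switches to "Set in query" and the picker is ignored; this always
// looks back exactly 7 days regardless of what the header shows.
SecurityAlert
| where TimeGenerated > ago(7d)
| where Status == "New"
| summarize AlertCount = count(), LatestAlert = max(TimeGenerated)
    by AlertName, AlertSeverity
| order by AlertCount desc
```

Select only one of the two queries before clicking Run, since the Run button executes whatever text is selected in the code window.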

Copy link

This one will help you to copy either the link, the query, or the results to the clipboard.

New alert rule

It contains a single entry, Create Microsoft Sentinel alert, which takes you to the new Analytics rule page, where you can create a new scheduled rule with the query already filled in.

Export

It offers the following three options:

  1. Export to CSV - All Columns - exports all the columns, whether shown or not, into a CSV file. When you click it, a file called query_data.csv is created and downloaded, with the actual steps determined by your browser settings.
  2. Export to CSV - Displayed Columns - similar to the option above, except that only the columns shown in the Results window are saved.
  3. Export to Power BI (M Query) - creates and downloads a file called powerBIQuery.txt and provides instructions for loading the query into the Microsoft Power BI application.

Pin to dashboard

It permits you to pin a query to an Azure portal dashboard so that you can easily see the results of the query. 

Prettify query

It reformats the KQL code to make it more readable. It uses its own internal rules to decide what is more readable, so you may or may not agree with how it reformats the code.

Running query

Once you are satisfied with your query, click the Run button to see the results, making sure that all the code you want to run is selected before clicking it.
