let LastSigninLogs = SigninLogs
//| extend LastLogin_EST=datetime_utc_to_local(TimeGenerated,"US/Eastern")
| extend IdName=split(AlternateSignInName,"@",0)
| extend NetAccount_=tostring(IdName[0])
| project-away IdName
| summarize LastLogin_EST=max(TimeGenerated) by NetAccount...
Hi, I'm currently trying to create a KQL query for an alert rule in Sentinel. The log source upon which the alert rule is based only contains the SAMAccountName, which prevents me from mapping it to an Account entity in the alert. I'm therefore trying to use the IdentityInfo table ...
GBushey Microsoft Jan 23, 2024 I would start by looking at the "Azure Devops Auditing" solution under the Content Hub. There are some manual steps that are required to get the DevOps data into Sentinel. ...
I need to use variables as parameters of functions in Sentinel Logs. I have:
let t = "Syslog";
let name = "my-Sentinel";
let id = "abc123";
Well, if I do this, it works fine:
table("Syslog")
table(t)
workspace("my-Sentinel").table("Syslog")
workspace("my-Sentinel").Syslog
Bu...
Hi, I'm new to Sentinel and KQL and wish to use the Security Event logs that are being sent to Sentinel to get information about AD logons. I have managed to...
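The three questions above (last sign-in per account from the UPN prefix, mapping a log source that only carries the SAMAccountName to an Account entity via IdentityInfo, and pulling AD logons out of SecurityEvent) share one pattern: normalise the short account name, join it to the latest IdentityInfo snapshot, and carry the resulting UPN / object ID / SID into the analytics rule so the Account entity can be mapped. The query below is an added example, not code from any of the posts or from Microsoft; the SecurityEvent and IdentityInfo rows are constructed inline with datatable() so it runs in any workspace, and it assumes that IdentityInfo.AccountName holds the sAMAccountName and that SecurityEvent.TargetUserName holds the same value for 4624 events (both are assumptions to verify against your own data before swapping the real tables in).

```kusto
// Constructed stand-in for SecurityEvent 4624 (successful logon) rows.
// Only the short account name is present, no UPN, object ID or SID.
let SampleLogons = datatable(TimeGenerated:datetime, EventID:int, Computer:string,
                             TargetUserName:string, TargetDomainName:string,
                             LogonType:int, IpAddress:string)
[
    datetime(2024-01-23T13:05:00Z), 4624, "FS01.corp.example.com", "jdoe",        "CORP", 10, "10.1.2.3",
    datetime(2024-01-23T14:10:00Z), 4624, "FS01.corp.example.com", "JDOE",        "CORP", 3,  "10.1.2.4",
    datetime(2024-01-23T15:00:00Z), 4624, "DC01.corp.example.com", "svc_backup",  "CORP", 5,  "-",
    datetime(2024-01-23T15:30:00Z), 4624, "WS22.corp.example.com", "asmith",      "CORP", 2,  "-",
    datetime(2024-01-23T16:00:00Z), 4624, "WS22.corp.example.com", "contractor1", "CORP", 10, "10.9.9.9"
];
// Constructed stand-in for IdentityInfo (UEBA). It is a periodic sync, so the same
// account appears many times; AccountName is assumed to be the sAMAccountName.
let SampleIdentityInfo = datatable(TimeGenerated:datetime, AccountName:string, AccountUPN:string,
                                   AccountObjectId:string, AccountSID:string,
                                   AccountDomain:string, IsAccountEnabled:bool)
[
    datetime(2024-01-20T00:00:00Z), "jdoe",   "jdoe@corp.example.com",     "00000000-0000-0000-0000-000000000001", "S-1-5-21-1111-2222-3333-1001", "corp.example.com", true,
    datetime(2024-01-22T00:00:00Z), "JDoe",   "john.doe@corp.example.com", "00000000-0000-0000-0000-000000000001", "S-1-5-21-1111-2222-3333-1001", "corp.example.com", true,
    datetime(2024-01-22T00:00:00Z), "asmith", "asmith@corp.example.com",   "00000000-0000-0000-0000-000000000002", "S-1-5-21-1111-2222-3333-1002", "corp.example.com", false
];
// Keep only the newest row per account. Case-fold the key: KQL joins on == are
// case-sensitive, and AD writes "JDOE" and "jdoe" interchangeably.
let Identities = SampleIdentityInfo
    | extend AccountName = tolower(AccountName)
    | summarize arg_max(TimeGenerated, *) by AccountName
    | project AccountName, AccountUPN, AccountObjectId, AccountSID, AccountDomain, IsAccountEnabled;
SampleLogons
| where EventID == 4624
| where LogonType in (2, 3, 10)          // interactive, network, RemoteInteractive; drop service (5)
| extend NetAccount = tolower(TargetUserName)
// leftouter: an account missing from IdentityInfo (e.g. a local or brand-new one) must
// still surface in the alert rather than silently disappear.
| join kind=leftouter Identities on $left.NetAccount == $right.AccountName
| summarize LastLogon = max(TimeGenerated),
            LogonCount = count(),
            Hosts = make_set(Computer),
            SourceIPs = make_set(IpAddress)
  by NetAccount, AccountUPN, AccountObjectId, AccountSID, AccountDomain, IsAccountEnabled
| extend MappedToEntity = isnotempty(AccountObjectId)
| project-reorder NetAccount, MappedToEntity, AccountUPN, AccountObjectId, AccountSID,
                  AccountDomain, IsAccountEnabled, LastLogon, LogonCount, Hosts, SourceIPs
```

On the constructed rows this yields three result rows: jdoe (both case variants folded together, LogonCount 2, resolved to the newer john.doe UPN), asmith (mapped, but IsAccountEnabled false, which is worth its own alert), and contractor1 with MappedToEntity false because it has no IdentityInfo row. In the analytics rule, map the Account entity's AadUserId identifier to AccountObjectId, Sid to AccountSID, and Name / NTDomain to NetAccount / TargetDomainName; the left join guarantees the Name mapping is always populated even when the richer identifiers are empty. Replace SampleLogons and SampleIdentityInfo with SecurityEvent and IdentityInfo once the column assumptions are confirmed.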
Hello! I need to use variables as parameters of functions in Sentinel Logs. I have: let t = "Syslog"; let name = "my-Sentinel"; let id = "abc123"; Well, if I do this, it works fine: ... I've confirmed in testing the same as what you're experiencing. ...
(Note: It's best to run the sample queries using your own data, as "LA Demo" is not a Microsoft Sentinel-enabled workspace; hence, not all data sources found in the sample queries are available in "LA Demo".) What if you need to do a quick search on whi...