Multiple rules can be enabled and disabled using the same method
@yashrajsingh6716 2 months ago
Informative 😊
@fajllo 3 months ago
Exactly what I was looking for, thanks!
@akshaysaxena4577 3 months ago
If we want to see the number of distinct users with make_set, then how do we apply it?
@samikroy 3 months ago
Here is an example, please try this and let me know if this helps.
SigninLogs
| summarize count(), make_set(Location) by Type
| project count_, TotalCount = array_length(set_Location), Type
@sikharani437 9 months ago
All the lessons on KQL are very very clear and detailed. Glad I found this course.
@samikroy 9 months ago
Thank you for sharing this. Feel free to share to anyone who might be interested.
@daniellong5479 9 months ago
Hey, great content. Does it work with URLs and hash values?
@samikroy 9 months ago
Thank you @daniellong5479. This is an interesting question. Microsoft Sentinel Entity Behavior is yet to support those types. However, this can be achieved through a playbook. Hope this helps.
@daniellong5479 9 months ago
@samikroy thanks very much for confirming this. That's made up my mind on whether to implement a logic app or not.
@garreakhil6786 9 months ago
How much time will it take to reflect matching devices after creating a device group?
@samikroy 9 months ago
As per Microsoft, an update might take a few minutes to reflect: learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machine-groups?view=o365-worldwide#:~:text=Applying%20changes%20to%20device%20group%20configuration%20may%20take%20up%20to%20several%20minutes. In addition, creation might reflect within a few hours though.
@MrStumble 9 months ago
From my understanding the daily cap used to not apply to any security related data. Meaning it did not apply to Sentinel. Has this changed?
@samikroy 9 months ago
You are right, this setting is maintained within Log Analytics, but the context of this video is to share about the pros and cons with respect to Microsoft Sentinel.
@shrikumar1 1 year ago
How do we know it will work every 5 min after the first execution has completed?
@samikroy 1 year ago
We can have a look at the workflow run history. Example: github.com/samikroy/Make-GitHub-Developers-Friendly-With-Advanced-Security/actions/workflows/basic_scheduler.yml Hope this helps.
@TheMwendandu 1 year ago
Great tutorial, but when I expand full screen, your window appears grainy, blurry, and unreadable. Try redoing the training lesson with a full screen. Thanks.
@samikroy 1 year ago
Thank you for the feedback @TheMwendandu, and glad it is helpful. I will consider this in upcoming videos. You can also enroll in the free Udemy course on KQL for Microsoft Sentinel: www.udemy.com/course/learn-kql-for-microsoft-sentinel/
@johanhellberg9677 1 year ago
Thanks for the video!
@samikroy 1 year ago
You're welcome!
@obrebel0 1 year ago
Pointless, offers a whole 5 tables to monitor.
@samikroy 1 year ago
Thank you for your comment. Could you please elaborate a bit more?
@sarathkumaras 1 year ago
Hi bro, can you help me with a KQL query to know who has done a "role assignment" for a given user?
@samikroy 1 year ago
This query might help you:
AuditLogs
| where OperationName == "Add member to role"
| extend Target = tostring(TargetResources[0].userPrincipalName)
| extend RoleAdded = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project TimeGenerated, OperationName, Actor, Target, RoleAdded
@traoreamara9572 1 year ago
Hi! Do you recommend a specific or best-practice process for analytics tuning?
@samikroy 1 year ago
Thank you for reaching out. Here is a high-level outline which is a recommendation.
The Process
-----------------------------------------
1. Review rule performance through built-in workbooks
   a. How many alerts they are generating
   b. What the true positive percentage is
   Leverage the built-in workbooks:
   a. Security Operations Efficiency
   b. Analytics Efficiency
2. Review the entity mapping and update accordingly.
3. Use Alert Name Format to create more customized incidents.
4. Use Entity behavior to analyze the top entities and then identify top rules.
5. Leverage KQL best practices.
-----------------------------------------
KQL best practices
-----------------------------------------
learn.microsoft.com/en-us/azure/data-explorer/kusto/query/best-practices
Hope this helps
@CyberSOC-educational 1 year ago
@samikroy Thank you
@intel2390 1 year ago
Not sure if it talks about what arg_max does and how to use it with summarize. It only talks about how you can add multiple columns in the function and * to add all the columns. Not very useful.
@samikroy 1 year ago
Thank you for sharing your feedback @Sukhmeet Singh. Please have a look at these to understand the use of summarize and other operators: kzbin.info/www/bejne/rKfHaGSMn6yiiqc kzbin.info/www/bejne/eZikomyGn6-FnKc This video is targeted at demystifying the efficiency of arg_max.
@anfulari 1 year ago
Send your contact number
@susangriffith2663 1 year ago
'promosm'
@LakshminarayanagariJunjanna 1 year ago
Hi Samik, I used your query. Instead of BaseLocationlatitude, BaseLocationlongitude is zero. Is it possible to take the Base Location as the recent location coordinates? Can you please help me with this query:
let BaseLocationlongitude = toscalar(
    SigninLogs
    | where TimeGenerated > ago(2d)
    | extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)
    | summarize max(Recent_Longitude=longitude_));
let BaseLocationlatitude = toscalar(
    SigninLogs
    | where TimeGenerated > ago(2d)
    | extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)
    | summarize max(Recent_Latitude=latitude_));
SigninLogs
| where TimeGenerated > ago(2d)
| extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)
| extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)
| extend Username = UserDisplayName
| extend Location = strcat(LocationDetails.city, ', ', LocationDetails.state, ', ', LocationDetails.countryOrRegion)
| distinct todecimal(latitude_), todecimal(longitude_), Username, Location
| extend Distance_in_meters = geo_distance_2points(toint(BaseLocationlongitude), toint(BaseLocationlatitude), toint(longitude_), toint(latitude_))
| extend Distance_in_KM = strcat('Distance from Recent location', ' is ', Distance_in_meters/1000.0, ' KM.')
| sort by Distance_in_KM desc
Please help me, I am not getting an output value.
@samikroy 1 year ago
Thank you for reaching out. Could you please try this KQL snippet and let me know:
let target_User = "your user";
let User_Latest_Location = (
    SigninLogs
    | where UserPrincipalName == target_User
    // gets the latest location based on time.
    | summarize arg_max(TimeGenerated, *) by UserPrincipalName
    | extend longitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).longitude)
    | extend latitude_ = tostring(parse_json(tostring(LocationDetails.geoCoordinates)).latitude)
    | project longitude_, latitude_
);
let latest_longitude = toscalar(User_Latest_Location | project longitude_);
let latest_latitude = toscalar(User_Latest_Location | project latitude_);
print latest_longitude, latest_latitude
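As an added example (not from the video or from either commenter), this carries the arg_max idea in the reply above through to the distance calculation the earlier comment was attempting: every sign-in of one user in the last 2 days is measured against that user's most recent sign-in location. It assumes the same SigninLogs schema used in the thread; target_User is a placeholder, and toreal() is used instead of toint() because toint() truncates the fractional degrees of a coordinate.

```kql
// Added example, not the video's or the thread's own query.
// Distance of each recent sign-in from the user's latest sign-in location.
let target_User = "user@example.com";   // placeholder, replace with the UPN under review
let lookback = 2d;
let UserSignins =
    SigninLogs
    | where TimeGenerated > ago(lookback)
    | where UserPrincipalName == target_User
    // LocationDetails is dynamic, so the nested properties can be read directly.
    // toreal() keeps full precision; toint() would turn 12.97 into 12 and
    // shift the computed distance by tens of kilometres.
    | extend longitude_ = toreal(LocationDetails.geoCoordinates.longitude),
             latitude_  = toreal(LocationDetails.geoCoordinates.latitude)
    | where isnotnull(longitude_) and isnotnull(latitude_);
// arg_max picks the row with the newest TimeGenerated and returns its coordinates.
let LatestLocation =
    UserSignins
    | summarize arg_max(TimeGenerated, longitude_, latitude_) by UserPrincipalName
    | project UserPrincipalName, base_lon = longitude_, base_lat = latitude_;
UserSignins
| join kind=inner LatestLocation on UserPrincipalName
// geo_distance_2points takes (lon1, lat1, lon2, lat2) and returns metres.
| extend Distance_in_KM = geo_distance_2points(base_lon, base_lat, longitude_, latitude_) / 1000.0
| extend Location = strcat(tostring(LocationDetails.city), ", ", tostring(LocationDetails.countryOrRegion))
| project TimeGenerated, UserPrincipalName, Location, IPAddress, Distance_in_KM
// numeric sort: sorting the strcat() text from the earlier comment would order lexically
| sort by Distance_in_KM desc
```

Sign-ins with a large Distance_in_KM within the lookback window are the candidates for an impossible-travel review; sign-ins without geoCoordinates are dropped by the isnotnull filter rather than silently measured from 0,0.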
@jamesclifton9389 1 year ago
Good information thank you
@samikroy 1 year ago
Glad it was helpful James.
@suryendubhattacharyya3628 1 year ago
Great Content Samik
@samikroy 1 year ago
Thank you for extending the feedback Suryendu. Feel free to share if you find this useful.