Tag Archives: azure sentinel

Get all comments in an Azure Sentinel incident programmatically

Posted on 01/27/2020 by azsec

For any kind of report you may want to get all comments in an Azure Sentinel in order to archive as an forensic or incident artifact in an incident case before it is closed. Even comments in Azure Sentinel is … Continue reading

Posted in Security Automation | Tagged , , | Leave a comment

Authenticate with Log Analytics workspace interactively in Azure Sentinel notebooks

Posted on 01/16/2020 by azsec

One of the common steps before a SecOps analyst starts investigating and writing hunting query is to authenticate with the Log Analytics workspace where security data and event log are stored, using kqlmagic. Most common way is to let Azure … Continue reading

Posted in Security Automation | Tagged , | Leave a comment

Get started with Azure Sentinel Notebooks

Posted on 01/13/2020 by azsec

Hunting in Azure using Kusto Query Language to write query against Log Analytics workspace may not be enough for you. Given an example like this article, you would want to extract all attacker IP addressees and use VirusTotal to verify … Continue reading

Posted in Security Operation | Tagged , | 3 Comments

An analysis of Suspicious Authentication activity from Azure Security Center

Posted on 01/10/2020 by azsec

There are some readers after following this article to simulate alerts generated from Azure Security Center approaching me asking about one of the alerts they have seen named Suspicious authentication activity. They don’t know whether their testing virtual machines in … Continue reading

Posted in Monitoring & Detection | Tagged , , | 2 Comments

Create a fully customized Azure Sentinel incident

Posted on 01/06/2020 by azsec

There are ways to create an incident in Azure Sentinel. Simulating an alert from Azure Security Center and feeding it to become an Azure Sentinel incident is one of the ways. Another way is to create a simple scheduled analytics … Continue reading

Posted in Security Automation | Tagged , | 2 Comments

Delete an Azure Sentinel incident (from ASC)

Posted on 01/03/2020 by azsec

Is it possible to remove an Azure Sentinel incident? The answer is Yes. However, this is not going to be a recommendation for security operation. Let’s see how to make that happen.

Posted in Security Automation | Tagged , | 3 Comments

Azure Sentinel ARM Template

Posted on 12/31/2019 by azsec

I got a question from some readers asking about if there is a way to deploy Azure Sentinel through Azure ARM template and what are common use cases for deploying such an ARM template. In this article, let’s explore the … Continue reading

Posted in Security Automation | Tagged , | 3 Comments

Extract all Azure Sentinel incidents

Posted on 12/16/2019 by azsec

I got asked by a few readers after reading this article if there was a way to extract all incidents in Azure Sentinel so they could conduct a report and send out to their managers. In this article, let’s see … Continue reading

Posted in Security Automation | Tagged , , | 3 Comments

Connect Azure Security Center to Azure Sentinel programatically

Posted on 12/14/2019 by azsec

Previously you knew how to integrate Azure Security Center to Azure Sentinel to make sure alerts are tracked as incidents in Azure Sentinel. Now you have decided to connect many Azure Security Center to your Azure Sentinel. This article is … Continue reading

Posted in Security Automation | Tagged , | 3 Comments

Working with Azure Security Center Alert from Azure Sentinel

Posted on 12/10/2019 by azsec

You wouldn’t want to jump over from Azure Security Center and Azure Sentinel to manage and operate security. We all know what they are and how they are used for which purpose. The ultimate goal would be to reduce effort … Continue reading

Posted in Azure Security Center | Tagged , | 7 Comments