Azure Sentinel Log Query Scripts Collection (Kusto Query Language)

Kusto Query Language is the language you will use to work with and manipulate data in Microsoft Sentinel. The logs you feed into your workspace aren't worth much if you can't analyze them and get the important information hidden in all that data. Kusto Query Language has not only the power and flexibility to get that information, but the simplicity to help you get started quickly. If you have a background in scripting or working with databases, a lot of the content of this article will feel very familiar. If not, don't worry, as the intuitive nature of the language quickly enables you to start writing your own queries and driving value for your organization.


Search Keywords in Tables

search in (CommonSecurityLog) "172.17.20.10"

search in (Syslog) "172.17.20.10"

CommonSecurityLog
| where DeviceVendor contains "Palo Alto Networks"
| where DeviceCustomString6 contains "LogForward"

Syslog
| where Computer !contains "10"

Count Logs in a Table

Syslog
| summarize count() by Computer

CommonSecurityLog
| summarize count() by Activity

Check Last 5 logs

SigninLogs
| sort by TimeGenerated desc
| take 5

Show the log trend over the last 7 days

let Now = now();
(range TimeGenerated from ago(7d) to Now-1d step 1d
    | extend Count = 0
    | union isfuzzy=true
        (SecurityEvent
        | summarize Count = count() by bin_at(TimeGenerated, 1d, Now))
    | summarize Count=max(Count) by bin_at(TimeGenerated, 1d, Now)
    | sort by TimeGenerated
    | project Value = iff(isnull(Count), 0, Count), Time = TimeGenerated, Legend = "SecurityEvents")
| render timechart

Check certain table's raw logs in last 1 hour:

meraki_CL
| where TimeGenerated > ago(1h)
| sort by TimeGenerated desc

Which Windows machines are sending logs through the Azure Monitor Agent?

Heartbeat
| where OSType == 'Windows'
| where Category != 'Azure Monitor Agent'   // as written this keeps heartbeats from agents other than AMA; change != to == to list only AMA machines
| summarize arg_max(TimeGenerated, *) by SourceComputerId
| sort by Computer
| render table

Check Subscription ID

AzureActivity
| summarize by SubscriptionId

Pricing-Related Queries

Check Table Sizes and Whether They Are Billable

let PricePerGB = 0.0;   // placeholder: set to your effective per-GB ingestion price, otherwise the estimate stays 0
union withsource=TableName1 *
| where TimeGenerated > ago(1d)
| summarize Entries = count(), Size = sum(_BilledSize), last_log = datetime_diff("second", now(), max(TimeGenerated)), estimate = sumif(_BilledSize, _IsBillable == true) by TableName1, _IsBillable
| project ['Table Name'] = TableName1, ['Table Entries'] = Entries, ['Table Size'] = Size,
         ['Size per Entry'] = 1.0 * Size / Entries, ['IsBillable'] = _IsBillable, ['Last Record Received'] = last_log, ['Estimated Table Price'] = (estimate / (1024 * 1024 * 1024)) * PricePerGB
| order by ['Table Size'] desc

Calculate Cost Per Table

let rate = 4.30;                                 //<-- Effective per GB Price in EastUS (LAW & Sentinel per GB cost combined)
SecurityEvent                                     //<-- We're querying the SecurityEvent table in this one
| where TimeGenerated >ago(30d)                  //<-- Let's look at the past month, which makes sense considering we're billed monthly
| summarize GB=sum(_BilledSize)/1024/1024/1024    //<-- Summarize billable volume in GB using the _BilledSize table column
| extend cost = GB*rate                          //<-- Multiply total GBs for the month by the effective rate (defined in first line of query)
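As an added example (not from the original post), the two pricing queries above can be combined into one that estimates the 30-day cost of every billable table in the workspace; the 4.30 rate is the EastUS figure quoted above and is an assumption you should replace with your own effective price.

```kql
// Added example: per-table billable volume and estimated cost over the last 30 days.
// Combines the "union withsource" pattern with the per-GB rate used for SecurityEvent.
let rate = 4.30;            // assumed effective per-GB price (EastUS figure from above); replace with yours
let lookback = 30d;         // billing is monthly, so look back 30 days
union withsource = TableName *
| where TimeGenerated > ago(lookback)
| where _IsBillable == true                 // only billed ingestion counts toward cost
| summarize
    Entries = count(),
    GB = sum(_BilledSize) / 1024.0 / 1024.0 / 1024.0,
    LastRecord = max(TimeGenerated)
    by TableName
| extend
    EstimatedCost = round(GB * rate, 2),
    GBPerDay = round(GB / (lookback / 1d), 3)   // timespan / timespan yields a real (30.0)
| order by EstimatedCost desc
```

`union *` scans every table in the workspace, so run it over a short window first if the workspace is large.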

References

  • https://learn.microsoft.com/en-us/azure/sentinel/kusto-overview

Copyright notice:
Author: 感冒的梵高
Link: https://www.techfm.club/p/122624.html
Source: TechFM
The article is copyrighted by its author; please do not reproduce it without permission.