Microsoft Sentinel this Week - Issue #44

By Rod Trent • Issue #44
Hi, all! Welcome to week and issue #44 of this fabulous community newsletter. I truly appreciate our time together every week and I hope as this community continues growing that you’ll come to enjoy our brief moments together, too.
Before releasing you to this week’s curated content, I have a few things to highlight, of course. Through the fog of pain killers due to an unexpected visit to the hospital on Wednesday, to have a kidney stone removed, directly after the Microsoft Security Insights podcast, my hope is to muddle through today’s newsletter issue with at least a modicum of success. So, let’s see how this works out. It could be like any Microsoft delivered demo and go belly-up and bluescreen, but we’ll see.
Speaking of community and the Microsoft Security Insights podcast, if you attended the live stream on Wednesday evening you heard me talk about how KQL is the engine behind the strength of the Microsoft Sentinel community. I also noted that Must Learn KQL Part 13: The Extend Operator chapter would be released before the end of the week. Well, due to my previously mentioned hospital visit, I’ve pushed that off to next week. Hopefully, I can double or triple-up on chapters next week. I’ve updated the Must Learn KQL TOC with the new scheduling information.
The next thing to highlight is the updated schedule for our Microsoft Sentinel webinars for 2022. There’s some really great content coming. As part of the Q&A team, I should be at each of these, so bring your toughest questions. I could be the one answering them.
Here’s what’s coming up:
  • January 19 - Microsoft Sentinel | Present and Future of User Entity Behavioral Analytics in Microsoft Sentinel 
  • January 20 - Microsoft Defender for Cloud | What’s New in the Last 3 Months 
  • February 3 - Microsoft Sentinel | Become a Jupyter Notebooks Ninja - MSTICPy Intermediate to Build Your Own Notebooks 
  • February 10 - Microsoft Sentinel | Automate Your Microsoft Sentinel Triage with RiskIQ Threat Intelligence 
Details and registration:
I announced this past week that The Microsoft Sentinel in Action book is near release and we’re looking for people interested in giving honest reviews and commentary about the book through Amazon reviews and blog posts.
I’ve been overwhelmed with responses, but ultimately, it’s up to the publisher to select the group from the list who will participate. That said, I’m still building the list and hope to deliver it to the publisher by early next week. So, if you are interested and able to do this, please connect with me directly. Those selected will receive a free copy of the book to read and provide feedback.
The best spots to hit me up about this are on Twitter or LinkedIn.
Lastly, I’ve updated the order of the newsletter sections this week. This newsletter tends to see a LOT of KQL submissions which means that the Stuff to Have section grows substantially week-to-week. Having that section in the middle of the newsletter copy just didn’t make sense anymore. So, as you’re perusing this week’s issue remember that all the awesome Stuff to Have is at the bottom.
During my hospital procedure this week, they removed a stone that originated from my left kidney. The CT-scan showed that I also have one in my right kidney that I’ll have to deal with eventually. Ugh.
Apparently, there are some things you can do diet-wise to dissolve existing stones before they become a problem. I’m researching this, but always happy to hear your own remedies. So, on a personal note - if you have your own successful remedies, I’m all ears.
And, btw: my running streak is still intact. I was able to get in just over a 10th of a mile before the surgery. I sort of hoped the activity would help the stone move through on its own. Many of you know I’ve been on a mission to run every single day until I just can’t run anymore. I’m currently up to 2,376 days.
But, wow…2022 has been an interesting year so far. I’m still positive about it, though. It’ll take much, much more than this to push me off-kilter.
I hope your 2022 is faring well.
Talk soon.

Stuff to Read
Adding a Custom Location to the Dropdown List of the User Map Workbook in Microsoft Sentinel – Azure Cloud & AI Domain Blog
Ensure Critical Log Collection in Microsoft Sentinel
Must Learn KQL Part 12: The Render Operator – Azure Cloud & AI Domain Blog
Parsing Azure Firewall logs in Microsoft Sentinel | by Koos Goossens | Jan, 2022 | Medium
“Server error Category A is not supported” message when enabling Microsoft Defender for Office 365 in the Microsoft Sentinel Connector – Azure Cloud & AI Domain Blog
Who's afraid of compliance? The importance of SIEM
Stuff to Watch/Listen To
AzureFunBytes Episode 64 - Building SOC Efficiency with @Azure Sentinel with @rodtrent
Stuff to Attend
A Buyer's Guide to Microsoft Sentinel | ThirdSpace Webinar
Jan 2022 | Meetup
Stuff That's New or Updated
Microsoft Sentinel Cross-workspace Incidents View Limit Bumped to 30 Workspaces and/or Tenants – Azure Cloud & AI Domain Blog
UPDATED: Cloud Service Provider Access to Microsoft Sentinel Content Hub – Azure Cloud & AI Domain Blog
Stuff That's Related
Monitor Elevate Access Activity In Azure – Sam's Corner
Pass the Cloud with a Cookie
Stuff to Have
Sentinel-Queries/AzureVM-DiskImageURLGenerated.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/SecurityEvent-SummarizePrivilegesAssignedonLogon.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/365DaysofKQL-Day100.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-ServicePrincipalSummaryofResources.kql at main · reprise99/Sentinel-Queries · GitHub
SentinelKQL/DataPerComputer.txt at master · rod-trent/SentinelKQL · GitHub
Sentinel-Queries/SecurityAlert-SuspectedGoldenTicket.kql at main · reprise99/Sentinel-Queries · GitHub
Rod Trent

The Microsoft Sentinel weekly newsletter helps uncover the new and important features and news for Microsoft's cloud-based SIEM+SOAR security tool.
