Updating the Azure Monitor Agent on Demand

update-ama.ps1 is a PowerShell script you can use to update the Azure Monitor Agent on Azure Virtual Machines and Azure Arc-enabled machines. The script handles both Linux and Windows servers and provides the features listed below. I have also written a universal extension upgrade script that can be used to upgrade any extension: update-extension.ps1 Usage – Azure …

KQL – Working with version numbers using parse_version

Overview If you have version numbers with major and minor components such as 1.2, 1.3, 1.3.1, 1.5, you may have noticed that ordering by these fields doesn’t work well: the column is a string, so order by compares it character by character rather than component by component. As we can see from the example below, order by doesn’t properly order the version number column. 1.21.1 is a higher version number than …
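The following query is an added example, not taken from the post itself, that shows the problem and the parse_version() fix side by side. The table, computer names and version strings are constructed sample data, and the minimum version of 1.5 is an arbitrary assumption standing in for whatever agent version you actually require.

```kql
// Constructed sample data standing in for any table with a version column,
// e.g. the agent version reported by a VM extension.
let Agents = datatable(Computer:string, AgentVersion:string)
[
    "srv01", "1.2",
    "srv02", "1.3",
    "srv03", "1.3.1",
    "srv04", "1.5",
    "srv05", "1.21.1",
    "srv06", "1.10"
];
// Assumed threshold: anything below this is treated as out of date.
let MinimumVersion = parse_version("1.5");
Agents
// parse_version() turns the dotted string into a comparable decimal. Up to four
// components are supported and missing components count as zero, so "1.3" and
// "1.3.0" compare equal while "1.3.1" sorts above both.
| extend ParsedVersion = parse_version(AgentVersion)
// Rank 1: plain string sort. This compares character by character, which is why
// "1.21.1" and "1.10" end up sorted below "1.3" and "1.2" instead of above them.
| order by AgentVersion desc
| extend StringRank = row_number()
// Rank 2: sort on the parsed value, which gives true version ordering.
| order by ParsedVersion desc
| extend VersionRank = row_number()
// Because ParsedVersion is numeric, threshold checks are a simple comparison.
| extend BelowMinimum = ParsedVersion < MinimumVersion
| project VersionRank, StringRank, Computer, AgentVersion, ParsedVersion, BelowMinimum
```

Comparing StringRank with VersionRank row by row makes the mis-ordering visible; in practice you would drop the StringRank step and keep the parse_version() extend, which also lets max() and min() on ParsedVersion report the newest and oldest version per machine correctly.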

Programmatically Updating Defender for Cloud Integration Settings and enabling the Unified Agent

Overview Defender for Cloud has several integrations with Microsoft’s security ecosystem. These integrations allow data sharing between Defender for Cloud Apps, Defender for Endpoint, and Microsoft Sentinel. Most of these integrations are enabled by default on subscriptions; however, in some circumstances they are not. The most common setting not enabled …

Automating Network Security Group Creation with Defender for Cloud

As a best practice it’s generally advised to always have a network security group associated with a subnet, which ensures all resources in the subnet can be protected with layer 4 access control rules. Specific to virtual machines, if you plan on using Defender for Servers just-in-time virtual machine access, a …

Sentinel: Creating Data Collection Rules to send to the SecurityEvent table

Today you can ingest Windows Security Events into Microsoft Sentinel using the Windows Security Events via AMA data connector. This data connector sends events directly to the SecurityEvent table. When it comes to Windows event log collection it’s fairly important that events land in the SecurityEvent table, because most of the out of …

Reporting on Defender for Endpoint Agent Status

Report on Defender for Endpoint’s health across Defender 365 and Defender for Cloud

Using the new Archiving, Basic Logs, and Retention Workbook

Back in February of 2022 several new features for Azure Monitor were released to support long-term data retention, data search, data recovery and data ingestion. More specifically, these features are built into Azure Log Analytics, which is the underlying data store for Microsoft Sentinel. While we are still waiting for many of these features to …

Creating Scheduled Analytics Rules From Templates – New Features

A while back I developed a PowerShell script that provides the ability to import multiple Scheduled Analytics rules from the Sentinel template library. Check out the original article here: Mass Creating Scheduled Analytics Rules From Templates. Grab the script here: sentinel-tools/analytics_rules at main · seanstark/sentinel-tools (github.com). Since then I have added a few new features …

Estimating Defender 365 Event Size

If you are planning on exporting raw events from Defender 365 to your SIEM, you can easily estimate the table sizes and number of entries in Defender 365 Advanced Hunting. Estimate All Table Sizes. Estimated Sentinel Price: update the price variable based on your region from the Azure pricing calculator. Price = Sentinel + Log …
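As an added example, not the query from the post, the following Advanced Hunting query estimates per-table volume and a rough monthly ingestion cost for a set of Defender 365 tables. The list of tables, the 7-day window, and the 4.30 price per GB are assumptions to adjust: the price must be replaced with your region’s combined Sentinel plus Log Analytics pay-as-you-go rate from the Azure pricing calculator, and estimate_data_size() gives an approximation of the raw row size rather than the exact billed size after ingestion.

```kql
// Placeholder price: replace with the Sentinel + Log Analytics per-GB rate for
// your region (Azure pricing calculator). Purely an assumption here.
let PricePerGB = 4.30;
// Sampling window; keep the ago() filter below in step with this value.
let LookbackDays = 7;
// Assumed table list: extend or trim to match what you actually plan to export.
union withsource = TableName
    DeviceEvents, DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents,
    DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceInfo,
    DeviceNetworkInfo, EmailEvents, EmailAttachmentInfo, EmailUrlInfo,
    IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents,
    CloudAppEvents, AlertInfo, AlertEvidence
| where Timestamp > ago(7d)
// estimate_data_size(*) approximates the byte size of every column in the row;
// summing it per table gives the raw volume for the sampling window.
| summarize Entries = count(), SizeBytes = sum(estimate_data_size(*)) by TableName
| extend SizeGB = SizeBytes / 1073741824.0
// Normalise to a daily rate so the window length does not skew the estimate.
| extend EntriesPerDay = round(Entries / LookbackDays, 0),
         GBPerDay = round(SizeGB / LookbackDays, 3)
// Project the daily rate out to a 30-day month at the assumed price.
| extend EstimatedCostPerMonth = round(GBPerDay * 30 * PricePerGB, 2)
| project TableName, Entries, EntriesPerDay, GBPerDay, EstimatedCostPerMonth
| order by GBPerDay desc
```

Run the query over a window that includes a normal working week, since weekend volume on DeviceProcessEvents and EmailEvents is usually much lower, and treat the result as a floor: Sentinel bills on the ingested size, which can differ from the in-row estimate depending on how the connector shapes the data.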
