KQL – Working with version numbers using parse_version

Overview: If you have version numbers that contain major and minor decimal places, such as 1.2, 1.3, 1.3.1, 1.5, you may have noticed that ordering by these fields doesn't work well. As we can see from the example below, order by doesn't properly order the version number column. 1.21.1 is a higher version number than …

Sentinel: Creating Data Collection Rules to send to the SecurityEvent table

Today you can ingest Windows Security Events into Microsoft Sentinel using the Windows Security Events via AMA data connector. This data connector sends events directly to the SecurityEvent table. When it comes to Windows event log collection, it's fairly important that events generally land in the SecurityEvent table. Most of the out of …

Sentinel Syslog Forwarder with AMA

Configure syslog forwarding for Microsoft Sentinel with the Azure Monitor Agent

Microsoft Sentinel Workspace Settings Best Practices

Since Microsoft Sentinel uses Azure Log Analytics as its data platform, it is beholden to the Log Analytics Workspace default settings. When creating an initial instance of Azure Sentinel and the corresponding Log Analytics Workspace, there are a few settings you need to enable manually. Workspace Data Retention Settings: Out of the box a …