Azure Sentinel – Dashboard queries
Microsoft Industry Blogs - United Kingdom (Cross-industry). Published 2019-07-19, last modified 2019-10-07.
https://www.microsoft.com/en-gb/industry/blog/cross-industry/2019/07/19/azure-sentinel-dashboard-queries/

The vast majority of my day job at the moment includes Azure Sentinel. Some of the queries I’ve shown in the previous posts can be used to see data points for Sentinel as well.

Typically I display all these on an Azure Dashboard, but you can also just use the queries on their own. Sentinel-specific dashboards can be found here.

My Example Dashboard

(Screenshot: example Sentinel dashboard)

The new data tables that Sentinel uses are shown in this screenshot, but there are other related tables as well (you might want to include Events too?).

(Screenshot: Sentinel data tables)

The query at the top left of the first picture uses a union to pull in the various tables. I use a bin interval of 1h to speed up the query (it returns less data), which is especially useful as I normally want to look at a weekly or monthly view.

```kusto
let tBin = 1h;
union isfuzzy=true
(
// Firewall vendors
CommonSecurityLog
| summarize LogVolume=count() by bin(TimeGenerated,tBin), SolutionName = Type
),
(
// Office 365
OfficeActivity
| summarize LogVolume=count() by bin(TimeGenerated,tBin), SolutionName = Type
),
(
// Azure Security Center - free
SecurityCenterFree
| summarize LogVolume=count() by bin(TimeGenerated,tBin), SolutionName = Type
),
(
// Azure Security Center - Standard
SecurityEvent
| summarize LogVolume=count() by bin(TimeGenerated,tBin), SolutionName = Type
),
(
// Security Alerts
SecurityAlert
| summarize LogVolume=count() by bin(TimeGenerated,tBin), SolutionName = Type
),
(
// DNS
DnsEvents
| summarize LogVolume=count() by bin(TimeGenerated,tBin), SolutionName = Type
),
(
// Windows Firewall
WindowsFirewall
| summarize LogVolume=count() by bin(TimeGenerated,tBin), SolutionName = Type
),
(
// Azure AD
SigninLogs
| summarize LogVolume=count() by bin(TimeGenerated,tBin), SolutionName = Type
),
(
// Syslog
Syslog
| summarize LogVolume=count() by bin(TimeGenerated,tBin), SolutionName = Type
),
(
// AWS
AWSCloudTrail
| summarize LogVolume=count() by bin(TimeGenerated,tBin), SolutionName = Type
),
(
// Symantec
SymantecICDX_CL
| summarize LogVolume=count() by bin(TimeGenerated,tBin), SolutionName = Type
),
(
// Hunting Bookmarks
HuntingBookmark
| summarize LogVolume=count() by bin(TimeGenerated,tBin), SolutionName = Type
),
(
// ThreatIntelligence Indicator
ThreatIntelligenceIndicator
| summarize LogVolume=count() by bin(TimeGenerated,tBin), SolutionName = Type
),
(
// LinuxAuditLog
LinuxAuditLog
| summarize LogVolume=count() by bin(TimeGenerated,tBin), SolutionName = Type
)
| sort by LogVolume
| render timechart title ="Sentinel Log Volume by time"
```

Run the above here.
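The same union can be turned from a chart into a check. The query below is an added example and is not from the original post: it reports, per table, when the last record arrived and flags any source that has been silent for longer than a threshold, which is the first thing to look at when a volume chart like the one above shows a dip, because a connector that has stopped feeding the workspace is a blind spot for every detection that depends on it. The table list, the 7-day lookback and the 3-hour quiet threshold are my own assumptions; tune them to the normal cadence of each connector.

```kusto
// Added example (not part of the original post): detect log sources that have gone quiet.
// Assumptions: the tables listed below are the ones you ingest; lookback and quietFor are
// illustrative thresholds, tune them to each connector's normal cadence.
let lookback = 7d;
let tBin     = 1h;
let quietFor = 3h;      // flag a table with no records in the last 3 hours
union isfuzzy=true withsource = SourceTable
    CommonSecurityLog, SecurityEvent, Syslog, SigninLogs, OfficeActivity, DnsEvents
| where TimeGenerated > ago(lookback)
| summarize LastRecord = max(TimeGenerated), Records = count() by SourceTable
// average hourly rate over the lookback, so a dip can be judged against the table's own baseline
| extend AvgPerHour = round(todouble(Records) / (lookback / tBin), 1)
| extend SilentFor  = now() - LastRecord
| extend Status     = iif(SilentFor > quietFor, "ingestion gap", "ok")
| project SourceTable, Records, AvgPerHour, LastRecord, SilentFor, Status
| sort by SilentFor desc
```

Two points worth knowing when reading the output: `isfuzzy=true` only suppresses the error for a table that does not exist in the workspace, and a table that exists but received nothing in the lookback window produces no row at all (there is no group for `summarize` to emit), so a table that is missing from the result is itself a gap signal. Pin this query to the dashboard next to the volume chart and the two read together.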

The second query (top right) is very similar in structure, but it gives an indication of the data we have and where it may be generated from. You can remove or add the tables that are relevant to you. I use this as a way to remember whether the data was added by Sentinel or by Log Analytics.

```kusto
// Note: summarize ... by only emits groups that have rows, so the "no data" branch of iif()
// is never reached; a table with no records simply has no row in the output.
union isfuzzy=true
(
// Firewall vendors
CommonSecurityLog
| summarize Records = count() by SolutionName = Type, Vendor = DeviceVendor
| sort by Records desc
| extend PotentialDataSource = iif(Records>0,"✅ Sentinel or CEF data found","no data")
),
(
// Office 365
OfficeActivity
| summarize Records = count() by SolutionName = Type, Vendor = "Microsoft O365"
| sort by Records desc
| extend PotentialDataSource = iif(Records>0,"data found, Log Analytics or Sentinel enabled","no data")
),
(
// Azure Security Center - free
SecurityCenterFree
| summarize Records = count() by SolutionName = Type, Vendor = "Azure Security Center Free"
| sort by Records desc
| extend PotentialDataSource = iif(Records>0,"data found, ASC or Sentinel enabled","no data")
),
(
// Azure Security Center - Standard
SecurityEvent
| summarize Records = count() by SolutionName = Type, Vendor = "Azure Security Center Standard"
| sort by Records desc
| extend PotentialDataSource = iif(Records>0,"data found, ASC or Sentinel enabled","no data")
),
(
// Security Alerts
SecurityAlert
| summarize Records = count() by SolutionName = Type, Vendor = "Azure Sentinel"
| sort by Records desc
| extend PotentialDataSource = iif(Records>0,"data found, ASC or Sentinel","no data")
),
(
// DNS
DnsEvents
| summarize Records = count() by SolutionName = Type, Vendor = "Microsoft DNS"
| sort by Records desc
| extend PotentialDataSource = iif(Records>0,"data found, Log Analytics or Sentinel","no data")
),
(
// Windows Firewall
WindowsFirewall
| summarize Records = count() by SolutionName = Type, Vendor = "Microsoft Firewall"
| sort by Records desc
| extend PotentialDataSource = iif(Records>0,"data found, Log Analytics or Sentinel","no data")
),
(
// Azure AD
SigninLogs
| summarize Records = count() by SolutionName = Type, Vendor = "Microsoft Azure AD"
| extend PotentialDataSource = iif(Records>0,"data found, Log Analytics or Sentinel","no data")
),
(
// Syslog
Syslog
| summarize Records = count() by SolutionName = Type, Vendor = "Linux"
| extend PotentialDataSource = iif(Records>0,"data found, Log Analytics or Sentinel","no data")
),
(
// Windows event log (the Event table; Syslog is already covered by the previous block)
Event
| summarize Records = count() by SolutionName = Type, Vendor = "Azure Monitor"
| extend PotentialDataSource = iif(Records>0,"Log Analytics","no data")
),
(
// AWS
AWSCloudTrail
| summarize Records = count() by SolutionName = Type, Vendor = "AWS"
| extend PotentialDataSource = iif(Records>0,"✅ Sentinel or CEF data found","no data")
),
(
// Symantec
SymantecICDX_CL
| summarize Records = count() by SolutionName = Type, Vendor = "Symantec"
| extend PotentialDataSource = iif(Records>0,"✅ Sentinel data found","no data")
),
(
// Hunting Bookmarks
HuntingBookmark
| summarize Records = count() by SolutionName = Type, Vendor = "Azure Sentinel"
| extend PotentialDataSource = iif(Records>0,"✅ Sentinel data found","no data")
),
(
// ThreatIntelligence Indicator
ThreatIntelligenceIndicator
| summarize Records = count() by SolutionName = Type , Vendor = "Azure Sentinel"
| extend PotentialDataSource = iif(Records>0,"✅ Sentinel data found","no data")
),
(
// LinuxAuditLog
LinuxAuditLog
| summarize Records = count() by SolutionName = Type , Vendor = "Azure Sentinel"
| extend PotentialDataSource = iif(Records>0,"✅ Sentinel data found","no data")
)
| sort by Records
```


Example output

(Screenshot: example output of the data-source query)

The next four charts on the left are these. I like to run them with a time span of a week to give me an insight into any spikes or dips per solution:


```kusto
SecurityAlert
| summarize LogVolume=count() by bin(TimeGenerated,1h), SolutionName = Type
// render added so this one draws a chart like the other three instead of a table
| render timechart title = "SecurityAlert by time"
```

```kusto
CommonSecurityLog
| summarize LogVolume=count() by bin(TimeGenerated,1h), SolutionName = Type
| render timechart title = "CommonSecurityLog by time"
```

```kusto
SecurityEvent
| summarize LogVolume=count() by bin(TimeGenerated,1h), SolutionName = Type
| render timechart title = "SecurityEvent by time"
```

```kusto
Syslog
| summarize LogVolume=count() by bin(TimeGenerated,1h), SolutionName = Type
| render timechart title = "Syslog by time"
```

The bar chart (second down on the right) is this query, which is similar to the cost ones here:

https://www.microsoft.com/en-gb/industry/blog/cross-industry/2019/07/18/azure-log-analytics-looking-at-data-and-costs-part-3/

Note: you could also write the first query in this post in this more compressed `union withsource` format (I didn’t, mainly because I wanted to keep the comments and structure readable). If you want the compressed version, click here.


```kusto
union isfuzzy=true withsource = tt *
| where tt in ("Syslog", "SecurityEvent","AWSCloudTrail", "CommonSecurityLog",
"SecurityAlert", "ThreatIntelligenceIndicator", "LinuxAuditLog",
"HuntingBookmark")
| summarize
RecordCount = count(),
// count() divided by billed megabytes gives records per MB, so the column is named accordingly
RecordsPerMB = round(count() / sum(_BilledSize/(1024*1024)),2) ,
TotalGBytes = round(sum(_BilledSize/(1024*1024*1024)),2)
by SolutionName = tt, _IsBillable
| sort by TotalGBytes desc
| render barchart
```

You can run the above here.
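The reverse problem to a silent source is a source that suddenly floods the workspace, which usually shows up on a cost view like this one before anywhere else (a misconfigured connector, a device stuck in debug logging, or a noisy new subnet). The query below is an added example, not from the original post or the cost post it links to: it builds on the same `union withsource` and `_BilledSize` pattern to compute billable GB per table per day and flag any day that is more than twice the previous day for the same table. The table list mirrors the bar-chart query, and the 14-day lookback and the factor of 2 are my own assumptions.

```kusto
// Added example (not part of the original post): day-over-day ingestion surge per table.
// Assumptions: the table list mirrors the bar-chart query; surgeFactor is an illustrative threshold.
let lookback    = 14d;
let surgeFactor = 2.0;
union isfuzzy=true withsource = SourceTable *
| where TimeGenerated > ago(lookback) and _IsBillable == true
| where SourceTable in ("Syslog", "SecurityEvent", "AWSCloudTrail", "CommonSecurityLog",
    "SecurityAlert", "ThreatIntelligenceIndicator", "LinuxAuditLog", "HuntingBookmark")
| summarize DailyGB = round(sum(_BilledSize) / (1024.0 * 1024 * 1024), 3)
    by SourceTable, Day = bin(TimeGenerated, 1d)
// sort serializes the rows so prev() can look at the previous day of the same table
| sort by SourceTable asc, Day asc
| extend PrevGB = iif(prev(SourceTable) == SourceTable, prev(DailyGB), real(null))
| where isnotnull(PrevGB) and PrevGB > 0
| extend Ratio = round(DailyGB / PrevGB, 2)
| where Ratio > surgeFactor
| project SourceTable, Day, PrevGB, DailyGB, Ratio
| sort by Ratio desc
```

The first day of each table has no previous day and is dropped by the `isnotnull(PrevGB)` filter, as is any day following a day with zero billable ingestion, so a table that goes from nothing to something is reported by the silent-source check rather than by this one. If you pin this to the dashboard, keep the bar chart above it: the chart shows where the volume is, this list shows where it changed.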

The final query (bottom right) is:


\n\/\/ Top 5 Security Alerts
\nSecurityAlert
\n| summarize count() by AlertName
\n| top 5 by AlertName desc
\n| render piechart
\n<\/code><\/p>\n","protected":false},"excerpt":{"rendered":"
