AZSentinel

Bug Report

Open secalert170925 opened this issue 3 years ago • 2 comments

Environment

Windows build number: Microsoft Windows [Version 10.0.19042.985]
PowerShell version (if applicable): 7.1.3

Steps to reproduce

Run "Get-AzSentinelHuntingRule".

Expected behavior

Hunting Rule information is output.

Actual behavior

Log Analytics workspace function information is output.

secalert170925, May 19 '21 02:05

Can you provide more detail, what was the output? What was the full command you ran?

pemontto, May 24 '21 09:05

I ran the below command.

Get-AzSentinelHuntingRule -WorkspaceName $WorkSpaceName -SubscriptionId $SubscriptionId | format-table

And its output is below.

Category / DisplayName / Query (Format-Table output, queries truncated with …)

Category: function
  testFunction2
      Heartbeat…

Category: TEST
  testFunction
      dynamic({…

Category: Log Management
  All Events
      Event | sort by TimeGenerated desc…
  Count of Events containing the word "started" grouped by EventID
      search in (Event) "started" | summarize AggregatedValue = count() by EventID…
  Count of Events grouped by Event Log
      Event | summarize AggregatedValue = count() by EventLog…
  Count of Events grouped by Event Source
      Event | summarize AggregatedValue = count() by Source…
  Count of Events grouped by Event ID
      Event | summarize AggregatedValue = count() by EventID…
  All Events with level "Warning"
      Event | where EventLevelName == "warning" | sort by TimeGenerated desc…
  Count of Events with level "Warning" grouped by Event ID
      Event | where EventLevelName == "warning" | summarize AggregatedValue = count() by EventID…
  How many connections to Operations Manager's SDK service by day
      Event | where EventID == 26328 and EventLog == "Operations Manager" | summarize AggregatedValue = count() by bin(TimeGe…
  Events in the Operations Manager Event Log whose Event ID is in the range between 2000 and 3000
      Event | where EventLog == "Operations Manager" and EventID >= 2000 and EventID <= 3000 | sort by TimeGenerated desc…
  When did my servers initiate restart?
      search in (Event) "shutdown" and EventLog == "System" and Source == "User32" and EventID == 1074 | sort by TimeGenerate…
  Windows Firewall Policy settings have changed
      Event | where EventLog == "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" and EventID == 2008 | so…
  On which machines and how many times have Windows Firewall Policy settings changed
      Event | where EventLog == "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall" and EventID == 2008 | su…
  All IIS Log Entries
      search * | extend Type = $table | where Type == W3CIISLog | sort by TimeGenerated desc…
  Shows breakdown of response codes
      search * | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = count() by scStatus…
  Find the maximum time taken for each page
      search * | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = max(TimeTaken) by csUriStem…
  Shows which pages people are getting a 404 for
      search scStatus == 404 | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = count() by csUriS…
  Average HTTP Request time by HTTP Method
      search * | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = avg(TimeTaken) by csMethod…
  Shows servers that are throwing internal server error
      search scStatus == 500 | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = count() by sCompu…
  Count of IIS Log Entries by HTTP Request Method
      search * | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = count() by csMethod…
  Count of IIS Log Entries by HTTP User Agent
      search * | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = count() by csUserAgent…
  Count of IIS Log Entries by Client IP Address
      search * | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = count() by cIP…
  IIS Log Entries for a specific client IP Address (replace with your own)
      search cIP == "192.168.0.1" | extend Type = $table | where Type == W3CIISLog | sort by TimeGenerated desc | project csU…
  Count of IIS Log Entries by URL requested by client (without query strings)
      search * | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = count() by csUriStem…
  Count of IIS Log Entries by Host requested by client
      search * | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = count() by csHost…
  Count of IIS Log Entries by URL for the host "www.contoso.com" (replace with your own)
      search csHost == "www.contoso.com" | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = count…
  Total Bytes sent by Client IP Address
      search * | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = sum(csBytes) by cIP…
  Total Bytes received by each Azure Role Instance
      search * | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = sum(csBytes) by RoleInstance…
  Total Bytes received by each IIS Computer
      search * | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = sum(csBytes) by Computer | limi…
  Total Bytes responded back to clients by each IIS ServerIP Address
      search * | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = sum(scBytes) by sIP…
  Total Bytes responded back to clients by Client IP Address
      search * | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = sum(scBytes) by cIP…
  Average HTTP Request time by Client IP Address
      search * | extend Type = $table | where Type == W3CIISLog | summarize AggregatedValue = avg(TimeTaken) by cIP…
  All Syslogs
      Syslog | sort by TimeGenerated desc…
  All Syslog Records with Errors
      Syslog | where SeverityLevel == "error" | sort by TimeGenerated desc…
  All Syslog Records grouped by Facility
      Syslog | summarize AggregatedValue = count() by Facility…
  All Syslog Records grouped by ProcessName
      Syslog | summarize AggregatedValue = count() by ProcessName…

Category: General Exploration
  Which Management Group is generating the most data points?
      search * | summarize AggregatedValue = count() by ManagementGroupName…
  Distribution of data Types
      search * | extend Type = $table | summarize AggregatedValue = count() by Type…
  All Computers with their most recent data
      search not(ObjectName == "Advisor Metrics" or ObjectName == "ManagedSpace") | summarize AggregatedValue = max(TimeGener…
  Stale Computers (data older than 24 hours)
      search not(ObjectName == "Advisor Metrics" or ObjectName == "ManagedSpace") | summarize lastdata = max(TimeGenerated) b…

secalert170925, May 26 '21 00:05
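A quick way to confirm what the reporter is seeing: Microsoft Sentinel stores hunting queries as Log Analytics saved searches whose Category is "Hunting Queries", so every row with another Category (function, TEST, Log Management, General Exploration) is a plain workspace saved search or function, not a hunting rule. The PowerShell below is an added example, not code from the AZSentinel module or from the thread; it assumes only that the cmdlet's objects carry the Category, DisplayName and Query properties shown in the Format-Table output above, and its sample rows are constructed to mirror that output rather than taken from a real workspace.

```powershell
# Added example, not part of AZSentinel or this issue thread.
# Assumption: input objects expose Category, DisplayName and Query, as in the
# Format-Table output in the report. Sentinel hunting queries are saved searches
# with Category "Hunting Queries"; anything else is not a hunting rule.

function Split-HuntingRuleOutput {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]] $InputObject,
        [string] $HuntingCategory = 'Hunting Queries'
    )
    begin { $all = @() }
    process { $all += $InputObject }
    end {
        $hunting = @($all | Where-Object { $_.Category -eq $HuntingCategory })
        $other   = @($all | Where-Object { $_.Category -ne $HuntingCategory })
        [pscustomobject]@{
            HuntingRules    = $hunting                       # what the cmdlet should return
            NotHuntingRules = $other                         # saved searches / functions leaking through
            Summary         = $all | Group-Object Category | Select-Object Name, Count
        }
    }
}

# Constructed sample rows mirroring the report (not real workspace data).
$sample = @(
    [pscustomobject]@{ Category = 'function';            DisplayName = 'testFunction2';              Query = 'Heartbeat' }
    [pscustomobject]@{ Category = 'Log Management';      DisplayName = 'All Events';                 Query = 'Event | sort by TimeGenerated desc' }
    [pscustomobject]@{ Category = 'General Exploration'; DisplayName = 'Distribution of data Types'; Query = 'search * | extend Type = $table | summarize AggregatedValue = count() by Type' }
    [pscustomobject]@{ Category = 'Hunting Queries';     DisplayName = 'Example hunt (constructed)'; Query = 'SecurityEvent | where EventID == 4688 | take 10' }
)

$result = $sample | Split-HuntingRuleOutput
$result.Summary         | Format-Table Name, Count
$result.NotHuntingRules | Format-Table Category, DisplayName

# Against a live workspace, feed the command from the report instead of $sample:
# Get-AzSentinelHuntingRule -WorkspaceName $WorkSpaceName -SubscriptionId $SubscriptionId |
#     Split-HuntingRuleOutput
```

On the reporter's output the NotHuntingRules list would contain every row shown and HuntingRules would be empty, which is the cleanest way to state the bug: the cmdlet is returning the workspace's saved searches and functions without filtering on the hunting-query category.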