Azure Sentinel – A Guide for Data Classification for Windows Server Event Log with Azure Sentinel Workbook

This post shows how to use a Kusto query to classify log data when a log entry contains only a single string and you want to separate that string into different columns for easier viewing.

The steps for the whole configuration will be:

  1. Create a new Workbook
  2. Develop a customized Workbook for Windows Server
  3. Log Data Classification

Step 1 – Create a new Workbook

Go to “Sentinel” and select “Workbook”, then click “Add workbook” to create a blank workbook.

Step 2 – Develop a customized Workbook for Windows Server

For the Sentinel Workbook, you can build a dashboard like our example.

For detailed information on Workbook design, please see our post:

Azure Sentinel – A Guide for Customizing Sentinel Workbook (Kusto Query) for Sentinel Incidents

Step 3 – Log Data Classification

This is the primary KQL for classifying the log data in Windows Server Event messages:

Because the Windows Event Log does not have raw data about the Event Name, we exported all the Event Log names into a CSV and used a loop to construct the KQL for the column “EventTitle”.

For the above example, you need to extend a custom column and use some string operations to do the log data classification.
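
The CSV-and-loop step described above, as an added example that is not part of the original post or its GitHub template: a Python script that reads an exported event ID/name CSV and emits an `extend EventTitle = case(...)` clause, plus one string operation that puts the first line of the message into its own column. The CSV headers, the `Event` table with its `RenderedDescription` column, and the `Summary` column name are assumptions; the sample rows are constructed.

```python
import csv
import io

# Constructed sample export: one row per event ID and event name.
SAMPLE_CSV = '''EventID,EventName
4624,An account was successfully logged on
4625,An account failed to log on
4688,A new process has been created
7045,A service was installed in the system
9999,Constructed name with "quotes" and a \\ backslash
'''

def kql_string(value):
    """Quote a value as a KQL string literal, escaping backslashes and quotes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'

def load_event_names(csv_text):
    """Return {event_id: name}; rows with a non-numeric ID or empty name are skipped."""
    names = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        event_id = (row.get("EventID") or "").strip()
        name = (row.get("EventName") or "").strip()
        if event_id.isdecimal() and name:
            names[int(event_id)] = name
    return names

def build_event_title_extend(names, id_column="EventID"):
    """Loop over the mapping and emit an `extend EventTitle = case(...)` clause."""
    lines = ["| extend EventTitle = case("]
    for event_id in sorted(names):
        lines.append(f"    {id_column} == {event_id}, {kql_string(names[event_id])},")
    # case() needs a final default value for IDs that are not in the CSV.
    lines.append(f'    strcat("Unknown event ", tostring({id_column})))')
    return "\n".join(lines)

def build_query(csv_text, table="Event"):
    """Full query: add EventTitle, then split the message string into a column."""
    return "\n".join([
        table,  # assumed table name
        build_event_title_extend(load_event_names(csv_text)),
        # String operation: first line of the message becomes its own column.
        '| extend Summary = extract(@"^([^\\r\\n]*)", 1, RenderedDescription)',
        "| project TimeGenerated, Computer, EventID, EventTitle, Summary",
    ])

if __name__ == "__main__":
    print(build_query(SAMPLE_CSV))
```

Escaping the names before they are embedded matters because a quote or backslash in an exported event name would otherwise break the generated query or change what it matches.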

You can visit our SOS GitHub to download the source code as a template:

https://github.com/SOSHKMVP/AzureSentinel-Workbook/blob/main/WindowsEvents_Dashboard.txt

Eric Chan

Microsoft MVP
SOS Group Limited
