I’ve just spent a very pleasant couple of days creating a set of Azure Sentinel macros for 3.13.
So far, we have:
- [Azure.Connection:]
- [Azure.SentinelGraph:]
- [Azure.SentinelTable:]
- [Azure.SentinelQuery:]
- [Azure.SentinelScalar:]
It took me a while to get my mind around the KQL language, but now that I have, ReportMagic 3.13 will allow you to use a macro like this:
[Azure.SentinelGraph:
query=`SigninLogs
| where TimeGenerated between (datetime(2024-03-01) .. datetime(2024-04-01))
| where ResultType == "0"
| summarize SigninCount=count() by AppDisplayName, bin(TimeGenerated, 1d)
| render columnchart`,
chartHeight=1000
]
…resulting in:
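As an added example (not from the original post), the companion table to that chart: the failed sign-ins for the same month, grouped by failure reason so the top error codes are visible. It assumes the Azure.SentinelTable macro accepts a `query` parameter in the same way Azure.SentinelGraph does above; the column names are the standard SigninLogs schema.

```kusto
[Azure.SentinelTable:
query=`SigninLogs
| where TimeGenerated between (datetime(2024-03-01) .. datetime(2024-04-01))
// ResultType is a string; anything other than "0" is a failed sign-in
| where ResultType != "0"
| summarize FailedSignins=count(),
            DistinctUsers=dcount(UserPrincipalName),
            DistinctApps=dcount(AppDisplayName)
    by ResultType, ResultDescription
| top 10 by FailedSignins desc`
]
```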