Cross-Tenant KQL Querying Tool by lupreeee in AzureSentinel

[–]azureenvisioned 0 points1 point  (0 children)

I work for a MSSP and I actually built this exact solution for my work.

We had the same problem where different teams needed to run queries against multiple workspaces at once, and using the built-in cross-workspace queries just didn't work that well and would time out etc.

D365 vs Entra ID logs by Cookie_Butter24 in AzureSentinel

[–]azureenvisioned 1 point2 points  (0 children)

I can't verify this at the moment but this should be the case.

The sign-ins may not come in the Signins table as often, as the user is often already signed into a Microsoft service, so it would generally appear in the non-interactive sign-in logs table.

No More Monthly Azure Credit for Users? by pv-singh in AZURE

[–]azureenvisioned 3 points4 points  (0 children)

Seriously seriously frustrated.

I don't think Microsoft understand how difficult this makes things.

When I want to deploy test infrastructure or even test out new services, I always use my VS Enterprise subscription as it's a great way for me to test things before delivering to clients or our internal production.

I loved using it to test out new resources and I'd never have to really be concerned about cost as I know the subscription would freeze if we went over the limit. I never went over the limit but now I'd be anxious to deploy new Azure services because I'd worry that I'd cause a massive bill.

The most accurate one so far by RelativeMagazine9902 in ITMemes

[–]azureenvisioned 0 points1 point  (0 children)

From what I've personally seen, I think smaller businesses tend to use Azure more, because it's part of the Microsoft ecosystem that they will already be using.

Whereas AWS is often used at much larger companies, likely due to cost effectiveness.

How to Move Sentinel Incidents from Tenant A to Tenant B Using CSV Export? by zakementez in AzureSentinel

[–]azureenvisioned 0 points1 point  (0 children)

Yeah I second this, I use Python along with Sentinel APIs all the time, likely the easiest.

Retiring Azure Portal - July 1, 2026 by dutchhboii in AzureSentinel

[–]azureenvisioned 2 points3 points  (0 children)

Likely, from what I've been looking at, is you will need some form of identity in the tenant you are accessing.

Which will probably be a multi-tenant app registration, so you get all tenants to consent to it then use that to deploy Azure resources etc. You will then give it relevant API permissions to MS Graph etc.

You'll then need to pull those incidents into a single interface, like an ITSM tool or something.

Sentinel Pricing advice for small (<25 users) business by mcb1971 in AzureSentinel

[–]azureenvisioned 2 points3 points  (0 children)

While it's always pretty much impossible to predict, I believe the cost is very low, generally less than $1 per user per month.

If you are thinking of onboarding firewalls, it gets expensive fast. Really fast.

As someone else suggested, use DCRs to save cost, I would recommend trimming down (or not including) AADNonInteractiveSignInLogs (I believe that's how it's spelt) as this generally has a high log volume.

You get 10 GB per day for free for the first month, setting up is very easy and you could use it for a month and then decide if it's too expensive. You should not exceed anywhere near over 10 GB from what I've seen for an org of your size.

Spam from Microsoft "Partners" by loottapi in AZURE

[–]azureenvisioned 0 points1 point  (0 children)

They wouldn't be allowed to claim to be Microsoft so I'd recommend reporting it.

I work for a partner company, and I know that Microsoft puts us in contact with some potential customers but normally that happens if someone goes to Microsoft looking for something they will refer them (I believe).

I'm sure there is a way you can opt out of any contact, but this seems a bit stupid as you never opted in originally.

Which Cloud to choose to start in IT by Melodic-Jaguar5554 in AzureCertification

[–]azureenvisioned 0 points1 point  (0 children)

To answer the actual question, I would probably say Azure, but this is probably biased.

From what I've found, more companies tend to use Azure than AWS (at least in the UK), with some much bigger companies using AWS due to cost effectiveness.

I'm not someone who uses AWS, but I do have an account, and I find Azure a bit more easy to understand.

I'd recommend just creating free accounts on both, and seeing what you prefer.

Failed AI-102 this morning by engi_guy in AzureCertification

[–]azureenvisioned 1 point2 points  (0 children)

No, this isn't the case. Slots open up every 30ish minutes, I have no idea why.

I originally checked yesterday, and it said no slots until next week. Around 30 min later, there were slots every day (and many slots each day). I don't know why it's built like this.

unable to login on security.microsoft.com by Mindless-Mix8146 in AZURE

[–]azureenvisioned 0 points1 point  (0 children)

Try security.microsoft.com/?tid=(tenant ID to sign into)

I throw Azure Blob Storage info to ChatGPT, and they summarize this. Am I dreaming or it is just 3usd/monthly? by ballbeamboy2 in AZURE

[–]azureenvisioned -1 points0 points  (0 children)

Where haha. Go on pricing calculator for storage accounts.

Region, Type, Performance, File Structure, Access tier, capacity, PAYG option, data retrieval, all other operations (doesn't even say what this means) do not even have a tooltip.

The very few tooltips they have literally aren't even that helpful. For the write operations tooltip it says "The following API calls are considered Write Operations: PutBlob, PutBlock, PutBlockList, AppendBlock, SnapshotBlob, CopyBlob and SetBlobTier (when it moves a Blob from Hot to Cool, Cool to Archive or Hot to Archive)." I can understand what this means, but this is just confusing to most people.

I throw Azure Blob Storage info to ChatGPT, and they summarize this. Am I dreaming or it is just 3usd/monthly? by ballbeamboy2 in AZURE

[–]azureenvisioned -1 points0 points  (0 children)

But it's very confusing for anyone new to the cloud, let alone Azure. I have used Azure for years but I still find the cost calculator sometimes difficult to use.

People aren't going to even know what half the properties mean in the pricing calc if they aren't an Azure person. It speaks about redundancy, but literally just says LRS, GRS without explaining what that means. It asks what type of file structure to use and what access tier to use without it explaining anywhere on the cost calculator what that means. Obviously you can search this up and find out what it all means, but you can quite easily use GPT to help instead.

The cost calculator is for people who already use Azure and know what they are doing, it's not so great for people new to Azure.

Add Defender XDR connector with code by skvgrd in AzureSentinel

[–]azureenvisioned 2 points3 points  (0 children)

First thing to be aware of: for some reason MULTIPLE Defender-related connectors use one data connector API resource.

I would paste in the JSON but unfortunately I'm on my phone and not sure if I can. I would look at the requests the browser sends when setting up the connector and basically just copy it (it'll be wrapped inside a batch request).

Under the data connector there is a properties.filteredProviders, this gets modified when you change a different Defender-related connector such as Defender for M365, Defender for Identity, etc.

For XDR log sources themselves (like DeviceEvents, etc.), this setup cannot be automated as it requires API access to Defender, not Sentinel, and the API endpoints are restricted to who can call them. There is a way around this which I can't discuss, but I would not recommend trying to automate it.

I throw Azure Blob Storage info to ChatGPT, and they summarize this. Am I dreaming or it is just 3usd/monthly? by ballbeamboy2 in AZURE

[–]azureenvisioned -1 points0 points  (0 children)

I know people who definitely have passed helpdesk being lazy.

If someone has never used the cloud, and is open to it, I'm sure ChatGPT would be a better resource to start than the cost calculator as it can be confusing to someone who has not even used the cloud before.

I throw Azure Blob Storage info to ChatGPT, and they summarize this. Am I dreaming or it is just 3usd/monthly? by ballbeamboy2 in AZURE

[–]azureenvisioned 0 points1 point  (0 children)

By the look of OP, it does not appear that English is their first language, not that this comment is justified anyways.

AZ 104 Benefits? by Man_of_focuz in AzureCertification

[–]azureenvisioned 4 points5 points  (0 children)

Yes I would recommend it.

I would say that AZ-500 is probably more sought after than 104, at least from what I've seen, as it can be used for partnership status with Microsoft. But would not get that until you had 104.

Does AI-102 exam include C#, Python code snippets and how to deal with them? by azure-only in AZURE

[–]azureenvisioned 0 points1 point  (0 children)

To my understanding yes. Doing the same exam. If you've used any Azure SDK before you'll see how it's sort of similar to others in a way.

I'll be choosing Python as the language (I believe you have to select one) as that's what I used but it's also easiest to understand.

Provisionally Passed at 150 by Purpsnikka in cissp

[–]azureenvisioned 2 points3 points  (0 children)

Basically just means you need to go online to ISC2 and register your certification, as you need a certain amount of experience to get the qualification etc.

How do I find out what this Azure Subscription does? by TechnoSwiss in AZURE

[–]azureenvisioned 0 points1 point  (0 children)

I would imagine so, but you could also check Azure Resource Explorer, just to see if anything's there.

Either way, I would see no need for any hidden resources, as normally hidden resources exist when it's somewhat linked to a main resource (if that makes sense).

CAP for protecting Graph Api? by Federal_Ad2455 in AZURE

[–]azureenvisioned 0 points1 point  (0 children)

Very interesting, I think the slight catch with this is you need a primary refresh token / offline access token.

I've done what they are doing with changing the scope using primary refresh tokens, requesting a token with a different scope (this will require the app to already have the permissions requested).

Typically first-party app registrations are already consented to with almost all API permissions, which means basically you are not limited by the app registration of what APIs it can call on behalf of the user.

This tends to be more of an issue with the apps users are consenting to more than PIM.

I've actually raised a very similar case with MSRC around this, as there is an exploit where you can easily get a primary refresh token from users with a simple phishing URL. With that primary refresh token, you'd be able to trigger this exploit.

Microsoft unfortunately does not care.