Microsoft SIEM and XDR Weekly Wrap - Issue #17
Microsoft SIEM and XDR Weekly Wrap - Issue #17
Major Day
Things from Me
Happy Friday everyone!
As you’re reading this, I’m preparing to attend the Cincinnati Comic Expo as part of my birthday celebration. My birthday was October 10th, and even though I was gifted other presents on the actual day, today is extra special.
My wife rarely knows exactly what to get her husband who can generally buy what he wants, so I helped her out this year and bought my own birthday gift. Around 3pm today, I will be meeting Lee Majors, having him sign a piece of my memorabilia, and then getting a picture taken with him.
If you’re not aware already, Lee Majors is a childhood hero who played Steve Austin on the Six Million Dollar Man TV show in the 1970’s. If you’ve ever read the Must Learn KQL learning series, you’re intimately aware of this because I use it as part of an example. It’s even a question on the Must Learn KQL assessment.
And then, if you’ve ever watched our weekly show, The Microsoft Security Insights Show, you’ve seen my video background, which is replete with all sorts of Six Million Dollar Man curios.
I’ve met him before in my youth, along with his then wife, Farrah Fawcett, but this is still a real treat. I’ll share my experiences and probably photos in the next issue.
After my birthday prize, I’m gearing up to head out to Ft. Lauderdale, Florida next week for the MMS Flamingo conference where I’ll be co-presenting on Security Copilot with my good friend and MVP Morten Knudsen, and delivering a mini-KQL workshop with my Russian hacker colleague and MVP, Sergey Chubarov.
Which leads me to this…
I mentioned this during last week’s newsletter issue and this is your reminder: This newsletter will NOT deliver next week due to my being deeply engaged with community at the conference.
…
This past week, I sat down with Steve Goodman and Rich Dean of the Practical 365 podcast to talk all things Security Copilot. Here’s where you can listen in…
…
Lastly, help us plan the topics for an upcoming webinar! On December 5th, 2024, we will host a public webinar on how to effectively integrate APIs with Microsoft Sentinel and the Unified Security Platform. This session will cover when to use APIs, how to set them up, and potential challenges. We will present live demos to guide you through the process. To ensure this webinar is as engaging and relevant as possible for you, we’d love your input to help us create its agenda!
Do you have any use cases you think we should feature? Or have you encountered any blockers that you'd like us to address? We’re eager to find out what content matches your needs the most! Please answer this survey to help us with your input. It will remain open until October 31st, 2024.
Take the survey here: https://forms.office.com/r/hrWtm34WFu
…
That’s it from me for this week.
Talk soon.
-Rod
P.S. One additional thing...also on Friday, my latest fiction novel releases. This is the second in the Sword of the Shattered Kingdoms series called Isolde Frostbane: Legacy of the Ice Priestess.
Things to Attend
Defender Experts: S.T.A.R. Forum - Strategies for Threat Awareness and Response, Episode 1 - Are you ready to elevate your cybersecurity game? Join us for an engaging and informative webinar hosted by Microsoft Defender Experts, where we’ll dive into the ever-evolving landscape of cyber threats.
Things that are Related
Security Drift: The Silent Killer - New threats often capture our attention with their immediate and visible impact. However, lurking beneath the surface is a less conspicuous but highly insidious threat known as security drift. This gradual erosion of security measures over time can lead to significant vulnerabilities, making it a silent killer in the realm of cybersecurity. In this blog post, we will explore what security drift is, why it occurs, and how organizations can effectively combat it.
How to Turn Your Environment into Breach-Ready - The threat of cyber breaches is ever-present and evolving. To safeguard sensitive data and maintain the integrity of your systems, it is essential to turn your environment into breach-ready. This guide will provide you with comprehensive steps to enhance your security posture and ensure your readiness against potential cyber threats.
Why the Security Operations Center (SOC) Needs to be Modernized and Reformed - The Security Operations Center (SOC) stands at the frontline, defending organizations against an ever-growing array of cyber threats. The traditional SOC model, rooted in paradigms of the past, is increasingly being tested by the demands of the modern cyber environment. It is imperative to modernize and reform SOCs to ensure they remain effective, efficient, and capable of protecting critical assets in this dynamic ecosystem.
Announcement: Introducing the Logic Apps Hybrid Deployment Model (Public Preview) - We are excited to announce the launch of the Logic Apps Hybrid Deployment Model, a new feature that empowers our customers with additional flexibility and control. This new offering allows you to build and deploy workflows that run on customer-managed infrastructure, providing you with the option to run Logic Apps on-premises, in a private cloud, or even in a third-party public cloud.
Things to Watch/Listen To
Things in Techcommunity
Entra Cloud Sync - Will Creating a New Configuration Sync Immediately With Defaults - Setting up a new Entra Cloud sync agent for a customer who already has an established on-prem AD and Azure AD with a mess of non-synced accounts and passwords between them. So, I need to do a slow roll on this thing and filter syncing by OUs in AD.
Sysmon /operational is not in Event table - Need to create use case base on Sysmon /operational and with Event ID = 1. But Sysmon is not configured. Use case is based on process. It is GitHub use case. Need to create with the help of defender table.
Things from Partners
WHITEPAPER: Unlock the Secrets to Mastering Security Drift Management - Maintaining a robust security posture is more critical than ever. Even the most meticulous organizations can fall victim to security drift—a silent adversary that gradually deviates your systems and configurations from established security baselines.
Copilot for Security Things
Microsoft Security Copilot: AI's Role in Revolutionizing Cybersecurity - The Practical 365 Podcast S4 E29 - In this week’s episode of the Practical 365 podcast, Rich Dean and I had the pleasure of speaking with Rod Trent, Senior Program Manager at Microsoft. Before we discussed Microsoft Copilot for Security, Rod shared insights into his diverse career. From running conferences to writing books (both fiction and technical), managing communities, and serving as editor-in-chief for publications like Windows IT Pro, Rod’s journey has been centered around content creation. Now in his role at Microsoft, provided us with a deep dive into Microsoft Security Copilot and its potential to transform the cybersecurity landscape.
Microsoft Sentinel Things
Save money on your Sentinel ingestion costs with Data Collection Rules - Today, we’ll outline a strategy you can use to reduce your data volume while also collecting and retaining the information that really matters. We’ll show you how to use Data Collection Rules (DCRs) to drop information from logs that are less valuable to you. Specifically, we’ll first discuss the thought process around deciding what’s important in a log to your organization. Then we’ll show you the process of using DCRs to “project-away” information you don’t want or need using two log source examples. This process saves direct ingress and long-term retention costs and reduces analyst fatigue.
What to do if your Sentinel Data Connector shows as [DEPRECATED] - Several Sentinel users raised the alarm that several of the data connectors they were using suddenly show as deprecated in the user interface.
A Cost-Effective Approach to Integrate Edgio RTLD WAF Logs into Microsoft Sentinel | LinkedIn - In this article, we will present our custom-developed, cost-effective methodology for on-boarding Edgio RTLD WAF logs into Microsoft Sentinel. When it comes to SOC monitoring, Edgio provides a rich set of RTLD WAF logs that offer significant security value for web application protection. As shown in the diagram below, Edgio RTLD logs can be delivered to various destinations using multiple methods. If you're using Microsoft Sentinel as your SIEM and want to ingest Edgio RTLD WAF logs, the only direct method available is through Azure Blob Storage. This method of using Azure Blob Storage has its own cost and can be quite expensive. During a recent client engagement, we were tasked with developing a more budget-friendly alternative to this solution.
New Low-Cost Log Options, Automation, AI & SIEM Migration | Microsoft Sentinel Updates - Streamline threat detection and response across diverse environments with Microsoft Sentinel, your cloud-native SIEM solution. With features like Auxiliary logs for low-cost storage and proactive data optimization recommendations, you can efficiently manage high volumes of security data without compromising on threat intelligence. Leverage built-in AI and automation to uncover hidden threats and reduce investigation time from days to minutes.
Defender for Cloud Things
Deprecation of three compliance standards - Estimated date for change: November 17, 2024 - Three compliance standards are being removed from the product:
SWIFT CSP-CSCF v2020 (for Azure) - This was superseded by the v2022 version
CIS Microsoft Azure Foundations Benchmark v1.1.0 and v1.3.0 - We have two newer versions available (v1.4.0 and v2.0.0)
Learn more about the compliance standards available in Defender for Cloud in Available compliance standards.
Defender for Endpoint Things
Unleash The Power Of DeviceTvmInfoGathering - The DeviceTvmInfoGathering table in Defender XDR is one of the understudied tables of Defender For Endpoint. With only the small amount of four listings from Alex Verboon on kqlsearch.com before researching this table. This blog explores the uncovered potential of this table, because this will help you a lot to get quick insights into the configuration Defender For Endpoint on your devices!
Defender XDR Things
Demystify potential data leaks with Insider Risk Management insights in Defender XDR - In today's complex security landscape, understanding and mitigating data exfiltration risks is more critical than ever. Earlier this year, we announced the integration of Insider Risk Management (IRM) insights into the Defender XDR user page, offering enhanced visibility into insider risk severity and exfiltration activities. This integration empowers SOC teams to detect and respond more effectively to insider threats, enabling them to better distinguish between external and internal attacks.
Defender Experts Things
Phish, Click, Breach: Hunting for a Sophisticated Cyber Attack - In this blog, we will walk through one of the observed scenarios and discuss hunting approaches for detecting such attacks.
Microsoft Purview Things
Streamlining AI Compliance: Introducing the Premium Template for Indonesia's PDP Law in Purview - As AI and digital technologies continue to transform industries, aligning solutions with regulatory requirements has never been more critical. To help organizations navigate these challenges, we’re excited to introduce the Premium Assessment Template for Indonesia’s Personal Data Protection (PDP) Law in Microsoft Purview Compliance Manager.
Microsoft Entra Things
Support tip: Always unenroll from MDM when unjoining and rejoining Microsoft Entra hybrid devices - Recently, we identified an issue affecting Microsoft Entra hybrid devices which also impacts Windows Autopilot hybrid deployment. It occurs when hybrid devices are unjoined and rejoined to Microsoft Entra without first being unenrolled from mobile device management (MDM). This disruption can impact the device experience for users.
Trusted Signing is now open for individual developers to sign up in Public Preview! - In the realm of software development, code signing certificates play a pivotal role in ensuring the authenticity and integrity of code. For individual developers, obtaining these certificates involves a rigorous identity validation process. This blog explores the challenges individual developers face and how Trusted Signing can streamline the code signing process, with a focus on how its individual validation process contributes to this efficiency.