Things from Me
Happy Friday everyone!
I hope your week was a good one.
…
To start out this week, I want to let you know the Microsoft Ignite session catalog is now live! For those attending in-person or those attending virtually you can now sift through the catalog to locate your top desired sessions.
Here’s the direct link: https://ignite.microsoft.com/sessions
…
Speaking of in-person versus virtual attendance, one of my sessions this year will NOT be recorded, so you HAVE TO BE THERE in person. If you're attending Microsoft Ignite in Chicago, make sure you come find me for this session on Plugins for Security Copilot:
https://ignite.microsoft.com/en-US/speakers/b898aba9-a1e6-4926-b681-7ddebfe64440?source=/sessions
…
I took a sharp pivot this week to do some investigation into how the new capabilities of Microsoft Copilot can help me. What I found was super informative and a bit eye-opening. In this recent episode of my “After the Blog” podcast, I interviewed Microsoft Copilot about Microsoft Ignite. The results are entertaining and informative and contain some valuable details for Igniters.
Take a look/listen…
…
Here’s a big heads-up: I will be in Ft. Lauderdale, Florida speaking at a conference the week of October 21st. So, this is your first note that this newsletter will not deliver that week. I’ll remind you again next week before I head out.
…
Lastly, I want to make you aware that I will be back in Denmark in March of 2025 for Experts Live.
Details here: https://conference.expertslive.dk/
Additionally, if you’d like to speak at this conference, the call for content is now open: https://sessionize.com/experts-live-denmark-2025
…
Talk soon.
-Rod
Things to Attend
Make the most of your time at Microsoft Ignite! - Companies that strengthen their security with AI and safeguard their AI with security will be the lasting industry leaders. Join us at Microsoft Ignite 2024, November 18-22, to learn how you can create a security-first culture in the age of AI. The in-person experience is sold out, but security professionals can join us virtually to be a part of the Microsoft Security @ Microsoft Ignite Experience online. Whether you are joining us live or catching Microsoft Ignite on-demand, you won’t want to miss the product announcements, demos and technical training across your favorite Microsoft Security solutions. Keep reading for a preview of sessions you can expect.
Things that are Related
Integrating Security Drift into the Microsoft Security Future Initiative (SFI) - Microsoft has consistently been at the forefront of innovation and protection. The Microsoft Security Future Initiative (SFI) is a testament to this commitment, aiming to fortify digital defenses and anticipate future threats. A crucial aspect of this initiative is addressing the concept of Security Drift, a phenomenon that can undermine even the most robust security frameworks. This blog explores how Security Drift integrates into SFI, ensuring a comprehensive and resilient cybersecurity posture.
Why Security is Everyone’s Job - The importance of security cannot be overstated. As technology continues to advance, so do the threats that target our digital and physical realms. Whether it's a multinational corporation, a small business, or even an individual, security breaches can have devastating consequences. It is imperative to understand that security is not just the responsibility of a dedicated team or department; it is everyone’s job. In this blog post, we will explore the reasons why security should be a collective effort and how each individual can contribute to a safer environment.
Demystifying Log Ingestion API - In this blog, I’m going to delve into ingesting and transforming application logs into a Log Analytics workspace using the Log Ingestion API technique. Before we jump into the details, let’s explore the different types of ingestion techniques based on the application log types.
Things to Watch/Listen To
Things in Techcommunity
PnpDeviceBlocked for onboarded devices - We have an Entra hybrid setup with devices onboarded as hybrid joined. Using SCCM, we’ve configured Co-management with a pilot group synced to Intune, shifting the Endpoint Protection workload to Intune.
Backing up Sentinel and the Security subscription - A lot of people ask about how Security Operations can effectively back up all of the Sentinel related objects. One option is to use GitHub or Azure DevOps pipelines to get a daily backup. I've been doing this for a very long time and it seems like a good forum to share that code.
Things from Partners
Unlock the Secrets to Mastering Security Drift Management. Download the whitepaper: https://senserva.com/drift-management-whitepaper
Copilot for Security Things
Copilot for Security: Guided Hands-on Workshop - Want to get hands-on with Copilot for Security alongside one of our Copilot experts? Sign up for this 3-hour guided session, where we will take you through the CfS live environment and enable you to go through the exercises using the Copilot for Security Training lab.
Microsoft Sentinel Things
Update Microsoft Sentinel Workbooks Efficiently At Scale (In Bulk) - Microsoft Sentinel comes with Content Hub, which you can use out-of-the-box to get content value and start on Microsoft Sentinel quickly. Solutions in Microsoft Sentinel Content Hub provide a consolidated way to acquire Microsoft Sentinel content, like data connectors, playbooks, workbooks, analytics rules, hunting, and automation in your workspace with a single deployment step.
Introducing the Use Cases Mapper workbook - While looking for the most effective use cases for Sentinel, it usually makes sense to start with data sources that already exist in some way in the corporate environment, whether due to a previous / third-party SIEM integration or due to an already implemented security stack / solution. The next logical step in this process is to determine preexisting Sentinel solutions for the products already in use. Unfortunately, this is often done only inadequately or is not carried out completely due to lack of resources. In addition, the available solutions (so-called Content Hub solutions) continue to evolve, and once implemented, necessary updates may be neglected. This is where the Use Case Mapper Workbook can help.
Cowrie honeypot and its Integration with Microsoft Sentinel - Cowrie is an advanced honeypot designed to emulate SSH (Secure Shell) and Telnet services to attract, detect, and analyse malicious activities. As a type of cybersecurity tool, a honeypot like Cowrie is used to create a controlled environment that mimics real systems to lure attackers. Once attackers interact with Cowrie, their activities are logged (as JSON), providing valuable insights into their methods and motives.
How to Detect North Korean Threat Actors Kimsuky - It’s 2024, and while the world keeps turning, Kimsuky—the cyber equivalent of that one person who won’t stop emailing you—keeps phishin’. If you haven’t heard of Kimsuky, let me introduce you: they’re a North Korean-backed threat actor also known as APT43, Sparkling Pisces, Thallium, and a handful of other names, probably because they keep reinventing themselves like a pop band. Their latest release? Two new malware strains: KLogEXE and FPSpy.
How to use Log Analytics log data exported to Storage Accounts - Exporting your logs from Sentinel or Log Analytics to Azure storage account blobs gives you low-cost long-term retention, as well as benefits such as immutability for legal hold, and geographical redundancy.
Sentinel Phantom Fields: Understanding and Managing Inaccessible Data - Managed Sentinel - Microsoft has transitioned to a DCR-based log ingestion and manual schema management for tables. Many organizations are adopting this modern approach to parse, filter, and enrich logs during ingestion. While effective, this system can incur unnecessary expenses if not used properly, leading to billable fields that remain inaccessible when querying events. We refer to these as “phantom fields.”
Defender XDR Things
File hosting services misused for identity phishing - Legitimate hosting services, such as SharePoint, OneDrive, and Dropbox, are widely used by organizations for storing, sharing, and collaborating on files. However, the widespread use of such services also makes them attractive targets for threat actors, who exploit the trust and familiarity associated with these services to deliver malicious files and links, often avoiding detection by traditional security measures.
Defender for Identity Things
Microsoft Defender for Identity – New posture recommendations focusing on Active Directory - Here at my blog, I’m committed to keeping you ahead of the newest of the new – and also to cool tools to help you against threats and vulnerabilities. Excited to announce that Microsoft is now expanding coverage with new identity posture recommendations focusing on Active Directory as part of Microsoft Secure Score with Defender for Identity installed!
Defender for Office Things
Use community queries to hunt more effectively across email and collaboration threats - Using a new set of pre-built community queries to investigate and respond to email and collaboration related security threats, you can now hunt even more effectively.
Windows Defender Things
Peeking Behind the Curtain: Finding Defender’s Exclusions - In this blog post, we will discuss a new method we’ve discovered that allows users to determine exclusion paths without relying on Windows Event Logs and without requiring administrative privileges. Unlike the previous technique, where access to exclusion paths depended on reviewing existing event logs, this new approach leverages the MpCmdRun.exe tool included with Microsoft Defender.
Microsoft Entra Things
What is Microsoft Entra (and why use it)? - Microsoft Entra is a family of identity and network access products designed to implement a Zero Trust security strategy. It is part of the Microsoft Security portfolio which also includes Microsoft Defender for cyberthreat protection and cloud security, Microsoft Sentinel for security information and event management (SIEM), Microsoft Purview for compliance, Microsoft Priva for privacy and Microsoft Intune for endpoint management.
Token theft protection with Microsoft Entra, Intune, Defender XDR & Windows - Prevent attackers from stealing your identity and data by protecting your tokens. In single sign-on systems like SAML and OAuth, tokens are how services know who you are and what you can do. When you sign in to your machine with your Microsoft Entra ID account, you are getting a session token you can use to access things like your email, Teams and other apps. Check out new capabilities like Credential Guard in Windows enforced by device policies in Intune, Token Protection enforcement in Microsoft Entra, and token theft detections in Microsoft Sentinel and Defender XDR.