Things from Me
Happy Friday everyone!
Thanks so much for your continued support of this community. I hope each week’s updates continue to provide you value. And if it does, please share this newsletter with your colleagues.
…
It’s been a couple weeks since we’ve been together. If you remember, the newsletter didn’t deliver last week due to my travel and speaking schedule. But just prior to delivering sessions on KQL and Security Copilot in Ft. Lauderdale, Florida last week, I had my birthday wish fulfilled.
From the last newsletter: If you’re not aware already, Lee Majors is a childhood hero who played Steve Austin on the Six Million Dollar Man TV show in the 1970s. If you’ve ever read the Must Learn KQL learning series, you’re intimately aware of this because I use it as part of an example. It’s even a question on the Must Learn KQL assessment.
Here’s one result of this endeavor…
In the picture, that’s me on the left, my wife on the far right, and my youngest daughter (in the green hair) and - of course - Lee Majors right in the middle. My youngest daughter worked for a couple weeks on her Cosplay costume, which is some anime character I can’t remember. But it worked out so well, there were a bunch of attendees that asked to take selfies with her. We all had a great time. Lee was super nice, friendly, and even told a couple jokes.
…
What’s next? Microsoft Ignite!
If you’re attending Microsoft Ignite this year in Chicago in November (brrrrrr!), here are some definite ways to find me.
2 Lab options:
Boost security and IT efficiency with Microsoft Security Copilot
* LAB462 Wednesday, November 20 4:00 PM - 5:15 PM Eastern Standard Time https://ignite.microsoft.com/en-US/sessions/LAB462
* LAB462-R1 Thursday, November 21 9:30 AM - 10:45 AM Eastern Standard Time https://ignite.microsoft.com/en-US/sessions/LAB462-R1
1 Theater session:
Mastering custom plugins in Microsoft Security Copilot - https://ignite.microsoft.com/en-US/sessions/THR653
* THR653 Tuesday, November 19 12:15 PM - 12:45 PM Eastern Standard Time
These aren’t the only times you’ll be able to find me at Microsoft Ignite, but you’ll have to look harder otherwise. In addition to Security Copilot booth duty and the community areas, my Microsoft Security Insights Show cohosts and I will be hosting some impromptu community events.
…
That’s all from me for this week.
Talk soon.
-Rod
Things to Attend
Automating Mission-Critical Security with Azure Logic Apps - November 7th, 11am-12pm ET - In this session, we’ll explore how to leverage Azure Logic Apps to address budget-constrained, mission-critical security use cases while reducing overhead for your SOC analysts.
Things that are Related
Emerging Threats in Cloud Security: What You Need to Know - Cloud computing has revolutionized the way businesses operate, offering unparalleled flexibility, scalability, and cost-efficiency. However, as organizations increasingly migrate critical applications and sensitive data to the cloud, the landscape of cybersecurity threats evolves correspondingly. Understanding these emerging threats is paramount for any business looking to safeguard its digital assets in the cloud. This blog post delves into the most pressing cloud security threats and provides insights on how to mitigate them effectively.
Zero Trust partner kit - Helping our partners and customers design, architect, and deploy security solutions is important. These top-requested Zero Trust resources are available for you to use with your own organization and customers. They're ready for you to add your own branding.
Skill up to strengthen your organization’s cybersecurity posture - National Cybersecurity Awareness Month is an ideal time for organizations of all sizes to refocus and make a plan to build strong, year-round defenses. Microsoft Learn for Organizations can help your teams build skills to protect and secure your data, information, and systems.
Stay ahead of cyber threats with security skill-building - As organizations around the world contend with mounting cyber threats, one thing is clear: building security skills is everyone’s responsibility. And cybersecurity isn’t just for October—it’s a year-round concern. Sophisticated attacks are increasingly common and costly; combatting them requires a comprehensive strategy that invests not only in cutting-edge technology, but in the knowledge and abilities of your team.
Things to Watch/Listen To
Things in Techcommunity
Issue while deploying Sentinel Rules - I know that when deleting a Sentinel rule, you need to wait a specific amount of time before it can be redeployed. However, in this tenant, we've been waiting for almost a month and are still getting the same deployment error ('was recently deleted. You need to allow some time before re-using the same ID. Please try again later. Click here for details'). I still want to use the same ID etc. Does anyone have any idea or similar issue why it's still not possible after waiting for about a month?
Secure Score - Accounts with non-default Primary Group ID failing to return exposed entities - When trying to complete this secure score item on the "General Tab" it states under Users affected "No data to show". Going to the "Exposed Entities" tab I get "Failed to load data, please try again later". This has been happening for a couple of days since I first looked at this item and I am not able to progress it. Please can you advise...
Copilot for Security Things
Microsoft Sentinel Things
Microsoft now a Leader in three major analyst reports for SIEM - We’re excited and honored to be positioned in the Leaders Category in the IDC MarketScape: Worldwide SIEM (security information and event management) for Enterprise 2024 Vendor Assessment (doc #US51541324, September 2024)—our third major analyst report in SIEM to name Microsoft as a Leader.
The Mysterious Case of the Disappearing Logs - Recently, a Sentinel instance that I'm responsible for showed a significant decrease in the volume of firewall logs being ingested. This drop coincided with an upgrade to the firewall firmware version, so I assumed there may have been a change in what logs were being sent by the firewalls.
Deploy Microsoft Sentinel using Bicep - Bicep is a domain-specific language that uses declarative syntax to deploy Azure resources. It provides benefits over Azure Resource Manager (ARM) templates, including smaller file size, integrated parameter files, and better support for tools like Visual Studio Code.
Unified Security Operations Platform - Technical FAQ! - If you are a security practitioner who uses Microsoft Sentinel in your daily workflows, and you have tried or are evaluating the unified security operations platform for your SOC – this blog is for you. With Microsoft Sentinel now Generally Available in the Microsoft Defender portal, as part of our unified security operations platform, it’s a great time to try and get started with a streamlined experience for the two products.
Effective Approach To Collect Windows Firewall Events To Microsoft Sentinel - The built-in Windows Firewall is a great security feature for the Windows client and server operating systems. While not every organization actively uses Windows Firewall (they may have a third-party security solution deployed instead), the Windows Firewall application has a powerful logging component that is highly valuable for investigation and proactive hunting.
Improving automated Sentinel detection validation - Microsoft Sentinel offers a lot of features, one being the ability to manage your analytic rules (detection rules) as infrastructure as code. Microsoft Sentinel, being a cloud-native SIEM, was designed with an API-first approach in mind. That means it supports storing SIEM content as Infrastructure as Code (IaC).
Defender for Cloud Things
Enhancing Server and Container Risk Score Analysis in Power BI - The Power BI solution builds on Defender for Cloud's capabilities by integrating these multiple factors, providing a more comprehensive risk score for each resource and enhancing the prioritization of vulnerabilities requiring urgent remediation. This combined approach allows users to generate a more accurate top-down list of resources needing attention.
New E-book: Building a Comprehensive API Security Strategy - APIs are everywhere. They are proliferating at a rapid pace, which makes them a prime target for attackers. Thus, having a plan to secure and protect your APIs as part of your overall cybersecurity strategy is critical for protecting your business, as well as sensitive user data.
MMA migration experience is now available - You can now ensure that all of your environments are fully prepared for the post-Log Analytics agent (MMA) deprecation expected at the end of November 2024.
Security findings for GitHub repositories without GitHub Advanced Security is now GA - The ability to receive security findings for infrastructure-as-code (IaC) misconfigurations, container vulnerabilities, and code weaknesses for GitHub repositories without GitHub Advanced Security is now generally available.
Defender XDR Things
Coming in December: SC-5004: Defend against cyberthreats with Microsoft Defender XDR - To earn this Microsoft Applied Skills credential, demonstrate the ability to defend against threats with Microsoft Defender (XDR). As a candidate for this credential, you should be familiar with investigating and gathering evidence about attacks on endpoints. You should also have experience using Microsoft Defender for Endpoint and Kusto Query Language (KQL).
Defender for Cloud Apps Things
Microsoft Purview Things
Upcoming design updates: Microsoft Purview Message Encryption Portal - The Microsoft Purview Message Encryption portal will undergo minor design updates to align with Purview branding. Microsoft will be updating fonts, colors, controls, and more to align with Purview branding. These changes are designed to enhance the user experience without causing any disruptions. Microsoft will begin rolling out changes mid-October 2024 and expects to complete by mid-December 2024.
Microsoft Entra Things
How to block TOR access on Corp devices by using Conditional Access in Entra ID - For individuals without a work-related need to access the TOR network from the corporate network or on corporate devices, it may be best to block it. Implementing this is straightforward and requires only the following steps:
* Two Conditional Access Named Locations
* One Conditional Access Policy
* One Logic App
Manage Microsoft Entra ID role assignments with Microsoft Entra ID Governance - I’m excited to announce that we now support Microsoft Entra role assignments in Microsoft Entra ID Governance's Entitlement Management feature!
Managed Identity Permission Manager – A new tool is out to test – v. 1 - Introducing a new PowerShell tool for Managing Managed Identity Permissions in Azure/Entra ID!
Meet Microsoft Entra at Ignite 2024: November 18-22 - This year, we're thrilled about our sessions on Microsoft Entra. These breakouts are your all-access pass to not only hear about the cutting-edge advancements in identity and access management (IAM), but also to engage with Microsoft Entra experts and team members behind these innovations. Whether you're curious about advancing your Zero Trust architecture with identity and network, delving into the latest advancements in generative AI for securing access, or exploring our unified approach to identity and network access controls, we've got you covered!
Update to security defaults - This update is part of our ongoing effort to provide you with a secure and reliable identity service. We recommend that you enable security defaults for your organization if you are not using Conditional Access, as security defaults offer a simple and effective way to protect your users and resources from common threats.
Set Device Extension Attributes In Microsoft Entra ID - Extension attributes in Microsoft Entra ID provide a powerful method to add custom details to objects, including devices, in your tenant. They allow you to store unique data about each device, enabling filtering and grouping for specific policies or apps. These attributes cover devices registered as Microsoft Entra ID Joined, Hybrid Joined, or simply Registered.