Microsoft Sentinel this Week - Issue #150
Stuff from Me
Happy Friday everyone!
This Friday is a special one for a couple of reasons.
First off, if you haven’t heard during or after the Microsoft Secure event this past week, the Copilot for Security GA was announced. Copilot for Security goes live in just a couple weeks from now on April 1st. I truly hope that releasing on April Fool’s Day is not an omen, but we’re clearly not superstitious at Microsoft or we would never have branded so many different things ‘Mesh’ over the years.
As part of that, I’m headed to Denmark tomorrow to talk about Copilot for Security at Experts Live. I’ll be delivering a keynote called Microsoft Security Copilot: The Future of Cybersecurity on Wednesday of next week after spending some time being a tourist, having customer dinners, and enjoying time with my good friend and MVP, Morten Waltorp Knudsen and his family. I’m really looking forward to finally being able to talk about Copilot for Security in a public setting and spending time with many folks in person that I’ve only connected with over LinkedIn and other online platforms over the years.
NOTE: Because of my travel schedule and the time zone change, this newsletter will not deliver next week.
…
Happy birthday, KQL!
KQL, once just an internal codename at Microsoft, turned 10 years old on Tuesday, March 13, 2024.
I’m proud and happy to see how far KQL has come and how I’ve had a small part in helping it gain greater adoption.
…
And P.S. STILL no grandbaby yet. It’s sort of funny… I offloaded trips to Paris and Berlin to make sure to be at home for the birth, but it looks like it may happen while I’m in Denmark.
Talk soon.
-Rod
Stuff to Read
Mastering Threat Intelligence: Enhancing Cyber Security with Microsoft Sentinel - Learn how to leverage threat intelligence to enhance cyber security with Microsoft Sentinel. This article provides insights from a recent session on threat intelligence and incident response, including key points and FAQs for a comprehensive understanding.
Enhanced Cybersecurity: Azure Sentinel Data Export to Azure Storage Guide - Exporting data from a Log Analytics workspace allows you to continuously send data from chosen tables to either an Azure Storage Account or Azure Event Hubs. This feature sends data directly from the Azure Monitor pipeline as it arrives. This article offers a breakdown of this capability and instructions on setting up data export to an Azure Storage account in your workspaces.
Stuff to Watch/Listen To
Stuff to Attend
Microsoft Secure Tech Accelerator - Apr 03 2024, 07:00 AM - 11:00 AM (PDT) - Join us on April 3rd at the Microsoft Secure Tech Accelerator for a deep dive into the announcements from the Microsoft Secure digital event on March 13th. You'll have an opportunity to learn technical information that will help you and your team implement Copilot, learn how to Secure your AI, see demonstrations, and get answers to your questions from the product team. All sessions will be streamed live here on the Microsoft Tech Community as well as on YouTube and X.
Microsoft Copilot for Security Beyond Basics: Analysts moving at the speed of AI - When: Tuesday, April 9, 2024 11:00 AM Pacific Time / 02:00 PM Eastern Time - Cybersecurity challenges are constantly evolving and require security operations teams to be agile, efficient, and effective. Copilot for Security uses the power of AI to equip these teams with natural language interaction that can help them to summarize vast data signals into key insights, provide quick guidance and context to respond to incidents, empower and advance junior staff through step-by-step assistance, and much more.
Stuff That's New or Updated
Data connectors for Syslog and CEF based on Azure Monitor Agent now generally available (GA) - Microsoft Sentinel has released two more data connectors based on the Azure Monitor Agent (AMA) to general availability. You can now use these connectors to deploy Data Collection Rules (DCRs) to Azure Monitor Agent-installed machines to collect Syslog messages, including those in Common Event Format (CEF). To learn more about the Syslog and CEF connectors, see Ingest Syslog and CEF logs with the Azure Monitor Agent.
SIEM migration experience (preview) - The new Microsoft Sentinel Migration experience helps customers and partners automate the process of migrating their security monitoring use cases hosted in non-Microsoft products into Microsoft Sentinel. This first version of the tool supports migrations from Splunk. For more information, see Migrate to Microsoft Sentinel with the SIEM migration experience.
Stuff That's Related
How to add a constant to a time chart in Kusto | LinkedIn - Time charts are useful for detecting trends, anomalies, and patterns in your data. But what if you want to compare your metric to a fixed value, such as a threshold or a baseline? How can you add a constant line to your time chart that shows the desired value across the entire time range? In this blog post, I will show you how I used Copilot in Edge, an AI-powered code completion tool, to help me solve this problem.
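The technique the linked post addresses, shown here as an added KQL example that is not from the linked post or this newsletter: the constant is projected as its own column with `extend`, so the time chart renders it as a second, flat series across the whole time range next to the metric. The source table, the 7-day window, the hourly bin and the threshold value of 50 are constructed assumptions for illustration.

```kusto
// Added example (not from the original post): hourly failed-logon count
// plotted against a fixed threshold line.
// Assumptions: SecurityEvent table, 7-day window, 1-hour bins, threshold 50.
SecurityEvent
| where TimeGenerated > ago(7d)
| where EventID == 4625                       // Windows failed logon
| summarize FailedLogons = count() by bin(TimeGenerated, 1h)
| extend Threshold = 50                       // constant column -> flat line on the chart
| render timechart
```

One caveat when reading the chart: `summarize ... by bin()` emits no row for hours with zero events, so both series will have gaps there. If you want a continuous line, build the series with `make-series ... step 1h default=0` instead and add the constant to that result.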
Exporting Azure Management Group Activity Logs - I’ve been working with Management Groups a lot recently in my day job and have really seen the benefit of being able to enforce governance by assigning RBAC roles and policies once, and have all new subscriptions inherit them. However, I soon realised there was no way in the Azure Portal or the native Azure RM Terraform provider to export the Activity Logs to a Log Analytics Workspace for use with Sentinel, so I decided to figure out a solution to this.
Stuff About Copilot for Security
Microsoft Copilot for Security: General Availability details - To help you seize this opportunity, we are excited to announce the general availability of Microsoft Copilot for Security (Copilot) on April 1st. This industry-leading product is the only generative AI solution that helps security and IT professionals amplify their skillset, collaborate more, see more, and respond faster.
Highlight… Microsoft plans to make Copilot for Security generally available for purchase as a consumption offering beginning April 1, 2024. We will have one simple pricing model that covers both the standalone Copilot experience, and embedded experiences across the Microsoft Security product portfolio.
A consumption model means it will be easy to get started quickly and on a small scale, to experiment and learn with no upfront per device or per user charges. Customers will use their existing Azure subscription or sign up for one if they are not already an Azure customer. They will then be able to provision Azure capacity to support all their Copilot for Security workloads, both standalone and embedded. Copilot for Security capacity is anticipated to be billed monthly via a new Security Compute Unit (SCU) at the rate of $4/hr.
Microsoft Copilot for Security is generally available on April 1, 2024 | Microsoft Security Blog - Today, we are excited to announce that Microsoft Copilot for Security will be generally available worldwide on April 1, 2024. The industry’s first generative AI solution will help security and IT professionals catch what others miss, move faster, and strengthen team expertise. Copilot is informed by large-scale data and threat intelligence, including more than 78 trillion security signals processed by Microsoft each day, and coupled with large language models to deliver tailored insights and guide next steps. With Copilot, you can protect at the speed and scale of AI and transform your security operations.
Copilot for Security Resources - With the GA of Copilot for Security now fully announced, it’s time to stay engaged and learn more. Use the following resources to continue your learning path.
Brief: MDTI and Copilot for Security - MDTI powers Copilot for Security via a wide range of Threat Intelligence skills and promptbooks. Skills are natural language commands that allow you to retrieve and operate on MDTI data and content.
Tip: Running Copilot for Security in the Microsoft Edge Sidebar for Quick Access - I don’t know how many of you use the sidebar feature for Microsoft Edge, but I use it periodically, and it’s a highly recommended feature if you need quick access to certain websites. In particular, the sidebar has become a valuable tool more recently to host the link to CfS for easy access.
Microsoft introduces a preview of Copilot in Intune - Microsoft Intune is at the cusp of transforming endpoint management and security with Microsoft Copilot, introducing new ways for organizations to help protect and drive productivity for your workers and simplify IT and security operations. April 1, 2024 will mark the beginning of a new era of endpoint management with the public preview of Copilot in Intune.
Grab a new Copilot for Security Windows Background https://github.com/rod-trent/Security-Copilot/tree/main/Images/WindowsBackgrounds
Stuff in Techcommunity
Adding tenable.io connector to Microsoft Sentinel - I am trying to connect the tenable.io connector to my Sentinel instance. I have followed the steps and provided the access key and other information requested. I can see in my resource group that everything was successfully deployed with app insight and function app and storage, but when I go back to the connector it shows that it is disconnected and the common logs are still greyed out. Please, what am I doing wrong?
Ingest logs from WorkOS API to our customer's Sentinel / Logs Analytics workspace - Hey everyone, I'm learning about the Azure environment to stream WorkOS Audit Log Events to our customers’ Microsoft Sentinel. As a reference, our product has support for other SIEMs such as Splunk and Datadog. IT admins provide, via our Dashboard, the credentials/values needed for our API to call their SIEM client and ingest logs. The goal of this post is to get guidance on the solution with the best experience for IT admins that use Azure's Sentinel.
Stuff from Partners
From our partner, Invoke: Microsoft Copilot for Security Readiness Assessment & PoC - With this readiness assessment, customers will work through various demos of Copilot in action, relevant user scenarios, challenges and pain points to identify the top prioritized scenarios for their Security Operations.
Stuff to Have
Demystifying-KQL - Content repo for the Demystifying KQL tutorial series. This series is a passion project of mine to help SOC analysts get up to speed on KQL to use Microsoft Sentinel. It is designed to give a foundational knowledge of KQL and enable you to ramp up on writing basic security-related queries.
Thanks for reading Microsoft Sentinel this Week!