Microsoft Sentinel this Week - Issue #155
Stuff from Me
Happy Friday, everyone!
Welcome to the latest issue of our Microsoft Sentinel newsletter, where we delve into the cutting-edge of security operations and event management. In this edition, we’re excited to share insights from industry experts, updates on the latest features, and tips to enhance your security posture with Microsoft Sentinel.
Thanks for reading Microsoft Sentinel this Week! Subscribe for free to receive new posts and support my work.
Our focus remains steadfast on providing a scalable, cloud-native solution that empowers you with AI-driven insights and automation to streamline your security operations. With over 300 partner integrations and a robust community backed by Microsoft security experts, Microsoft Sentinel stands as a modern approach to SIEM that’s designed to detect complex threats and expedite incident response.
Thank you for your continued support and engagement. Together, we’re forging a path towards a more secure and resilient digital landscape.
…
Next week, I’ll be in the fabulous Mall of America in Minnesota at the Midwest Management Summit, talking about and delivering demos for Copilot for Security. This is a great, community-driven conference, and if you’re not attending this one, consider one of the two editions this group puts on each year. The next opportunity is the Flamingo Edition, Oct 20-23, 2024 at the Westin Fort Lauderdale Beach Resort in Florida: https://mmsmoa.com/mms2024fll
That’s also a reminder that the new Copilot for Security newsletter, THE PROMPT, launches today. Copilot for Security content has moved from this newsletter to its own bi-weekly newsletter, so if you want to learn about and keep tabs on Copilot for Security, subscribe over there:
…
That’s it from me for this week.
Have an awesome weekend and week ahead.
Talk soon.
-Rod
Stuff to Read
The way of the Cookie - ironPeak Blog - For everyone in the room who is somewhat of an IT administrator to one or more Azure (including Office365) tenants, please raise your hand if you’ve been bestowed with the gift (or curse) of permanent administrative permissions. Cue nervous laughter. Sounds a bit risky, right? Imagine the chaos if that account ever fell into the wrong hands. But how could one ever fix this at all if you need those to do your job? Let me show you the way of the cookie, a vastly underutilized feature of Azure. So grab one and let’s crunch through this together.
Investigating Microsoft Graph Activity Logs - At the beginning of April (2024) Microsoft announced the general availability of the Microsoft Graph activity logs. This new log source opens opportunities for a variety of defensive security roles. This blog explains how the data can be effectively analyzed and enriched with KQL. Lastly, the blog explores the new detection potential by sharing a query to detect AzureHound activity.
Streamlining Bulk Incident Closure in Azure Sentinel with PowerShell - Azure Sentinel, Microsoft’s cloud-native SIEM (Security Information and Event Management) solution, offers powerful capabilities for detecting, investigating, and responding to security threats. In this blog post, we’ll explore how to streamline bulk incident closure in Azure Sentinel using a simple PowerShell command.
Stuff to Watch/Listen To
MSI Show Partner Month 2024: A Look Back - What an amazing month! Our annual partner themed month produced some great discussions with our Copilot for Security partners. I want to personally thank all of our guests and our audience for your participation and support.
Stuff to Attend
May 2nd - Microsoft Sentinel Webinar | Splunk to Microsoft Sentinel Migration Experience - Learn about the new functionality in Microsoft Sentinel that assists with Splunk to Microsoft Sentinel migration, starting with converting Splunk detections to Microsoft Sentinel analytic rules.
May 21st - Microsoft Sentinel Webinar | Optimizing Your Security Operations: Manage Your Data, Costs and Protections with SOC Optimizations in Microsoft Sentinel - In this webinar, we'll dive deep into how Microsoft Sentinel SOC Optimization empowers security operations.
June 4th - Microsoft Sentinel Webinar | Building Microsoft Sentinel Integrations - Part 1: Onboarding - In this webinar, we will go over the scenarios to consider when building Sentinel integrations and share guidance to help you decide what scenarios make sense.
Stuff About Copilot for Security
For Copilot for Security content, subscribe to the sister publication: The CfS Prompt - https://aka.ms/TheCfSPrompt
Stuff in Techcommunity
Handling Entity Data in Sentinel - So, I have set up some playbooks that allow me to add IPs/Domains/File Hashes to the MDE Indicators list, which is awesome to have and saves time when we need to block malicious entities. However, I have not found a great way for Sentinel to give me more information regarding File Hashes.
Stuff to Have
Entra Identity Protection Risk Hunting Workbook
Identify endpoints where MitigationStatus is Isolated - The following query leverages the DeviceInfo table and identifies endpoints where MitigationStatus Isolation equals true. It will also return the logged-on UserName and Domain.