Microsoft Sentinel this Week - Issue #145
Stuff from Me
Happy Friday, everyone! I hope your week has been a good one.
This week, I sat through 3 days of internal Copilot for Security training. There was a lot of learning to consume, and my brain was fried at the end of each day. And despite being plugged into Copilot for Security for the last year already, there were lots of nuggets to glean. You all should be very excited about what’s coming.
Thanks for reading Microsoft Sentinel this Week! Subscribe for free to receive new posts and support my work.
Of course, with my level of ADHD I couldn’t just sit and listen; I had to work while learning. So, here are a couple of Copilot for Security treasures I put together during the training:
When it hits GA, Security Copilot will become Copilot for Security. I’ve updated the Windows wallpaper to reflect the change. You can download the updated Windows wallpaper from here: https://github.com/rod-trent/Security-Copilot/tree/main/Images
I reorganized and built out the “Plugins” section for the Copilot for Security GitHub repo: https://aka.ms/MustLearnCfP
Working on the formatting, but here's a good example of how a "prompt session" works in Copilot for Security. It’s a way to teach "how to prompt" and provide exposure to the guts of a Promptbook: https://github.com/rod-trent/Security-Copilot/blob/main/Prompts/Plugins/Tanium.md#promptbook-flow-example
There’s a new Templates folder. The templates are designed to facilitate the creation of structured and detailed prompts for Copilot for Security, ensuring that all pertinent information related to an incident in the template’s area of focus is captured for effective analysis and response. Templates folder here: https://github.com/rod-trent/Security-Copilot/tree/main/Prompts/Templates
And finally, here’s a folder for Promptbooks: https://github.com/rod-trent/Security-Copilot/tree/main/Prompts/Promptbooks
P.S. If you’re interested in deeper learning for prompt engineering, we have several resources coming as we get closer to GA for Copilot for Security. Additionally, check out: Prompt Engineering for AI: A Valuable Skill for Security Professionals?
And one more thing on Copilot for Security. We have added 7 new videos to the Microsoft Copilot for Security Playlist on YouTube over the past couple days. Check them out: https://lnkd.in/gnH82dYv
Are you a Copilot for Security partner or want to be? Monitor this page: https://aka.ms/CopilotforSecurityPartners
…
In the last couple of newsletter issues I already noted my upcoming trip to speak at the Experts Live Denmark edition, but now I’ve also been tapped for the Paris date of the Microsoft AI Tour. So, I’ll be in Europe slightly longer than I originally planned. I say that to suggest we now have two opportunities to meet somewhere in Europe in March. If you’re in the area (either Copenhagen or Paris) in March, try to find me.
Microsoft AI Tour dates: https://envision.microsoft.com
Experts Live Denmark edition: https://events.justattend.com/events/conference-tickets/584b32f5
In Paris, I’ll be talking about securing Generative AI and tools developers can use to enhance security for the things they build. In Denmark, I’ll be focusing mostly on Copilot for Security.
…
The super popular Sentinel SOC 101 free eBook is now over 210 pages with many more coming.
Looks like there's enough interest building to warrant paperback/hardcover editions. I'll shoot for post-Spring for that.
Consider this, though. All the content that I've written for the Sentinel SOC 101 series should actually be moot once Copilot for Security is released. And I’m OK with that. In a perfect world, Copilot for Security should supply much of this knowledge to you just by asking.
…
That’s it from me for this week.
Talk soon.
-Rod
Stuff to Read
Using Python Plugin in Microsoft Sentinel by Leveraging ADX - Microsoft Sentinel is a robust SIEM platform, but it has its limitations, particularly when it comes to extending its capabilities with Python and fully leveraging the Kusto Query Language (KQL). However, there’s a workaround that bridges this gap up to a certain point, integrating the advanced analytics and flexibility of Python with Sentinel’s comprehensive security data.
Create Tasks Repository in Microsoft Sentinel - One of the most important factors in running your security operations (SecOps) effectively and efficiently is the standardization of processes. SecOps analysts are expected to perform a list of steps, or tasks, in the process of triaging, investigating, or remediating an incident. Standardizing and formalizing the list of tasks can help keep your SOC running smoothly, ensuring the same requirements apply to all analysts. This way, regardless of who is on-shift, an incident will always get the same treatment and SLAs. Analysts don't need to spend time thinking about what to do or worry about missing a critical step. Those steps are defined by the SOC manager or senior analysts (tier 2/3) based on common security knowledge (such as NIST), their experience with past incidents, or recommendations provided by the security vendor that detected the incident. In Microsoft Sentinel, you can utilize Tasks functionality for this purpose.
Azure Monitor Agent Migration Security Tips - Attention Microsoft Sentinel users, this is your six-month heads-up! Microsoft’s Log Analytics Agent, the tool that brings logs from your non-Azure systems to Microsoft Sentinel, is scheduled to be deprecated on August 31, 2024. The Azure Monitor Agent will then take over as the fully supported logging agent.
Monitoring Windows built-in local security Groups with Microsoft Defender XDR or Sentinel - Windows has several built-in local security groups that are designed to manage permissions and access rights on a computer. These groups are predefined by Windows, and each group has specific rights and permissions. The exact groups available can vary depending on the version of Windows you’re using or the features that are enabled, but here’s a general overview of the most commonly found built-in local security groups in Windows systems.
Microsoft Sentinel SOC 101: How to Detect and Mitigate Inactive Account Sign-ins with Microsoft Sentinel - In this post, I will explore how to use Microsoft Sentinel to detect and mitigate inactive account sign-ins with Microsoft Entra ID, the identity and access management service that provides single sign-on and multi-factor authentication for cloud and hybrid applications. I will also discuss some of the best practices and recommendations for managing inactive accounts in Microsoft Entra ID.
Microsoft Sentinel SOC 101: How to Detect and Mitigate Social Engineering Attacks with Microsoft Sentinel - Social engineering attacks have become a prevalent and concerning issue in the realm of cybersecurity. These attacks involve manipulating individuals to divulge sensitive information or perform actions that may compromise the security of an organization. The impact of social engineering attacks can be devastating, leading to financial loss, reputational damage, and even legal consequences. It is crucial for organizations to understand the techniques employed by attackers and implement effective defense mechanisms to mitigate the risk.
Microsoft Sentinel SOC 101: How to Detect and Mitigate Multiple Microsoft Teams Deleted by a Single User with Microsoft Sentinel - In this blog post, we will show you how to use Microsoft Sentinel, a cloud-native security information and event management (SIEM) solution, to detect and respond to multiple Teams deletion events in your organization.
Stuff That's New or Updated
What's New: CrowdStrike Falcon Data Replicator V2 Data Connector is now Generally Available! - The CrowdStrike Falcon Data Replicator V2 Data Connector is now Generally Available as a part of the CrowdStrike Falcon Endpoint Protection solution in Microsoft Sentinel Content Hub. The connector leverages an Azure Function based backend to poll and ingest CrowdStrike FDR logs at scale.
Windows DNS Events via AMA connector now generally available (GA) - Windows DNS events can now be ingested to Microsoft Sentinel using the Azure Monitor Agent with the now generally available data connector. This connector allows you to define Data Collection Rules (DCRs) and powerful, complex filters so that you ingest only the specific DNS records and fields you need.
For more information, see Stream and filter data from Windows DNS servers with the AMA connector.
Stuff That's Related
Stuff About Security Copilot
Awesome set of resources for Copilot for Security - Here are some resources that are helpful in ramping up and using Security Copilot.
Copilot for Security Prompt Samples - As we get closer to Copilot for Security being a tangible thing, today I’ve started building a prompt template library to help drive your own creativity.
Leveraging Generative AI for Efficient Security Investigation Summaries - Generative AI (GAI) has revolutionized how we interact with technology, especially in the realm of cybersecurity. By understanding natural language, GAI enables us to instruct complex operations in simple terms. This post explores how to utilize GAI for creating concise, accurate summaries of security investigations, using Security Copilot as a prime example.
The Ways Microsoft Copilot for Security Can Enhance Security Operations with Microsoft Purview - In the ever-evolving landscape of cybersecurity, organizations are constantly seeking innovative solutions to protect their data and comply with regulatory requirements. Microsoft Security Copilot, powered by advanced AI, offers a robust set of capabilities that can significantly enhance security operations when integrated with Microsoft Purview.
Microsoft Copilot for Security provides immediate impact for the Microsoft Defender Experts team | Microsoft Security Blog - Organizations everywhere are on a lightning-fast learning trajectory to understand the potential of generative AI and its implications for their security, their workforce, and the industry at large. AI is quickly becoming a force multiplier—presenting significant opportunities for security teams to increase productivity, save time, upskill resources, and more. News and information about “the age of AI” is everywhere. But while AI generates a lot of buzz, it’s not all just talk. Microsoft Copilot for Security is already showing immediate impact for security teams at Microsoft.
Stuff in Techcommunity
Fortinet CEF Log to Microsoft Sentinel - We have deployed an Ubuntu machine with the CEF Collector to collect Fortinet Firewall logs. We have an issue: the machine correctly receives and collects the logs, but does not send them to Microsoft Sentinel.
Stuff from Partners
Stuff to Have
sigconverter.io - Sigma rule converter
Create-AnalyticRulesFromTemplates automates the creation of Analytic Rules in Microsoft Sentinel starting from existing Templates. The cmdlet Create-AnalyticRulesFromTemplates creates the Analytic Rules (aka Rules) based on the Analytic Rules Templates (aka Templates) available in the Content Hub Solutions (aka Packages) already installed in the Sentinel workspace.
Create No_Signing_Last_90_Days.kql - Get a list of users who have not signed in for more than 90 days.
Detect_Multiple_Teams_Delete_IP.kql - Detecting multiple Teams deletion from a single IP address.
Detect_Multiple_Teams_Delete_User.kql - Detecting multiple Teams deletion by a single user.