Microsoft Sentinel this Week - Issue #156
Stuff from Me
Happy Friday all!
Just a quick note from me as I’m in Minneapolis this week talking about and demoing Copilot for Security to the attendees at the Midwest Management Summit.
Thanks for reading Microsoft Sentinel this Week! Subscribe for free to receive new posts and support my work.
It’s been a great week. Lots and lots of discussion about Copilot for Security - but more focused on how it intersects with Microsoft Intune - or rather Copilot in Intune powered by Copilot for Security. More to come on that statement next week. I have had plenty of in-person discussions and have lots of feedback to filter through, which means the product teams I work with can expect plenty of work items.
There’s been a lot of general interest and attendees can see the value of how the Microsoft Intune teams have adopted and adapted the embedded experience of Copilot for Security.
I love events like this where I’m able to gather feedback that can also be used to develop ideas for new content around areas where there still may be some confusion or that need some further clarity. That’s what you can expect from me on my blog in the next few weeks.
That said, as you’re reading this I’m packing up for home. My grandson’s 3rd birthday party is Saturday and I’ll be home just in time. For those who have been following along here in this community - can you believe it’s been 3 years already? How does that happen?
But that’s also a big reminder that this newsletter has been delivering for 3 years!
Thanks all for your continued support! The Sentinel community has come a long way in 3 years.
Talk soon.
-Rod
Stuff to Read
Send data to Microsoft Sentinel using Cribl Stream - Microsoft Sentinel is a modern cloud-native SIEM, enriched by AI and threat intelligence empowering security teams with an easy and powerful security operations solution. Microsoft Sentinel offers a comprehensive toolset to collect, correlate, and analyze large volumes of security data across multicloud, multiplatform environments to detect and mitigate cyberthreats at scale.
SOC optimization: unlock the power of precision-driven security management - Today, we’re happy to announce the public preview of a new experience and API – Microsoft Sentinel’s SOC Optimization, designed to empower security teams with precision-driven management capabilities. SOC optimization offers actionable tailored recommendations that adapt daily to the organization’s environment – starting with gaps in data utilization and detection of different types of attacks.
How-To Install and Setup: Azure Arc, (AMA) Azure Monitor Agent and (DCR) Data Collection Rules for sending Linux Syslog to Sentinel for Threat Hunting and Security Monitoring with AuditD - With the retirement of the legacy Log Analytics agent, this will go over the new way to send logs from Linux into Sentinel using Azure Arc and DCR. This gives additional flexibility and control over our endpoints and which logs we want to send in to Sentinel.
Stuff to Watch/Listen To
Stuff to Attend
Building securely: Microsoft Build 2024 - This year’s Microsoft Build event is shaping up to be a must-attend event. The high demand for secure software development continues to grow. And with the complexity of today’s digital world, developers are being asked to do even more to keep apps, AI, and code secure—with more focus on built-in security and more integrated security at every phase of design, development, and deployment. Developers who attend Microsoft Build can learn how to manage and govern AI, securely. Our commitment is to provide developers with the knowledge, tools, and practices needed to build safely. It’s a commitment to ensuring security isn’t an afterthought, but a fundamental component of the entire development lifecycle. And Microsoft Build is a great time and place to connect with other developers globally, grow your skills, and learn more about building secure copilots, generative AI, securing applications, and more. Register now for live keynotes, breakout sessions, demos, and social events. Or if you can’t make it in person, access sessions online and on-demand.
Stuff That's New or Updated
Optimize your security operations with SOC optimizations (preview)
Microsoft Sentinel now provides SOC optimizations, which are high-fidelity and actionable recommendations that help you identify areas where you can reduce costs, without affecting SOC needs or coverage, or where you can add security controls and data where they are found to be missing.
Use SOC optimization recommendations to help you close coverage gaps against specific threats and tighten your ingestion rates against data that doesn't provide security value. SOC optimizations help you optimize your Microsoft Sentinel workspace, without having your SOC teams spend time on manual analysis and research.
If your workspace is onboarded to the unified security operations platform, SOC optimizations are also available in the Microsoft Defender portal.
For more information, see:
Stuff That's Related
Retrieving more than 30,000 records from Log Analytics Workspace using Azure Data Explorer - In the ever-evolving landscape of cloud computing, Log Analytics Workspace is used as a tool in Azure to collect logs, edit/run log queries and interactively analyze query results.
Stuff About Copilot for Security
Copilot for Security stuff is now available in its own bi-weekly newsletter. Use the following to subscribe.
Stuff in Techcommunity
Cisco Secure Endpoint connector integration in Sentinel - I am trying to send logs of Cisco AMP/Secure Endpoint to Sentinel. I have selected the ARM template deployment method. But I am not able to understand what exactly is "App insights workspace resource ID" that is highlighted in the image below. I have not created any Application Insights and don't know much about it. Can anyone help?
KQL how to save query as functions with parameters? - I have written this query, and I saved it as a function and entered the parameters as shown in the figure. I need to understand where I am going wrong. If I call the function and input the parameters, the result is an error.