Microsoft Sentinel this Week - Issue #157
Stuff from Me
Good Friday, folks! Thanks (as always) for showing up back here with me week after week.
I’ve been mulling something recently and want to get your thoughts on it.
Microsoft Sentinel is now being integrated more and more into the Unified Portal (Defender portal), and the standalone experience in the Azure portal is being increasingly de-emphasized. I suspect we’ll eventually get to a 1:1 feature sync between the Azure portal and the Defender portal, and the Azure side will be needed less and less.
And I’ve also noticed that there’s far less community content being generated specifically for Microsoft Sentinel. That means there’s far less content for this Microsoft Sentinel dedicated newsletter.
So, I’m considering merging the Microsoft Sentinel weekly newsletter with the Microsoft Defender weekly newsletter. I suspected I’d need to do this eventually, but I believe we’re getting closer and closer to that point. I don’t expect to do it right away, but I’d love to hear your thoughts on it. Use the following poll to let me know or connect directly with me on X or LinkedIn.
…
I’ve mentioned it before, but if you forgot, I’ve co-written the official Microsoft Press book on KQL. Originally, the book was slated to release in late June, but I’ve just been notified this week that it’s getting an early release!
You can expect the physical copies of the book to start shipping on May 24. The eBook/Kindle version will be delivered electronically on June 13th.
Get it here: https://amzn.to/4buXkCK
And while the book releases May 24th from Amazon, it is already released and shipping from the Microsoft Press Store: https://www.microsoftpressstore.com/store/definitive-guide-to-kql-using-kusto-query-language-9780138293383
…
Are you a regular user of Microsoft Sentinel? Review your experience on Gartner Peer Insights™ and get a $25 gift card.
…
That’s it from me for this week. Thanks again for all you do for this community through your shares and support. If you find something that resonates this week, share it with a colleague. Don’t keep it to yourself.
Talk soon.
-Rod
Stuff to Read
How to: Parsing AuditD Syslog in Microsoft Sentinel with a function and combining the events by EventID - The ideal way is to do all this parsing at the log collection level, but depending on your environment and situation, you may not have that ability, so this is a good fallback.
Ingest Open Source Indicators of Compromise - Threat Intel - Let’s suppose that you have a list of Indicators of Compromise, such as IPv4 addresses, that is updated on a weekly basis at a publicly accessible URL, or that your team uses such a URL to push indicators of compromise into Azure Sentinel.
How-To Install and Setup: Azure Arc, (AMA) Azure Monitor Agent and (DCR) Data Collection Rules for… - With the retirement of the legacy Log Analytics agent, this walks through the new way to send logs from Linux into Sentinel using Azure Arc and DCRs. This gives additional flexibility and control over our endpoints and over which logs we want to send to Sentinel.
Stuff to Watch/Listen To
Stuff to Attend
Secure AI Briefing: Protect at the Speed and Scale of AI - Join us at a Microsoft Technology Center for this limited series to learn about the power of Microsoft Copilot for Security and Tanium Converged Endpoint Management (XEM) to help protect more within your organization. Join us from 9:00 AM - 12:00 PM local time at a city near you!
New York, NY: May 21st
Detroit, MI: May 22nd
Atlanta, GA: June 4th
Toronto, ON: June 12th
Irvine, CA: June 13th
Stuff That's Related
Microsoft will require MFA for all Azure users - This July, Azure teams will begin rolling out additional tenant-level security measures to require multi-factor authentication (MFA). Establishing this security baseline at the tenant level puts in place additional security to protect your cloud investments and company.
Logic Apps Aviators Community Day 2024 - On September 26, 2024 (Pacific Time) the Logic Apps Product Group will host a full day of learning where you will be the star! The Logic Apps Aviators Day is a free event driven by Microsoft, for anyone who wants to learn more about Logic Apps and how it can help to solve real-life integration problems. In this full-day event, we will deep-dive into many aspects of Logic Apps with sessions from both the Microsoft team and the community. And we are looking for sessions of all types and lengths, from beginner to advanced, from short demos to full sessions, and from patterns and practices to real-life scenarios.
Stuff About Copilot for Security
Copilot for Security stuff now has its own bi-weekly newsletter!
Stuff in Techcommunity
Cisco Secure Endpoint connector integration in Sentinel - I am trying to send logs of Cisco AMP/Secure Endpoint to Sentinel. I have selected the ARM template deployment method. But I am not able to understand what exactly the "App insights workspace resource ID" highlighted in the image below is. I have not created any Application Insights and don't know much about it. Can anyone help?
Constant Noninteractive sign in attempts from Microsoft IPs - In noninteractivesigninlogs, we're seeing a bunch of attempts made to sign in to our admin accounts rejected with error codes 500131 and 500133 coming from 4.231.207.170 and 2a01:111:f400:fe13::100 (Microsoft datacentre IPs), device type "Windows 10", Resources are ComplianceAuthServer/Office 365 Exchange Online. What are we seeing here, is this a misconfiguration on the Microsoft side, or an attack?
Partner Stuff
CRITICALSTART® Named a Major Player in 2024 IDC MarketScape: Worldwide Emerging Managed Detection and Response Services - Critical Start, a leading provider of Managed Detection and Response (MDR) cybersecurity solutions and pioneer of Managed Cyber Risk Reduction (MCRR), was recently named a Major Player in the IDC MarketScape: Worldwide Emerging MDR Services (doc #US50101523, April 2024).
Stuff in the News
Microsoft is a Leader in the 2024 Gartner® Magic Quadrant™ for Security Information and Event Management | Microsoft Security Blog - We are pleased to announce that Microsoft has been recognized as a Leader in the Gartner® Magic Quadrant™ for Security Information and Event Management (SIEM). We believe our position in the Leaders quadrant validates our vision and continued investments in Microsoft Sentinel, making it a best-in-class, cloud-native SIEM solution. In addition, we are honored to be recognized for our Completeness of Vision. We feel this reflects our deep commitment to listening and delivering on our customers’ security priorities, like the need to simplify operations, rapidly disrupt cyberthreats, and supercharge the security operations center (SOC). In a significant step, we have launched the unified security operations platform, a single experience across security information and event management (SIEM), extended detection and response (XDR), and Microsoft Copilot for Security.
Opposites Attract: LogRhythm And Exabeam To Merge - Today, LogRhythm and Exabeam announced their intent to merge into a single company. This is another big change for the security analytics platform market, which has been undergoing a rollercoaster of activity the past few years, from Microsoft announcing Sentinel in 2019 and Cisco’s acquisition of Splunk to XDR vendors shooting their shot and vendor misalignment with customer needs.
Thanks for reading Microsoft Sentinel this Week! Subscribe for free to receive new posts and support my work.