Microsoft Sentinel this Week - Issue #142
Stuff from Me
Hi, all. Happy Friday!
Thanks to all who commented last week that you're happy the newsletter is back after the holiday hiatus. It is back in full swing, and you can expect delivery every Friday.
There was a huge influx of new subscribers over the holiday season, so I want to welcome all of the first-timers to this community. Thanks so much for being here and I hope the newsletter always meets your expectations. Anyone reading here can always supply feedback and make suggestions through the Substack commenting system, or reach out to me directly on Twitter (@rodtrent) or on LinkedIn.
…
I mentioned in the last newsletter issue my recent trip to San Francisco to speak at the Microsoft AI Tour. Well, I'm on the road again next week, this time for the New York City version. I'd love to meet you in person if you're onsite. This is an amazing event, and it's free.
Register here: https://msevents.microsoft.com/event?id=2474845579
When: Thursday, January 25, 2024, 7:30 AM – 5:15 PM (GMT-05:00)
…
That’s it from me for this week.
Talk soon.
-Rod
Stuff to Read
Querying Watchlists - Watchlists are a feature of Microsoft Sentinel that provide great flexibility and usability. They are user-defined tables that can be referenced in KQL queries to enrich results with additional data. By uploading CSV files, users control the contents of a watchlist, and that data can be modified or extended with new rows as needed.
Integrating Microsoft Sentinel with GitHub - Webhooks are events that GitHub sends to a specified URL when certain actions occur in your repositories. Audit logs are records of user actions and changes in your GitHub enterprise account.
Detect Domain Account Discovery Techniques on Windows using KQL and Atomic Red - Atomic Red Team is a library of tests that every security team can execute to simulate adversarial activity and validate their defenses. For more details on how to use it, you can check my previous article: Simulate Discovery Techniques on Windows via Atomic Red.
Stuff to Watch/Listen To
Stuff That's New or Updated
Unleash the full potential of User and Entity Behavior Analytics with our updated workbook - This blog post introduces a new and improved version of the User and Entity Behavior Analytics workbook. This workbook uses data from User and Entity Behavior Analytics (UEBA), a feature of Microsoft Sentinel that leverages machine learning and threat intelligence to detect anomalous and potentially malicious behavior of users and devices in your network (for more information see Identify advanced threats with UEBA).
Stuff That's Related
Who Deleted a Blob? - It is sometimes useful to know who created, modified, or deleted a storage blob. For that information to be recorded in a log, the request must be authenticated with Azure AD so that the user identity is populated correctly.
Ingest data using Splunk Universal forwarder into Azure Data Explorer - In today's data-driven world, it's essential to collect, analyze, and gain insights from various logs and data sources. Azure Data Explorer (aka Kusto) is a cloud-based data analytics platform designed for analyzing and visualizing large volumes of data in real time, and it is particularly well suited for log, time-series, and telemetry data. Its real-time capabilities make it a valuable resource for organizations looking to gain insights from their data, such as forecasting, anomaly detection, and prediction, among various other capabilities. More on leveraging the power of Kusto can be found here.
Stuff in Techcommunity
Creating a Custom Data Table I can apply transformations to? - I am going to configure a pipeline to push out AWS API GW logs to Sentinel using S3 and Lambda. In the past, when I have used this same method, I have been unable to create transformations on the custom data table or use DCRs.
Any way to audit who/what deleted an Outlook calendar event via Sentinel? - A few users have reported that they are missing calendar events; all of them are recurring events. I have a few examples of meetings that appear in one person's calendar but not another's, despite the latter being shown as an attendee (did not respond).