Microsoft Sentinel this Week - Issue #152
Stuff from Me
Happy Friday, all!
I hope you are ready to dive into the new season of learning and growing. As always, I’m excited to share with you some of the latest news, tips, and resources from our community of experts.
Thanks for reading Microsoft Sentinel this Week! Subscribe for free to receive new posts and support my work.
I hope you enjoy this issue and find it useful and inspiring. As always, I welcome your feedback and suggestions. You can always connect with me in the newsletter’s web page comments, or over LinkedIn or X/Twitter.
Before I sign off for this week, I wanted to let you know that this newsletter will not deliver next week. I have two of the best friends in the world. We’re coming up on our 50th year of friendship. One is a chiropractor in Ohio Amish country and the other is an art professor near Kansas City. My fellow Ohio friend and I will be making a road trip to visit our KC friend next week and I’m looking forward to both the 10 hours or so stuck in a car driving to KC, and the few days we’ll all be together doing who knows what.
I feel super blessed to have been able to build so many memories over so many years with these two and even continue to do so.
The newsletter will resume its regular schedule the week after.
Thank you for your continued support and loyalty. I am always grateful to have you as part of our community.
Talk soon.
-Rod
Stuff to Read
Enhance the ingestion of AWS CloudWatch logs into Microsoft Sentinel with AWS Lambda - Microsoft Sentinel has recently made its AWS S3 data connector generally available (GA), offering users the capability to ingest logs from various AWS services such as CloudTrail, CloudWatch, and VPC Flow Logs into Microsoft Sentinel using an S3 bucket and AWS's Simple Queue Service (SQS).
Creating a Copilot for Security KQL Plugin to Query Sentinel Watchlists - Microsoft Copilot for Security’s extensibility ensures you can continually add additional capabilities and knowledge. This can be accomplished through 1st and 3rd party plugins but can also be accomplished through custom plugins that you create yourself.
Query And Send Results To A New Table In Log Analytics - Have you encountered a scenario where you want to run a KQL query against data in the Log Analytics workspace and send the results to a new custom table? This article will show how easy it is to query and send results to a new table within your workspace for further analytics.
Create an Alert in Sentinel if someone enables Copilot for Security - Copilot for Security went GA on April 1 which means anyone with Contributor or Owner permissions can provision capacity. I’m going to show you how to create an alert in Sentinel so that you will be notified when that happens.
Get end-to-end protection with Microsoft's unified security operations platform, now in public preview | Microsoft Security Blog - Today, I am excited to announce the public preview of our unified security operations platform. When we announced a limited preview in November 2023, it was one of the first security operations center platforms that brought together the full capabilities of an industry-leading cloud-native security information and event management (SIEM), comprehensive extended detection and response (XDR), and generative AI built specifically for cybersecurity. This powerful combination of capabilities delivers a truly unified analyst experience in the security operations center (SOC).
Connect Microsoft Sentinel to Microsoft Defender XDR (preview) - Microsoft Sentinel is available as part of the public preview for the unified security operations platform in the Microsoft Defender portal. When you onboard Microsoft Sentinel to the Microsoft Defender portal, you unify capabilities with Microsoft Defender XDR like incident management and advanced hunting. Reduce tool switching and build a more context-focused investigation that expedites incident response and stops breaches faster.
Stuff to Watch/Listen To
Stuff to Attend
Upcoming newly added webinars:
April 18 - Microsoft Sentinel | What's New in Microsoft Sentinel & Unified Portal Enhancements
May 02 - Microsoft Sentinel | Splunk to Microsoft Sentinel Migration Experience
REGISTRATION: https://aka.ms/MSC_Webinars_Page
Stuff That's New or Updated
Easily migrate to Microsoft Sentinel with the new SIEM migration experience - Today we're announcing the general availability of the SIEM Migration experience in Microsoft Sentinel, which unlocks the capability to bring your existing SIEM detections over into Microsoft Sentinel. This is an initial step toward helping customers accelerate and simplify migrations to Microsoft Sentinel. Migrating a SIEM solution is often complex, resource-intensive, and expensive, and current processes in this space are manual and arduous.
Stuff That's Related
Stay Ahead of Cyber Threats: Setting Up Azure Logic App for Real-time Alert Notifications | Tech Blog - In today’s fast-paced digital landscape, staying ahead of potential threats and system updates is crucial for maintaining the security and efficiency of your Azure environment. With the power of Azure Logic Apps, you can automate email notifications to ensure that you never miss out on critical events, such as when a KQL (Kusto Query Language) rule is triggered. In this guide, we’ll walk you through the steps to set up a Logic App that sends email notifications when a KQL rule is triggered, helping you stay informed and proactive in managing your Azure resources.
Stuff About Copilot for Security
Microsoft Copilot for Security is now generally available - Microsoft Copilot for Security is the first generative AI security product that empowers security and IT teams to protect at the speed and scale of AI. As announced at Microsoft Secure last month, Copilot for Security is now available for purchase as of April 1, 2024. Customers can get started by provisioning capacity to run all Copilot workloads, both for standalone and for those embedded in our security products beginning with Microsoft Defender XDR.
Copilot for Security Partners page has gotten a big revamp: https://securitypartners.transform.microsoft.com/security-copilot
Brief: Two Places to Access Copilot for Security Promptbooks - When you want to access the in-product supplied Promptbooks, or the ones that you may have created yourself, there are a couple of spots in the standalone experience UI where you can find them.
Getting the List of System Capabilities for Copilot for Security - Copilot for Security is an extensible platform that enables enhanced capabilities through the use of plugins, skills, and features. But how will you know what capabilities each plugin provides? You can use the System Capabilities option in the session prompt in Copilot for Security.
Adjust Capacity for Copilot for Security - Copilot for Security debuted to the public on April 1. There have been so many articles and questions being published and asked, but I don’t think anything has raised more questions than how to adjust the number of SCUs (if you don’t know what an SCU is, you can read about it here). I decided it would be fun to use some Azure Automation to increase and lower the number of SCUs programmatically.
Two ways to investigate Copilot for Security pricing: the pricing table and the calculator.
Copilot for Security pricing table: https://azure.microsoft.com/pricing/details/microsoft-copilot-for-security/#pricing
Copilot for Security pricing calculator: https://azure.microsoft.com/pricing/calculator/
Scheduling Microsoft Copilot for Security Capacities - However, with the power of Logic Apps, we can automate the scheduling of Security capacity creation and deletion, offering a solution to this challenge.
Limiting Access to Copilot for Security to the Wider Web - There’s an option in Copilot for Security to allow or disallow the service from accessing industry information from the public web.
Helping Build a Better Copilot for Security - To help continue the improvement and advancement of more accurate responses, there’s a feedback mechanism directly integrated into Copilot for Security. The feedback supplied here is taken seriously and used to continually improve the service.
Azure Policy can interfere with Copilot for Security installation - Just a quick note to let you know that if you have an Azure Policy assignment that requires all your resources to be tagged, you will have difficulty provisioning Copilot for Security. Today, when you go to set up your Copilot capacity, there is no option to apply a tag, so a deny-effect tagging policy will block the deployment.
The Copilot for Security Docs have been updated for GA - Microsoft Copilot for Security documentation https://learn.microsoft.com/security-copilot/
Microsoft Learn Path: Get started with Microsoft Copilot for Security - Training - Learn about Microsoft Copilot for Security, an AI-powered security analysis tool that enables analysts to process security signals and respond to threats at a machine speed, and the AI concepts upon which it's built.
Stuff in Techcommunity
Defender XDR connector - I'm confused about what I am seeing for installed connectors in Sentinel. Within "Data connectors" I have the Microsoft Defender XDR connector and it is enabled.
Sentinel SIEM - Logs Query Loading issue - The issue is related to the "Logs" tab under Sentinel. When we open any query -> edit and make the required changes -> run it -> results are observed. Further, if we then copy this new query link, we will have the old query itself. Also, if we open a new tab, then in the previous tab we will have the old query, but the results will be for the new query. Kindly suggest how to solve this issue.
Stuff to Have