Microsoft Sentinel this Week - Issue #149
Stuff from Me
Happy Friday, everyone! Thank you for your continued support of this community.
There’s plenty to catch up on in today’s newsletter issue, so I just want to share a couple of things I think you might find interesting before leaving you to the newsletter content.
…
First…
A couple of colleagues and I have written an “official” book on KQL for Microsoft Press. Titled The Definitive Guide to KQL: Using Kusto Query Language for Operations, Defending, and Threat Hunting, this book goes from basic to advanced. And, while the book itself is cool, an even cooler thing is that there’s also a GitHub repo for it that includes all of the example queries and data sources in the book, plus plenty more that were donated by several product teams at Microsoft. We finalized the GitHub repo this past weekend and realized there are over 500 ready-to-use queries. That’s quite a lot of added value for the price of a book.
The repo will be public and available closer to the book release (June 2024).
You can pre-order the book from Amazon: https://amzn.to/49sTgSR
There will be a Kindle/eBook version of the book, but that may not show up until after the book releases.
…
Second…
Hopefully you know by now, but Brodie Cassell, Edward Walton, Andrea Fisher, and I host a weekly security show called The Microsoft Security Insights Show. We’re nearing our 200th episode, and this month we have a stacked guest list for Women in Cybersecurity month.
But more than that, we’re also starting to branch out and use our skillsets to participate in other areas. Later this month, we will be delivering some Learn Live events as part of a Copilot for Security motion.
We hope you’ll join to learn more: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/learn-about-ai-and-microsoft-copilot-for-security-with-learn/ba-p/4076305
…
Lastly…
As you can probably tell, there’s been a growing amount of Copilot for Security content in this newsletter each week. That’s to be expected as we get closer to Copilot for Security reaching GA. If you’re interested in knowing more about that special GA date, make sure you attend the online Microsoft Secure event next week <wink, wink - nudge, nudge>.
But, if there are a couple of pieces of content I’d recommend reviewing this week, check out the following:
Improving Threat Hunting Efficiency using Copilot for Security
Introduction to Mad Prompts: Copilot for Security is a blank
…
The wife and I have been on pins and needles for the last week or so since returning from our wedding anniversary weekend (I mentioned this over the past couple of newsletter issues). Why? Our oldest daughter is severely close to giving birth to our second grandbaby. She’s due March 10th. So, every noise during the night now, we both instantly wake up wondering if it was a message or notification that it was time to act.
So, I’m a bit sleep deprived this week. I thought losing sleep over babies would be over once your own babies were grown. I guess not.
Talk soon.
-Rod
Stuff to Read
Using Python Plugin in Microsoft Sentinel by Leveraging ADX - Microsoft Sentinel is a robust SIEM platform, but it has its limitations, particularly when it comes to extending its capabilities with Python and using the full Kusto Query Language (KQL) feature set that Azure Data Explorer (ADX) offers. However, there’s a workaround that partially bridges this gap, integrating the advanced analytics and flexibility of Python with Sentinel’s comprehensive security data.
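To show the mechanism the article relies on, here is an added example of my own (not code from the article): it runs a small Python scoring step over sample sign-in rows with the ADX python() plugin. It assumes the plugin is enabled on the ADX cluster that holds a copy of the Sentinel data; the rows are constructed for illustration, the column names and the RiskScore formula are mine, and the Log Analytics workspace behind Sentinel does not support this plugin, which is the whole reason the article routes data through ADX.

```kusto
// Added example, not from the linked article. Assumes the python() plugin is
// enabled on the ADX cluster. The rows below are constructed sample data.
let SampleSignIns = datatable(UserPrincipalName:string, IPAddress:string, FailedAttempts:long, HourOfDay:long)
[
    "alice@contoso.com", "203.0.113.10", 2,  9,
    "bob@contoso.com",   "198.51.100.7", 47, 3,
    "carol@contoso.com", "192.0.2.25",   12, 23
];
SampleSignIns
| evaluate python(
    // Output schema: every input column plus a new RiskScore column.
    typeof(*, RiskScore:double),
    // The sandbox exposes the input as a pandas DataFrame named df and
    // pre-imports numpy as np; the script must assign the output to result.
    // Hypothetical scoring rule: log-scaled failure count, doubled after hours.
    "result = df\nafter_hours = (df['HourOfDay'] < 6) | (df['HourOfDay'] > 20)\nresult['RiskScore'] = np.log1p(df['FailedAttempts']) * np.where(after_hours, 2.0, 1.0)\n"
)
| where RiskScore > 3.0
| project UserPrincipalName, IPAddress, FailedAttempts, HourOfDay, RiskScore
```

With these rows, bob (47 failures at 03:00) and carol (12 failures at 23:00) pass the threshold while alice does not. In the ADX web UI the script string can be written between triple-backtick lines instead of a single escaped literal, which is far easier to maintain for anything longer than a few lines.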
Microsoft Sentinel Fundamentals Course with Free Lab - It covers all you need to get started using Sentinel, including how to enable sample data for free in a lab you create yourself (also for free!!).
CyberEstate with Threat & Vulnerability Management to the DataLake - This article is a follow up to my TVMIngestion. As a refresh, the background is as follows: There is no Sentinel connector option for Microsoft’s XDR Threat Vulnerability Management data to ingest into Sentinel. Since the release of my LogicApp, which works flawlessly for smaller orgs, there are API limitations.
Stuff to Watch/Listen To
Stuff to Attend
Learn about AI and Microsoft Copilot for Security with Learn Live - Microsoft is launching a Learn Live Series called “Getting Started with Microsoft Copilot for Security.” This weekly online seminar series will run from March 19th through April 9th and will review skill development resources and discuss topics related to AI and Copilot for Security.
Build a Modern SOC and Stay Ahead of Threats with Microsoft Sentinel - March 26th 10 am PST - In this webinar, Microsoft Global Partner Technical Strategy Manager Samba Koita and OCG Principal Architect Nathan Mertz are teaming up to show how Microsoft Sentinel can transform your organization’s security posture.
Stuff That's New or Updated
New Google Pub/Sub-based connector for ingesting Security Command Center findings (Preview)
You can now ingest logs from Google Security Command Center, using the new Google Cloud Platform (GCP) Pub/Sub-based connector (now in PREVIEW). The Google Cloud Platform (GCP) Security Command Center is a robust security and risk management platform for Google Cloud.
The integration with Microsoft Sentinel allows you to have visibility and control over your entire multicloud environment from a "single pane of glass."
Learn how to set up the new connector and ingest events from Google Security Command Center.
AWS and GCP data connectors now support Azure Government clouds
Microsoft Sentinel data connectors for Amazon Web Services (AWS) and Google Cloud Platform (GCP) now include supporting configurations to ingest data into workspaces in Azure Government clouds.
The configurations for these connectors for Azure Government customers differ slightly from the public cloud configuration. See the relevant documentation for details:
Connect Microsoft Sentinel to Amazon Web Services to ingest AWS service log data
Ingest Google Cloud Platform log data into Microsoft Sentinel
Windows DNS Events via AMA connector now generally available (GA)
Windows DNS events can now be ingested to Microsoft Sentinel using the Azure Monitor Agent with the now generally available data connector. This connector allows you to define Data Collection Rules (DCRs) and powerful, complex filters so that you ingest only the specific DNS records and fields you need.
For more information, see Stream and filter data from Windows DNS servers with the AMA connector.
The Cisco ASA and Cisco FTD via AMA connector has been released for public preview. This connector enables the collection of logs using AMA and is powered by Data Collection Rules (DCRs), which enable ingest-time transformation and filtering. Events land in the CommonSecurityLog table, allowing for seamless migration to AMA.
The connector can be found in the Cisco-ASA solution package in the Content Hub.
Stuff That's Related
Announcing the Public Preview of Change Actor - Identifying who made a change to your Azure resources and how the change was made just became easier! With Change Analysis, you can now see who initiated the change and with which client that change was made, for changes across all your tenants and subscriptions.
Stuff About Copilot for Security
Improving Threat Hunting Efficiency using Copilot for Security - Copilot for Security is the next level in the ongoing story to resolve efficiency in security. It is a solution that can help organizations overcome the challenges of threat hunting and achieve better security outcomes.
Introduction to Mad Prompts: Copilot for Security is a blank - Prompting is key to producing the best results when using a Generative AI assistant to augment your daily tasks or produce desired information. Let’s gamify the learning.
How Microsoft Copilot for Security helps defend against human-operated ransomware attacks | Microsoft Security Blog - The availability of Microsoft Copilot for Security brings SecOps teams a new tool with the power of generative AI to help outpace and outsmart threat actors. In the following demonstration videos, we take a detailed, step-by-step look at how it can help surface, contain, and mitigate a human-operated ransomware attack.
Microsoft Copilot for Security and NIST 800-171: Access Control - Early reports indicate organizations are reducing time and resource constraints by deploying Security Copilot in private preview and the early access program.
CISO Insider Briefings coming up for Microsoft Copilot for Security
NYC - Wednesday, March 27, 2024, 1:00 – 4:30 PM (GMT-04:00) - https://msevents.microsoft.com/event?id=1578191803
Bellevue, WA - Tuesday, March 26, 2024, 1:00 – 4:30 PM PST - https://msevents.microsoft.com/event?id=2187443513
An Introduction to Microsoft Copilot for Security - Microsoft Copilot for Security is one of the first security products to enable defenders to move at the speed and scale of AI. It combines an advanced large language model (LLM) with a security-specific model from Microsoft.
Stuff in Techcommunity
Azure DevOps Service as ActorDisplayName in Sentinel Logs - While creating alerts for group membership update using AzureDevOpsAuditing table in Sentinel, we observed logs for user addition/removal from certain groups where ActorDisplayName displays "Azure DevOps Service". I believe this is a service and not a username/account.
Anonymous IP address alert for users of iCloud private relay - We have had a few incidents of Anonymous IP address where the users are using iCloud Private Relay. My research shows me that Apple uses Cloudflare WARP service at the back end and that is what is triggering this.
Stuff to Have
The Copilot for Security Windows background has been updated. Download here: https://github.com/rod-trent/Security-Copilot/blob/main/Images/CopilotforSecurityBackground_2_0.jpg
Thanks to Andrey Vistavkin for the update!
Stuff from Partners
'Strengthen Your Cybersecurity' with METCLOUD and Chorus: Introducing Microsoft Sentinel and Defender XDR - In response to escalating cyber threats, METCLOUD and Chorus have announced a partnership aimed at bolstering digital security with the introduction of Microsoft Sentinel and Defender XDR. This collaboration marks a significant advancement in enhancing cybersecurity.
Red Canary Announces Full Coverage of All Major Cloud Providers, Delivering Improved Visibility and Correlated Threat Activity Across Multicloud Environments - Red Canary dramatically simplifies cloud security for enterprise teams, enabling them to tackle the rise in cloud threats.
Secure SaaS applications with Valence Security and Microsoft Security | Microsoft Security Blog - Valence and Microsoft Security work together to ensure that SaaS applications are configured according to the best security practices and improve the security posture of identities configured in each individual SaaS application.
Stuff to Have
Checkpoint Harmony EDR - Microsoft Sentinel Workbook - This Microsoft Sentinel Workbook is designed to visualize key metrics from Checkpoint Harmony Endpoint Detection and Response (EDR). The workbook leverages Common Event Format (CEF) events forwarded from the EDR to provide a comprehensive overview of your cybersecurity posture directly within Microsoft Sentinel.
Sentinel Bulk Threat Intelligence-Management - Currently, when you delete a TI feed in Sentinel, the indicators from that feed are not automatically deleted until the indicators expire.