Microsoft Sentinel this Week - Issue #148
Stuff from Me
Happy Friday everyone!
Many of you are probably wondering after last issue about how my 34th wedding anniversary celebration weekend went. It was amazing! And I’ll share more in next week’s issue, but this issue I’m happy to introduce you to my teammate at Microsoft, Rey Bango, for some guest commentary. (yes…some people actually have cool names like that)
Talk soon.
-Rod
Here’s Rey…
New Open-Source Curriculum to Kickstart Your Cybersecurity Career
Are you interested in pursuing a career in cybersecurity? With an estimated demand for 3 million cybersecurity defenders, there has never been a better time to acquire the skills and knowledge needed to protect networks, systems, and data from cyber-attacks.
Our new open-source cybersecurity curriculum, Security for Beginners, is designed to help you learn the fundamentals of cybersecurity, including basic concepts, security controls, zero trust, and various domains of security. Whether you are new to the field or have some experience, our curriculum will equip you with the practical skills and theoretical concepts needed to succeed in this rapidly evolving industry.
Getting Started
Our course is hosted on GitHub, providing you with easy access to all the resources you need. To get started, simply fork the course repository into your own GitHub account and star it for easy access.
What to Expect
The course is divided into 7 lessons, each packed with valuable content. Each lesson includes a short video introduction, a comprehensive written guide, a quiz to test your knowledge, and links to extra resources for further learning.
The lessons cover basic security concepts, identity and access management, network security, security operations, application security, infrastructure security, and data security.
Ready to kickstart your cybersecurity career? Head over to our GitHub repository and start your journey today. Good luck and happy learning.
-Rey
Stuff to Read
Connect on-premises servers to Microsoft Sentinel using Azure Arc - In this blog, we will learn how to connect your on-premises servers to Azure using Azure Arc and then integrate them with Microsoft Sentinel.
How to Set Up Sentinel Data Connectors for Kubernetes and GitHub - In this document, we will show you how to set up Sentinel Data Connectors for three types of sources: Kubernetes clusters, GitHub CI/CD pipelines, and Defender for Containers alerts and Defender for Cloud recommendations. We will also explain how to use the connectors to view and query the collected data in Sentinel.
Stuff to Watch/Listen To
Stuff to Attend
Copilot L33t Sp34k is a webinar series that covers generative AI and Microsoft Copilot for Security. As the name alludes (see the L33t Sp34k definition), this series was crafted for an audience of experienced security professionals who want to hear industry experts talk broadly about how to use AI securely and how organizations should use AI, like Microsoft Copilot for Security, to enhance their security. The series is hosted by Sarah Young, and each episode will feature guests both internal and external to Microsoft.
Microsoft Ignite 2024 will be in Chicago, November 18–22, 2024, and will be bigger than ever, heading back to where Ignite got its start after all the cool events were merged into one. Save the date: https://ignite.microsoft.com/
Stuff That's New or Updated
New Google Pub/Sub-based connector for ingesting Security Command Center findings (Preview) - You can now ingest logs from Google Security Command Center, using the new Google Cloud Platform (GCP) Pub/Sub-based connector (now in PREVIEW). The Google Cloud Platform (GCP) Security Command Center is a robust security and risk management platform for Google Cloud. It provides features such as asset inventory and discovery, detection of vulnerabilities and threats, and risk mitigation and remediation. These capabilities help you gain insights into and control over your organization's security posture and data attack surface, and enhance your ability to efficiently handle tasks related to findings and assets.
The integration with Microsoft Sentinel allows you to have visibility and control over your entire multicloud environment from a "single pane of glass."
Learn how to set up the new connector and ingest events from Google Security Command Center.
Microsoft Sentinel solution for Microsoft Power Platform preview available - The Microsoft Sentinel solution for Power Platform (preview) allows you to monitor and detect suspicious or malicious activities in your Power Platform environment. The solution collects activity logs from different Power Platform components, along with inventory data, and analyzes those activity logs to detect threats and suspicious activities such as the following:
Power Apps execution from unauthorized geographies
Suspicious data destruction by Power Apps
Mass deletion of Power Apps
Phishing attacks made possible through Power Apps
Power Automate flows activity by departing employees
Microsoft Power Platform connectors added to the environment
Update or removal of Microsoft Power Platform data loss prevention policies
Find this solution in the Microsoft Sentinel content hub.
For more information, see:
Microsoft Sentinel solution for Microsoft Power Platform overview
Microsoft Sentinel solution for Microsoft Power Platform: security content reference
Deploy the Microsoft Sentinel solution for Microsoft Power Platform
Stuff That's Related
Get the latest information on integrated threat protection—all in one place - In today’s quickly evolving threat landscape, staying up to date with the most innovative security practices is vital. Register now to learn how organizations are using integrated extended detection and response (XDR) and security information and event management (SIEM) to become more resilient against attacks.
The ABCs of ADX: Learning the Basics of Azure Data Explorer | Data Exposed: MVP Edition - You may have heard of Azure Data Explorer - but do you know what it does? Do we know the best ways to use it (and the ways we shouldn't use it)? Do we know some things that it does better than anything else in the Microsoft data platform? Join us for a walkthrough of what Azure Data Explorer is, what it isn't, and how to leverage it to offer your customers, colleagues, and users another tool in their data toolbox.
Stuff About Copilot for Security
Copilot for Security Prompt Samples, Templates, and Promptbooks - This folder contains prompt examples, prompting templates, and Promptbooks for use with Copilot for Security to provide ideas to build on to create your own.
Microsoft Copilot for Security walkthrough series - The series is a starting point for anyone wanting to master the skills needed to create custom plugins for Microsoft Copilot for Security.
In the lead-up to Copilot for Security, welcome to our webinar series. The first episode is now open for registration (March 05, 2024, 12:00 PM EST): CTO AI Security Perspective (CPT001EXT)
Microsoft Security Insight Day with Ontinue - 22nd March - 9.15 am - Join Ontinue and Microsoft for a day of cybersecurity learning at the Paddington office. Hear from experts about their experience implementing the Microsoft Security product portfolio to prevent cyber incidents, gain end-to-end visibility, and stay ahead of attackers using Security Copilot.
Upcoming Copilot for Security Webinars
March 19, 11 AM - 12 PM PT - Microsoft Copilot for Security Beyond Basics: Elevate AI Expertise - https://msevents.microsoft.com/event?id=1846960273
March 26, 11 AM - 12 PM PT - Microsoft Copilot for Security Beyond Basics: Reduce Identity Risk with AI - https://msevents.microsoft.com/event?id=1011549491
April 2, 11 AM - 12 PM PT - Microsoft Copilot for Security Beyond Basics: Strengthen Data Protection - https://msevents.microsoft.com/event?id=2787687557
April 9, 11 AM - 12 PM PT - Microsoft Copilot for Security Beyond Basics: Analysts Moving at the Speed of AI - https://msevents.microsoft.com/event?id=1202278204
Stuff in Techcommunity
Identifying incidents that have been closed by automated investigations - Is it possible to identify security incidents in Microsoft Sentinel which have been closed automatically after one of the Defender/Microsoft products has carried out an automated investigation and closed the incident?
User missing from incident owners - I cannot understand an issue I'm facing. In our small team of SOC analysts I, as a manager, am unable to add incidents to one of the analysts. His account isn't listed as a possible owner and isn't found when searching for it. He can take ownership of incidents himself but cannot be assigned by someone else.
Stuff from Partners
Exabeam introduces new features to improve security analyst workflows - Help Net Security - Exabeam announced two pioneering cybersecurity features, Threat Center and Exabeam Copilot, to its AI-driven Exabeam Security Operations Platform.
Stuff to Have
Detecting Post-Exploitation Behaviour - The recent ScreenConnect vulnerability (CVE-2024-1709 & CVE-2024-1708) showed once more why it is so important to detect post-exploitation behaviour. @Huntress described in detail which behaviour was identified; more on that is shared in their blog post: SlashAndGrab: ScreenConnect Post-Exploitation in the Wild (CVE-2024-1709 & CVE-2024-1708). The most important takeaway is mentioned in the last section: "most of the post-compromise activities we have documented in this article aren't novel, original, or outstanding." This sentence forms the basis for this blog.