Microsoft Sentinel this Week - Issue #160
Stuff from Me
Happy Friday everyone!
I don’t have a lot going on this week more than prepping some internal sessions for Copilot for Security and preparing for our next fiscal year’s projects. Microsoft’s fiscal year comes to an end at the end of this month, so there’s lots of miscellaneous happenings in preparation for the next year ahead.
Thanks for reading Microsoft Sentinel this Week! Subscribe for free to receive new posts and support my work.
I mentioned last week that I had an upcoming Virtual Ninja Show episode. That went off - but not without a hitch or two. Due to some strange (and still undiscovered) security setting on my Microsoft managed PC, local video recording couldn’t upload to our partner (who manages the production), so instead of a live version of me during the episode, you’ll find a static image instead. It’s sort of comical.
If you get some time, you can have a look: The Virtual Ninja Show | Season 8 Episode 7: Introducing the Copilot for Security Prompting Workshop
I joked with our production partner that we could have at least used AI to generate stop animation.
…
Next week, we’re making our annual trip to Ohio Amish country to visit my best friend. If you’ve been subscribing here for very long, you’ve heard this story before. If not, my best friend is a chiropractor to the Amish. The Amish love their chiropractors.
It’s his birthday. I feel very lucky to have my friend and I’m always honored to share another birthday with him. We’ve been best friends since 1978. He jokes quite often with my wife that he’s known me longer than she has.
Not to worry, though, the newsletter will be ready to go as usual next Friday.
Talk soon.
-Rod
Stuff to Read
1Password — Microsoft Sentinel solution - The 1Password Content Hub solution for Microsoft Sentinel is a community-developed project that enables organizations to ingest data from 1Password into their target SIEM/SOAR solution.
Microsoft Sentinel in the Microsoft Defender portal - Microsoft Sentinel is available as part of the unified security operations platform in the Microsoft Defender portal. Microsoft Sentinel in the Defender portal is now supported for production use. For more information, see:
Troubleshoot Log Ingestion Drops to Microsoft Sentinel from Linux Machines: Addressing /var/log Capacity Issues - In this blog, we’ll discuss a specific issue that can cause a sudden drop in log ingestion from a Linux machine to Microsoft Sentinel: the /var/log directory capacity getting full. This problem often occurs when the machine in use does not have enough storage capacity.
Geographical availability and data residency in Microsoft Sentinel - When you set up Microsoft Sentinel or prepare for compliance checks, you need the ability to validate and prove who has access to what data in your environment. In this article, you learn where Microsoft Sentinel data is stored so you can meet compliance requirements.
Stuff to Watch/Listen To
Stuff That's Related
Log search alert rules using linked storage will require using a managed identity starting July 2024 - Starting July 2024, alert rules using linked storage will require a managed identity to access the linked storage. This requirement will be enforced on alert rules created with API version 2023-12-01 or newer. Creating or updating linked storage rules using an older API version will be blocked.
Retrieve a Consumption Logic App workflow definition from deletion - More often than we want to admit, customers come to us with cases where a Consumption logic app was unintentionally deleted. Although you can somewhat easily recover a deleted Standard logic app, you can't get the run history back, nor do the triggers use the same URL. For more information, see GitHub – Logic-App-STD-Advanced Tools.
Validate CSV files before ingestion in Microsoft Data Factory Pipelines - Validating these files before they are processed allows your pipelines to continue ingesting files that do have the correct format. For pipelines that do fail, your code or process can pinpoint what caused the error, leading to faster resolution of the issue. In this blog, we'll walk through a Microsoft Fabric Data Factory Pipeline that validates incoming CSV files for common errors before loading to a Microsoft Fabric Lakehouse delta table.
Hunting for MFA manipulations in Entra ID tenants using KQL - Cloud security is a top priority for many organizations, especially given that threat actors are constantly looking for ways to compromise cloud accounts and access sensitive data. One of the common, and highly effective, methods that attackers use is changing the multi-factor authentication (MFA) properties for users in compromised tenants. This can allow the attacker to satisfy MFA requirements, disable MFA for other users, or enroll new devices for MFA. Some of these changes can be hard to detect and monitor, as they are typically performed as part of standard helpdesk processes and may be lost in the noise of all the other directory activities occurring in the Microsoft Entra audit log.
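A KQL hunting query in the spirit of the article above, added here as an example rather than taken from the linked post: it pulls security-info (MFA method) changes from the Sentinel AuditLogs table and surfaces those made by someone other than the affected user, grouping them per actor and hour so that bulk changes stand out from routine helpdesk work. The helpdesk allowlist is a constructed placeholder and the OperationName values are assumed to match your tenant's Entra audit log.

```kql
// Added example (not from the linked article). Assumes the standard
// Sentinel AuditLogs schema; the helpdesk allowlist is a placeholder.
let lookback = 14d;
let helpdesk = dynamic(["helpdesk-admin@example.com"]); // constructed placeholder
AuditLogs
| where TimeGenerated > ago(lookback)
| where Category == "UserManagement"
| where OperationName in~ (
    "User registered security info",
    "User deleted security info",
    "User changed default security info",
    "Admin registered security info",
    "Admin deleted security info",
    "Admin updated security info")
// Who made the change (user or app) and from where
| extend Actor = tostring(coalesce(
    InitiatedBy.user.userPrincipalName,
    InitiatedBy.app.displayName))
| extend ActorIP = tostring(InitiatedBy.user.ipAddress)
// Whose MFA settings were changed
| extend Target = tostring(TargetResources[0].userPrincipalName)
// Self-service changes are normal; changes to someone else's MFA are the hunt
| where Actor !~ Target and Actor !in~ (helpdesk)
| summarize
    Changes = count(),
    Operations = make_set(OperationName),
    Targets = make_set(Target),
    TargetCount = dcount(Target),
    SourceIPs = make_set(ActorIP),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by Actor, bin(TimeGenerated, 1h)
// Rank: one actor touching several users' MFA in an hour, or deleting
// methods, deserves a closer look before the quieter single changes
| extend Suspicion = case(
    TargetCount >= 3, "high: several users' MFA changed by one actor in an hour",
    set_has_element(Operations, "Admin deleted security info"), "medium: security info deleted",
    "low")
| order by TargetCount desc, Changes desc
```

Tune the allowlist and the TargetCount threshold to your helpdesk volume; the same grouping also works as the body of a scheduled analytics rule once the baseline is understood.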
Stuff About Copilot for Security
Copilot for Security stuff now has its own bi-weekly newsletter!
Stuff in Techcommunity
Sending IIS logs to Sentinel - We have multiple on-prem Windows application servers to forward IIS logs to Sentinel. Can we go with WEF and install AMA in WEF to send IIS logs to Sentinel, or do I need to onboard each Windows server to Azure through Azure Arc for AMA installation?
CEF Collector ingesting logs to 'Syslog' table instead of 'CommonSecurityLog' - I am forwarding Palo Alto and Fortinet firewall logs to the CEF Collector, but in Sentinel the logs are showing up in the 'Syslog' table instead of 'CommonSecurityLog'. What could be the issue? Everything is in place, including the DCR.