Microsoft Sentinel this Week - Issue #158
Stuff from Me
Happy Friday, everyone! It’s good to see you here again this week.
For those just joining us, welcome to the best Microsoft Sentinel community! I really appreciate your interest in the best SIEM on the planet and hopefully this resource will be your go-to guide for expanding your knowledge.
Thanks for reading Microsoft Sentinel this Week! Subscribe for free to receive new posts and support my work.
…
Last week I hosted a poll in both the Sentinel and Defender weekly newsletters about whether or not I should merge the two newsletters. With bigger emphasis on Sentinel in the Unified Microsoft Defender portal, I thought it might make sense.
Thanks to everyone that responded!
While I’m not quite ready to do it yet, the results from the community are overwhelmingly positive toward having a single weekly source for both Sentinel and Defender. I’ll think on this a bit and let everyone know before it happens so we can make a seamless transition.
…
I’m happy to announce that The Definitive Guide to KQL from Microsoft Press is in full release. This means it’s available for purchase from both the Microsoft Press website and from Amazon. I’ve seen a few notes over X/Twitter, LinkedIn and other places where folks are planning to host giveaways for the book.
One of those is from Ugur Koc, the inventor of KQLSearch.com. Check this out here: https://x.com/UgurKocDe/status/1792923167683444925
In July, on The Microsoft Security Insights Show, we’ll have all the authors from the book on the show (yes, I’ll have to pretend not to be a host of the show) and we’ll also be giving away books during the episode for the live viewers.
That episode is on Monday, July 22. You can find the show’s full schedule with links here: https://www.microsoftsecurityinsights.com/about#§schedule
…
That’s it from me for this week. Have a wonderful weekend and week ahead.
Talk soon.
-Rod
Stuff to Read
Monitor Log Flow for Devices in Microsoft Sentinel - You are ingesting multiple devices and appliances to Microsoft Sentinel through the Common Event Format (CEF) via AMA, and you want to ensure that the logs flow regularly to the Log Analytics workspace.
How To: Use UFW (Uncomplicated Firewall) and Send the logs to Sentinel and Parse with a function for… - UFW is basically a wrapper around IPTables, so instead of having to remember how to build out IPTables rules, UFW makes the process simple. However, understanding IPTables makes understanding the low level of Linux easier. In another guide we will talk about IPTables and logging.
Part 1 : Threat Detection Engineering and Incident Response with AuditD and Sentinel — along how to… - In this guide, we will walk through detecting threats using AuditD by writing rules based on the logs and how to dig deeper into the logs.
Configuring archive period for tables at Mass for Data Retention within Log Analytics Workspace - This blog helps in configuring archive period for tables at Mass for Data Retention in Log Analytics Workspace.
Build: Azure Sentinel – Automated Evidence Storage Folders - Security Risk Advisors - Azure Sentinel has evolved into an excellent SIEM platform that we operate, tune, and optimize for many of our clients. One of the top features that differentiates Sentinel is that it is truly cloud native, fully exposing its data and functionality for use with all the other capabilities in Azure. I see the sky as the limit when it comes to being able to creatively augment Sentinel with valuable features and functionality.
Stuff to Watch/Listen To
Stuff That's New or Updated
Incident and entity triggers in playbooks are now Generally Available (GA) - The ability to use incident and entity triggers in playbooks is now supported as GA.
Stuff That's Related
Public Preview: Log Analytics Workspace Replication - Azure Monitor Log Analytics uses workspaces as a logical container for logs. Workspaces are region-bound, but workspace replication allows you to create cross-regional redundancy to increase workspace resilience to regional incidents.
Stuff About Copilot for Security
Copilot for Security stuff now has its own bi-weekly newsletter!
Stuff in Techcommunity
How to clone or duplicate an Analytic Rule in Microsoft Sentinel using PowerShell - How can you clone or duplicate an Analytic Rule that resides in Microsoft Sentinel using either PowerShell or Azure CLI?
Need guidance in designing a workbook and function app with api keys - My requirement is to have a workbook that calls our product's APIs and visualizes the data. The data to be visualized is divided into many widgets, about 6-8 in total. Hence, I am thinking of creating an HTTP-trigger function app that runs when the workbook is loaded. This function app will be provided the context of our product's URL, API key, API secret and org_id as environment variables. These params will be provided by the customer who deploys the solution.
Stuff from Partners
SGNL Joins Microsoft for Startups Pegasus Program - SGNL, the modern solution to privileged identity management, has joined the Microsoft for Startups Pegasus Program. The two-year program helps drive sales and accelerate growth for SGNL.