Microsoft Sentinel this Week - Issue #147
Stuff from Me
Happy Friday everyone!
Welcome back to another stellar issue of this newsletter. Thanks so much for being here and I’m truly always appreciative of your patronage.
Thanks for reading Microsoft Sentinel this Week! Subscribe for free to receive new posts and support my work.
As I noted in last week’s issue, I’m headed to the Ohio hills with the wife this weekend for an anniversary cabin getaway. We’re celebrating our 34th wedding anniversary. We’ve essentially lived our lives together and I can’t honestly think of a more blessed person than myself. My wife is awesome and amazing. We’ve suffered and celebrated together and become each other’s best friends.
One of my actual best friends (who I’ve known since 6th grade) regularly tells her he’s known me longer than she has in an effort to get her jealous, but I can’t imagine my life without her - and to be honest, he didn’t approve of her at first. So - there you go.
So, I am so happy to spend some quality, alone time together because our lives will be upended once again here soon with the birth of our second grandkid. If all goes well, Meredith Eloise Rumker will be born within the next couple weeks just before I head off to Denmark for Experts Live.
More and more life experiences. Who knew 34 years ago what we were actually signing up for?
…
I have just a couple quick tidbits this week to highlight some important matters.
First off, there’s a new blog about Copilot for Security you should be aware of. I did include it in the newsletter copy below, but it’s worth highlighting here:
Prompting - or learning to prompt effectively - is one of the most important pieces of tackling and commanding Generative AI. Bad Googlers will be bad prompters. So, anything you can do now to build your prompting skills will be super beneficial.
And here are a couple of other important Copilot for Security resources…
We have our very first Learn Path for Copilot for Security published.
And, coming up next month, we’ll have four Learn Live sessions. You may recognize some of the speakers…
…
That’s it for me for this week, folks.
Talk soon.
-Rod
Stuff to Read
Troubleshooting Guide: Syslog Forwarding into Microsoft Sentinel - Navigating challenges while attempting to forward syslog logs to Microsoft Sentinel? This comprehensive troubleshooting guide is your go-to resource for addressing potential roadblocks in three critical areas: the Data Source Side, Syslog Server, and Microsoft Sentinel Side.
Sentinel Integrated Rpi Soil Sensor 2.0 Part 2 - This follows up on a previous post where we built a Raspberry Pi based soil sensor and onboarded it to Azure IoT Hub. What next? How do we read that data and get it into a Log Analytics Workspace?
Log Trimming via Ingestion time transformation in Microsoft Sentinel - Microsoft Sentinel, powered by Azure Monitor’s Log Analytics, serves as a pivotal platform for security monitoring and threat detection. All incoming logs are channeled through Microsoft Sentinel and stored in Log Analytics Workspace, forming a centralized repository for efficient log management and analysis using Kusto Query Language (KQL).
Keeping track of object deletions in Microsoft Entra ID - Like any other service, Microsoft Entra ID is not immune to human errors, accidental deletions, or malicious attacks that could result in the loss of important data. Therefore, it is essential to have a Microsoft Entra ID recovery strategy, especially for the objects that are hard deleted when removed from the service.
Stuff to Watch/Listen To
Scotch and Security - A spirited blend of cybersecurity insights and casual banter, this podcast invites you to pull up a chair, pour yourself a dram of your favorite single malt, and join us for a lively discussion on all things security.
Stuff to Attend
Stuff That's Related
Update records in a Kusto Database (Public Preview) - Kusto databases, either in Azure Data Explorer or in Fabric KQL Database, are optimized for append ingestion. In recent years, we've introduced the .delete command, allowing you to selectively delete records. Today we are introducing the .update command. This command allows you to update records by deleting existing records and appending new ones in a single transaction.
Navigating NIS2 requirements with Microsoft Security solutions | Microsoft Security Blog - Our team at Microsoft is excited to lead the charge in decoding and navigating this new regulation—especially its impact on compliance and how cloud technology can help organizations adapt. In this blog, we’ll share the key features of NIS2 for security professionals, how your organization can prepare, and how Microsoft Security solutions can help.
CISA, OMB, ONCD and Microsoft collaborate on new logging playbook for Federal agencies - As part of our efforts to increase security defaults and follow the principle of secure by design, we are happy to share that a feature change initiated by Microsoft engineering will enable more logging capabilities for Purview Audit (Standard). We have worked closely with the Executive Office of the President (EOP), the Office of the National Cyber Director (ONCD), and the Cybersecurity and Infrastructure Security Agency (CISA) to prioritize this effort for U.S. government customers. This data will provide new telemetry to assist in meeting OMB 21-31 logging requirements for customers without E5 capability. This data enhances threat hunting capabilities for business email compromise (BEC), advanced nation-state threat activities, and possible insider risk scenarios.
Stuff About Copilot for Security
How to use prompts in Microsoft Copilot for Security | Microsoft Security Blog - Prompting is very important in Copilot, as it is the main way to query the generative AI system and get the desired outputs. Prompting is the process of writing, refining, and optimizing inputs—or “prompts”—to encourage Copilot for Security to create specific, high-quality outputs.
Prompt attention! - What’s the difference between a prompt and a promptbook? - In the last week or so, I’ve been talking to customers about Copilot for Security. One thing I quickly discovered is that people seem to be using the term “prompt” and “promptbook” interchangeably even though they are two different things.
Our first Learn path for Copilot for Security is ready! Get started with Microsoft Copilot for Security - Training - Learn about Microsoft Copilot for Security, an AI-powered security analysis tool that enables analysts to process security signals and respond to threats at machine speed, and the AI concepts upon which it's built.
Copilot for Security Partner Resources - We first introduced Copilot for Security at the inaugural Microsoft Secure. Microsoft Copilot for Security is the first security product to enable defenders to move at the speed and scale of AI. It combines the most advanced large language models (LLMs) from OpenAI with a Microsoft-developed, security-specific model.
Stuff in Techcommunity
Required data for DNS Anomalies - I am starting to work with Anomalies in my Sentinel deployment. I have a large volume of DNS data ingested via the Windows DNS Events via AMA connector. So far I haven't seen any anomalies trigger against it. Is this connector able to supply data for use in the two Anomaly models?
Log Ingestion Options - Is anyone ingesting Fortinet Firewalls, ZScaler, and Cisco Meraki logs into Sentinel? All three data sources require a log forwarder (Linux Syslog). I might use the below flow as a scalable design
Stuff from Partners
Multi-Tenant Security Management | Microsoft Sentinel & Defender XDR - In today's rapidly evolving digital landscape, managing security across multiple tenants has become a paramount challenge for large enterprises. As organizations expand and diversify, they increasingly rely on multi-tenant environments to streamline operations and enhance efficiency. However, this complexity introduces significant security risks, necessitating robust solutions that can adapt to the intricate needs of multi-tenant management.