Microsoft Sentinel this Week - Issue #151
Stuff from Me
Happy Friday everyone!
It’s been an awesome couple weeks since our last newsletter issue.
I had mentioned previously that I gave up trips to Paris and Berlin due to my new granddaughter close to being born. But she had other ideas. Instead, I woke on Wednesday of last week in Denmark to see texts from my wife that the baby had waited until I was away. But it worked out in that I was able to make the birth announcement in my Copilot for Security keynote, including birth pictures.
So, here’s my announcement to all of you. Welcome to Meredith Eloise Rumker! Here’s a great picture. You can tell my grandboy loves her already. My wife and I sure do.
Experts Live in Denmark was an awesome event and I thoroughly enjoyed connecting with everyone in-person. But my best memories are hanging with my good friends Morten Waltorp (and his wife) and Henrik Wojcik, who I’ve come to know over the last few years through the Microsoft MVP program. They welcomed me to the area with open arms and good times. I also appreciate the Experts Live crew for having me.
…
Can you believe GA for Copilot for Security is this Monday??!!
April 1st marks the end of one journey, but the beginning of another. And you’ll see this week’s newsletter issue has a LOT of Copilot for Security content, but that’s sort of a given considering the general release is so close. I noted a while ago that a Copilot for Security specific newsletter was not necessary, but that may not be the case for much longer. Stay tuned.
As we get closer to GA for Copilot for Security, I'll be hustling to post additional prompt samples that you can use. https://aka.ms/CfSPromptLibrary
And The Microsoft Security Insights Show will be hyper-focused on Copilot for Security partners next month. We hope you can join live, but definitely subscribe and listen after if that works best for you.
Click the image to check out next month’s schedule:
Additionally, as part of the Copilot for Security GA event, my MSI Show co-hosts and I will be delivering a couple of webinars to dig deep into working with the new service.
See: Learn Live: Get started with Microsoft Copilot for Security
…
That’s it from me for this week.
Talk soon.
-Rod
Stuff to Read
Re-onboard LogAnalytics to Sentinel, if SecurityInsights solution is deleted by mistake - Critical features will break or stop working if you delete too much in legacy solutions like SecurityInsights, SQLAdvancedThreatProtection or SQLVulnerabilityAssessment.
How to continuously import Threat Intelligence Indicators in Microsoft Sentinel - Microsoft Sentinel - our SIEM and SOAR solution - has several methods to import your own threat intelligence data (BYOTI) or to simply integrate Microsoft Defender Threat Intelligence.
SOAR Capabilities with Microsoft Sentinel - Sentinel is the Microsoft SIEM (Security Information Event Management) and SOAR (Security Orchestration Automation and Response) solution. SIEM concerns everything related to the collection of data from the various sources of the organization, its storage, retention and access governance. SOAR concerns everything related to the reporting, mitigation, containment and eradication of a (possible) threat.
Stuff to Attend
Copilot L33t Sp34k is a webinar series that covers generative AI and Microsoft Copilot for Security. As the webinar name alludes (L33t Sp34k definition), this series was crafted for an experienced security professional audience that wants to hear industry experts talk broadly about how to use AI securely and how organizations should use AI, like Microsoft Copilot for Security, to enhance their security. This series is hosted by Sarah Young, and each episode will feature guest(s) both internal and external to Microsoft. Register: https://learning.eventbuilder.com/CopilotL33tSp34kSeries
Stuff That's New or Updated
Data connectors for Syslog and CEF based on Azure Monitor Agent now generally available (GA) - Microsoft Sentinel has released two more data connectors based on the Azure Monitor Agent (AMA) to general availability. You can now use these connectors to deploy Data Collection Rules (DCRs) to Azure Monitor Agent-installed machines to collect Syslog messages, including those in Common Event Format (CEF).
SIEM migration experience (preview)
The new Microsoft Sentinel Migration experience helps customers and partners to automate the process of migrating their security monitoring use cases hosted in non-Microsoft products into Microsoft Sentinel.
This first version of the tool supports migrations from Splunk.
For more information, see Migrate to Microsoft Sentinel with the SIEM migration experience.
Codeless connector builder (preview)
We now have a workbook to help navigate the complex JSON involved in deploying an ARM template for codeless connector platform (CCP) data connectors. Use the friendly interface of the codeless connector builder to simplify your development.
See our blog post for more details, Create Codeless Connectors with the Codeless Connector Builder (Preview).
Stuff About Copilot for Security
Copilot for Security is not an oxymoron – it's a potential game-changer for security-starved businesses - Picture this: you're a brand-new security operations coordinator at a major company that's been hit with dozens of daily ransomware attack attempts. You need to analyze, understand, and develop a threat defense plan – and all on your first day.
Tanium + Microsoft Copilot for Security: revolutionizing cybersecurity - Combine complete endpoint visibility and control with purpose-built AI capabilities to enhance defenses and mitigate threats.
Demystifying Security Copilot Features & Licensing - Many have questions about the costing model, how much it will cost to have it in the tenant, and minimum licensing requirements. I have simplified it below. I had the privilege of speaking with one of the partners facilitating the Security Copilot rollout in many companies.
Copilot for Security - script analysis integration - Copilot for Security is great: among the many capabilities it offers (KQL queries in natural language, incident summary and reporting, threat hunting with threat intelligence, etc.) it also allows you to analyze scripts! This can be useful from a purely descriptive perspective - what a script does - but also from a security perspective, especially if the script has been deliberately obfuscated/encoded by the attacker.
Custom Plugins in Microsoft Copilot for Security | LinkedIn - In preparation for General Availability of Copilot for Security on April 1, 2024 I thought I would take some time to share with the community just how easy and flexible Microsoft's Copilot for Security's Custom Plugin Framework is to work with.
Brief: Copilot for Security is Two Experiences but One Connected Service - A question was raised during my Copilot for Security keynote at Experts Live in Denmark recently: since there are two different experiences, are they somehow still connected? It’s worth noting that Copilot for Security is an Azure service. In fact, the Azure portal is how it’s accessed to enable and configure in an organization’s tenant.
Copilot for Security Tip: Conserving SCUs by Utilizing Prompt History - As more organizations discover the value of utilizing Copilot for Security to augment daily security operations, they may want to identify ways to minimize SCU usage.
Tanium Integrates with Microsoft Copilot for Security - Changing the Game for Cybersecurity Teams | Tanium - Learn how Tanium and Microsoft Copilot for Security joined forces to empower SOC teams with real-time, AI-driven security.
Brief: Standalone and Embedded Copilot for Security Experiences - The Standalone and Embedded experiences for Copilot for Security cater to different usage scenarios. Here are some suggestions for where each may make sense in your organization.
Brief: Adjusting Access to Custom Plugin Management in Copilot for Security - Copilot for Security provides a platform to allow developers and users to create plugins that can do specific tasks. Copilot for Security’s extensibility is one of its superpowers. Copilot for Security has many built-in plugins, but you can also make Copilot for Security do more things by adding your own plugin.
Microsoft’s ‘Copilot for Security’ brings generative AI to the frontlines of cybersecurity - Vasu Jakkal, Microsoft’s corporate vice president for security, emphasized the significance of this release in a recent interview with VentureBeat. “GenAI is a superpower that security needs right now,” she said. “If you step back and look at the threat landscape and what we’re up against, in just the last year, the speed, the scale, and the sophistication of attacks has increased pretty dramatically.”
Get Ready for Takeoff: Microsoft Copilot for Security - Microsoft announced that the official launch day of Copilot for Security will be April 1, 2024. This proves that Microsoft won't let a late-night snowstorm stop its pursuit of security revenue or find new applications for generative AI. Approximately one year after announcing the project, Copilot for Security will be available to security leaders and their teams. We share our takeaways and thoughts on preparing security leaders for the technology below.
Stuff in Techcommunity
Ingesting Logs from S3 Bucket - I have an S3 bucket which stores some firewall logs. How do I go about pulling these logs into Sentinel? These are not AWS logs, the service provider is uploading the logs to S3. The native S3 connector seems to be AWS logs only. Do I need to write a script to start pulling these logs and ship them off with a DCR using the AMA?
KQL SigninLogs - Hi everyone, I have a basic KQL question. With "SigninLogs | project Id, UserId, Identity" I receive the events correctly, but in some cases the Identity column shows an ID in the format xxxx-xxxxx-xxxx and not the display name. Why?
Stuff from Partners
TechClick launches to help IT providers rapidly deploy Microsoft - A new partner-focused organisation called TechClick has burst onto the market to help IT providers with their Microsoft delivery capabilities.
iTWire - Logicalis elevates global security portfolio with Microsoft verified Managed XDR partner status - Logicalis, a leading global digital managed services provider, has announced it has achieved Microsoft-verified Managed Extended Detection and Response (MXDR) partner status.
Stuff in the News
Microsoft and ASD Join Forces: Uniting Sentinel and CTIS for Enhanced Cyber Resilience - Today, as part of the Microsoft-Australian Signals Directorate Cyber Shield (MACS) initiative, we are announcing a jointly engineered capability for Microsoft Sentinel customers to more easily integrate into the CTIS program. Sentinel is a cloud-native SIEM (Security Information and Event Management) where customers benefit from Microsoft’s global threat analysis of more than 78 trillion signals every day.