Microsoft Sentinel this Week - Issue #154
Stuff from Me
Happy Friday everyone!
If you caught this past week’s MSI Show (Microsoft Security Insights Show Episode 207 - Forsyte), you heard about my wife’s experience with a Goose and our vehicle. For more to the story, the car is in the shop, and they are suggesting that it might take about a month to get parts to repair just because of how hard it is to get parts. The type of accident gave many at the repair shop and the tow truck service much to laugh and talk about.
Thanks for reading Microsoft Sentinel this Week! Subscribe for free to receive new posts and support my work.
So, we’re in the market for a new car. I’ve never used any of the self-buy programs like Carvana but am open to it. I’d be happy to hear your experiences with these programs. If the experiences have been good, we may opt to do that instead of spending hours shopping local.
…
If you remember, I hosted a subscriber poll for both the Microsoft Sentinel and Defender weekly newsletters last week and the response was overwhelmingly positive to start a newsletter about Copilot for Security. Go figure!
So much so, that I've already started the process. Called "The CfS Prompt" the newsletter will start out with bi-weekly delivery and is designed to capture all the great content delivered by Microsoft, Microsoft MVPs, and the community at large. The newsletter will begin delivery on Friday, May 3rd.
Subscribe here to be a Founding Member:
With the advent of The CfS Prompt, the Copilot for Security content here and in the Defender newsletter will be able to be more fine-tuned and focused. So, if you’re looking for all the great Copilot for Security content, you’ll need to subscribe or watch there.
…
For those that attended (and didn't attend) the beta workshop for Prompt Engineering for Copilot for Security last week, the current deck is here:
https://github.com/rod-trent/Copilot-for-Security/tree/main/Prompts/Workshop
At around 89 slides currently, this is a work in progress and has been updated a couple times already. The final version will be available for both internal and external partners and will be updated at this location.
Additionally, I will be recording a Ninja Training series episode for this in the coming days. So, Prompting for Copilot for Security is coming to the Ninja Training series! Stop by to hear about this upcoming workshop content.
May 15 at 9:00AM (PT) - Add it to your calendar: https://aka.ms/NinjaShow/S8Ep4/calendar
Check out all the upcoming shows: https://adoption.microsoft.com/ninja-show/
…
That’s it from me for this week.
Talk soon.
-Rod
Stuff to Read
Setting up Sentinel for Kubernetes Monitoring - In part 1 and part 2 of this series, we discussed the type of log sources you should consider for monitoring the security of your Kubernetes environment, the most pertinent risks (and corresponding use cases) in your AKS environment, and the log sources to ingest data from. This blog will demonstrate how to configure Azure Sentinel to identify those risks.
Microsoft Sentinel KQL Solo Leveling | LinkedIn - In this article I will share my two all-in-one utility KQL queries by IP or UPN; they basically search through all the Sentinel tables for information containing either the IP or UPN. From there, analysts will have a better view of which Sentinel table schema contained the possible investigation data they need and can run another individual query on the specific table to locate the data. I believe repeating this basic process will improve your threat hunting skills and help you understand the data schema of the Sentinel log tables better.
Stuff That's New or Updated
Unified security operations platform in the Microsoft Defender portal (preview)
The unified security operations platform in the Microsoft Defender portal is now available. This release brings together the full capabilities of Microsoft Sentinel, Microsoft Defender XDR, and Microsoft Copilot in Microsoft Defender. For more information, see the following resources:
Blog announcement: Unified security operations platform with Microsoft Sentinel and Microsoft Defender XDR
Microsoft Sentinel now generally available (GA) in Azure China 21Vianet
Microsoft Sentinel is now generally available (GA) in Azure China 21Vianet. Individual features might still be in public preview, as listed on Microsoft Sentinel feature support for Azure commercial/other clouds.
For more information, see also Geographical availability and data residency in Microsoft Sentinel.
Two anomaly detections discontinued
The following anomaly detections are discontinued as of March 26, 2024, due to low quality of results:
Domain Reputation Palo Alto anomaly
Multi-region logins in a single day via Palo Alto GlobalProtect
For the complete list of anomaly detections, see the anomalies reference page.
Microsoft Sentinel is now available in Italy North region
Microsoft Sentinel is now available in Italy North Azure region with the same feature set as all other Azure Commercial regions as listed on Microsoft Sentinel feature support for Azure commercial/other clouds.
For more information, see also Geographical availability and data residency in Microsoft Sentinel.
Stuff That's Related
New Microsoft Incident Response guide simplifies threat investigation | Microsoft Security Blog - Our guide serves as an essential resource, meticulously structured to illuminate commonly seen, but not commonly understood, Windows Internals features in forensic investigations.
Stuff About Copilot for Security
Copilot for Security Plugin: Bad Tables - If you want to identify potential ingestion issues in Microsoft Sentinel tables, here’s a KQL plugin for Copilot for Security that you can use.
Copilot for Security Plugin: Sentinel Table Sizes and Costs - Table size and the cost of those tables continues to be an item of interest for most Microsoft Sentinel customers. Using this plugin, you can use Copilot for Security to help show that information in a much easier way.
For more Copilot for Security content, subscribe to the sister publication: The CfS Prompt - https://aka.ms/TheCfSPrompt
Stuff in Techcommunity
KQL leftanti join query - I need to verify whether my devices have the security tools installed. One way of doing it that I am thinking of is running a KQL query on BehaviorAnalytics logs to extract the list of users who signed in in the last 24 hours and comparing it with the user list of the CommonSecurity table.
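Since the question above is really about finding users present in one table but absent from another, here is an added example of the leftanti join pattern in KQL. This is my own illustration, not the query from the TechCommunity thread; it assumes that BehaviorAnalytics.UserPrincipalName carries the sign-in identity, that ActivityType "LogOn" marks a successful sign-in, and that the security tool's records land in CommonSecurityLog with the user in SourceUserName. Swap those column names for whatever your tool actually populates.

```kql
// Added example (not from the TechCommunity post): users who signed in during the
// last 24 hours (BehaviorAnalytics) but have no record in CommonSecurityLog over
// the same window. Columns below are assumptions; adjust to your data sources.
let lookback = 24h;
let SignedIn =
    BehaviorAnalytics
    | where TimeGenerated > ago(lookback)
    | where ActivityType == "LogOn"            // assumption: successful sign-ins
    | where isnotempty(UserPrincipalName)
    // KQL joins are case-sensitive, so normalize the key on both sides
    | extend Upn = tolower(UserPrincipalName)
    | summarize LastSignIn = max(TimeGenerated), SignInCount = count() by Upn;
let Reported =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where isnotempty(SourceUserName)          // assumption: user field used by the tool
    | extend Upn = tolower(SourceUserName)
    | distinct Upn;
// leftanti keeps only left-side rows with NO match on the right, and returns
// only the left-side columns, which is exactly the "missing from tool" list.
SignedIn
| join kind=leftanti Reported on Upn
| project Upn, LastSignIn, SignInCount
| order by LastSignIn desc
```

Two things to watch when adapting this: normalize the join key on both sides (the tolower calls) or near-misses silently fall through as "not found", and keep both time windows equal, otherwise a user who signed in at 23:59 can show up as missing simply because the tool's record has not been ingested yet.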
Get account name if UserPrincipalName is UserId - Sometimes the signin events in the various AAD signin logs contain the UserId as the UserPrincipalName. In some spot checks it looks to me that this often happens when the signin comes from a Teams app on an iOS device...
Stuff to Have
UrlClickEvents Table in Microsoft Sentinel for Threat Hunting and Anomaly Detection - In the dynamic world of cybersecurity, proactive threat hunting and anomaly detection are key to staying ahead of potential threats. One powerful tool that aids in this process is the UrlClickEvents table in Microsoft Sentinel. This table can help us hunt for several cybersecurity attack vectors related to URL click activities.
Risky User Hunting Workbook - a Sentinel workbook to help you hunt user risk in Entra.
Parse and query the Azure Public IP JSON file using the externaldata operator - This example is for the Public Cloud JSON. The files are curated and updated once a week, so the URL will need to be updated often.
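As an added illustration of the externaldata approach in that post (my own sketch, not the linked author's query), here is how the weekly Service Tags JSON can be flattened to one row per prefix and then used to tag sign-ins that originate from Azure address space. The download URL is a placeholder you must replace with the current week's file, and the JSON shape assumed here (a top-level "values" array whose entries carry properties.addressPrefixes) is the public Service Tags layout as I know it; verify it against the file you download.

```kql
// Added example (not from the linked post). Replace the placeholder URL with the
// current Service Tags file; the URL changes every week, as the post notes.
let AzureRanges =
    externaldata(changeNumber:string, cloud:string, values:dynamic)
    [@"https://download.microsoft.com/download/REPLACE-WITH-CURRENT-WEEK/ServiceTags_Public_YYYYMMDD.json"]
    with(format="multijson")
    | mv-expand values
    | extend ServiceTag = tostring(values.name),
             Region     = tostring(values.properties.region),
             Prefix     = values.properties.addressPrefixes
    | mv-expand Prefix to typeof(string)
    // keep IPv4 only for the ipv4_* helpers below; IPv6 would need the ipv6_* functions
    | where Prefix !contains ":"
    | project ServiceTag, Region, Prefix;
// Collapse the prefix list into a single dynamic array so it can be reused per row.
let AzurePrefixes = toscalar(AzureRanges | summarize make_list(Prefix));
// Example use: flag which sign-ins in the last day came from Azure address space.
SigninLogs
| where TimeGenerated > ago(1d)
| where isnotempty(IPAddress)
| extend FromAzure = ipv4_is_in_any_range(IPAddress, AzurePrefixes)
| summarize SignIns = count(), Users = dcount(UserPrincipalName) by FromAzure
```

Materializing the prefixes with toscalar(make_list(...)) keeps the lookup to a single array comparison per row instead of a cross join; if you need the matching ServiceTag name rather than a yes/no flag, run the same mv-expanded AzureRanges table through a lookup keyed on ipv4_is_match instead.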