Microsoft Sentinel this Week - Issue #146
Stuff from Me
Happy Friday, good people!
To start this week’s issue, I noted last issue that I would be speaking at the AI Tour in Paris next month. I’ve had a longer thought about that and wanted to update you all.
I have a couple big, super important family events coming up.
The wife and I celebrate 34 years of marriage on February 24th. We’re planning a weekend getaway to celebrate.
My oldest daughter gives birth to our 2nd grandbaby sometime in early March. We’re grandbaby fans here in the Trent household. If you’ve been a reader of this newsletter long enough, you know we’re crazy about our first grandboy.
For those reasons, I've opted out of the Paris trip for the AI Tour. Family is key to everything. It’s easy sometimes to lose sight of that. Everything I do, I do for my family. When I was younger - yeah - a lot of it was selfish. I did a lot of it for me and my career. But eventually you come to the understanding why you actually do the things you do. And if it’s not because of and for someone else, then you really need to review your life choices. Ego will not get you very far in life.
Paris is going to be great, though. My awesome colleague and teammate Joylynn Kirui will be speaking in Paris. You need to stop by to connect with her. She's the best!
I will still be speaking at Experts Live in Denmark. So that's currently the only way to connect with me in Europe in March.
Register now! https://events.justattend.com/events/conference-hub/584b32f5
There will be LOTS of Copilot for Security content in Denmark - some of it for the first time ever in a public setting.
…
We’ve finally released our show schedule for Women in Cybersecurity Month and hope you’ll be able to attend live or listen after.
Details at the link: https://aka.ms/MSIShow-WiCyS
…
That’s it for me for this week. I hope you have a great weekend, and your work week ahead is fruitful and fulfilling.
Talk soon.
-Rod
Stuff to Read
Using Microsoft Sentinel Watchlists in a Cross Workspace query – Yet Another Security Blog - In my last post, I talked about how to get a single (or a few) entries from a Microsoft Sentinel watchlist. I introduced the fact that watchlists are stored in the “Watchlist” table. We can use this to perform cross workspace queries.
Microsoft Sentinel SOC 101: Detecting and Mitigating Spear Phishing with Microsoft Sentinel - Spear phishing is a sophisticated cyber-attack targeting specific individuals or organizations to steal data or install malware. Microsoft Sentinel, a cloud native SIEM (Security Information and Event Management) platform, offers robust tools to detect and mitigate such threats.
Understanding Sentinel password spray data with Copilot for Microsoft 365 | LinkedIn - In this article, I will share how to use the password spray data obtained from Microsoft Sentinel and convert it to Excel data for Copilot usage. Password spray is just one use case for SecOps; potentially any security data extracted from MS Sentinel or Defender XDR can be analyzed with Copilot for Microsoft 365 by simply using prompts to get more insight into your security data. Work smartly to understand your security log data set!
CEF Data Connector: MMA vs AMA | LinkedIn - Here is an article comparing two different approaches for sending logs from a third-party platform to Microsoft Sentinel's Log Analytics Workspace via Syslog or CEF Log Forwarder.
Data Connector: AWS vs AWS S3 | LinkedIn - Below is an article comparing two different data connectors in Microsoft Sentinel - to collect logs from AWS environment.
Stuff to Watch/Listen To
Microsoft Security Insights Show Episode 190 - Andre Camillo
Stuff to Attend
Stuff That's New or Updated
Upcoming Content Hub AMA supported Data Connectors - Today we are happy to share that new data connectors with AMA support will soon be available in Sentinel's Content Hub.
Incident tasks now generally available (GA) - Incident tasks, which help you standardize your incident investigation and response practices so you can more effectively manage incident workflow, are now generally available (GA) in Microsoft Sentinel.
Learn more about incident tasks in the Microsoft Sentinel documentation:
See this blog post by Benji Kovacevic that shows how you can use incident tasks in combination with watchlists, automation rules, and playbooks to build a task management solution with two parts:
A repository of incident tasks.
A mechanism that automatically attaches tasks to newly created incidents, according to the incident title, and assigns them to the proper personnel.
Stuff That's Related
Announcing New Monitoring and Scaling Updates in Azure Firewall - We are pleased to introduce some new features and improvements for the service today. These features include capabilities that enhance the monitoring and scalability of your Azure Firewall:
Flow Trace logs are now generally available.
Autoscaling based on the number of connections is now generally available.
Parallel IP Group update support is now in public preview.
The KQL Mysteries: Chapter 9 - The Ghost of Krampus Past - Jon braced himself, gripping the phone tighter. “What is it, Jordan? Don’t keep me in suspense.” Jordan’s voice was steady, but there was an undercurrent of disbelief. “It’s connected, Jon. The Night Princess… she’s using the same backdoor that Krampus_attack left open. It wasn’t fully secured.”
Stuff About Copilot for Security
Tanium Plugin Prompts - Thanks to the good folks at Tanium for supplying supporting content for their Copilot for Security plugin.
Navigating cyberthreats and strengthening defenses in the era of AI | Security Insider - Every day more than 2.5 billion cloud-based, AI-driven detections protect Microsoft customers.
Brief: Copilot for Security as a Tool for Threat Hunting - Copilot for Security can help organizations to transform their security posture from reactive to proactive, and to achieve higher levels of security maturity and resilience. By using Copilot for Security, organizations can benefit from the advantages of threat hunting without the drawbacks, and gain more visibility, control, and confidence over their network and system security.
Microsoft Copilot for Security: The great equalizer for government security - Microsoft Industry Blogs - Cybersecurity for government organizations is a game of speed, with cyberattackers working to compromise networks and steal data as swiftly as possible before defenders can detect and deter them. In this ongoing battle, cyberattackers have traditionally had an asymmetrical advantage.
Stuff in Techcommunity
Ingesting Logs from on premises CEF collector via AMA - I want my CEF collector to be on prem and it should use AMA not MMA. One way is to install Azure Arc on that, but in my case it won't work because I want all my resources to be in the Qatar Central region and Azure Arc is currently not available in the Qatar Central region. So, is there any other possibility that I can ingest CEF logs from my firewalls using an on-premises CEF collector?
MISP Sentinel Integration - I'm trying to integrate Sentinel with MISP using https://github.com/cudeso/misp2sentinel.
Everything is OK until I reach the Python section https://github.com/cudeso/misp2sentinel?tab=readme-ov-file#python-environment
Stuff to Have
Daily_Cap.kql - When Daily Cap is reached.