Microsoft Sentinel this Week - Issue #159
Stuff from Me
Happy Friday everyone!
It’s been a short week here in the US, which usually means the week feels longer than it really is. But this time, I can honestly say that the four-day week actually felt like a four-day week. Friday hit me quicker than I expected.
Thanks for reading Microsoft Sentinel this Week! Subscribe for free to receive new posts and support my work.
In some respects, that’s good. But from another angle, I feel like I didn’t accomplish all I needed to this week. I have some upcoming sessions to deliver - all internal to Microsoft and all of them about Copilot for Security - and the four-day week has put me behind somewhat.
I’m really looking forward to these to help our own people and our security MVPs skill-up on Microsoft’s GenAI security tool.
Speaking of Copilot for Security, I’ll have an upcoming appearance on the Virtual Ninja Training show…
Add it to your calendar (https://aka.ms/NinjaShow/S8Ep7/calendar) and then check out all the upcoming shows: https://adoption.microsoft.com/ninja-show/
…
A couple weeks back, I mentioned that I’m considering merging the Microsoft Sentinel weekly newsletter with the Microsoft Defender weekly newsletter. I’m still in the process of noodling how best to do that and when to do it. So, I have another question for you all.
…
Talk soon.
-Rod
Stuff to Read
Part 2: Threat Detection Engineering and Incident Response with AuditD and Sentinel — Combine Events by ID with Laurel before sending to Sentinel as JSON and Parser for event searching and alert building - In this guide we will install Laurel which will combine all the AuditD events which will make creating higher fidelity alerts easier.
Direct linking to Microsoft Sentinel incidents in the unified portal - Having working links to Microsoft Sentinel incidents is a common and basic request when doing automation and integration to external systems such as Microsoft Teams or a ticketing system.
Facing a problem with Microsoft 365 Defender Data Connector in Sentinel? - A lot of my clients and peers have recently been hit with a problem when trying to configure the Defender 365 Data Connector in Microsoft Sentinel. Even with the correct privileges, opening the connector page results in the following error.
Stuff to Watch/Listen To
Stuff That's New or Updated
Public Preview: Log Analytics Workspace Replication - Azure Monitor Log Analytics uses workspaces as a logical container for logs. Workspaces are region-bound, but workspace replication allows you to create cross-regional redundancy to increase workspace resilience to regional incidents.
Incident and entity triggers in playbooks are now Generally Available (GA)
The ability to use incident and entity triggers is playbooks is now supported as GA.
For more information, see Create a playbook.
Stuff About Copilot for Security
Copilot for Security stuff now has its own bi-weekly newsletter!
Stuff in Techcommunity
Threat Intelligence Pane in Sentinel Broken - It seems that the 'Threat Intelligence' pane within Sentinel is broken. It seems to have been updated with a new search capability but displays as below with an error.
Query an external CSV file - Hi, I am trying to query an external CSV file via KQL using externaldata() operator. As a POC, I created a test storage account with a simple container and then uploaded a CSV file to it. I am using a SAS token & URL to fetch the data.
Stuff That’s Related
Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks | Microsoft Security Blog - Microsoft has identified a new North Korean threat actor, now tracked as Moonstone Sleet (formerly Storm-1789), that uses both a combination of many tried-and-true techniques used by other North Korean threat actors and unique attack methodologies to target companies for its financial and cyberespionage objectives. Moonstone Sleet is observed to set up fake companies and job opportunities to engage with potential targets, employ trojanized versions of legitimate tools, create a fully functional malicious game, and deliver a new custom ransomware.
Public Preview: App Service Authentication Logs on Diagnostic Settings - A new log “AppServiceAuthenticationLogs” is now available in Public Preview for App Service resources on Windows. This would include Web Apps, Functions, and Logic Apps. If you would like to have more visibility into your App Service Authentication and would like to troubleshoot or self-diagnose issues, you can enable this log category to help with these scenarios.
Stuff to Have
FailedSignins.kql - Failed signins to the CfS service exposing user, reason, and other necessary information.
Thanks for reading Microsoft Sentinel this Week! Subscribe for free to receive new posts and support my work.