Microsoft Sentinel this Week - Issue #153
Stuff from Me
Happy Friday everyone!
Thanks so much for being here. Despite the newsletter not going out last week, I had an awesome time on my buddy road trip, which took us to the top of the St. Louis Arch and eventually meandered toward GEHA stadium in Kansas City to watch Inter Miami play soccer. It was a trip full of frolic and fun, including a stop at Joe's Bar-B-Que, which has been featured on Diners, Drive-Ins and Dives.
Thanks for reading Microsoft Sentinel this Week! Subscribe for free to receive new posts and support my work.
Our visit to GEHA stadium was the largest-ever attendance at a soccer game in KC history and the second largest in the world.
And what better way to celebrate than to not only enjoy the trip and good friends, but watch Lionel Messi actually score a goal during the Inter-Miami win.
It was a great trip and we’re already planning to make it an annual thing.
…
I have one big note to share about the future of this newsletter. I know there's been a lot of Copilot for Security content recently, but this week I've pared it down to only what's pertinent to Microsoft Sentinel. There's plenty more Copilot for Security content, but for now it is reserved for this newsletter's sister publication, Microsoft Defender Weekly Wrap. If you want to read more about Copilot for Security, subscribe there.
However, as you can imagine there has been a massive uptick in content for the newly released service, and as such, I’m considering building a newsletter specifically for Copilot for Security. If this is something you’d like to see, let me know in the following survey…
…
That’s it from me for this week. Thanks again for coming along with us on this Microsoft security journey.
Talk soon.
-Rod
Stuff to Read
Augment Microsoft Sentinel Incident Investigation with Microsoft Copilot for Security and Logic Apps - Fragmented security stacks, excessive alerts, and understaffing are some of the biggest challenges security teams face today. However, you can overcome these obstacles with Copilot for Security, a generative AI assistant that can boost the efficiency of security professionals by up to 22%, according to a study Microsoft published in January 2024 that was first run with experienced security professionals and later expanded to randomized controlled trials.
Ingesting Non-Microsoft Cloud Security Data into Microsoft Sentinel for Government & DIB Customers - Before we dive into how to ingest data from AWS into Microsoft Sentinel, we need to understand at what level each cloud is FedRAMP authorized to operate. This is not a deep discussion of compliance, just a quick overview of the levels each cloud is authorized to operate at. For specific compliance or operating-level guidance you are encouraged to talk to your agency's authorized approver.
Ingesting Non-Microsoft Cloud Security Data into Microsoft Sentinel for Gov & DIB customers part 2 - This blog will be focusing on how to ingest AWS Commercial and AWS GovCloud data into a Microsoft Sentinel workspace in Azure Government. This picture provides a high-level visual of the architecture we will walk through in this part of the blog series.
Sentinel Integrated Rpi Soil Sensor 2.0 Part 3 - Today, we'll look at the free-tier Azure IoT Hub's most significant limitation - the custom endpoint bottleneck - and how to solve it!
Sentinel Automation Part 1: Enriching Sentinel Incidents with KQL Results - Automating incident response queries is one of the quick wins you can implement in Microsoft Sentinel. This allows you to automate incident enrichment and further investigations. The first blog of the Sentinel Automation Series will explain how you can quickly implement this in your environment. This is done based on automation rules and Playbooks (Logic Apps).
Update Microsoft Sentinel Analytics Rules At Scale - Microsoft Sentinel comes with Content Hub, which you can use out of the box to get value from content and get started on Microsoft Sentinel quickly. Solutions in the Microsoft Sentinel Content Hub provide a consolidated way to acquire Microsoft Sentinel content, such as data connectors, playbooks, workbooks, analytics rules, and automation, into your workspace in a single deployment step.
Stuff to Watch/Listen To
Stuff About Copilot for Security
Copilot for Security Custom Plugin to Track SCU Changes - In addition to setting alerts in Microsoft Sentinel or Azure Monitor, or manually watching the Usage Monitoring screens to know when Copilot for Security capacity changes, you can use a custom plugin.
Brief: Getting a Monthly Cost for Resource Email for Copilot for Security - In the Microsoft Copilot for Security compute capacities service in the Azure portal, you can set up a Task for each compute capacity you have created.
How to Become a Microsoft Copilot for Security Ninja: The Complete Level 400 Training - This course is designed to equip you with the skills needed to use Microsoft Copilot for Security effectively, a cloud-based platform that provides comprehensive visibility into, and safeguarding of, organizational assets and data. You'll learn to monitor, detect, analyze, and respond to security threats across hybrid environments.
Stuff in Techcommunity
How to disable Microsoft data connectors - I was able to turn off custom log connectors by disabling the log source, but I'm stumped as to how I disable the Microsoft connectors like Azure Activity and others.
DataConnector throws error and can't be deleted - The DataConnector (from the "Microsoft Defender for Cloud" solution) "Tenant-based Microsoft Defender for Cloud (Preview)" can't be found anymore and just gets errors. The problem is that the connector can't be deleted, because it can't be found in the Data Connectors! There is an error message every time I open Sentinel, and it can't be deleted because the connector is not displayed. Is there another way to delete this connector?
CEF via AMA - Last Friday I set up a new Ubuntu server (20.04) in Azure and went through the steps to configure the CEF Connector via AMA. This is being configured to replace the CEF via Legacy Agent as that goes away in August. With everything configured, I reconfigured my firewalls to send data to the new collector and I can see data in the CommonSecurityLog table. However, I noticed that the Computer field now shows the source IP address of the firewall rather than the name. With the Legacy Agent, the Computer field was populated with the name of the firewall that sent the data. This makes the data harder to parse as I need to cross-reference IP addresses to names each time. Any idea why the AMA isn't able to display the firewall name?
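As an added example (not part of the Techcommunity thread, and not Microsoft's or the AMA collector's code), here is a small CEF-over-syslog parser that shows where a device name can usually be recovered from the message itself when the collector's Computer field only carries the sending address: the CEF extension keys dvchost and dvc, falling back to a lookup table. The sample lines, vendor names, hostnames, addresses and the HOSTMAP table are all constructed for this example; it says nothing about why AMA fills the Computer field the way it does.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample syslog lines carrying CEF payloads (vendor names, hostnames
# and addresses are made up for this example). Note the escaped "=" in the msg
# value on line 1 and the escaped "|" in the vendor field on line 3.
SAMPLE_LINES = [
    "<134>Mar 15 10:01:02 fw-edge-01 CEF:0|ExampleVendor|ExampleFW|1.0|100|deny|3|"
    "src=10.1.2.3 dst=198.51.100.7 spt=51234 dpt=53 dvc=192.0.2.10 dvchost=fw-edge-01 "
    "msg=user\\=bob denied",
    "<134>Mar 15 10:01:05 192.0.2.11 CEF:0|ExampleVendor|ExampleFW|1.0|200|accept|1|"
    "src=10.1.2.4 dst=10.9.9.9 dvc=192.0.2.11 act=allow",
    "<134>Mar 15 10:01:07 192.0.2.12 CEF:0|Other\\|Vendor|Gateway|2.1|300|drop|5|"
    "src=10.1.2.5 dst=10.9.9.10 act=drop",
]

# Constructed address-to-name table standing in for whatever inventory or CMDB
# export you would cross-reference against.
HOSTMAP = {"192.0.2.10": "fw-edge-01", "192.0.2.11": "fw-core-02"}

HEADER_KEYS = ("version", "device_vendor", "device_product", "device_version",
               "signature_id", "name", "severity")
# <PRI>Mon DD HH:MM:SS host CEF:...
SYSLOG_RE = re.compile(r"^<(\d+)>(\w{3}\s+\d+\s+[\d:]+)\s+(\S+)\s+(CEF:.*)$")
# key=value pairs; values may contain spaces and backslash escapes, and end
# where the next " key=" begins or at end of string.
EXT_RE = re.compile(r"([\w.]+)=((?:\\.|[^\\])*?)(?=\s+[\w.]+=|\s*$)")


def _unescape(value: str) -> str:
    """Undo CEF escaping: \\| \\= \\\\ become the literal char, \\n and \\r become newlines."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def _split_header(cef: str) -> Tuple[List[str], str]:
    """Split the seven pipe-delimited header fields; a backslash-escaped pipe is data."""
    fields: List[str] = []
    cur: List[str] = []
    i = 0
    while i < len(cef) and len(fields) < 7:
        ch = cef[i]
        if ch == "\\" and i + 1 < len(cef):
            cur.append(cef[i:i + 2])   # keep the escape pair for _unescape
            i += 2
        elif ch == "|":
            fields.append(_unescape("".join(cur)))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    if len(fields) != 7:
        raise ValueError("malformed CEF header")
    return fields, cef[i:]


def parse_cef_syslog(line: str) -> Dict[str, object]:
    """Parse one syslog line with a CEF payload into syslog host, header fields and extension dict."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog+CEF line")
    pri, ts, host, cef = m.groups()
    header, extension = _split_header(cef)
    header[0] = header[0].split(":", 1)[1]          # "CEF:0" -> "0"
    ext = {k: _unescape(v) for k, v in EXT_RE.findall(extension)}
    event: Dict[str, object] = {"pri": int(pri), "timestamp": ts, "syslog_host": host}
    event.update(zip(HEADER_KEYS, header))
    event["extension"] = ext
    return event


def looks_like_ip(value: str) -> bool:
    """True when the syslog host field carries an address rather than a name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def device_name(event: Dict[str, object], hostmap: Dict[str, str]) -> Tuple[str, str]:
    """Resolve a display name and say where it came from: the dvchost extension
    first, then a table lookup of dvc or the syslog host address, else the raw host."""
    ext = event["extension"]
    if ext.get("dvchost"):
        return ext["dvchost"], "dvchost"
    for candidate in (ext.get("dvc"), event["syslog_host"]):
        if candidate in hostmap:
            return hostmap[candidate], "lookup"
    return event["syslog_host"], "unresolved"


def resolve_all(lines: List[str], hostmap: Dict[str, str]) -> List[Tuple[str, bool, str, str]]:
    """(syslog host, host-is-IP?, resolved name, source) for each line."""
    out = []
    for line in lines:
        ev = parse_cef_syslog(line)
        name, source = device_name(ev, hostmap)
        out.append((ev["syslog_host"], looks_like_ip(ev["syslog_host"]), name, source))
    return out


if __name__ == "__main__":
    for row in resolve_all(SAMPLE_LINES, HOSTMAP):
        print(row)
```

The third sample line is the case that stays unresolved: no dvchost, no dvc, and an address not in the table, which is exactly the row you would still have to cross-reference by hand. In a Sentinel workspace the same precedence can be expressed in KQL over CommonSecurityLog, but the point here is which fields of the CEF message carry the name in the first place.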
Stuff to Have
Sentinel Automation - This repository provides automation solutions for Microsoft Sentinel. The repository is focused on Logic Apps/Playbooks.