Microsoft Sentinel this Week - Issue #143
Stuff from Me
Happy Friday everyone!
As you’re reading this, I’m headed to the airport to fly home from the Microsoft AI Tour in NYC. I’ll have more to share on this specific event in next week’s newsletter issue, but in a recent “After the Blog” podcast, I talked about the Microsoft AI Tour and why I believe it’s a must-attend event.
Check it out…
…
This past week the Microsoft Sentinel Community on LinkedIn surpassed 20k members! That’s super amazing to me but makes a lot of sense given how engaged and popular the group is. Microsoft Sentinel sits atop several popular Azure services, so Sentinel analysts and engineers need to have good knowledge about a lot of important things like Log Analytics, Logic Apps, Azure Monitor, KQL, etc., etc.
If you’ve not joined this highly engaged group yet, here’s the link: https://www.linkedin.com/groups/8768381/
…
That’s it from me for this week as I’m busy with traveling and delivering our messaging around what we’ve done, what we’re doing, and what customers can expect in the future as we build the safest, most trusted platform for AI.
Talk soon.
-Rod
Stuff to Read
Power BI & Log Analytics Workspace - Microsoft Sentinel is a powerful tool that enables security teams to detect, investigate, and respond to threats across their entire organization. However, when it comes to presenting this data to clients, it can be challenging to make sense of the raw data, and it can take time to manually query the data you might need.
Detect Failed Logins on Windows and leverage Watchlist and Automation using Microsoft Sentinel - This article will explain how to trigger alerts and incidents for failed logins on Windows machines. This can be particularly useful to the SOC Team during a brute force attack. I am also using a watchlist to add a description to the SubStatus field.
Before and After - Archive Tier | LinkedIn - The article dives into Microsoft Sentinel as a SIEM/SOAR platform - before and after the introduction of Archive Tier, showcasing the improved ease of use.
Before and After - Data Collection Rules | LinkedIn - The article dives into Microsoft Sentinel as a SIEM/SOAR platform - before and after the introduction of Data Collection Rules, showcasing the improved ease of use.
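The failed-login article above pairs Windows event 4625 with a watchlist so that the raw SubStatus code is shown alongside a human-readable description. The KQL below is an added example of that pattern written for this newsletter; it is not the article author's query. It assumes a watchlist with the alias LogonSubStatus containing the columns SubStatus and Description (both assumptions), and the SecurityEvent table populated by the Windows Security Events connector. It groups failures per host and account in 10-minute windows, keeps only bursts at or above a threshold, and enriches each row from the watchlist.

```kql
// Added example (not from the linked article): enrich Windows failed logons
// (Event ID 4625) with a watchlist that maps SubStatus codes to descriptions,
// then surface bursts of failures that a SOC analyst should look at.
// Assumptions: a watchlist aliased 'LogonSubStatus' with columns
// SubStatus and Description, and the SecurityEvent table from the
// Windows Security Events connector.
let lookbackWindow = 10m;            // size of the aggregation window
let failureThreshold = 10;           // failures per window that merit an alert
// Normalize the watchlist so the join key is a lowercase string on both sides.
let SubStatusDescriptions =
    _GetWatchlist('LogonSubStatus')
    | project SubStatus = tolower(tostring(SubStatus)),
              Description = tostring(Description);
SecurityEvent
| where EventID == 4625                                  // "An account failed to log on"
| extend SubStatus = tolower(tostring(SubStatus))        // e.g. 0xc000006a (bad password)
| summarize
    FailedAttempts    = count(),
    DistinctSourceIPs = dcount(IpAddress),
    FirstSeen         = min(TimeGenerated),
    LastSeen          = max(TimeGenerated)
    by Computer, TargetUserName, SubStatus, bin(TimeGenerated, lookbackWindow)
| where FailedAttempts >= failureThreshold
// Left-outer lookup keeps rows whose SubStatus is missing from the watchlist.
| lookup kind=leftouter SubStatusDescriptions on SubStatus
| extend Description = iff(isempty(Description), "Unknown SubStatus (add to watchlist)", Description)
| project TimeGenerated, Computer, TargetUserName, SubStatus, Description,
          FailedAttempts, DistinctSourceIPs, FirstSeen, LastSeen
| order by FailedAttempts desc
```

Used as a scheduled analytics rule, this query maps naturally to Host (Computer), Account (TargetUserName) and IP entities, and the Description column lands in the incident so the analyst does not have to decode the hex SubStatus by hand. The left-outer lookup matters: a SubStatus that is not yet in the watchlist still produces an alert rather than being silently dropped.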
Stuff to Watch/Listen To
Stuff That's New or Updated
Reduce false positives for SAP systems with analytics rules - Use analytics rules together with the Microsoft Sentinel solution for SAP® applications to lower the number of false positives triggered from your SAP® systems. The Microsoft Sentinel solution for SAP® applications now includes the following enhancements:
The SAPUsersGetVIP function now supports excluding users according to their SAP-given roles or profile.
The SAP_User_Config watchlist now supports using wildcards in the SAPUser field to exclude all users with a specific syntax.
Microsoft Sentinel: Windows DNS via AMA released to GA - The AMA and its DNS extension are installed on your Windows Server to upload data from your DNS analytical logs to your Microsoft Sentinel workspace.
Security Copilot Stuff
Manage plugins in Microsoft Security Copilot - To extend the capabilities of Security Copilot, preinstalled plugins are available for Microsoft security services and for other commonly used services and websites. You can also add your own custom plugins, including plugins from OpenAI.
The Dolphin and the Monkey – Using Human Intellect in the AI age - Our goal as operators, no matter our discipline, is to find ways to establish trust in AI outputs but not as we did in the past with previous computer systems. Instead, we should develop and use frameworks for conversational understanding that drives clarity resulting in trust that facilitates any workflow or job. If we peel back and define what trust is, it’s a cognitive capacity based on critical thinking and decision making, with cognition simply being the process of acquiring knowledge.
Stuff That's Related
Detect Browser Bookmark Discovery Techniques on Windows using KQL - Here we are again with a new article about Sentinel in our series. Today we will talk about how we can use Atomic Red to run Discovery techniques, and how to use KQL to detect Browser Bookmark Discovery techniques. I will have different articles on the same topic, so stay tuned.
ADX Query Performance Unleashed: Best Practices and Pro Tips - Azure Data Explorer (ADX) is a powerful tool that offers real-time data analytics at scale. However, to harness the full potential of ADX, it's essential to optimize query performance. In this article, we will explore the best practices for fine-tuning ADX queries to achieve maximum efficiency in real-world scenarios.
Securing the Clouds: Navigating Multi-Cloud Security with Advanced SIEM Strategies - This first article is by a team of Microsoft experts who share their insights and experiences in establishing a comprehensive security posture in a multi-cloud environment. It explores strategies for achieving a unified security stance, implementing Microsoft's security solutions, and realizing the benefits and greater insights of a multi-cloud SOC. It also explores how a threat-based approach is beneficial for helping organizations stay ahead of adversaries in this modern AI world.
Stuff in Techcommunity
Log Ingestion via Logstash - Custom table - I am using Logstash to send logs to my MS Sentinel instance. It works fine on standard tables, e.g. syslog. Now I am trying to ingest logs from other sources like gcplogs. I am using the gcp input plugin, filter via grok and use the output plugin to send the logs to the DCR.
Azure Activity connector - It shows not connected despite going through steps mentioned here: Azure-Sentinel/Solutions/Training/Azure-Sentinel-Training-Lab/Modules/Module-2-Data-Connectors.md at... Any idea? I tried assignment policy a couple of times.