Things from Me
Happy Friday, everyone!
Welcome to issue number — <drum roll> — 1! After spending some time this past week to merge the Sentinel and Defender newsletters, revamp the logo, and let everyone know about the changes, I thought it was also appropriate to reboot the numbering system.
In many ways, this newsletter is not new. But as we move forward with the consolidated community, I think it makes sense to start fresh. Thinking about it, it is a bit sad to reset the newsletter numbering considering we had reached 161 with Sentinel and 125 with Defender. But after just over 3 years of weekly newsletter issues, we needed a refresh.
But hey…I work for Microsoft. We reboot, reset, and rebrand things all the time. I guess by now it has been ingrained into my DNA and it doesn’t seem like a major thing.
But still.
Thanks all for your continued trust and loyal readership. In addition to the merged community, the news of the consolidated newsletter brought on a lot of new subscribers. So, welcome everyone! Welcome to this monumental moment.
I hope your time here always exceeds your expectations and you always find something of value you can use right away.
…
During the last issues of both newsletters, I noted that I was headed to Amish country in Ohio to visit my best friend for his birthday. During my runs there I regularly capture the scenic views with my Samsung S24 Ultra. I have posted the pics from my runs on my own blog for those interested in getting a good view of the Amish countryside.
If you’re interested in these photos, check out what I’ve shared:
…
That’s it from me for this week.
Talk soon.
-Rod
Things to Attend
CANCELLED: JUN 25 Microsoft Defender for Cloud | New Version for File Integrity Monitoring - In this webinar you'll learn about the new improved version of File Integrity Monitoring (FIM) in Defender for Servers Plan 2, powered by Defender for Endpoint integration.
Jun 24, 2024 - Episode 215 - Cribl - 5PM EST - We have a treat this week! You've heard about it. Many of you have used it and swear by it. Now hear directly from ...drum roll, please... Cribl!
Things that are Related
Announcing enhanced multicloud integration enabled by Azure Arc - We are thrilled to announce a new set of capabilities for multicloud customers, making it easier than ever to manage cloud resources from a centralized platform. With the adaptive cloud approach enabled by Azure Arc, customers can quickly and easily access and manage their workloads across Azure and AWS through the multicloud connector, which is free to use!
Fight fraud across the full identity lifecycle with Transmit Security and Microsoft - In this guest blog post, Ravit Aviv, Director of Technology Alliances at Transmit Security, offers ways businesses can launch a formidable defense against AI-based cyber activity and threat actors and build long-term digital resilience with the help of Transmit Security and Microsoft.
Things to Watch/Listen To
Things in Techcommunity
Defender 365 admin console - Disabled Connected to a custom indicator & Connected to an unsanctioned - I want to know how I can disable these two following alerts:
Disabled Connected to a custom indicator
Connected to an unsanctioned blocked app
Those alert types need to be enabled or disabled on demand, like the other alert types.
Parameterized function in cross workspace queries - I'm looking to get some input on a query I'm working on.
The thought is to create a query for each customer in our Lighthouse tenant, then be able to query a function named for the customer.
Things to Have
//Failed MFA authentication against the Copilot for Security Standalone experience.
SigninLogs
// Limit to the last 24 hours of sign-in events
| where TimeGenerated >= ago(24h)
// "Medeina Portal" is the app display name the Copilot for Security standalone portal signs in as
| where AppDisplayName == "Medeina Portal"
// ResultType 50074 = strong authentication (MFA) required but not satisfied
| where ResultType == "50074"
// LocationDetails is a dynamic column; pull out the geo fields for the report
| extend city = LocationDetails.city
| extend state = LocationDetails.state
| extend region = LocationDetails.countryOrRegion
// geoCoordinates is a nested object inside LocationDetails
| extend latitude = parse_json(tostring(LocationDetails.geoCoordinates)).latitude
| extend longitude = parse_json(tostring(LocationDetails.geoCoordinates)).longitude
| project UserDisplayName, UserPrincipalName, UserType, city, state, region, latitude, longitude, AADTenantId
Permanent location: https://github.com/rod-trent/Copilot-for-Security/blob/main/Other/Queries/Failed_MFA.kql
Copilot for Security Things
Copilot for Security stuff now has its own bi-weekly newsletter! If you want updates and community for Copilot for Security, subscribe, follow, or grab the RSS feed.
Microsoft Sentinel Things
Microsoft Azure Sentinel 101: Dynamically update and change Alert/Incident Severity — based on query results with automation or logic apps for all alerts - Depending on how you run your SOC, you may wish to drop Severity to help prevent going over SLAs, especially when an alert is not a threat. At the same time, you may wish to quickly change an alert severity if it does something specific.
Microsoft Azure Sentinel 101: Automatically add TLP (Traffic Light Pattern) to Incidents with logic apps/playbooks and automation by query tagging - Depending on your environment, you may need to TLP tag all your content, and this walkthrough is a good way to do it. I’ll only be going through one way, using a logic app that can be used as a playbook through automation or per alert.
Defender for Cloud Things
Vulnerability Assessment on Azure Container Registry with Microsoft Defender and Docker Hub - I am excited to share my two favorite image analysis solutions to protect images hosted on Azure Container Registry. Please note that it is not my intention to compare these two solutions because I love working with both Microsoft Defender for Containers and Docker Scout altogether and they complement each other. If anything, they should be used alongside each other to further enhance container security on ACR.
Defender for Endpoint Things
Host Microsoft Defender data locally in Switzerland - We are pleased to announce that local data residency support in Switzerland is now generally available for Microsoft Defender for Endpoint and Microsoft Defender for Identity. This announcement demonstrates our commitment to providing customers with the highest levels of security and compliance by offering services that are aligned to local data sovereignty requirements. Swiss customers can now confidently onboard to Defender for Endpoint and Defender for Identity in Switzerland, knowing that their data at rest will remain within Swiss boundaries, which ensures that customers in Switzerland can meet their regulatory obligations and maintain control over their data.
Microsoft Entra Things
Microsoft Entra ID Governance licensing clarifications - In the past few weeks, we’ve announced the general availability of Microsoft Entra External ID and Microsoft Entra ID multi-tenant collaboration. We’ve received requests for more detail from some of you regarding licensing, so I’d like to provide additional clarity for both of these scenarios.
How to break the token theft cyber-attack chain - …as more customers do the right thing with MFA, actors are going beyond password-only attacks. So, we’re going to publish a series of articles on how to defeat more advanced attacks, starting with token theft. In this article, we’ll start with some basics on how tokens work, describe a token theft attack, and then explain what you can do to prevent and mitigate token theft now.
JUN 25 Microsoft Defender for Cloud | New Version for File Integrity Monitoring was cancelled, as far as I know...
Thanks! Very informative, as always!