Things from Me
Welcome back and happy Friday!
As we transition into fall, we're excited to bring you a series of insightful webinars and updates designed to enhance your security posture. This month, we have a lineup of events covering a range of topics from Microsoft Defender for Cloud to Azure Network Security. Whether you're looking to prepare for upcoming transitions, explore new ways to protect OT environments, or dive into the latest in eDiscovery, there's something for everyone.
Join us for these informative sessions and stay ahead in the ever-evolving world of cybersecurity. Don't miss out on the opportunity to learn from experts and enhance your security strategies.
Stay secure and informed!
…
Did you know?
Even though I recently merged Sentinel and Defender newsletters into this single SIEM and XDR weekly edition, all of the product areas represented here still have their own active community groups on LinkedIn. There’s always something going on.
Join us if you want more:
…
On a personal note, did you know I write fiction books? If you’re one of those interested in taking a tech break every once in a while, you can immerse yourself in the following stories.
https://amazon.com/author/rodtrent
Talk soon.
-Rod
Things to Attend
Sign up for the webinars listed below using this link: aka.ms/msc_webinars_page
September 10 - Microsoft Defender for Cloud | Prepare for upcoming transitions in Defender for Servers
September 11 - Microsoft Defender XDR | New ways for security teams to protect OT environments with Defender XDR
September 17 - Azure Network Security | Introducing DDoS Vulnerability Management for Azure DDoS Protection with MazeBolt
September 18 - Microsoft Purview | Microsoft Purview eDiscovery Modern UX
September 25 - Microsoft Defender for Cloud | Defender for Servers - New FIM Version
September 26 - Microsoft Defender for Cloud Apps | How to protect Oauth apps with app governance in Microsoft Defender for Cloud Apps
October 01 - Microsoft Sentinel | Building Microsoft Sentinel integrations - Part 2: Creating data connectors
Things that are Related
Enhancing Data Security and Digital Trust in the Cloud using Azure Services - In this article, we’ll explore how CSE can provide superior protection for your data, particularly if an authentication and authorization account is compromised. We’ll also address common questions about Microsoft's stance on CSE and explain why CSE might not be as widely discussed as Client-Side Key Encryption (CSKE). By understanding these concepts, you can better meet security and regulatory requirements and ensure that your data remains protected.
Things to Watch/Listen To
Things in Techcommunity
Auto Disabled (Rule Name) - One of my scheduled rules was auto-disabled 2 days ago (31-Aug) and shows: "The alert rule was disabled due to too many consecutive failures. Reason: The query was blocked as it was consuming too many resources." When I tried to re-enable it, it shows:
"Failed to save analytics rule 'rule name'. Conflict:Newer instance of rule 'ID' exists for workspace 'workspace id' (Etag does not match). Data was not saved."
I made some changes in the KQL but it still shows the same message. Can someone help me find a solution?
Defender Browser/Domain blocks - We have an issue with Defender for Endpoint with most users. When we add browsers/domains in the DLP setting "Browser and domain restrictions to sensitive data", usually an unallowed browser would not open in a blocked browser by default and would redirect to Edge.
Copilot for Security Things
Microsoft Sentinel Things
Import and export Microsoft Sentinel automation rules - Manage your Microsoft Sentinel automation rules as code! You can now export your automation rules to Azure Resource Manager (ARM) template files, and import rules from these files, as part of your program to manage and control your Microsoft Sentinel deployments as code. The export action creates a JSON file in your browser's downloads location that you can then rename, move, and otherwise handle like any other file.
Microsoft Sentinel Summary KQL deep dive (From Beginner to Advanced KQL) - How to write KQL Sentinel Summary Rules, with 3 real-world examples.
Microsoft Sentinel support in Microsoft Defender multitenant management (Preview) - If you've onboarded Microsoft Sentinel to the Microsoft unified security operations platform, Microsoft Sentinel data is now available with Defender XDR data in Microsoft Defender multitenant management. Only one Microsoft Sentinel workspace per tenant is currently supported in the Microsoft unified security operations platform. So, Microsoft Defender multitenant management shows security information and event management (SIEM) data from one Microsoft Sentinel workspace per tenant. For more information, see Microsoft Defender multitenant management and Microsoft Sentinel in the Microsoft Defender portal.
Premium Microsoft Defender Threat Intelligence data connector (Preview) - Your premium license for Microsoft Defender Threat Intelligence (MDTI) now unlocks the ability to ingest all premium indicators directly into your workspace. The premium MDTI data connector adds more to your hunting and research capabilities within Microsoft Sentinel. For more information, see Understand threat intelligence.
Better visibility for Windows security events - We've enhanced the schema of the SecurityEvent table that hosts Windows Security events, and have added new columns to ensure compatibility with the Azure Monitor Agent (AMA) for Windows (version 1.28.2). These enhancements are designed to increase the visibility and transparency of collected Windows events. If you're not interested in receiving data in these fields, you can apply an ingestion-time transformation ("project-away" for example) to drop them.
Unified AMA-based connectors for syslog ingestion - With the impending retirement of the Log Analytics Agent, Microsoft Sentinel has consolidated the collection and ingestion of syslog, CEF, and custom-format log messages into three multi-purpose data connectors based on the Azure Monitor Agent (AMA):
Syslog via AMA, for any device whose logs are ingested into the Syslog table in Log Analytics.
Common Event Format (CEF) via AMA, for any device whose logs are ingested into the CommonSecurityLog table in Log Analytics.
New! Custom Logs via AMA (Preview), for any of 15 device types, or any unlisted device, whose logs are ingested into custom tables with names ending in _CL in Log Analytics.
Create summary rules in Microsoft Sentinel for large sets of data (Preview) - Microsoft Sentinel now provides the ability to create dynamic summaries using Azure Monitor summary rules, which aggregate large sets of data in the background for a smoother security operations experience across all log tiers.
Defender XDR Things
Unlocking Real-World Security: Defending against Crypto mining attacks - Cross-domain attacks remain a critical challenge for most security teams. As attackers use a combination of threat vectors to gain a foothold in an organization, visibility across critical assets becomes vital. With advanced attacks like cryptojacking and IaaS resource theft becoming increasingly prominent, it’s clear that attacks are crossing boundaries into cloud and hybrid workloads. The importance of natively integrating your XDR and cloud security insights becomes crucial when defending against these attacks.
Microsoft Security Exposure Management Things
Microsoft Security Exposure Management Graph: Prioritization is the king - In the dynamic world of cybersecurity, staying ahead of threats is not merely about reacting to threats but proactively understanding and managing the security posture of every asset within an organization. The introduction of Microsoft’s ExposureGraphEdges & ExposureGraphNodes tables within Advanced Hunting signifies a substantial advancement in exposure management tools. These tables encapsulate the entire dataset of the Microsoft Security Exposure Management Graph. In this blog, we delve into key concepts and provide powerful queries that you can implement in your own environment.
Defender Experts Things
Hunting with Microsoft Graph activity logs - Responding to and detecting these cloud-based attacks is of utmost priority. Multiple products and logs are available to help with threat investigation and detection. In this blog, we’ll explore the recent addition of Microsoft Graph activity logs, which has been made generally available.
Microsoft Defender Experts services are now HIPAA and ISO certified - We are pleased to announce that Microsoft Defender Experts for XDR and Microsoft Defender Experts for Hunting can help healthcare and life science customers in meeting their Health Insurance Portability and Accountability Act (HIPAA) obligations. To carry out proactive threat hunting and managed detection and response on behalf of our customers, our Defender Experts team needs access to their Microsoft Defender portal alerts, incidents, and advanced threat hunting data. We can now support our customers’ compliance with HIPAA when they utilize Defender Experts services through a Business Associate Agreement (BAA) to ensure that protected health information (PHI) is appropriately safeguarded.
Defender for Office Things
How your submissions to Defender for Office 365 are processed behind-the-scenes - Microsoft Defender for Office 365 enables users and administrators to submit suspicious items for analysis (email and Teams messages, files, or URLs) to enhance detection and prevention. Your submissions allow Microsoft to determine the nature of the item, update filtering decisions, and offer you actionable insights. We're often asked what happens after you submit an item to Microsoft, so here's a brief overview of what happens behind-the-scenes.
Microsoft Entra Things
MFA enforcement for Microsoft Entra admin center sign-in coming soon - As cyberattacks become increasingly frequent, sophisticated, and damaging, safeguarding your digital assets has never been more critical. In October 2024, Microsoft will begin enforcing mandatory multifactor authentication (MFA) for the Microsoft Entra admin center, Microsoft Azure portal, and the Microsoft Intune admin center.
Microsoft Purview Things
Harnessing the power of Generative AI to protect your data - Microsoft Copilot for Security helps professionals across the many cybersecurity disciplines to be more effective and efficient at all the roles they play. It helps you enhance and grow your capabilities and skills, while also supporting the workflows and teams you collaborate with to solve security challenges. Since Copilot for Security uses GenAI to analyze data from many sources, including other Microsoft Security solutions, it can also help analysts catch what they might have otherwise missed. Copilot for Security synthesizes data and detects those important signals better than ever before, all in a single pane of glass, without having to jump between different solutions to get additional context.