Things from Me
Happy Friday, everyone!
I’m thrilled to bring you the 22nd issue of the Microsoft SIEM and XDR Weekly Wrap! This week, the newsletter delves into a range of exciting topics that showcase the latest developments and insights in the world of cybersecurity.
From exploring the lessons learned from red teaming over 100 generative AI products to introducing the Autonomous SOC Maturity Model, this issue covers the cutting-edge advancements that are shaping the security landscape. Additionally, we highlight significant enhancements in Microsoft Sentinel, including Bicep support and improved log ingestion capabilities.
The newsletter also features discussions on practical tools and strategies, such as deploying Defender for Cloud Apps and managing bandwidth during peak times.
I hope you find this issue informative and engaging. As always, your feedback is invaluable, and I look forward to your thoughts and contributions.
Happy reading!
…
For anyone in the NYC area at the end of January, I’ll be speaking about Security Copilot at the AI Tour. This is a free, one-day event. I hope you can join and connect with me.
Details: https://aitour.microsoft.com/en-US/new-york
…
That’s it from me for this week.
-Rod
Things that are Related
Building Defenses with Modern Security Solutions - This is a series of blog posts and labs intended to help educate security admins/architects/auditors on several key topics of cybersecurity.
3 takeaways from red teaming 100 generative AI products - The AI red team was formed in 2018 to address the growing landscape of AI safety and security risks. Since then, we have expanded the scope and scale of our work significantly. We are one of the first red teams in the industry to cover both security and responsible AI, and red teaming has become a key part of Microsoft’s approach to generative AI product development. Red teaming is the first step in identifying potential harms and is followed by important initiatives at the company to measure, manage, and govern AI risk for our customers. Last year, we also announced PyRIT (The Python Risk Identification Tool for generative AI), an open-source toolkit to help researchers identify vulnerabilities in their own AI systems.
Introducing The Autonomous SOC Maturity Model - The autonomous SOC: A well-grounded vision for the future of machine speed, AI-driven cyber defense, or nothing more than a pipe dream? Few concepts in modern security have been as polarizing, with sides painted as distinct camps of “believers” versus “non-believers”, each accompanied by increasingly hyperbolic claims.
Things to Watch/Listen To
Things in Techcommunity
Bug in stand-alone MS Sentinel MITRE tactics - I set up a new Analytic rule where I had selected multiple tactics/techniques combinations. When I create an incident from that rule, only one of the tactics/techniques actually shows up in the stand-alone MS Sentinel UI as well as in the SecurityIncident table. It isn't even the first one I selected; it is the last one. I did double-check the Analytic rule and all the tactics/techniques are selected.
Things in the News
CISA Publishes Microsoft Expanded Cloud Log Implementation Playbook - The Cybersecurity and Infrastructure Security Agency (CISA), in close coordination with the Office of Management and Budget (OMB), the Office of the National Cyber Director (ONCD) and Microsoft, announces today the release of the Microsoft Expanded Cloud Log Implementation Playbook. This guidance helps public and private sector organizations using Microsoft Purview Audit (Standard) to operationalize newly available cloud logs so they become an actionable part of their enterprise cybersecurity operations.
Things to Have
Lessons from red teaming 100 generative AI products (PDF) - In recent years, AI red teaming has emerged as a practice for probing the safety and security of generative AI systems. Due to the nascency of the field, there are many open questions about how red teaming operations should be conducted. Based on our experience red teaming over 100 generative AI products at Microsoft, we present our internal threat model ontology and eight main lessons we have learned.
Security Copilot Things
Microsoft Sentinel Things
What's New: Bicep Support in Microsoft Sentinel Repositories - We are thrilled to announce a significant enhancement to the Microsoft Sentinel Repositories feature: support for Bicep templates. This update empowers security teams and DevOps professionals to manage Sentinel-as-Code with greater efficiency, scalability, and clarity.
Ingesting Palo Alto Cortex XDR Logs into Microsoft Sentinel with the Updated CCP Connector - In today’s cybersecurity landscape, having a comprehensive and streamlined security information and event management (SIEM) system is paramount. Microsoft Sentinel, with its robust capabilities, is a go-to for many security professionals. With the evolution of the Codeless Connector Platform (CCP), integrating logs from various sources has never been more efficient. This article delves into how the updated CCP connector enhances the ingestion of Palo Alto Cortex XDR logs into Microsoft Sentinel.
ALSO: Now, in preview, Microsoft Sentinel is available in the Defender portal even without Microsoft Defender XDR or a Microsoft 365 E5 license. For more information, see:
Parsing CEF messages without Azure Monitor Agent - During my time as SOC Engineer, I do a lot of third-party data source ingestion projects for clients into their Microsoft Sentinel instances. Most of these data sources are network security solutions like firewalls and proxy solutions.
Microsoft Sentinel REST APIs vs MS Graph – Yet Another Security Blog - If you have connected your Microsoft Sentinel instance to your Microsoft Defender instance (and if not, why not?), you know that the same incidents and alerts will show up in both instances. You can use either the Microsoft Sentinel REST API or the MS Graph to get the data. So, which one should it be?
Using PowerShell with Microsoft Graph – Yet Another Security Blog - In my last blog post I compared using Microsoft Graph with the Microsoft Sentinel REST APIs. If you have your Microsoft Sentinel hooked up with Microsoft Defender, I recommend using the Microsoft Graph as much as possible. It appears that Microsoft will be pushing more and more to the Graph, so it makes sense to use it. It is very easy to use, with easy-to-understand URLs that utilize common parameters. It can be used with many different programming languages, and the Microsoft Graph Explorer shows code for C#, CLI, Go, Java, JavaScript, PHP, Python, and the one we will be looking at, PowerShell.
Defender XDR Things
Break the 30,000 Rows Limit with Advanced Hunting API! - In this blog post, I will explain how to utilize advanced hunting APIs to bypass the 30,000 rows limit in Defender XDR's advanced hunting feature. Before we delve into the topic, let’s understand what Advanced Hunting in Defender XDR is and what problem we are trying to solve.
Defender for Cloud Apps Things
Deploy Defender For Cloud Apps [mdca] & Block Unwanted Applications - You’re troubleshooting a mysterious bandwidth hog 🐖 in your network, only to discover that the culprit is the very same employee who asked you to look into it 😁❗ It’s March Madness, and that user is streaming the latest KY Wildcat basketball game on the ESPN app (Go Cats! 😺) and you need to preserve bandwidth and compliance at the same time… What do you do in this situation?
Microsoft Purview Things
Defender for Business Things
Seamlessly Migrating from Symantec Endpoint Protection to Microsoft Defender for Business - I recently worked on a project for a client who wanted to migrate their endpoint security solution from Symantec Endpoint Protection (SEP) to Microsoft Defender for Business (MDB). This is the Defender for Endpoint (MDE) plan included in the Business Premium license, which they aimed to maximise the value of. The client’s devices were fully managed with Intune, comprising a mix of hybrid and Entra ID-joined endpoints. In this blog, I’ll share the process we followed, challenges we encountered, and how we overcame them, including a PowerShell script I created to streamline the migration.
Microsoft Entra Things
Step-by-Step Guide: How to use Temporary Access Pass (TAP) with internal guest users - Passwords are fundamentally weak and vulnerable to being compromised. Even enhancing a password only delays an attack; it does not render it unbreakable. Multi-Factor Authentication (MFA) offers more security but still depends on passwords. This is why passwordless authentication is a more secure and convenient alternative.
Exploring Microsoft Entra Private Access — Rubix - The Entra Suite packs a ton of great features - for this blog, I want to focus on one standout: Private Access. This feature makes it easy to securely connect to private applications and on-premises resources, all while staying true to Zero Trust Principles. It’s a powerful solution that blends security with usability, and I can’t wait to dive into it further.