Things from Me
Happy Friday, folks!
After a few needed days off last week, I’m back this week in full swing. Even though the time off didn’t fully meet my expectations (nothing ever really does, right?), I still feel refreshed and ready for the busy times ahead. Some of those busy times involve seeing some of you in the real world.
First off, I’ll be in Ft. Lauderdale, Florida October 20-23 for the MMS Flamingo Edition event. I’ll be on-hand talking about Copilot for Security, delivering a short KQL workshop and even signing The Definitive Guide to KQL books. I may even have a couple of my recent fiction books on-hand.
After that, you’ll find me in Chicago for Microsoft Ignite November 19-21, 2024. At Ignite, I’ll be super-focused on Copilot for Security in sessions and on the show floor.
I’ve heard from many people about being sad and shocked that Ignite sold out so quickly. While our initial run of passes did sell out super-fast, there’s still a chance. There are additional spots open and if you use the RSVP code ATTNLIYL, you can still register. But do it quickly as these will sell like hotcakes, too.
Register here: https://register.ignite.microsoft.com/
…
Grab an opportunity to help drive better services and products!
The Azure Monitor Alerts team is looking for feedback.
Your insights and opinions are critical, and by participating in this survey, you will have the opportunity to influence the product roadmap and help us improve the service capabilities that matter most to you.
The survey is designed to be quick and easy, taking only a few minutes to complete. Your responses will be kept confidential and will only be used to improve Azure Monitor Alerts.
…
That’s it from me for this week. Have a wonderful weekend and week ahead.
-Rod
Things to Attend
Join us at the Microsoft Entra Suite Showcase! - This fall, we are bringing the Microsoft Entra Suite Showcase to cities worldwide. Join us to explore how our latest advancements in secure identity and access management can help safeguard your organization's digital assets.
Things that are Related
How to Create an xPath Filter for a Data Collection Rule - In the world of data collection, efficiency is key. Just as my miniature schnauzer buddy, Raven, has a knack for sniffing out the most interesting scents while ignoring the mundane, an xPath filter can be used to streamline data collection by focusing only on the most relevant information. This document will guide you through the process of writing an xPath filter for a data collection rule, ensuring that your data ingress is as efficient and effective as Raven’s nose.
Things to Watch/Listen To
The Inside Scoop on Using KQL for Cloud Data Security - In this episode of the Microsoft Threat Intelligence Podcast host Sherrod DeGrippo is joined by the authors of the new book The Definitive Guide to KQL: Using Kusto Query Language for Operations, Defending, and Threat Hunting. Guests Rod Trent, Matt Zorich, and Mark Morowczynski discuss the significance of KQL (Kusto Query Language) in cloud data security and how it enables efficient data querying for threat detection in Microsoft products like Sentinel and Defender. They share insights from their own experiences, highlight key features of the book, and explain how both beginners and experts can benefit from KQL. Later in the episode Sherrod speaks with Senior Threat Hunter Lekshmi Vijayan about the growing trend of cyberattacks using malicious PowerShell commands. Lekshmi explains how attackers trick users into copying and pasting harmful code, often through compromised websites or phishing emails. They discuss how these attacks aim to install remote access tools like NetSupport RAT or information stealers, targeting sensitive data like browser credentials and crypto keys.
Things in Techcommunity
Microsoft Defender Endpoint Security Policies - I have a problem with creating Endpoint Security Policies (Windows policies, Mac policies, Linux policies). License is Microsoft Defender for Endpoint P2 for EDU.
DC sync attack alert issue - Microsoft Sentinel - I've been receiving an alert in Microsoft Sentinel titled "Non-Domain Controller Active Directory Replication on one endpoint." However, I'm having difficulty investigating the event because key fields like "Account" and "Subject Name," which are crucial for the analysis, are missing. Do you have any idea why these fields might be empty?
Copilot for Security Things
Microsoft Sentinel Things
The power of Data Collection Rules: Detect Disabling Windows Defender Real-Time Protection - There are scenarios in which organizations cannot enforce Tamper Protection for all devices, and attackers, being attackers, always try their best to bypass defenses and come up with new creative approaches to evade detection mechanisms. Therefore, it might be a good idea to monitor Defender-related event logs in parallel and to respond if you spot such malicious behavior. In this article we will review which event IDs you can collect to detect potentially malicious behavior that can affect device protection in your organization.
Detecting AiTM Phishing via 3rd-Party Network events in Unified Security Operations Platform - Microsoft Security has been evolving from individual security products - such as endpoint, email, identity, and app - to an XDR (Extended Detection and Response) solution, and it also offers a cloud-native SIEM solution, Microsoft Sentinel. Despite having these two strong security backbones, we have made tremendous progress by unifying the SIEM and XDR experience into a single platform called the Unified Security Operations Platform. Thanks to that, this platform provides comprehensive visibility, investigation, and response capabilities across endpoints, hybrid identities, emails, collaboration tools, cloud apps, cloud workloads, and data.
Enable Sentinel UEBA Activity Templates At Scale (In Bulk) - Once you have enabled Microsoft Sentinel UEBA (User and Entity Behavior Analytics) in your environment, you can customize the entity page and change the activities UEBA tracks. In addition to the activities tracked and presented in the timeline by Microsoft Sentinel UEBA, you can create any other activities you want to keep track of and present them on the timeline.
What's New: Global Search in Unified Security Operations platform includes Sentinel user and devices - We are thrilled to announce a significant enhancement to our Unified Security Operations (SecOps) platform. The Global Search feature in the Defender XDR portal now supports searching for Microsoft Sentinel users and devices, providing a more comprehensive and unified search experience for the customers using Microsoft’s Unified Security Operations platform. This powerful feature allows you to search for devices, users, and other information by typing full or partial search terms. With this update, you can now search for Microsoft Sentinel entities directly within the Unified security operations platform, streamlining your workflow and improving efficiency.
Defender for Cloud Things
Build and secure your apps with Azure App Service and Defender for Cloud - We are excited to share one of the latest security capabilities within the Better Together tab in Azure portal. It is now easier for Azure App Service customers to secure web apps by enabling Defender for App Service – part of Microsoft Defender for Cloud’s Cloud Native Application Platform (CNAPP) solution. The Better Together experience is designed to enhance your development journey by recommending and deploying the right services precisely when you need them, focusing especially on Azure App Service, Azure Container Apps (ACA), and Azure Kubernetes Service (AKS).
Defender for Endpoint Things
Introducing the new File Integrity Monitoring with Defender for Endpoint integration - The new FIM solution based on Defender for Endpoint offers real-time monitoring of critical file paths and system files, ensuring that any changes indicating a potential attack are detected immediately. In addition, FIM offers built-in support for relevant regulatory compliance standards, such as PCI-DSS, CIS, NIST, and others, allowing you to maintain compliance.
Microsoft is named a Leader in the 2024 Gartner Magic Quadrant for Endpoint Protection Platforms - We are excited to announce that Gartner has named Microsoft a Leader in the 2024 Gartner Magic Quadrant for Endpoint Protection Platforms for the fifth consecutive time. Notably, Microsoft has moved to a tie for number 1 on the Vision Axis. We believe this announcement reflects Microsoft’s continued progress in helping organizations protect their endpoints against even the most sophisticated attacks, while driving continued efficiency for security operations center (SOC) teams.
Defender for Identity Things
Identity Summary: New Security Copilot skill within Defender XDR - Today, we are excited to share details on the new Identity Summary skill, available within the Microsoft Defender XDR and Copilot for Security portals. It provides a natural language summary of user behavioral anomalies and potential misconfigurations. This blog highlights how the summary can uncover discrepancies and security gaps, enabling timely actions to enhance your organization’s overall security posture.
Defender Experts Things
Microsoft IR Internship Blog Series, Part 4 – ‘Facing an Active Threat’ – Patro’s experience - The Microsoft Intern Experience occurs during the summer at Microsoft. Interns at Microsoft's Incident Response (IR) customer-facing business, the Detection and Response Team (DART), gain insight into what’s needed to be a cyber incident response investigator - and experience it first-hand with our team of IR threat hunters. This blog is based on an interview with an intern about their internship experience and written from a first-person perspective.
Microsoft Entra Things
Explore the key benefits of Microsoft Entra Private Access - The traditional network security models are becoming increasingly ineffective in a world where remote work and cloud services are the norm. Conventional technologies like VPNs, while popular, offer limited protection in a boundary-less landscape, typically granting users excessive network access and posing significant risks. If compromised, these can lead to unauthorized access and potentially lateral movement within corporate networks, exposing sensitive data and resources. Microsoft Entra Private Access is at the forefront of addressing these challenges by effectively integrating identity and network access controls.
Purview Things
Implementing a secure by default approach with Microsoft Purview and address oversharing - Microsoft Purview provides several solutions and features that complement each other. For new-to-Purview administrators, it can be overwhelming to know where to start. Existing administrators may also be less familiar with how additional Purview features could enhance their data security posture.