Things from Me
Happy Friday, everyone!
In this edition of the weekly newsletter, I’m excited once again to bring you the latest updates and insights from the world of Microsoft Security.
In this issue:
Discover how the new inline PowerShell action in Logic Apps can streamline your workflows.
Explore the Azure Logic Apps for budget-constrained security use cases.
Learn about the MDTI Premium Data Connector for enhanced threat intelligence.
Stay informed with our comprehensive coverage on Microsoft Sentinel’s new data tier.
And much more.
Dive in to stay ahead in the ever-evolving landscape of cybersecurity!
…
Talk soon.
-Rod
Things that are Related
Unlock inline PowerShell capabilities to streamline Logic Apps workflows - The new inline PowerShell action, now in preview, adds flexibility to Logic Apps by enabling users to embed PowerShell scripts directly into workflows. This feature unlocks new possibilities for complex integrations, and I'm excited to demonstrate its potential with a bank reconciliation workflow demo.
Logic Apps & Automation - In this blog post, we will explore how to leverage Azure Logic Apps to solve for a common, budget-constrained, mission-critical security use case while also reducing overhead for your SOC analysts.
Things to Watch/Listen To
Things in Techcommunity
Get entities for every alert that Sentinel Incident has with the REST API - We are using the "expansionId" recommended in that post to fetch entities for specific alerts; as per the documentation, the Sentinel Incidents API returns a "summed" list of entities for Incidents (all entities from all alerts that are part of the same Incident).
Things to Have
UseCases_by_MITRE.kql - KQL query that shows Sentinel use cases count by MITRE tactics.
Things to Attend
AUG 29 (9:00 AM) Microsoft Sentinel | What's New in Microsoft Sentinel - We will spotlight the new developments and summarize the latest innovations in Sentinel.
SEP 4 Microsoft Purview | How can you use Copilot for Security in Purview to support your Data Security investigations - In this session you will learn about Copilot for Security in Purview and how it works, and see demos of how it can be used to address business challenges and to simplify and speed up investigations. This session is for anyone who would like to learn more about what Copilot for Security in Purview is and how to use it.
SEP 10 Microsoft Defender for Cloud | Prepare for Upcoming Transitions in Defender for Servers - In this webinar we will discuss the Defender for Servers P2 updates related to the MMA deprecation.
Copilot for Security Things
Microsoft Sentinel Things
How to parse network messages with KQL in Sentinel - Parsing the same firewall log message in 4 different formats (JSON, CEF, BSD Syslog, and Syslog RFC 5424) with full KQL breakdown.
Revolutionizing log collection with Azure Monitor Agent - With the deprecation of the Log Analytics agent (also called MMA or OMS), it's a great opportunity to discuss its successor, the Azure Monitor Agent (AMA), and why it is so much better and keeps improving!
Introducing the MDTI Premium Data Connector for Sentinel - The MDTI and Unified Security Operations Platform teams are excited to introduce an MDTI premium data connector available in the Unified Security Operations Platform and standalone Microsoft Sentinel experiences. This connector enables customers with an MDTI premium license and API license to apply the powerful raw and finished threat intelligence in MDTI, including high-fidelity indicators of compromise (IoCs), across their security operations to detect and respond to the latest threats.
Comprehensive coverage and cost-savings with Microsoft Sentinel's new data tier - Microsoft is excited to announce the public preview of a new data tier, Auxiliary Logs, together with Summary Rules in Microsoft Sentinel, to further increase security coverage for high-volume data at an affordable price.
What's new: Multi-tenancy in the unified security operations platform experience in Public Preview - Multi-tenancy with a single workspace is now in public preview for customers using Microsoft's unified security operations (SecOps) platform. This will expand the use cases we can support with this innovative experience, which brings together the critical tools a SOC requires into a single experience to improve protection and efficiency. Read on to learn more about what is available now and how to get started.
Defender for Cloud Things
Critical Cloud Assets: Identifying and Protecting the Crown Jewels of your Cloud - Microsoft is pleased to announce the release of a new critical cloud assets classification capability in the critical asset management and protection experience, as part of the Microsoft Security Exposure Management solution and Cloud Security Posture Management (CSPM) in Microsoft Defender for Cloud (MDC). This capability enables organizations to identify additional business-critical assets in the cloud, allowing security administrators and security operations center (SOC) teams to efficiently, accurately, and proactively prioritize and address security issues affecting critical assets in their cloud environments.
Securing Multi-Cloud Gen AI workloads using Azure Native Solutions - AI-based technology introduces a new set of security risks that may not be comprehensively covered by existing risk management frameworks. Based on our experience, customers often only consider the risks related to the Gen AI models themselves, such as OpenAI or Anthropic, and thereby fail to take a holistic approach that covers all aspects of the workload.
Defender for Endpoint Things
Microsoft Defender for Endpoint’s Safe Deployment Practices - For customers it is key to understand that software vendors use safe deployment practices that help them build resilient processes that maintain productivity. This blog addresses Microsoft Defender for Endpoint’s architectural design and its approach to delivering security updates, which is grounded in Safe Deployment Practices (SDP).
Defender XDR Things
Host Microsoft Defender data locally in India - We are pleased to announce that Microsoft Defender for Endpoint and Microsoft Defender for Identity now support local data residency in India.
Defender for Identity Things
Defender for Identity PowerShell module update - Hi everyone! I'm excited to announce an update to the PowerShell module we released for Microsoft Defender for Identity earlier this year. These enhancements are designed to add some new functionality and address some of the feedback you provided in the comments. As always, we really appreciate your feedback and engagement with this module!
Microsoft Purview Things
Explaining Purview concepts: Domains, Business Domains, Collections, Data Products and Data Assets. - Microsoft Purview offers a comprehensive suite of tools for governing your organization's data through the solutions included in Purview Unified Platform. To catalog your data assets, you must first define your data map, which is composed of collections. However, you might encounter several related concepts that can be confusing when trying to streamline your organization’s data governance.
How to build the Microsoft Purview extended report experience - This is a step-by-step guided walkthrough of the extended report experience.
Guided walkthrough of the Microsoft Purview extended report experience - This is a step-by-step guided walkthrough of the Microsoft Purview extended report experience and how it can empower your organization to understand cyber security risks in a context that allows it to achieve more, by focusing on the information and organizational context that reflects the real impact and value of investments and incidents in cyber security.
Defender for Office Things
Secure architecture design – How Defender for Office 365 protects against EchoSpoofing - A new spoofing technique labeled “EchoSpoofing” was recently reported that impacted select Proofpoint customers. This blog provides a brief overview of how this particular attack exploited their specific architecture and describes the architecture best practices implemented by Microsoft Defender for Office 365 that protect against EchoSpoofing and spoofing attacks broadly.
Defender Threat Intelligence Things
Introducing the MDTI Article Digest - The MDTI team is excited to introduce the MDTI Article Digest, a new way for customers to stay up to speed with the latest analysis of threat activity observed across more than 78 trillion daily threat signals from Microsoft's interdisciplinary teams of experts worldwide.
Microsoft Entra Things
Securing your Azure deployments with PSRule | Microsoft Entra Identity Platform - Today, I’m going to show you how you can automatically check that your Azure infrastructure is configured according to security best practices and how you can fit it in as part of your GitHub CI/CD workflows.