Things from Me
Happy Friday everyone!
It’s great to be back in your inbox once again. And, if you’re not reading this in your inbox…why not? The differences between hunters and gatherers have been a topic of discussion for thousands of years. Or, in our case - in the realm of Internet content - those that like to go get their information and those that like their information to flow to them. If you’re not an inbox subscriber, try it out for a bit. If it really doesn’t fit you, you can just continue to read on the web like normal.
Do you know someone that doesn’t read this weekly catch-all but should? Forward it along to them and recommend they start reading.
…
Microsoft Applied Skills: Call for Content for Microsoft SIEM+XDR
In November 2023, Microsoft launched the Applied Skills program (https://learn.microsoft.com/credentials/support/appliedskills-process-overview), giving users access to virtual Microsoft Azure environments where you can learn from a library of scenarios, and practice through learning exercises. Learning exercises are graded for the purpose of rewarding the user with a credential to show their accomplishment.
The SIEM & XDR Team at Microsoft wants to create a library of Microsoft Sentinel and Microsoft XDR scenarios. With that, they would like to ensure that they are providing the best learning content. To help, please complete this survey with what you feel is most valuable for you or your colleagues.
Complete the survey: https://forms.office.com/r/zicgJDaAFU
…
By the time this newsletter is live, my latest fiction book has launched!
The year is 2045, a century after World War II. As the world has moved on from the atrocities of World War II, an ominous force lurks in the depths of the cosmos, plotting its revenge. In the waning days of the war, the desperate dictator was abducted by an advanced alien civilization, the Kridrax, who saw his twisted genius as a valuable asset in their quest for universal domination.
Promising the chance to conquer Earth and exact his vengeance, the Kridrax performed a sinister experiment – transplanting the dictator's consciousness into a synthetic body, one designed to sustain him indefinitely. For decades, the dictator bided his time, assisting the Kridrax in subjugating planet after planet, all while honing his thirst for power over the human race he so despised.
Check it out: https://amzn.to/3A68QHb
…
That’s it for me for this week.
Talk soon!
-Rod
Things that are Related
Azure Monitor Logs Next Evolution: Multi-tier logging - Today we’re announcing the public preview of Auxiliary Logs, a new inexpensive Azure Monitor plan for verbose logs used in compliance and security scenarios. Together with the recent public preview of Summary Rules and improved capabilities of Basic Logs, Azure Monitor Logs is evolving into a new multi-tier logging vision.
Things to Watch/Listen To
Things in Techcommunity
Local IPs ( 10.60.0.0/24 ) in ClientIP field in OfficeActivity logs? - Started seeing this more often recently, and it has started to cause some uptick in alerts across multiple customers (we are an MSP). It seems to me like a backend workflow is failing to write true source IPs to OfficeActivity logs, resulting in some 10.60.0.0/24 IPs being recorded as the ClientIP. Could this be some backend IP belonging to Microsoft services?
Device Control with Defender for Endpoint not capturing evidence - Recently Defender for Endpoint has stopped capturing evidence when transferring files to a USB device and I can't figure out what's changed.
Defender for Server without Internet access - I don't want to expose my servers to internet using a proxy or any other mechanism. Is there any possibility to deploy & manage Defender for both Windows & Linux servers?
Things to Have
KQL for locating Copilot Usage - This is a list of KQL queries for locating Copilot usage in the SecurityEvent table.
Copilot for Security Things
Don’t miss a minute of being cool. Subscribe to the Bi-Weekly Copilot for Security newsletter…
Microsoft Sentinel Things
Auxiliary Logs + Summary Rules - This article explains how two new capabilities from Microsoft Sentinel/Log Analytics Workspace work in conjunction with each other and the problems they solve.
Microsoft Sentinel: Updated SecurityEvent Table Schema - As of July 30th, the SecurityEvent table now has new data columns available to query.
Monitoring Microsoft Sentinel Reports with Dashboard Hub & Power BI - Microsoft Sentinel provides a variety of pre-built workbooks that are crucial for visualizing data and enhancing operational efficiency. Given the numerous workbooks available in our content hub solution, organizing them into dashboards ensures that stakeholders can easily access data relevant to their specific interests.
New 1Password SIEM integration with Microsoft Sentinel now generally available - Microsoft Sentinel customers, get ready to streamline your security monitoring and investigation workflows with the official 1Password integration for Microsoft Sentinel.
New Auxiliary logs retention plan (Preview) - The new Auxiliary logs retention plan for Log Analytics tables allows you to ingest large quantities of high-volume logs with supplemental value for security at a much lower cost. Auxiliary logs are available with interactive retention for 30 days, in which you can run simple, single-table queries on them, such as to summarize and aggregate the data. Following that 30-day period, auxiliary log data goes to long-term retention, which you can define for up to 12 years, at ultra-low cost. This plan also allows you to run search jobs on the data in long-term retention, extracting only the records you want to a new table that you can treat like a regular Log Analytics table, with full query capabilities. To learn more about Auxiliary logs and compare with Analytics logs, see Log retention plans in Microsoft Sentinel.
Create summary rules in Microsoft Sentinel for large sets of data (Preview) - Microsoft Sentinel now provides the ability to create dynamic summaries using Azure Monitor summary rules, which aggregate large sets of data in the background for a smoother security operations experience across all log tiers.
Access summary rule results via Kusto Query Language (KQL) across detection, investigation, hunting, and reporting activities.
Run high performance Kusto Query Language (KQL) queries on summarized data.
Use summary rule results for longer in investigations, hunting, and compliance activities.
For more information, see Aggregate Microsoft Sentinel data with summary rules.
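To make the Auxiliary logs and summary rules items above concrete, here is an added KQL example (not from the page or from Microsoft's documentation). It assumes a hypothetical DCR-based custom table FirewallVerbose_CL on the Auxiliary plan with columns TimeGenerated, SourceIp, DestinationIp, DestinationPort, Action and SentBytes, and a summary rule whose destination table is assumed to be named FirewallDenySummary_CL. The first query is the single-table aggregation you would place in the summary rule; the second runs against the rule's (Analytics-tier) output, where full KQL, joins and analytics rules are available.

```kql
// Added example; all table and column names are assumptions, not Microsoft's schema.
//
// 1) Summary rule query over the Auxiliary-plan table. The plan's 30-day
//    interactive retention supports simple single-table queries such as this
//    aggregation; the rule runs it once per bin (for example every 60 minutes)
//    and writes one row per group to the destination table.
FirewallVerbose_CL
| where Action == "Deny"
| summarize
    DenyCount = count(),
    DistinctPorts = dcount(DestinationPort),
    SentBytes = sum(SentBytes)
    by bin(TimeGenerated, 1h), SourceIp, DestinationIp

// 2) Hunting/detection query over the summarized rows (assumed destination
//    table FirewallDenySummary_CL). This reads a small Analytics-tier table
//    rather than the verbose raw data, so it is cheap to schedule as an
//    analytics rule. DistinctPorts is a per-hour value, so take its peak
//    rather than summing it across hours.
FirewallDenySummary_CL
| where TimeGenerated > ago(7d)
| summarize
    TotalDenies = sum(DenyCount),
    PeakPortsPerHour = max(DistinctPorts),
    Targets = dcount(DestinationIp)
    by SourceIp
| where PeakPortsPerHour > 100 or Targets > 50   // thresholds are assumptions; tune per environment
| order by TotalDenies desc
```

Keep the summary rule's grouping keys to the fields a later investigation actually needs: every extra key multiplies output rows, and the point of the two-tier layout is that the raw Auxiliary data stays cheap while the summarized table stays small enough to query freely.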
Defender for Cloud Things
A Comprehensive, Single vendor CNAPP solution and its Capabilities in 2023 - I’ve spoken about Cloud-Native Application Protection Platform more than a year ago when Gartner announced their new “solution” term. Have a read at that here: The all in-one Cloud Security Solution CNAPP — according to Gartner | by Andre Camillo | Geek Culture | Medium
Defender for Cloud Apps Things
Enforcing Cloud App control with Defender for Cloud Apps - Particularly with the rise of SaaS-based genAI tools in the last year, protecting sensitive data usage is key, so let’s learn how to get started with this with a CASB and an agent in your fleet’s devices. Note how this is just the tip of the iceberg. I will skip information protection policies and setup which are next steps…
Enhancing Security with Microsoft Defender for Cloud Apps' New In-Browser Protection - Microsoft has introduced a new in-browser protection feature for Microsoft Defender for Cloud Apps. This update is designed to strengthen security by offering real-time monitoring and control over user activities in sanctioned and unsanctioned cloud applications. Leveraging deep integration with Microsoft Edge and Google Chrome, this feature enables organizations to enforce data protection policies directly within the browser. It helps to mitigate risks associated with data exfiltration, shadow IT, and compliance violations by providing granular control over file uploads, downloads, and clipboard actions.
Defender for Office Things
Announcing quarantine release integration in MDO hunting experience!! - We are excited to introduce the new quarantine release integration within Microsoft Defender for Office 365 as part of the hunting experience. This enhancement allows Security Operators (SecOps) to address false positives more efficiently and with greater flexibility in Microsoft Defender for Office 365.
Announcing Microsoft Defender for Office 365 APIs for retrieving threat data and remediating emails - We are excited to announce the release of new Microsoft Defender for Office 365 APIs which enable security teams to leverage threat information and response capabilities of Microsoft Defender for Office 365 inside automation and security orchestration tools of their choice.
Microsoft Entra Things
Migrate ADAL apps to MSAL with enhanced insights - We’re pleased to announce significant updates to the Sign-ins workbook in the Microsoft Entra admin center, a crucial tool for organizations transitioning from Azure Active Directory Authentication Libraries (ADAL) to Microsoft Authentication Libraries (MSAL). These updates aim to streamline the ADAL migration process by providing comprehensive insights into your ADAL-application-related data.