Things from Me
Happy Friday all! I hope everyone is well and ready to dig in.
Before I leave you with the newsletter, here are a few things to highlight.
…
The next season of the AI Tour is gearing up, so if you're able to join us when it heads your way this fall, I want to personally invite you. This round there's an actual Copilot for Security session that will be lots of fun, so I'll be on hand to meet you in person. This session won't be delivered for every single tour date due to venue restrictions, but for those that are, I hope to see you there.
The schedule for the AI Tour is still being finalized, but you can sign-up to be notified when the schedule gets posted publicly.
Sign up to be notified by email here: https://info.microsoft.com/AI-Tour-Corp_Interest-form.html
And, if you’re interested in what the Copilot for Security session might look like, I’m already starting to build out the demo files. You can find those here: https://aka.ms/CfSAITour
…
That’s it from me for this week.
Talk soon.
-Rod
Things that are Related
Azure Monitor: How To Get Alerts for Disconnected Arc Agents - In this post, I am going to show you how to set up alerts for disconnected Arc agents using Azure Monitor. If you are not familiar with Azure Arc, it is a service that lets you manage and govern your hybrid cloud resources from a single pane of glass. More about it in the Azure Arc overview public documentation page.
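As an added example (not code from the linked post), the query below surfaces Arc-enabled servers whose connected-machine agent is no longer reporting as Connected. It runs against Azure Resource Graph, where each Arc machine is a `microsoft.hybridcompute/machines` resource and the agent's own connectivity state is exposed as `properties.status`; a Resource Graph alert rule can fire on any rows it returns. The assumption is that your Arc servers are onboarded and visible to Resource Graph in the scope you query.

```kql
// Added example: Azure Resource Graph query for Arc-enabled servers whose
// connected-machine agent is not currently Connected.
// Assumes Arc-enabled servers are visible to Resource Graph in the queried scope.
resources
| where type =~ "microsoft.hybridcompute/machines"
| extend status = tostring(properties.status),                    // Connected, Disconnected, Expired, Error
         lastStatusChange = todatetime(properties.lastStatusChange),
         osName = tostring(properties.osName),
         agentVersion = tostring(properties.agentVersion)
| where status != "Connected"
| extend minutesSinceChange = datetime_diff("minute", now(), lastStatusChange)
| project name, resourceGroup, subscriptionId, status, lastStatusChange,
          minutesSinceChange, osName, agentVersion
| order by lastStatusChange asc
```

Two caveats a practitioner should keep in mind. First, `properties.status` reflects the Arc agent's control-plane connectivity, which is a different signal from the Heartbeat table in Log Analytics (that table shows whether Azure Monitor Agent is shipping data, not whether the machine is still Arc-connected); a machine can be Connected in Arc while its AMA heartbeat is silent, and vice versa. Second, Resource Graph is a snapshot, so base any "how long has it been disconnected" logic on `lastStatusChange` rather than on when the alert evaluated.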
Public Preview: New Azure Monitor Auxiliary Logs Plan - Today, Azure Monitor Logs introduces a new plan in our multi-tier strategy for optimal consumption and cost optimization: Auxiliary Logs. Auxiliary Logs are for verbose logs and are designed to be inexpensive, while providing you with a set of capabilities to manage and consume your data. Azure Monitor’s multi-tier strategy now supports three plans - Analytics, Basic and the new Auxiliary plan - and allows you to store all your logs in one place and retain different data types for as long or as little as you need, with a cost-effective pricing model.
Things to Watch/Listen To
Things in Techcommunity
Need some KQL for DNS - I need a few KQL queries for the use case below, as the tables are _Im_Dns and ASimDnsActivityLogs.
Problem with defender onboarding using script - I am trying to onboard a Windows 11 PC to Endpoint and I receive the same error as in the thread.
Copilot for Security Things
The Copilot for Security Prompt Library sees right around 4,500 visits a week and is updated daily. Built for Copilot for Security, many of these prompts can be used anywhere and represent proper techniques of prompt engineering.
CfS Prompt Library: https://aka.ms/CfSPromptLibrary
This is a GitHub repository, so you can choose to fork it or follow it to stay informed when new things are posted.
Microsoft Sentinel Things
Extract Custom Details From Microsoft Sentinel Into Logic App - When a security alert is triggered, the information provided in the alert is vital for the security analyst to conduct an investigation. Therefore, the alert must contain essential details. Including custom information in the alert will enhance the efficiency of the investigation. Custom details enable users to add specific information to the alert generated by scheduled and near-real-time (NRT) alert rules.
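Before a Logic App can use custom details, it helps to see where they actually land. As an added example (not from the linked post), the KQL below reads them back from the SecurityAlert table: scheduled and NRT rules serialize custom details into `ExtendedProperties` under the key "Custom Details", as a JSON object whose values are arrays (one element per matching row the rule grouped into the alert). The custom detail name `SuspectUser` is an assumption for illustration; substitute whatever keys your rule defines.

```kql
// Added example: read the custom details a scheduled or NRT analytics rule
// attached to its alerts. "SuspectUser" is an assumed custom detail name.
SecurityAlert
| where ProviderName == "ASI Scheduled Alerts"        // Microsoft Sentinel scheduled and NRT rules
| extend Ext = parse_json(ExtendedProperties)
// "Custom Details" is stored as a JSON string inside ExtendedProperties,
// so it needs a second parse_json after tostring().
| extend CustomDetails = parse_json(tostring(Ext["Custom Details"]))
| where isnotempty(CustomDetails)
// Each custom detail is an array; take the first value, or mv-expand to get one row per value.
| extend SuspectUser = tostring(CustomDetails["SuspectUser"][0])
| project TimeGenerated, AlertName, SystemAlertId, Status, SuspectUser, CustomDetails
| order by TimeGenerated desc
```

The same shape applies inside the Logic App: on the "Microsoft Sentinel alert" trigger, `triggerBody()?['ExtendedProperties']?['Custom Details']` returns that JSON string, so wrap it in `json()` before indexing into it, and remember the values are arrays, not scalars. If a rule does not define custom details, the key is absent, which is why the query filters on `isnotempty` rather than assuming it exists.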
SOC optimization is now GA!
Introducing SOC Optimization API - SOC optimization is a new feature designed to combine the power of out-of-the-box content with the flexibility of the SIEM to help you optimize your SOC processes and coverage to your organization's specific needs, priorities, threats and environment. The first phase of this new feature helps you gain deep insights into your data usage patterns and coverage gaps against specific threats. It provides actionable recommendations to tighten your ingestion rates for data that doesn't provide security value, make correct use of the data that does, and improve your current coverage based on the threat landscape. You can learn more about the feature with the following resources.
Optimize your security operations - SOC optimization surfaces ways you can optimize your security controls, gaining more value from Microsoft security services as time goes on.
Defender for Cloud Things
Microsoft Defender for Cloud PoC Series - Microsoft Defender for APIs - This Microsoft Defender for Cloud PoC Series provides guidelines on how to perform a proof of concept for specific Microsoft Defender plans. For a more holistic approach where you need to validate Microsoft Defender for Cloud and Microsoft Defender plans, please read the How to Effectively Perform a Microsoft Defender for Cloud PoC article.
Defender Vulnerability Management
Using Export API with Defender Vulnerability Management - Microsoft Defender Vulnerability Management helps organizations identify and remediate security vulnerabilities in their environment. It provides a centralized view of vulnerabilities across all device types in an organization and prioritizes them based on severity and exploitability. Defender Vulnerability Management provides an export API that allows programmatic access to vulnerability data. The API can be used to automate vulnerability management tasks, integrate vulnerability data with other security tools, and generate custom reports and dashboards.
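The export API is a REST endpoint, but the per-device vulnerability assessment it returns is the same dataset exposed in Defender XDR advanced hunting, which is the quickest way to see what "prioritized by severity and exploitability" looks like before you wire up automation. The query below is an added example, not code from the linked post, and uses advanced hunting rather than the export API itself; it assumes the tenant has Defender Vulnerability Management data flowing into the `DeviceTvm*` tables.

```kql
// Added example: prioritize device vulnerabilities by severity and exploit availability
// using the DVM tables in advanced hunting (same assessment data the export API returns).
// Assumes DeviceTvmSoftwareVulnerabilities and DeviceTvmSoftwareVulnerabilitiesKB are populated.
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("Critical", "High")
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate
  ) on CveId
| where IsExploitAvailable == true                     // known public exploit: remediate first
| summarize
    Devices = dcount(DeviceId),
    SampleDevices = make_set(DeviceName, 5),
    Software = make_set(strcat(SoftwareVendor, "/", SoftwareName), 5),
    RecommendedUpdate = any(RecommendedSecurityUpdate)
  by CveId, VulnerabilitySeverityLevel, CvssScore, PublishedDate
| order by Devices desc, CvssScore desc
```

When you move this to the export API for reporting or integration, use the file-based export rather than paging through JSON for anything beyond a small tenant: the per-device assessment is large, and the API's paged variant is meant for incremental pulls, not full snapshots.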
Microsoft Entra Things
Now available: Modernize your SAP environment with Microsoft Entra ID - Building on our joint announcement with SAP earlier this year, we have now released guidance to help customers modernize their SAP environment and move their identity management scenarios from SAP Identity Management (SAP IDM) to Entra ID. With this documentation, SAP IDM customers can migrate seamlessly to the cloud-based IAM and identify the right partners that can assist.