Things from Me
Welcome back everyone and I hope you have a happy Friday after a fruitful and rewarding week.
Here we are at issue number 2 of the newly christened SIEM and XDR newsletter, which combines the Sentinel and Defender newsletters that were delivered separately for the last 3 years or so.
Feedback from the first issue was super complimentary and I want to thank everyone who commented. But even with the success and continued growth of this community, further gains depend on you. Please share the content of this newsletter and the newsletter itself with someone who needs to know about it. Together, let’s build the best community possible.
…
I’ve been under the weather for the last week. If you remember from previous newsletter issues, my family spent some time in Ohio Amish country recently and, as relaxing and renewing as it was, I seem to have caught some sort of cold bug. Over my lengthy career, I’ve rarely taken sick time off work, but this one was serious enough to actually shut down and rest. As of this newsletter delivery, I’m finally emerging and feeling good enough to dig into what I’ve missed.
I say that to say this… If I did not respond as quickly as normal this past week or if I did not respond at all, that’s why and I promise I’ll get around to making things right.
…
I DID A THING.
Lastly, I wanted to drop a note about a fiction book of mine that has recently been fully published. Sword of the Shattered Kingdoms: Ancient Crystal of Eldoria is a fantasy novel in the vein of Robert E. Howard.
It may not be your thing at all, but I suspect many that read here may be interested.
It’s currently available in paperback, Kindle/eBook, and audiobook. Amazon's Kindle Unlimited members can read it for free.
Paperback: https://amzn.to/3ztECgT
eBook/Kindle: https://amzn.to/4ckE0ci
Audiobook: https://play.google.com/store/audiobooks/details/Rod_Trent_Sword_of_the_Shattered_Kingdoms?id=AQAAAEDSjwLPwM
This story lays the groundwork for the series. Additional locations for the audiobook are on the way.
Additionally, there’s an exclusive free chapter available for download: https://github.com/rod-trent/SSK/tree/main/Free_Chapter
With the July 4th weekend coming next week, this will be a great way to leave work at work and stretch your brain in new ways.
…
That’s it from me for this week. I hope your weekend and the week ahead are good ones.
Talk soon.
-Rod
Things that are Related
Harnessing Microsoft's AI-Driven Tools to Safeguard Your Generative AI Landscape - As the realm of Generative AI continues to evolve, organizations are grappling with the complexities of navigating this uncharted territory. The surge in adoption of these cutting-edge technologies has given rise to a multitude of challenges, ranging from data security concerns to regulatory compliance hurdles. In this ever-changing landscape, it has become imperative for businesses to equip themselves with robust tools and strategies to effectively monitor and secure their Generative AI ecosystems.
Things to Watch/Listen To
Things in Techcommunity
Reset Entra ID User Password Playbook error "NotFound" | Microsoft Sentinel Automation - Has anyone ever used and activated the playbook 'Reset-EntraIDUserPassword-EntityTrigger' and encountered a 'NotFound' error as shown in the following image?
Daily "Network Port Sweep detected on port x" but no Source IP - For a couple of months we have been getting "Network Port Sweep was detected by multiple IPs" with ports 135 and 445 mostly. The KQL attached lists a load of Destination IPs but no Source IP (see example below). All these are inside our network, and so not coming from outside the network where the firewall would block such scans. We suspect it is one of our network tools such as Solarwinds, but without the Source IP it is difficult to prove anything.
Copilot for Security Things
Copilot for Security Things now has its own bi-weekly newsletter! If you want updates and community for Copilot for Security, subscribe, follow, or grab the RSS feed.
Microsoft Sentinel Things
What's New: Create your own codeless data connector - Today we're announcing the general availability of the Codeless Connectors Platform (CCP) in Microsoft Sentinel that provides partners, advanced users, and developers the ability to create custom connectors for ingesting data to Microsoft Sentinel.
Introducing SOC Optimization API - SOC optimization is a new feature designed to combine the power of out-of-the-box content with the flexibility of the SIEM to help you optimize your SOC processes and coverage to your organization’s specific needs, priorities, threats and environment. The first phase of this new feature helps you gain deep insights into your data usage patterns and coverage gaps against specific threats. It provides actionable recommendations to tighten your ingestion rates for data that doesn't provide security value, correctly leverage the data that does, and improve your current coverage based on the threat landscape. You can learn more about the feature with the following resources.
Defender for Cloud Things
Architecting secure Generative AI applications: Safeguarding against indirect prompt injection - What if an attacker manages to run a prompt under the identity of a valid user? An attacker can hide a prompt in an incoming document or email, and if a non-suspecting user uses a Gen-AI LLM application to summarize the document or reply to the email, the attacker’s prompt may be executed on behalf of the end user. This is called indirect prompt injection. This blog focuses on how to reduce its risks.
Defender XDR Things
(Preview) Content distribution through tenant groups in multitenant management is now available. Content distribution helps you manage content at scale across tenants in multitenant management in Microsoft Defender XDR. In content distribution, you can create tenant groups to copy existing content, like custom detection rules, from the source tenant to the target tenants you assign during tenant group creation. The content then runs on the target tenant's devices or device groups that you set in the tenant group scope.
(Preview) You can now filter your Microsoft Defender for Cloud alerts by the associated alert subscription ID in the Incidents and Alerts queues. For more information, see Microsoft Defender for Cloud in Microsoft Defender XDR.
Defender Threat Intelligence Things
Copilot for Security TI Embedded Experience in Defender XDR is now GA - The Microsoft Defender Threat Intelligence (MDTI) and Defender XDR teams are pleased to announce that the Copilot for Security threat intelligence embedded experience in the Defender XDR portal is now generally available. As of today, Defender XDR customers will see a handy AI-powered sidecar in the Threat Analytics, intel profiles, intel explorer, and intel projects tabs in the threat intelligence blade, which returns, contextualizes, and summarizes intelligence from across MDTI and Threat Analytics about threat actors, threat tooling, and indicators of compromise (IoCs) related to their vulnerabilities and security incidents.
More Threat Intelligence Content in MDTI, TA Enables Better Security Outcomes - Microsoft threat intelligence empowers our customers to keep up with the global threat landscape and understand the threats and vulnerabilities most relevant to their organization. We are excited to announce that we have recently accelerated the speed and scale at which we publish threat intelligence, giving our customers more critical security insights, data, and guidance than ever before.
Microsoft Entra Things
User insights: Analyze customer identity data - Today, we're excited to announce the general availability of user insights in Microsoft Entra External ID. User insights, which was launched in public preview in October 2023, is a powerful tool that enables admins and developers to gain deeper insights into their customers’ behavior, preferences, and challenges.
Move to cloud authentication with the AD FS migration tool! - We’re excited to announce that the migration tool for Active Directory Federation Service (AD FS) customers to move their apps to Microsoft Entra ID is now generally available! Customers can begin updating their identity management with more extensive monitoring and security infrastructure by quickly identifying which applications are capable of being migrated and assessing all their AD FS applications for compatibility.
How to integrate Microsoft User Authentication using Microsoft Entra ID: A Step-by-Step Guide to Use - In this article we will be creating our tenant, resource and other services to use Microsoft Entra ID (formerly Azure AD) to create access management for only selected users. By the end of this article you'll be able to create your own and also have the direction to take a deeper dive into more implementations of this service.
Introducing the Microsoft Entra PowerShell module - We’re thrilled to announce the public preview of the Microsoft Entra PowerShell module, a new high-quality and scenario-focused PowerShell module designed to streamline management and automation for the Microsoft Entra product family.
Evolve your CIAM strategy with External ID - Since our GA announcement, we’ve received lots of interest from customers who want to get started with External ID. Don't miss our live Ask Me Anything webinar on July 11, 2024, at 9am PST! Register online to join our product experts as they showcase live demos to show how External ID shortens the implementation of secure end-to-end identity experiences into external-facing apps from months to minutes.
Windows Defender Things
New Microsoft Defender Antivirus services on Windows Devices (Last updated Jun 21, 2024) - Microsoft Defender Antivirus on Windows 10 and Windows 11 will be shipping with a new service called Microsoft Defender Core service. The rollout will occur in stages, starting with a preview in November 2023 and worldwide rollout in April 2024. To prepare, users need to update the Platform Update to the latest version and allow specific URLs. If using an Application Control application or running a third-party AV and/or EDR, add the Microsoft Defender Core Service process to the allowed list. GCC Moderate, GCC High and DOD: We will roll out to all rings (Current Channel (Preview), Current Channel (Staged) and Current Channel (Broad)) during late June 2024 (previously mid-June).