Things from Me
Happy Friday, good people!
Just one quick thing before I turn you over to the newsletter content this week.
…
Your Input for the Microsoft Sentinel Ecosystem
Solutions and integrations in the Microsoft Sentinel ecosystem, such as those available in Content Hub, are pivotal in bolstering the security coverage of organizations. As our customers increasingly integrate Microsoft Sentinel with Microsoft Defender XDR, by enabling our unified SOC platform (https://learn.microsoft.com/azure/sentinel/microsoft-365-defender-sentinel-integration), the importance of this ecosystem only increases.
In this brief survey, we seek your suggestions on improving Microsoft Sentinel's ecosystem. Whether it's a feature request, an idea for a new solution, or an enhancement to an existing one, we welcome your feedback. Feel free to submit multiple responses if you have multiple suggestions.
Your insights will help us prioritize features that matter most to you. This survey will be open until September 26, 2024.
Supply your input here: https://forms.office.com/r/Yy7WWFGyeD
…
That’s it from me for this week. Have a great weekend and week ahead.
-Rod
Things in Techcommunity
Why not separate the Defender for Cloud roles from Azure resources RBAC roles - I am wondering why MS can't separate the Defender for Cloud roles from the Azure resources RBAC roles, similar to the separation implemented for Reservations and Cost Management + Billing?
Sensor Status - Not configured - I've installed the sensors on each DC following the setup process. Even if there are no health issues, the sensor status reports "Not Configured" and the health status is marked as "Not Healthy".
Hunting for data related to privilege escalation (like app installs) - I'm navigating the Defender tables to try to understand how I can hunt for privilege escalation events, benign ones in this case. For example, when our Helpdesk team connects to a computer to install an application, it will request an elevation of privileges, as the local users do not have permissions for it. I would like to audit this type of privilege escalation event, but I can't find the data related to it. Does anyone know in which table I can find this kind of data?
Things to Have
INCLUDE DETECTIONS: Peach Sandstorm deploys new custom Tickler malware in long-running intelligence gathering operations - Between April and July 2024, Microsoft observed Iranian state-sponsored threat actor Peach Sandstorm deploying a new custom multi-stage backdoor, which we named Tickler. Tickler has been used in attacks against targets in the satellite, communications equipment, oil and gas, as well as federal and state government sectors in the United States and the United Arab Emirates. This activity is consistent with the threat actor’s persistent intelligence gathering objectives and represents the latest evolution of their long-standing cyber operations.
Copilot for Security Things
On Monday September 2, 2024 at 5PM EST - In Episode 225, stop by to learn why Performanta has been recommended for the show for its highly innovative and sophisticated solutions. Looking for evidence of how far a partner can push the integration with Copilot for Security? This is it!
Microsoft Sentinel Things
Deep Dive into Microsoft Sentinel Summary Rules - We’re going to dive deep into Microsoft Sentinel summary rules. But first, let’s try to find out why they’re so important. To do that, we’ll take a small detour into the human brain.
Ingest Firewall logs into Sentinel Auxiliary Logs tier using Logstash with only $0.10/GB | LinkedIn - As Auxiliary logs are currently in preview, we need to understand some limitations. The most pressing limitation is region availability. It's also worth mentioning that, at least currently, the only ways to ingest into an Auxiliary table are 1) a text or JSON file via AMA, or 2) Azure Monitor using the Logs Ingestion API. It remains to be seen whether other methods become available over time.
Monitor Copilot for Security with Microsoft Sentinel - The CfSAllinOne plugin for Copilot for Security is a custom plugin built on several KQL queries and tied to a Log Analytics workspace for Microsoft Sentinel. The plugin can be used with non-Sentinel environments, but that requires the effort of creating a new Log Analytics workspace and then manually adding the specific diagnostic settings (logs) that supply the required data.
Suppressing Defender for XDR Incidents Using Automation Rules in Microsoft Sentinel: A Step-by-Step Guide - Microsoft Sentinel offers powerful automation capabilities, allowing security teams to automatically manage and suppress certain types of incidents based on predefined criteria. In this blog post, we will explore how to suppress Defender for XDR incidents by automatically closing them using an automation rule in Microsoft Sentinel.
Practical Sentinel: Creating Incidents From Networking Data - After identifying what networking data you should ingest into Sentinel and choosing the most efficient ingestion method, the next step is to start creating alerts and incidents using the data.
Save ingestion costs by splitting logs into multiple tables and opting for the basic tier! - In this blog post I am going to talk about splitting logs to multiple tables and opting for basic tier to save cost in Microsoft Sentinel. Before we delve into the details, let’s try to understand what problem we are going to solve with this approach.
Defender for Cloud Things
Detect Container Drift with Microsoft Defender for Containers - Microsoft Defender for Containers introduces the binary drift detection feature in public preview, to detect execution of files in a running container that drift from the original container image which was scanned, tested, and validated. It's available for the Azure (AKS) V1.29, Amazon (EKS), and Google (GKE) clouds.
Defender XDR Things
Push IOCs With PowerShell Via API - In the fast-paced world of cybersecurity, the ability to swiftly respond to threats is crucial. However, even the most well-oiled Security Operations Center (SOC) can encounter hiccups, such as Role-Based Access Control (RBAC) configuration mishaps that can, for example, hinder the manual registration of Indicators of Compromise (IOCs) in the Microsoft Defender portal, and much, much more. When such issues arise, having an alternative method to publish IOCs becomes invaluable.
Defender for Identity Things
Protect and Detect: Microsoft Defender for Identity Expands to Entra Connect Server - We are excited to announce a new Microsoft Defender for Identity sensor for Entra Connect servers. This addition is a significant step in our ongoing commitment to expanding Defender for Identity’s coverage across hybrid identity environments. It reinforces our vision of overseeing and protecting the entire identity fabric, greatly enhancing the SOC’s visibility and protections for these complex environments.
Defender Vulnerability Management
Research Analysis and Guidance: Ensuring Android Security Update Adoption - Microsoft researchers analyzed anonymized and aggregated security patch level data from millions of Android devices enrolled with Microsoft Intune to better understand Android security update availability and adoption across Android device models. In this post, we describe our analysis, and we provide guidance to users and enterprises to keep their devices up to date against discovered vulnerabilities.
Microsoft Entra Things
Entra Private Access/GSA – Automatic Network Detection – This blog covers a custom script solution for Intune that can be used to automatically detect whether the Entra Private Access (GSA) client is connected to the internal network or off-site. When the client is connected to the internal network, we don’t want to send the network traffic into the GSA tunnel through Microsoft, but rather use direct connectivity to the servers.