Things from Me
Happy Friday everyone!
As you’re reading this, I’m on the 2nd day of a mental recess. Things have been super busy here at Microsoft already this fiscal year, and looking forward to the near future, there’s no slowing down. So, I’m taking the necessary time I know I need. If things have gone as planned, I spent Thursday disconnected completely. I’ll have to look back from the future to see how successful I was.
But buckle up because this edition is packed with more excitement than a hacker at a password convention! From the latest on Microsoft’s Secure Future Initiative to tips on migrating from Splunk to Sentinel, there’s plenty to learn. And don’t miss our exclusive chat with Nishan DeSilva—it’s like getting a backstage pass to the rock concert of cybersecurity! 🎸
Talk soon.
-Rod
Things that are Related
Microsoft's Secure Future Initiative - At Microsoft, one of the ways that we help counter these threats is to promote a security-first culture—security above all else. We continuously apply what we’ve learned from security incidents to improve our methods and practices. To that end, we’ve created the Microsoft Secure Future Initiative (SFI), our commitment to advance the way we design, build, test, and operate our technology so our solutions can meet the highest possible security standards.
Announcing the Public Preview of Azure Monitor Metrics Export - We are excited to announce the public preview of metrics export for platform metrics from Azure Monitor. This powerful addition allows customers to export metrics for their Azure resources at scale with full fidelity and low latency, along with the newly added ability to filter particular metrics while configuring exports.
Things to Watch/Listen To
Things in Techcommunity
Feed data location to run against Sentinel's KQL function - We have a feed consisting of around 250,000-300,000 entries that will be imported daily. We do not intend to store this data in Sentinel as a table and would like to store it somewhere else (Cosmos, storage, etc.) from where we can grab this data and run it against one of our Sentinel KQL functions to generate Alerts.
Things from Partners
11 Essential Steps for a Successful Splunk to Sentinel Migration - Splunk has long been a popular choice for security information and event management (SIEM) due to its robust data analytics and log management capabilities. However, many organizations are now considering a migration to Microsoft Sentinel—a cloud-native SIEM solution that offers a more scalable, cost-effective, and integrated approach to modern security operations.
Things in the News
Microsoft is building new Windows security features to prevent another CrowdStrike incident - There’s no talk of locking down the Windows kernel just yet, but Microsoft clearly wants to move endpoint security systems out of there.
Copilot for Security Things
Defender for Cloud Things
September 18 - GA - General Availability of File Integrity Monitoring based on Microsoft Defender for Endpoint
September 18 - GA - FIM migration experience is available in Defender for Cloud
September 18 - Deprecation - Deprecation of MMA auto-provisioning capability
Microsoft Sentinel Things
Log Source Availability Monitoring with KQL in Microsoft Sentinel: An Essential Query for SOC Teams - In this blog, we will explore a KQL (Kusto Query Language) query designed to monitor data freshness and detect potential delays in security logs across multiple data sources in Microsoft Sentinel. This query helps SOC teams identify gaps in log ingestion, allowing them to take action before missing data leads to missed threats.
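The blog linked above explains the idea of a freshness query but the text here does not reproduce its KQL. The following is an added example written for this newsletter, not the query from the referenced blog: it compares the last event seen per table against a per-source maximum acceptable delay and flags tables that have gone quiet, including tables that produced nothing at all in the lookback window. The table names and delay thresholds in the `expected` datatable are constructed sample values; adjust them to the connectors actually deployed in the workspace.

```kql
// Added example: per-source log freshness check for a Microsoft Sentinel workspace.
// Assumptions: run in the Log Analytics workspace; the table names and MaxDelay
// values below are constructed sample values, not recommendations.
let lookback = 7d;
let expected = datatable(TableName:string, MaxDelay:timespan) [
    "SecurityEvent",     1h,
    "SigninLogs",        30m,
    "Syslog",            2h,
    "CommonSecurityLog", 1h
];
// Newest event per table across the whole workspace.
// union * is broad; restrict the lookback to keep the query cheap.
let lastSeen =
    union withsource=TableName *
    | where TimeGenerated > ago(lookback)
    | summarize LastSeen = max(TimeGenerated) by TableName;
expected
| join kind=leftouter lastSeen on TableName
// A source with no rows at all in the lookback window is at least `lookback` stale.
| extend Delay = iff(isnull(LastSeen), lookback, now() - LastSeen)
| extend Status = iff(Delay > MaxDelay, "STALE", "OK")
| project TableName, LastSeen, Delay, MaxDelay, Status
| order by Delay desc
```

Scheduling this as an analytics rule that alerts on `Status == "STALE"` turns a silent ingestion failure (an expired connector credential, a stopped agent, a broken Data Collection Rule) into a ticket before it shows up as a missed detection.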
Optimize Costs using Auxiliary Logs for Verbose Logging - Today, we use logging for many purposes including security hunting with SIEM (Sentinel), troubleshooting, performance telemetry, compliance reporting – but it can also be very costly. In my blog below, I will show you how I reduced my log costs by 89% (ingestion & query) – with a 96% cost reduction on log ingestion alone.
Troubleshooting & Monitoring of Log Ingestion with Data Collection Rules - This blog covers how we can monitor the health and analyze metrics/performance of the log ingestion using Data Collection Rules.
The power of Data Collection Rules: Monitoring PowerShell usage - In this article we will look at how you can set up your own monitoring mechanism to spot executed PowerShell code in your environment using Microsoft Sentinel and the Unified SecOps Platform.
Microsoft Sentinel Sizing And Pricing – Optimize Costs And Enhance Security - You can now sign up for pre-purchase plans for Microsoft Sentinel, a type of Azure reservation. When you purchase a pre-purchase plan, you receive commit units (CUs) at discounted tiers for Microsoft Sentinel. These Microsoft Sentinel commit units (SCUs) can be used to pay eligible costs in your Log Analytics workspace. Opting for the right pre-purchase plan can save you money when you have predictable costs!
Azure reservations now have pre-purchase plans available for Microsoft Sentinel
Import/export of automation rules now generally available (GA)
Google Cloud Platform data connectors are now generally available (GA)
Microsoft Sentinel now generally available (GA) in Azure Israel Central
Defender XDR Things
Detect Ransomware Poortry or BurntCigar with Defender for XDR - Defenders are on high alert, as a powerful tool used by notorious ransomware gangs just got a major upgrade—like a villain giving their evil lair Wi-Fi! It’s faster, smarter, and more annoying than that one pop-up ad that refuses to close. Buckle up, because the cyber bad guys are coming in hot, and this time they’ve got a shiny new toy.
Detecting browser anomalies to disrupt attacks early - This blog post offers insights into utilizing browser anomalies and malicious sign-in traits to execute attack disruption at the earliest stages, preventing attackers from achieving their objectives.
Microsoft Entra Things
Entra ID federation with Google Workspace - Google Workspace federation allows you to manage user identities in your Entra ID tenants while authenticating these users through Google. This can be beneficial if your company wants to use a single source of identities across different cloud platforms. This article covers the scenario where your domain is already added and verified in Entra ID.
Enhanced data protection with Windows and Microsoft Copilot - As generative AI usage continues to surge and become an integral part of daily workflows, organizations are prioritizing privacy and security—and we continue to evolve Copilot experiences in Windows to address these needs. Starting later this month, for organizations with managed PCs running the Pro or Enterprise edition of Windows, users signing in with a work or school account will receive an updated experience.
Introducing Reporting and Entra ID Authentication for Microsoft Playwright Testing - Microsoft Playwright Testing is a managed service built for running Playwright tests easily at scale. As we aim to improve the developer experience, and through our interactions with users, we recognize the need for simpler, more efficient troubleshooting. Today, we’re excited to introduce a new web-hosted reporting dashboard to help speed up the troubleshooting and make it easier for developers to identify and resolve issues. To further enhance security, we’re also implementing Microsoft Entra ID as the default authentication method, providing a more secure and seamless workflow.
Microsoft Entra Internet Access now generally available - With the rise of hybrid work, identity and network security professionals are now at the forefront of protecting their organizations. Traditional network security tools fall short in meeting the integration, complexity, and scale requirements of anywhere access, leaving organizations exposed to security risks and poor user experiences. To address this, network security and identity must function as a unified force in defense. Only when identity and network controls deeply integrate into secure access, can we fully deliver on the core Zero Trust principles, where trust is never implicit, and access is granted on a need-to-know and least-privileged basis across all users, devices, and applications.