Things from Me
Happy Friday, all!
In this edition, we dig into the latest enhancements and integrations in Microsoft Defender and Microsoft Sentinel. From Defender for Endpoint policies to KQL queries for endpoint security, this issue has you covered: a question on assigning Defender for Endpoint policies, another on empty KQL results for compressed files, and ready-made hunting queries for tampering detection and RDP session monitoring. Plus, you'll find a guide to the unified security operations platform, tips on solving access issues in Microsoft Sentinel, and the news that Microsoft Sentinel All-In-One is now available for Azure Government. Stay ahead of threats with insights on integrating GitLab Cloud Edition and on multi-tier logging, and don't miss the Cyberint Threat Intel Integration guide. Lastly, this issue bridges the security gap from on-premises to cloud and unveils the public preview of the Microsoft Entra ID FIDO2 provisioning APIs.
Get ready to enhance your security posture with our latest findings!
-Rod
Things to Watch/Listen To
Things in Techcommunity
Defender for Endpoint policies assignment - I seek clarification regarding the assignment of Defender for Endpoint policies. My objective is to create and implement Defender for Endpoint policies across all devices by default.
Compressed file KQL for endpoint - Based on my understanding of the AlertEvidence schema for KQL, there are columns for filename and folderpath. However, my query results in empty filename and folderpath. I am wondering whether it could be because the files detected with a virus are zip or rar files, so KQL does not return any values for filename and folderpath. Can someone enlighten me on this?
Things to Have
Defender_Tampering.kql - Hunt for tampering attempts.
RDP_by_IP.kql - Display all processes initiated by a source IP during an RDP session.
Remote_Actions_By_Compromised_Account.kql - Highlight actions performed remotely by a compromised account.
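As an added example in the spirit of Defender_Tampering.kql (this is not one of the linked files and not Microsoft's code), the following Advanced Hunting query unions three independent signals of Defender tampering: events Tamper Protection raises itself, command lines that switch Defender features off or add exclusions, and registry policy values that disable Defender components. The DeviceEvents, DeviceProcessEvents and DeviceRegistryEvents tables and their column names follow the Advanced Hunting schema reference; the ActionType value "TamperingAttempt", the command-line patterns and the registry value names and data values are assumptions to verify against the schema reference and against your own telemetry before relying on them.

```kql
// Added example: hunt for attempts to disable or weaken Microsoft Defender.
let lookback = 7d;
// 1. Events raised by Tamper Protection itself (ActionType value is an assumption; verify in your tenant)
let tamperEvents = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "TamperingAttempt"
    | project Timestamp, DeviceName, Signal = "TamperProtectionEvent",
              Actor = InitiatingProcessAccountName,
              Detail = strcat(InitiatingProcessFileName, " ", InitiatingProcessCommandLine);
// 2. Command lines that turn Defender features off, add exclusions or stop its service
let tamperCommands = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where ProcessCommandLine has_any ("Set-MpPreference", "Add-MpPreference", "MpCmdRun.exe", "WinDefend", "Windows-Defender")
    // regex patterns are assumptions; extend them with what your own baseline shows
    | where ProcessCommandLine matches regex @"(?i)(Disable(RealtimeMonitoring|BehaviorMonitoring|IOAVProtection|ScriptScanning|IntrusionPreventionSystem)|Exclusion(Path|Process|Extension)|-RemoveDefinitions|sc\s+(stop|config|delete)|Uninstall-WindowsFeature|Remove-WindowsFeature)"
    | project Timestamp, DeviceName, Signal = "SuspiciousCommandLine",
              Actor = AccountName,
              Detail = ProcessCommandLine;
// 3. Registry policy values that disable Defender components
//    (value names and data values are assumptions: Disable* = 1 turns a feature off,
//     TamperProtection = 4 turns Tamper Protection off)
let tamperRegistry = DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("RegistryValueSet", "RegistryKeyCreated")
    | where RegistryKey has "Windows Defender"
    | where (RegistryValueName startswith "Disable" and RegistryValueData == "1")
         or (RegistryValueName == "TamperProtection" and RegistryValueData == "4")
    | project Timestamp, DeviceName, Signal = "RegistryTamper",
              Actor = InitiatingProcessAccountName,
              Detail = strcat(RegistryKey, @"\", RegistryValueName, " = ", RegistryValueData);
// One row per device and actor, with the kinds of signal seen and up to five examples
union tamperEvents, tamperCommands, tamperRegistry
| summarize Count = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Signals = make_set(Signal), Examples = make_set(Detail, 5)
    by DeviceName, Actor
| order by array_length(Signals) desc, Count desc
```

Sorting by the number of distinct signal types first surfaces devices where a command line, a registry change and a Tamper Protection event line up, which is far harder to explain away than any one of them alone. Expect legitimate hits from management tooling (Intune, SCCM, deployment scripts) that configures exclusions; add those initiating processes as exclusions in the query rather than loosening the patterns.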
Copilot for Security Things
Microsoft Defender XDR Things
Cybersecurity incident correlation in the unified security operations platform - In this blog post we will share deep insights into the innovative research that infuses powerful data science and threat intelligence to correlate detections across first- and third-party data via Microsoft Defender XDR & Microsoft Sentinel with 99% accuracy.
Microsoft Sentinel Things
Frequently asked questions about the unified security operations platform - We recently announced the GA of Microsoft Sentinel in the Defender portal, as part of the unified security operations platform. In this blog we offer answers to many of the questions we’ve heard from our customers and partners, which can be used, along with our documentation, to get started with our new experience.
Solving Access Issues in Microsoft Sentinel: Device registration block - When I recently faced a frustrating access issue with Microsoft Sentinel, it took me on a deep dive into Azure’s Conditional Access settings. This blog post is a comprehensive guide to solving the problem of modifying Data Connectors in Microsoft Sentinel when access is blocked due to unregistered devices, and how I ultimately found the answer in an unexpected place.
Microsoft Sentinel All-In-One now available for Azure Government - More than a year ago, we announced the second version of Microsoft Sentinel All-in-One and one of the most requested features was to have it work with Azure Government tenants. Today, we’re happy to announce a new revamped version that does that.
Enhancing Security Monitoring: Integrating GitLab Cloud Edition with Microsoft Sentinel - The absence of a dedicated connector for GitLab Cloud Edition in Microsoft Sentinel leaves a gap in security monitoring for organizations that use GitLab. To close it, we can use the API endpoints GitLab provides to collect logs for ingestion into Sentinel. By creating a custom table fed through an Azure Monitor Data Collection Endpoint (DCE) and a Data Collection Rule (DCR), we can organize and query these logs efficiently. Azure Logic Apps, coupled with Azure Key Vault, keeps data handling both secure and effective and keeps the GitLab credentials out of the workflow definition. This blog walks readers through the integration process so organizations can make full use of Microsoft Sentinel's capabilities. With a consolidated view of their security posture, companies can detect and respond to threats more quickly.
Demystifying Microsoft Sentinel Multi-Tier Logging - Multi-tier logging in Azure Monitor Log Analytics and Microsoft Sentinel offers a structured approach to managing diverse logging needs. Categorizing logs into Analytics, Basic, and Auxiliary tiers addresses various requirements for monitoring, compliance, and security. This method streamlines log management, making it both cost-effective and operationally efficient.
Microsoft Sentinel & Cyberint Threat Intel Integration Guide - This guide outlines the steps to integrate Cyberint’s module with Microsoft Sentinel, enabling you to leverage enriched threat intelligence data for more effective security operations.
Defender for Cloud Things
Microsoft Power BI and Microsoft Defender for Cloud – Part 2: Overcoming ARG 1000-Record Limit - In our previous blog, we explored how Power BI can complement Azure Workbook for consuming and visualizing data from Microsoft Defender for Cloud (MDC). In this second installment of our series, we dive into a common limitation faced when working with Azure Resource Graph (ARG) data – the 1000-record limit – and how Power BI can effectively address this constraint to enhance your data analysis and security insights.
Defender for Endpoint Things
Detect compromised RDP sessions with Microsoft Defender for Endpoint - …today Microsoft Defender for Endpoint is enhancing the RDP data by adding a detailed layer of session information, so you can more easily identify potentially compromised devices in your organization. This layer provides you with more details into the RDP session within the context of the activity initiated, simplifying correlation and increasing the accuracy of threat detection and proactive hunting.
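As an added example that is not part of the blog post above, nor one of the RDP_by_IP.kql and Remote_Actions_By_Compromised_Account.kql files listed earlier (it is written here to show the same kind of hunt those files describe), the following query uses the RDP session columns on DeviceProcessEvents to list what each remote source IP did inside its session. The column names (IsProcessRemoteSession, ProcessRemoteSessionIP, ProcessRemoteSessionDeviceName, CreatedProcessSessionId and their InitiatingProcess counterparts) are taken from the Advanced Hunting schema reference as I recall it and are an assumption to verify in the schema reference of your tenant; the list of discovery and lateral-movement binaries is a hypothetical starting point, not a Microsoft-supplied list.

```kql
// Added example: processes started inside RDP sessions, grouped by the remote source.
// Set targetAccount to an account name to restrict the hunt to one (compromised) account.
let lookback = 7d;
let targetAccount = "";
// hypothetical starting list of discovery / lateral-movement binaries to highlight
let suspicious = dynamic(["whoami.exe", "net.exe", "net1.exe", "nltest.exe", "quser.exe",
                          "powershell.exe", "pwsh.exe", "cmd.exe", "wmic.exe", "rundll32.exe",
                          "certutil.exe", "bitsadmin.exe", "mstsc.exe", "psexec.exe",
                          "reg.exe", "schtasks.exe", "vssadmin.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where isempty(targetAccount) or AccountName =~ targetAccount
// keep processes that either run in a remote interactive session themselves
// or were spawned by a parent that does
| where IsProcessRemoteSession == true or IsInitiatingProcessRemoteSession == true
// take the session details from whichever side of the process tree carries them
| extend SourceIP   = iff(IsProcessRemoteSession, ProcessRemoteSessionIP, InitiatingProcessRemoteSessionIP),
         SourceHost = iff(IsProcessRemoteSession, ProcessRemoteSessionDeviceName, InitiatingProcessRemoteSessionDeviceName),
         SessionId  = iff(IsProcessRemoteSession, CreatedProcessSessionId, InitiatingProcessSessionId)
| where isnotempty(SourceIP)
// an RDP source outside RFC 1918 space deserves attention first
// (ipv4_is_private returns null for IPv6 sources, which then group separately)
| extend ExternalSource = not(ipv4_is_private(SourceIP))
| extend Flagged = FileName in~ (suspicious)
| summarize Processes = count(),
            FlaggedProcesses = countif(Flagged),
            Accounts = make_set(AccountName, 10),
            FlaggedCommandLines = make_set_if(ProcessCommandLine, Flagged, 10),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, SourceIP, SourceHost, SessionId, ExternalSource
| order by ExternalSource desc, FlaggedProcesses desc, Processes desc
```

Grouping by the session ID as well as the IP separates a single long session from several reconnections from the same jump host, and the make_set_if column gives the full command lines for only the flagged binaries, so an analyst can confirm a pattern such as whoami followed by net group and a scheduled-task creation without paging through every process the session started.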
Defender for Office Things
Extend allow in Tenant Allow/Block List allow entries in a transparent data driven manner (https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/extend-allow-in-tenant-allow-block-list-allow-entries-in-a/ba-p/4213201) - Recently we launched the last used date for allowed or blocked domains, email addresses, URLs, or files inside Microsoft Defender XDR. For block entries, the last used date is updated when the entity is encountered by the filtering system (at time of click or during mail flow). For allow entries, when the filtering system determines that the entity is malicious (at time of click or during mail flow), the allow entry is triggered and the last used date is updated.
Microsoft Security Exposure Management Things
Bridging the On-premises to Cloud Security Gap: Cloud Credentials Detection - In this blog, we demonstrate that properly securing cloud environments requires securing credentials in the organization’s non-cloud environments. To this end, we dive into our innovative capability to detect cloud credentials in on-premises environments and user devices. By integrating it with Microsoft Security Exposure Management, customers are able to identify attack paths starting in non-cloud environments and reaching critical cloud assets using cloud credentials. Customers are then able to effectively prioritize and mitigate those attack paths, thereby improving their enterprise and cloud security posture.
Microsoft Entra Things
Public preview: Microsoft Entra ID FIDO2 provisioning APIs - Today I'm excited to announce a great new way to onboard employees with admin provisioning of FIDO2 security keys (passkeys) on behalf of users.
Securing Microsoft Fabric: User Authentication & Authorization Guidelines - Have you wondered what the options are for defining users and permissions to access and operate in Microsoft Fabric? Considering Conditional Access for Fabric users? Looking to understand best practices for defining user roles at the workspace level? In this blog, we talk about the authentication and authorization options in Fabric, including a use case example.