Things from Me
🎉 Microsoft Ignite 2024: Register Now and Let’s Connect! 🎉
Dear Ignite Enthusiasts,
The wait is over! 🌟 Microsoft Ignite 2024 registration is officially open, and I couldn’t be more thrilled to share this news with you. Whether you’re a seasoned tech aficionado or just dipping your toes into the digital ocean, Ignite promises an electrifying lineup of sessions, keynotes, and networking opportunities.
🔗 Register Here: Microsoft Ignite Registration
In-person in Chicago
November 19-22, 2024
Optional Pre-day: Afternoon of November 18, 2024
Online
November 19-21, 2024
As we gear up for this year’s conference, I find myself eagerly anticipating the chance to reconnect with familiar faces and meet new ones. There’s something magical about being in a room with fellow tech enthusiasts—swapping ideas, debating the latest trends, and occasionally geeking out over obscure APIs. 🤓
What can you expect at Ignite 2024?
Well, imagine a whirlwind of innovation, sprinkled with a dash of demos and AI breakthroughs. From deep dives into possible discussions on quantum computing, this conference promises to ignite (see what I did there?) your curiosity and fuel your passion for all things tech.
So, mark your calendars, set your reminders, and prepare to embark on a knowledge-packed adventure. Whether you’re tuning in from your home office, a cozy coffee shop, a hammock in the Great Northwest forests or in-person like it should be, Ignite is where ideas collide, friendships form, and that elusive “aha!” moment strikes.
See you there, fellow Igniters! Let’s make this conference one for the books. 📚🔥
Warmly, Your Excited Ignite Ambassador 🚀
P.S. If you spot me during a session, in the expo, or in the hallways, please stop me to say hello. I’ll be offended if you don’t.
Talk soon.
-Rod
Things to Watch/Listen To
Things in Techcommunity
Question regarding Brute Force (NTLM/Kerberos/LDAP) and Account Enumeration - The alerts we get the most from our customers are related to MDI.
"Suspected Brute Force Attack (NTLM/Kerberos) or (LDAP)"
"Account Enumeration Reconnaissance"
Often, the alerts provide useful information, such as which computer initiated the attempts and which computers were targeted, along with details on the users involved and whether the logins were successful. However, they rarely explain the root cause of why these alerts are triggered or who the actor is. (e.g., "An actor on a computer performed...")
My Exposure Management > Attack Surface > Attack Paths still has nothing to show - I have tried on many tenants, in many cases. All tenants already have MDE, Sentinel and other Defender 365 licenses such as MDO, MDI and MDCA enabled, and I have even added more defined critical assets. I still cannot see anything on this Attack Paths page. Is there anything else I should do or check to use this feature?
Things in the News
Quorum Cyber Accelerates Growth with Strategic Acquisition of Difenda - Quorum Cyber – with offices in Edinburgh, UK, and Tampa, Florida – today announced the acquisition of Difenda, a Canadian-based, full-stack Microsoft Security Managed Services company. The announcement underscores Quorum Cyber’s global momentum and strengthens its position as a leader of Microsoft Security services.
With the news that Quorum Cyber has acquired Difenda, it might be good to go back and review both companies' recent episodes on the Microsoft Security Insights show, where we showcased their Copilot for Security advances.
Things to Have
Summary_Rule_SCU_Baseline.kql - KQL query for a Sentinel Summary Rule to track SCU changes over time to set requirements baseline.
Things that are Related
Taking steps that drive resiliency and security for Windows customers - On Tuesday, Sept. 10, we hosted the Windows Endpoint Security Ecosystem Summit. This forum brought together a diverse group of endpoint security vendors and government officials from the U.S. and Europe to discuss strategies for improving resiliency and protecting our mutual customers’ critical infrastructure. Although this was not a decision-making meeting, we believe in the importance of transparency and community engagement. Therefore, we’re sharing the key themes and consensus points discussed during the summit, offering insights into our initial conversations.
Copilot for Security Things
Microsoft Sentinel Things
Exploring the Microsoft Sentinel Codeless Connector Platform (CCP) - There are many different ways of getting your security data into Microsoft Sentinel: you can use agent-based software, play around with the Diagnostic Settings of Azure resources, use APIs to send data directly to Sentinel, or use one of the many out-of-the-box Microsoft integrations. However, there's a hidden gem which, in my humble opinion, is probably the best option for most Sentinel integrations: the Codeless Connector Platform. This article explores the background of the CCP: what it is, how it works, and what the big difference is from the "classic" methods of onboarding a data source. Let's dive in!
SIEM Migration Update: Now migrate with contextual depth in translations with Microsoft Sentinel! - The process of moving from Splunk to Microsoft Sentinel via the SIEM Migration experience has been enhanced with three key additions that help customers get more context-aware translations of their detections from Splunk to Sentinel.
The power of Data Collection Rules: Collecting events for advanced use cases in Microsoft USOP - Using Microsoft Sentinel to collect Windows events via Azure Monitor agent (AMA) provides you with an easy way to configure and filter events of interest. In this blog post we will discuss some attacks and how to discover them using KQL queries for analytics, custom detections, hunting queries, etc.
Microsoft Sentinel now generally available (GA) in Azure Israel Central - Microsoft Sentinel is now available in the Israel Central Azure region, with the same feature set as all other Azure Commercial regions. For more information, see Microsoft Sentinel feature support for Azure commercial/other clouds and Geographical availability and data residency in Microsoft Sentinel.
New connectors developed using the Codeless Connector Platform (CCP):
GCP Audit Logs – released to GA.
GCP Security Command Center – released to GA.
Atlassian Jira Audit – released to GA.
Okta Single Sign-On – released to GA.
Sophos Endpoint Protection – released to GA.
Workday User Activity Logs – released to public preview.
AWS S3 Web Application Firewall – released to private preview.
GCP VPC Firewall Rules Logs – released to private preview.
SentinelOne – released to limited private preview.
Monday.com Audit Logs – released to limited private preview.
Use Cases For Sentinel Summary Rules - Microsoft has announced a new Sentinel feature: Summary Rules. These rules aggregate large sets of data in the background for a smoother security operations experience across all log tiers (Documentation). This blog describes multiple use cases to get started with the new feature.
Defender for Experts Things
Welcome to the Microsoft Incident Response Ninja Hub - We’re excited to announce the Microsoft Incident Response Ninja Hub. This page includes a compilation of guides and resources that the Microsoft Incident Response team has developed on threat hunting, case studies, incident response guides, and more. Many of these pieces were also developed in collaboration with Microsoft’s partners across Microsoft Security, providing a unique view into how the Microsoft Security ecosystem leans on cross-team collaboration to protect our customers.
Defender for Identity Things
Microsoft Defender for Identity: the critical role of identities in automatic attack disruption - In today's digital landscape, cyberthreats are becoming increasingly sophisticated and frequent. Advanced attacks are often multi-workload and cross-domain, requiring organizations to deploy robust security solutions to counter this complexity and protect their assets and data. Microsoft Defender XDR offers a comprehensive suite of tools designed to prevent, detect, and respond to these threats. With speed and effectiveness being the two most important elements of incident response, Defender XDR tips the scale back toward defenders with automatic attack disruption.
Defender for Office Things
Improve end user resilience against QR code phishing - In addition to prevention, detection, and investigation capabilities, we are excited to share that Microsoft Defender for Office 365 has also made several updates to its simulation and training features.
Microsoft Entra Things
The Magnificent 8 Conditional Access Policies of Microsoft Entra - The title says it all! I noticed recently, as we constantly discuss CAPs (Conditional Access Policies) on InfoSec Twitter, that people rarely talk about which policies are important for the standard customer. Today, we will discuss just that.