Microsoft SIEM and XDR Weekly Wrap - Issue #21
Who'd have thought they'd lead ya, back here where we need ya
Things from Me
Welcome Back, Readers!
As we usher in 2025, I am thrilled to reconnect with all of you after our brief hiatus over the festive season. The holidays were a mixed bag for me, and I wanted to share a bit of my journey with you.
My year-end adventure to Toronto for the AI Tour was unforgettable, though not quite in the way I had hoped. Shortly after my return, I was struck by an illness that quite literally stole my voice for three weeks! To add to the chaos, the bug didn’t stop with me—it swept through our entire family, leaving us all in recovery mode. As if that wasn't enough, our basement flooded despite having invested a small fortune to have it waterproofed.
But amidst the chaos, there was a silver lining. The holidays blessed me with precious moments that I wouldn’t trade for the world. I was able to spend time with my best friend and relish the rare occasion of having all our kids and grandkids under one roof. The laughter, the sound of children playing board games, and the heartfelt conversations brought back nostalgic memories of yesteryears. The camaraderie and joy were tearfully overwhelming, and it reminded me of the true essence of family and togetherness.
Looking ahead, I am incredibly excited about what 2025 holds for our newsletter and the security community. We have a plethora of initiatives, insights, and engaging content lined up that I can’t wait to share with you. Your support and enthusiasm mean the world to me, and I’m so happy to have everyone onboard for what promises to be an incredible journey.
Here’s to new beginnings, shared wisdom, and a year filled with growth and innovation. Welcome back, and let’s make 2025 remarkable together!
Things to Attend
How to Architect AI Safety & Security - Thursday, January 23 • 1:00 PM - With AI Safety & Security as the main priority of Microsoft, this session will help engineering teams adopt the mindset of how to consider AI Safety and Security risks from the very beginning when they are building a product. The session will also describe how field sellers unblock customers’ AI Security concerns.
Things that are Related
Learn KQL in one month (2025 edition) - If you want to start with KQL, this book is for you. The goal is to learn KQL in 30 days of exercises. Every day you will have exercises with keywords so you can do your own research on the web. You will then find the solution and explanation.
Learning basic KQL for the SC-200 - This guide is my response to that question. It’s designed to help those preparing for the SC-200 focus on the initial most impactful parts of KQL, providing the skills and confidence to not only pass the exam but also apply KQL effectively in real-world scenarios.
Things to Have
Security Certification Roadmap
Things from Partners
Quorum Cyber Continues Expansion with Kivu Acquisition - Quorum Cyber expands its Incident Response capabilities by adding digital forensics, business restoration, and ransom negotiations to its service catalogue with the acquisition of the U.S.-based company.
Security Risk Advisors joins the Microsoft Intelligent Security Association - Security Risk Advisors today announced it has become a member of the Microsoft Intelligent Security Association (MISA), an ecosystem of independent software vendors (ISVs) and managed security service providers (MSSPs) that have integrated their solutions with Microsoft Security technology to better defend our mutual customers against a world of increasing cyber threats.
Security Copilot Things
Microsoft Sentinel Things
Creating a Custom Sentinel GCP WAF/Load Balancer Data Connector - Google Cloud Platform (GCP) is a comprehensive suite of cloud computing services. Integrating GCP with Azure Sentinel enhances security monitoring and management by centralizing logs and alerts. While the existing GCP Pub/Sub connector ingests only audit logs, a custom data connector can be built using an Azure Resource Manager (ARM) template to ingest a broader range of logs, such as WAF/Load Balancer logs.
Microsoft Sentinel Analytics Rules - This website is a (sort of) beautified catalog of the official Microsoft Sentinel GitHub repository. Because the official GitHub offers no good option to search for interesting Analytics Rules by technique, tactic or data connector, I created this site to make it easier to browse the vast number of analytics rules.
Microsoft Sentinel: Transforming Cloud Security with Advanced SIEM - In today’s fast-paced digital world, protecting data and systems from cyber threats is a top priority. Microsoft Sentinel, a cloud-native Security Information and Event Management (SIEM) and Security Orchestration Automated Response (SOAR) solution, is designed to meet the evolving demands of cybersecurity. With its advanced features and integration capabilities, Sentinel empowers organizations to identify, investigate, and respond to security incidents in real-time.
Build custom email security reports and dashboards with workbooks in Microsoft Sentinel - We previously shared an example of how you can leverage Power BI and the Microsoft Defender XDR Advanced Hunting APIs to build a custom dashboard and shared a template that you can customize and extend. In this blog, we will showcase how you can use workbooks in Microsoft Sentinel to build a custom dashboard for Defender for Office 365. We will also share an example workbook that is now available and can be customized based on your organization’s needs.
Unified coverage management across SIEM and XDR in SOC optimization - SOC optimization aims to help SOC teams enhance security efficiency by providing tailored recommendations to close coverage gaps, reduce unnecessary data ingestion, and adapt to evolving threats, maximizing value from Microsoft Sentinel while minimizing the need for manual efforts.
How to successfully evaluate the SAP for Sentinel solution and implement it in production (Part 2) - In the first part of this blog, we covered how to get started with your proof of value by gathering stakeholders, setting success criteria, and using watchlists and workbooks. In this part, we will look at how you can create and handle incidents and use the SOAR capabilities. We will continue describing the functionality of the Microsoft Sentinel solution for SAP in the form of use cases such as “As a <role>, I want to achieve <goal>”.
Automation Rules to automatically Isolate MDE Device using Sentinel Playbooks - In this article, I will demonstrate how to implement Sentinel Playbooks from the templates, create and configure Managed Identities so our playbook can authenticate, and then show off Sentinel’s other SOAR capabilities by demonstrating how to automate incident response by automatically running a playbook when an incident is generated by Defender XDR using Automation rules. I briefly discuss the costs associated with Logic Apps and Sentinel as well.
Defender for Cloud Things
Considerations for risk identification and prioritization in Defender for Cloud - As part of our ongoing series building on "Strategy to Execution: Operationalizing Microsoft Defender CSPM," this article demonstrates how Microsoft Defender for Cloud's CSPM capabilities can help organizations proactively identify and prioritize vulnerabilities in complex, multicloud environments. By detailing operational workflows for continuous vulnerability scanning, contextual risk assessment, automated remediation, and SIEM/XDR integration, it provides a practical blueprint for refining cloud security strategies and ensuring critical threats receive immediate attention.
Defender for Endpoint Things
Exciting News: Microsoft Defender for Endpoint Extends Support to ARM-Based Linux Servers - ARM64 processors are rapidly gaining traction due to their exceptional efficiency and performance, particularly in data centres and cloud environments. Defender for Endpoint’s Linux solution is built specifically for Linux devices, so our protection is tailor-made with the particular needs and uses of Linux devices in mind.
Microsoft Entra Things
Microsoft Entra: Top 50 features of 2024 - Do you feel like you’re still catching up with all the Microsoft Entra product innovation and security improvements from 2024? Not to worry – the team from “What’s New in Microsoft Entra” has created a retrospective highlighting 50 newsworthy solutions and new capabilities.
What Are You Doing to Protect Critical Privileged Roles? (Part 2 of 2) - This article focuses on configuring an Entra ID Restricted Management Administrative Unit to address the challenges posed by helpdesk personnel managing group assignments while maintaining operational efficiency and adhering to least privilege principles.
If you have any articles on creating custom Sentinel data connectors using Functions, I'm interested! E.g. for Ping One (not Federate).
Also if you have any readers interested in Cyber defense topics, I have 30+ blog posts here, including a 'fun' backstory. Happy to expand on this if there's any interest.
https://github.com/SpiderLabs/zpminternational