There’s some good instructions available on how to configure the Anomali feeds for Azure Sentinel. See: https://cda.ms/2sC When you enabled and configure the Threat intelligence - TAXII (Preview), data is stored in the ThreatIntelligenceIndicator data table, which includes a ConfidenceScore column. The Anomali feeds contain a confidence score, however, its stowed away in a ThreatType…

Following in the footsteps of the rest of the Microsoft security platform tools, Azure Sentinel training now has its own completion certificate! My original post on All the Microsoft Ninja Training I Know About noted that every product except Security Center and Sentinel provided knowledge checks with a resulting completion certificate. But, I’ve since updated…

Security teams often face the requirement to report on incidents to management or other stakeholders who do not have access to the security toolkit. In some cases dashboards or Power BI can satisfy these needs, but for many organisations it is still the case that certain processes call for good-old Office document based reporting. I’ve lately been thinking about ways to automate these workflows as much as possible, and in this blog post I describe a quick proof-of-concept for automated reporting from Azure Sentinel to a preformatted Word document stored in Sharepoint.

IOC’s.  You can’t afford one of those $70,000 feeds of hashes and IP addresses (and larger companies may be wasting their money anyway), but from time to time you receive you receive a bunch of indicators from a reliable source and you don’t want them to go to waste.

While the botnet itself is not new, Microsoft’s IoT security researchers recently discovered that Mozi has evolved to achieve persistence on network gateways manufactured by Netgear, Huawei, and ZTE. It does this using clever persistence techniques that are specifically adapted to each gateway’s particular architecture.

Your organization is subject to increasingly sophisticated threats and attacks across your on-premise and multi-cloud network environments. Hunting down these threats can be a costly endeavor. Trying to aggregate relevant data from multiple sources and identify what’s truly important often leads to alert fatigue.

Daniel Stefaniak (@d0m3l). Program Manager for Azure Active Directory. Geek of all trades. In free time watches lots of starcraft, and listens to many podcasts.

Watch how Microsoft’s cloud-based SIM, Azure Sentinel, along with our XDR technologies, including Microsoft 365 Defender, provide an automated approach to th…

This one-page diagram required a bit of effort in consolidating the large numbers of connections and signal exchange pipelines between the Microsoft security controls.

Sentinel ATT&CK aims to simplify the rapid deployment of a threat hunting capability that leverages Sysmon and MITRE ATT&CK on Azure Sentinel.

CryptoCurrency Mining Pools domains Detection

Azure Sentinel KQL. Contribute to rod-trent/SentinelKQL development by creating an account on GitHub.

Check the Exchange Server for ProxyShell vulnerability scanning

Identifies when a user is added and then removed to an Azure Key Vault access policy within a short time period. This may be a sign of credential access and persistenc

Searches device info table for non server operating systems then return any users who have logged on interactively as an admin and devices as a set per account.

Detection for APT31 new dropper

Searches device info table for non server operating systems then return any users who have logged on interactively as an admin as a set per device.

RITA Beacon Analyzer for Palo Alto Firewall

An Empirical Assessment of Endpoint Detection and Response Systems against Advanced Persistent Threats Attack Vectors

This is a Microsoft Sysinternals Sysmon configuration file template with default high-quality event tracing

Detects Conti Ransomware

This repository provides a custom watchlist import solution which can be used to work around Sentinels native watchlist file import size limitation of 3.8 MB.

Audit logs for operations performed by Azure Sentinel resources such as Data Connectors, Analytic Rules and more. These logs can be used to monitor the health of your Sentinel resources.

New Detections, Hunting Queries and Response Automation in the Firewall Solution for Azure Sentinel

Announcing the Azure Sentinel Ninja Training knowledge check! Think you’re a true Sentinel Ninja? Take the knowledge check and find out. If you pass the

Released in Preview in June of this year, the column chooser in the Incident blade of Azure Sentinel is now generally available. You might think this is a pretty low value feature release, but its not. This capability allows analysts to customize the view to show only those areas of content that will be valuable…

Sitting through roadmap sessions over the last few weeks I know Ignite (November 2–4, 2021) is going to be monumental. Add the event to your calendar! https://cda.ms/2rN #MSIgnite 

MITRE ATT&CK framework has been widely adopted by the industry, and almost everyone counts on it. Unfortunately, however, many people use the framework in a way that proper threat detection coverage…

For the first time, organisations can visually see what Azure security controls can offer in terms of protection, detection and response. With 45 native Azure security control mappings, defenders can start focusing on not only TTPs in the context of Azure threats, but also how each native Azure security control might shield them from related TTPs in Azure. The post Azure Security Stack Mappings: The Top Native Security Controls for Ransomware appeared first on AttackIQ.

Azure Data Explorer Insights (ADX Insights) provides a unified view of your clusters' usage, performance, and health. Now, you can monitor ingestion operations from ADX using the new "Ingestion" tab (specifically, batching ingestion).

Log Analytics Legacy Queries (Query Explorer queries) save and edit flow is now upgraded to a new modern look

Earlier this year, QNET, a prominent Asian direct selling company with a global customer base and one of the earliest in the direct selling industry to go online in 1998, detected suspicious behaviour from the account of one of its distributors. A hacker was lurking and trying to evade detection by repeatedly attempting to log into QNET’s applications every few hours.

While some businesses would have taken months to discover this breach, it took only a matter of days for QNET. The firm immediately secured the account with Microsoft Azure Sentinel, a cloud-native security incident and event management solution. Through advanced artificial intelligence and security analytics, Sentinel recognised the hacker’s behaviour and blocked it.

In May 2021, the Biden Administration signed Executive Order (EO) 14028, placing cloud security at the forefront of national security. Federal agencies