Azure Sentinel this Week - Issue #28



Subscribe to our newsletter

By subscribing, you agree with Revue’s Terms of Service and Privacy Policy and understand that Microsoft Sentinel this Week will receive your email address.

Microsoft Sentinel this Week
Azure Sentinel this Week - Issue #28
By Rod Trent • Issue #28 • View online
Good Friday everyone! I hope it was a good week for each of you.
Thanks for continuing this journey with our weekly get-togethers. I truly appreciate each and every one of you and the time you take during each week to contact me with questions, comments, feedback, etc.
Speaking of which, its worth highlighting something important this week. A couple newsletter issues back we delivered the “Azure Sentinel Notebooks” edition. Since then, it became very clear that we needed a special way for customers to contact the Azure Sentinel Notebooks team at Microsoft.
So – voila!
We now have an official way for you to connect with the team. Use the email address to provide feedback, comment, and suggestions.
I know we have a great number of Microsoft folks who subscribe to this newsletter. Just so you know…this same email address is available for you, too. :)
And, then I have one more Azure Sentinel Notebooks piece of information to cover in our newsletter preamble. The first blog post in an Azure Sentinel Notebooks Ninja series was released shortly after last week’s newsletter issue delivered. We were planning to release Part 2 of the series prior to this week’s newsletter delivery so it could be included here - but, unfortunately that didn’t happen. Not everything follows the natural order of things. We had technical difficulties at the last minute that will push Part 2 to release next week instead. So, I apologize for that.
In Part 2, we dig into exactly what MSTICpy is and have produced a video walk-through of the Getting Started notebook that’s provided as part of the out-of-the-box experience for Azure Sentinel. Its a great read (if I do say so myself). And, because we couldn’t officially release Part 2 this week, here’s an excerpt teaser (just for newsletter subscribers) to get you all excited for it…
Many of our pre-built notebooks rely on a Python library called MSTICPy. Originally developed by Microsoft to support Jupyter Notebooks authoring for Azure Sentinel, MSTICPy (Microsoft Threat Intelligence Python Security Tools) is a Python library that addresses three primary requirements for security investigators and hunters:  acquiring and enriching data, analyzing data, and visualizing data. MSTICPy serves to reduce the amount of code that would have to be written using other Python libraries that aren’t tailored for security. While Azure Sentinel on its own provides the ability to do much of the same, Jupyter Notebooks with MSTICpy provides deeper functionality in the following specific areas… 
Tell your friends, neighbors, countrymen, and colleagues about this series. Its gonna go down in history as monumental.
That’s it for my ramblings this week. In the US, we have a 3-day weekend due to Labor Day and while I’ll be starting creation of Part 3 of the Azure Sentinel Notebook Ninja series today, I’m gonna bump off early to begin enjoying myself.
And, hey…just so you all know. Its OK to contact me on LinkedIn and Twitter. Frankly, I wish more of you would do it. Sometimes people hesitate to do it for a number of reasons, but mostly because some feel they don’t want to bother someone. For me, rest assured that’s not the case. I really enjoy the Azure Sentinel questions and discussions. We’re all in this together.
Talk soon.
P.S. Azure Sentinel is not a compliance tool. (more on this later)

Stuff to Read
Becoming an Azure Sentinel Notebooks ninja - the series!
How to Send Feedback to the Azure Sentinel Notebook Team – Azure Cloud & AI Domain Blog
Azure Sentinel and the story of a very persistent attacker | Azure Sentinel 101
Azure Sentinel and Azure AD Conditional Access = Cloud Fail2Ban | Azure Sentinel 101
Audit NTLM using Azure Sentinel
Alert enrichment "how to reduce incident triage and investigation times using dynamic alert details” - Microsoft Tech Community
Detecting EDR Bypass: Malicious Drivers(Kernel Callbacks) | by Mehmet Ergene | Aug, 2021 | Medium
Security Monitoring and Posture Management in Multi-Cloud Scenario – Overview – Sam's Corner
Find your Azure Sentinel data connector | Microsoft Docs
Stuff to Watch/Listen To
Automate threat detection and response with Azure Sentinel and Microsoft 365 Defender
Detect Malicious Base64-Encoded Commands on Linux Hosts
Stuff to Have
Ingestion Cost Spike detection App - Microsoft Tech Community
Kusto-Query-Language-KQL-/Hunt for Chrome 93.0.4577.63 bug fixes at main · AdarshPandey-dev/Kusto-Query-Language-KQL- · GitHub
Sentinel-Queries/OfficeActivity-SummaryofExternalActivity.kql at main · reprise99/Sentinel-Queries · GitHub
Shivammalaviya/Generic Malware
Azure-Sentinel/SuspectedProxyTokenExploitation.yaml at master · Azure/Azure-Sentinel · GitHub
SentinelKQL/ARPPoisoning.txt at master · rod-trent/SentinelKQL · GitHub
New Stuff
What's new in Azure Sentinel | Microsoft Docs
Related Stuff
General availability: Cross service queries between Azure Monitor and Azure Data Explorer | Azure updates | Microsoft Azure
Generally available: Azure Monitor support for Availability Zones | Azure updates | Microsoft Azure
How to prepare for CMMC compliance as a defense industrial base supplier using the Microsoft cloud | Microsoft Security Blog
Incident response playbooks | Microsoft Docs
Darktrace Becomes Member Of Microsoft Intelligent Security Association (MISA)
Reinventing cybersecurity with artificial intelligence
Did you enjoy this issue?
Rod Trent

The Microsoft Sentinel weekly newsletter helps uncover the new and important features and news for Microsoft's cloud-based SIEM+SOAR security tool.

In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue