View profile

Azure Sentinel this Week - Issue #35

Microsoft Sentinel this Week
Azure Sentinel this Week - Issue #35
By Rod Trent • Issue #35 • View online
Happy Friday, everyone and welcome back!
Issue #35 of our weekly check-in puts me on the cusp of my very first work travel since early 2020. I pulled out my travel bag yesterday and found some old business cards that bore my professional title from two roles ago. I was originally a Premier Field Engineer (PFE) - and that role doesn’t even exist anymore within Microsoft.
I’m headed out to South Beach - Miami, Florida - next week. I’m speaking at a conference known for the Endpoint Manager and Intune crowd. I’ll be on-hand introducing everyone to Azure Sentinel (of course). You can get a glance at my session topics here: https://cda.ms/30T.
I began my career working with older versions of Endpoint Manager (SMS and SCCM) and the transition to cybersecurity and Azure Sentinel wasn’t that difficult. Hopefully, I can convince those there of the same. The world needs more, good security people.
I tell you what, though – its been almost 2 years since I’ve spoken in-person. I used to do that regularly. I speak virtually almost everyday now. I delivered over 70 Azure Sentinel workshops in 2020, but those were all virtual events. I hope I can still enthrall a crowd. I’m sure it will be fine, but you wishing me luck would be appreciated.
For those antsy to participate in something - or just those folks that love to click links and answer questions, we have a couple surveys this week where we’d love to get your feedback on a couple things.
The first one, is for the Threat Intelligence Workbook for Azure Sentinel that was released this past week. You can find details on this in the New or Updated Stuff section below. But, once you’ve had a chance to review this new release, jump out to the following link to give us feedback on it: https://cda.ms/30V
The second survey is for getting help with our roadmap for Automation and Playbooks in Azure Sentinel. As we develop our plan for the 2022 first semester, we would like to hear user voices around automation and playbooks to help us better prioritize our backlog. Use the following link to participate: https://cda.ms/30W
This newsletter and the Azure Security Center version have continued to see great success in curating and presenting both Microsoft and community content. So much so, that my group here at Microsoft is in deep discussions to finalize the delivery of a weekly video version - essentially a weekly Microsoft security news show. We’ll have different weekly segments including things like product news, interviews with MVPs and product managers, field reporters, and even roadmap updates.
We need your help, though. As creative as we believe we can be sometimes, we’d love to get your help in naming the security news show.
We have a couple surveys posted up where you can participate. You can vote for one of those we’ve provided or submit something of your own.
On LinkedIn: https://cda.ms/30N
On Twitter: https://cda.ms/30P
Thank in advance for your help!
OK…last thing.
2 and a half years ago when I joined Microsoft I had no clue that I would ever do any of the cool things I’ve done so far. Microsoft is an amazing place to work. There’s opportunity around every single corner.
This week, I’m proud to say I was part of my first product launch. In July, myself and a couple colleagues - Nathan Gau and Cameron Fuller - began developing a unique solution that would tie an on-premises SCOM environment to Azure Sentinel. The idea was that SCOM could handle collection and filtering of security events on-premises and then once those were ready, only the alerts would be sent to Azure Sentinel, minimizing the amount of data ingested from on-premises to the cloud.
There other aspects of this that we’re developing, but here’s the announcement for a clearer picture: Announcing the On-Prem Security Monitoring for Sentinel Solution
Once Microsoft Ignite is over, we’re planning to go the official route and put this into Private Preview and build it as an Azure Sentinel Solution which should make it easier to access and implement. I’ll be talking more about it along the way, too - so stay tuned.
I wish you all a happy and safe week. We’ll talk again next Friday.
-Rod

Stuff to Read
The Azure Sentinel Guide to Microsoft Ignite 2021 – Azure Cloud & AI Domain Blog
Extending Retention to the Limit for the Free Ingestions in Azure Sentinel – Azure Cloud & AI Domain Blog
The Preview Tag Drops from the Windows Security Events Data Connector for Azure Sentinel – Azure Cloud & AI Domain Blog
Defending federal information systems with Azure Sentinel threat intelligence workbook - Azure Government
MITRE ATT&CK technique coverage with Sysmon for Linux - Microsoft Tech Community
UserVoice is Back (sorta) for Azure Sentinel and Azure Security Center – Azure Cloud & AI Domain Blog
Stuff to Watch/Listen To
Automate threat response with Azure Sentinel | Azure Friday
Introduction to Azure Security Automation
Demo: Azure Sentinel threat intelligence workbook
Stuff to Have
GitHub - MSSAPSCA1/Azure_Sentinel: Bulk turn on Analytic rules in Azure Sentinel
Sentinel-Queries/OfficeActivity-SummarizeDownloadActivitybyGuests.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/OAuth-TrackEventsonServicePrincipals.kql at main · reprise99/Sentinel-Queries · GitHub
IRT & SOCT Tools
Sentinel-Queries/SecurityEvent-DetectPrivilegedAADAdminPasswordChange.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-DetectingFirstTimeAccesstoAzureManagement.kql at main · reprise99/Sentinel-Queries · GitHub
Stuff to Attend
Automating Threat Detection and Response with Azure Sentinel | SecTor 2021
New or Updated Stuff
Announcing the On-Prem Security Monitoring for Sentinel Solution – Azure Cloud & AI Domain Blog
Microsoft Defender for Office 365 for Azure Sentinel Now Available – Azure Cloud & AI Domain Blog
Related Stuff
New Microsoft Sysmon report in VirusTotal improves security - Microsoft Security Blog
Everything you wanted to know about Security and Audit Logging in Office 365 | The Cloud Technologist
Azure Privilege Escalation via Service Principal Abuse | by Andy Robbins | Oct, 2021 | Posts By SpecterOps Team Members
Automated response to C2 traffic on your devices - Cloudbrothers
Windows Threat Hunting : Processes of Interest (Part 2) | by Pratinav Chandra | Sep, 2021 | InfoSec Write-ups
Advanced Hunting to Find the Ransomware
Partner Stuff
How Microsoft is partnering with vendors to provide Zero Trust solutions - Microsoft Security Blog
News Stuff
Microsoft achieves a Leader placement in Forrester Wave for XDR - Microsoft Security Blog
Did you enjoy this issue?
Rod Trent

The Microsoft Sentinel weekly newsletter helps uncover the new and important features and news for Microsoft's cloud-based SIEM+SOAR security tool.

In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue