View profile

Microsoft Sentinel this Week - Issue #37

Microsoft Sentinel this Week
Microsoft Sentinel this Week - Issue #37
By Rod Trent • Issue #37 • View online
Welcome everyone to our 37th issue of this newsletter. As you’ll notice, our newsletter got the same rebranding as many of our products this week at Microsoft Ignite.
Among the other name changes, Azure Sentinel has become Microsoft Sentinel, hence our newsletter name adjustment. This was an effort to bring our security services better inline with their actual purpose - and that’s to monitor and secure not just Azure, but anything a customer needs to protect. Sentinel has long been a platform where anything can be connected whether its on-prem or other clouds. So, I think you’ll agree the name change makes sense. Our last rebranding left some products and services incomplete. And, many folks saw the writing on the wall that these remaining services would need to be changed, too. 
Here’s the full list…
  • Azure Sentinel => Microsoft Sentinel
  • Azure Defender and Azure Security Center => Microsoft Defender for Cloud
  • Azure Defender for IoT = > Microsoft Defender for IoT
  • Microsoft Cloud App Security => Microsoft Defender for Cloud Apps
Incidentally, I delivered a keynote during a partner event yesterday morning and I messed up the new names several times even though I spent hours excruciatingly updating my slide deck. It will take a bit before it becomes muscle memory.
Speaking of Microsoft Ignite there’s a special Ignite section in this issue of the newsletter and its massive. I highly recommend reading each item. But, if you’re like me and just want a quick update, you can catch up on all the Microsoft Sentinel news in less than 3 minutes with the Security News Now - Microsoft Ignite 2021 Sentinel Edition.
My team here at Microsoft is steadily working on an official, weekly news show. This week we’re providing samples of what’s coming in a couple Ignite specials, including one for Microsoft Defender for Cloud (the new name for Azure Security Center).
As you can tell by the numerous Microsoft Sentinel announcements from Ignite, the product teams are hard at work. But noone wants to work in a vacuum. For that reason, the product teams are constantly looking for customer feedback to help drive new features and enhancements and product direction. Here’s a couple new surveys this week where you can provide your feedback and have significant impact on Microsoft Sentinel:
  1. Microsoft Sentinel Notebooks Survey - Jupyter Notebooks is an integral part of the analysts’ toolkit in Microsoft Sentinel. Today, we provide many pre-built notebooks to get you started with your investigation and hunting processes. We are working on the next set of capabilities to take your Notebooks experience to the next level. We would like your feedback on your Notebooks experience to better understand your pain points and the most important scenarios you would like to have notebooks for. This will help us prioritize the notebook content to better fit your security requirements.
  2. Survey on Visualizations, Dashboards and Reporting in Microsoft Sentinel - With the vast amounts of data ingested into Microsoft Sentinel, the ability to do data visualizations, build dashboards, and generate reports is essential for the SOC. With the Workbooks feature today, Microsoft Sentinel users are able to leverage the many default Workbooks provided to explore their data, utilize it for investigations and interactively work with their data. With its flexibility, users are also able to modify the default Workbooks or create entirely new ones for themselves. We would like to gather your feedback on what Visualizations, Dashboarding and Reporting means to you, how Workbooks has fared so far in meeting your needs, and how we can do better.
Virtual Ninja trainings are being planned, but, Sr. Program Manager at Microsoft, Heike Ritter needs your help determining how best to accomplish them - specifically how often and how long each session should be.
If this interests you, please supply your thoughts here: https://cda.ms/35V
OK…that’s it from me for this week. There’s plenty to see, read, and discuss in this week’s issue - so I’ll leave you to it!
We’ll talk again next week.
-Rod

Stuff to Read
Books for Azure Sentinel – Azure Cloud & AI Domain Blog
Books for Azure Sentinel – Azure Cloud & AI Domain Blog
Despite sometimes feeling like I read 10 books a day already from the emails, Teams messages, and web links I manage, I do like to sit down with an actual book. Well…I take that back. I do prefer to read eBooks instead of holding a stack of bound papers in my hand. But, still. And,…
azurecloudai.blog  •  Share
Who Watches the SOC Team? Enabling Audit/Risk Teams to Monitor the SOC - Microsoft Tech Community
Who Watches the SOC Team? Enabling Audit/Risk Teams to Monitor the SOC - Microsoft Tech Community
Big thanks to my colleagues and for helping me with this post. This blog is going to be discussing methods to monitor the actions of the SOC team from a
techcommunity.microsoft.com  •  Share
Protect Teams with Azure Sentinel | Thoor.tech
Protect Teams with Azure Sentinel | Thoor.tech
It’s really no news that Microsoft Teams have been growing so much during the pandemic and many companies have been forced to take the digitalization and the…
thoor.tech  •  Share
Protect Teams with Microsoft Sentinel - Part 2 | Thoor.tech
Protect Teams with Microsoft Sentinel - Part 2 | Thoor.tech
In the first part of this series we enabled the logging capability of Microsoft Teams into Microsoft (previously Azure) Sentinel. In this post we will focus on enabling a solution from the new Content Hub within Sentinel.
thoor.tech  •  Share
Near-real-time (NRT) Analytics Rules in Microsoft Sentinel – Azure Cloud & AI Domain Blog
Near-real-time (NRT) Analytics Rules in Microsoft Sentinel – Azure Cloud & AI Domain Blog
A new type of Analytic Rule has hit the horizon in the Microsoft Sentinel console. The NRT rule works similarly as LiveStream in the Hunting blade in that it forces the KQL query to run every single minute. But, while LiveStream doesn’t produce alerts and Incidents, the NRT rule does. NRT query rule The steps…
azurecloudai.blog  •  Share
Utilize Watchlists to Drive Efficiency During Microsoft Sentinel Investigations - Microsoft Tech Community
Utilize Watchlists to Drive Efficiency During Microsoft Sentinel Investigations - Microsoft Tech Community
This post was in collaboration with and When it comes to incident management and response, time is everything. Impact and damage from a malicious actor
techcommunity.microsoft.com  •  Share
Automation Rules inside Azure Sentinel
Automation Rules inside Azure Sentinel
Nowadays, automation is part of our day-to-day life. To be able to react to security incidents, it is not enough to detect them. We need a mechanism that can trigger an action when an incident is detected. 
vunvulearadu.blogspot.com  •  Share
Hunting for potential network beaconing patterns using Apache Spark via Azure Synapse – Part 1 - Microsoft Tech Community
Hunting for potential network beaconing patterns using Apache Spark via Azure Synapse – Part 1 - Microsoft Tech Community
Introduction We previously blogged about Detect Network beaconing via Intra-Request time delta patterns in Microsoft Sentinel using native KQL from This
techcommunity.microsoft.com  •  Share
Stuff to Watch/Listen To
Security News Now - Microsoft Ignite 2021 Sentinel Edition
Security News Now - Microsoft Ignite 2021 Sentinel Edition
Catch up on the breadth of Microsoft security announcements for Microsoft Sentinel from Microsoft Ignite 2021 and get a taste of our upcoming Security News N…
www.youtube.com  •  Share
Learn about the Azure Sentinel Insecure Protocols Workbook to gain visbility into the usage of insecure protocols across your environment.► Subscribe to Micr…
www.youtube.com  •  Share
HTTP Actions in Security Automation
HTTP Actions in Security Automation
In this video you will learn how to leverage the HTTP action to invoke a Azure Rest API in Logic Apps. You will explore Microsoft Defender for Cloud, Logic A…
www.youtube.com  •  Share
Stuff to Have
SentinelKQL/Windows10LoggedInLast7Days.txt at master · rod-trent/SentinelKQL · GitHub
SentinelKQL/Windows10LoggedInLast7Days.txt at master · rod-trent/SentinelKQL · GitHub
Shows the Windows 10 computers that have logged in over the last 7 days
github.com  •  Share
Sentinel-Queries/Device-DetectInternaltoExternalTeamviewer.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Device-DetectInternaltoExternalTeamviewer.kql at main · reprise99/Sentinel-Queries · GitHub
Detects successful TeamViewer connections from internal to external IP addresses
github.com  •  Share
Sentinel-Queries/Identity-AdminUpdatingSecurityInfo.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-AdminUpdatingSecurityInfo.kql at main · reprise99/Sentinel-Queries · GitHub
Detects an admin changing authentication phone details for another user
github.com  •  Share
Sentinel-Queries/Identity-AppAccessMembersvsGuests.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-AppAccessMembersvsGuests.kql at main · reprise99/Sentinel-Queries · GitHub
Creates a list of your applications and summarizes successful signins by members vs guests
github.com  •  Share
Sentinel-Queries/OAuth-SummarizeServicePrincipalInactivity.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/OAuth-SummarizeServicePrincipalInactivity.kql at main · reprise99/Sentinel-Queries · GitHub
Summarize the last time your service principals signed in, grouped by month
github.com  •  Share
Sentinel-Queries/Identity-SummarizeGuestInactivity.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-SummarizeGuestInactivity.kql at main · reprise99/Sentinel-Queries · GitHub
Month by month breakdown of when your Azure AD guests last signed in SigninLogs
github.com  •  Share
Sentinel-Queries/SecurityEvent-UnconstrainedDelegationtoUser.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/SecurityEvent-UnconstrainedDelegationtoUser.kql at main · reprise99/Sentinel-Queries · GitHub
Detects when unconstrained kerberos delegation is enabled on a user object
github.com  •  Share
Stuff to Attend
During this webinar, you will:
• Learn more about the Security Monitoring Management Pack and Azure Sentinel
• Understand the value of integrating SCOM and Azure Sentinel and why this is relevant to SCOM administrators
• See a demo of the MP and how it sends data to Azure Sentinel
cda.ms  •  Share
Eventbrite - HASMUG presents HASMUG 2021 | Security Edition - December 10th - Friday, December 10, 2021 at Studio Movie Grill, Houston, TX. Find event and registration information.
www.eventbrite.com  •  Share
Ignite Stuff
A big thank you to the Microsoft Sentinel CxE team for helping make this happen and a big thank you to Batami Gold for putting the documents together and
techcommunity.microsoft.com  •  Share
Azure Sentinel near-real-time (NRT) Analytics Rule ARM Template -Microsoft Azure Security Randomness
Azure Sentinel near-real-time (NRT) Analytics Rule ARM Template -Microsoft Azure Security Randomness
This article gives you a sample ARM template to create a new near-real-time analytics rule in Azure Sentinel to support your CICD.
azsec.azurewebsites.net  •  Share
What's New: Microsoft Sentinel Watchlist Support for ARM Templates! - Microsoft Tech Community
What's New: Microsoft Sentinel Watchlist Support for ARM Templates! - Microsoft Tech Community
To add to the list of exciting announcements for Microsoft Sentinel, we are happy to announce that Watchlists now support ARM templates! Moving forward,
techcommunity.microsoft.com  •  Share
Detection tuning – “Making the tuning process simple - one step at a time.” - Microsoft Tech Community
Detection tuning – “Making the tuning process simple - one step at a time.” - Microsoft Tech Community
Overview: Creating a new detection consists of identifying the security vulnerability, writing the detection, and tuning it. This delicate and continuous
techcommunity.microsoft.com  •  Share
Introducing Microsoft Sentinel Content hub! - Microsoft Tech Community
Introducing Microsoft Sentinel Content hub! - Microsoft Tech Community
We are announcing Content hub in public preview, featuring a rich set of 92 Microsoft Sentinel solutions to deliver instant out-of-the-box content value
techcommunity.microsoft.com  •  Share
Detecting Emerging Threats with Microsoft Sentinel Fusion - Microsoft Tech Community
Detecting Emerging Threats with Microsoft Sentinel Fusion - Microsoft Tech Community
The volume of security events continues to grow, and the scope and sophistication of attacks are increasing. We can define the known attack scenarios, but
techcommunity.microsoft.com  •  Share
New and Updated Stuff
Deploy and monitor Azure Key Vault honeytokens with Azure Sentinel | Microsoft Docs
Deploy and monitor Azure Key Vault honeytokens with Azure Sentinel | Microsoft Docs
Plant Azure Key Vault honeytoken keys and secrets, and monitor them with Azure Sentinel.
docs.microsoft.com  •  Share
Detect threats quickly with near-real-time (NRT) analytics rules in Azure Sentinel | Microsoft Docs
Detect threats quickly with near-real-time (NRT) analytics rules in Azure Sentinel | Microsoft Docs
When you’re faced with security threats, time and speed are of the essence. You need to be aware of threats as they materialize so you can analyze and respond quickly to contain them. Azure Sentinel’s near-real-time (NRT) analytics rules offer you faster threat detection - closer to that of an on-premises SIEM - and the ability to shorten response times in specific scenarios.
docs.microsoft.com  •  Share
Manage custom content for Azure Sentinel in your own repository | Microsoft Docs
Manage custom content for Azure Sentinel in your own repository | Microsoft Docs
This article describes how to create connections with a GitHub or Azure DevOps repository where you can save your custom content.
docs.microsoft.com  •  Share
Plan and manage costs for Azure Sentinel | Microsoft Docs
Plan and manage costs for Azure Sentinel | Microsoft Docs
This article describes how to plan for and manage costs for Azure Sentinel. First, you use the Azure pricing calculator to help plan for Azure Sentinel costs, before you add any resources for the service. Next, as you add Azure resources, review the estimated costs.
docs.microsoft.com  •  Share
Best practices for data collection in Azure Sentinel | Microsoft Docs
Best practices for data collection in Azure Sentinel | Microsoft Docs
This section reviews best practices for collecting data using Azure Sentinel data connectors.
docs.microsoft.com  •  Share
Best practices for Azure Sentinel | Microsoft Docs
Best practices for Azure Sentinel | Microsoft Docs
This collection of best practices provides guidance to use when deploying, managing, and using Azure Sentinel, including links to other articles for more information.
docs.microsoft.com  •  Share
Normalization and the Azure Sentinel Information Model (ASIM) | Microsoft Docs
Normalization and the Azure Sentinel Information Model (ASIM) | Microsoft Docs
Azure Sentinel ingests data from many sources. Working with various data types and tables together requires you to understand each of them, and write and use unique sets of data for analytics rules, workbooks, and hunting queries for each type or schema.
Sometimes, you’ll need separate rules, workbooks, and queries, even when data types share common elements, such as firewall devices. Correlating between different types of data during an investigation and hunting can also be challenging.
This article provides an overview of the Azure Sentinel Information model (ASIM), which provides a solution for the challenges of handling multiple types of data.
docs.microsoft.com  •  Share
Understand threat intelligence in Azure Sentinel | Microsoft Docs
Understand threat intelligence in Azure Sentinel | Microsoft Docs
View your GeoLocation and WhoIs data enrichments (Public preview) Microsoft enriches each indicator with extra GeoLocation and WhoIs data, providing more context for investigations where the selected indicator of compromise (IOC) is found.
You can view GeoLocation and WhoIs data on the Threat Intelligence pane for each indicator of compromise that you’ve imported into Azure Sentinel.
For example, use GeoLocation data to find details like Organization or Country for the indicator, and WhoIs data to find data like Registrar and Record creation data.
docs.microsoft.com  •  Share
Pre-deployment activities and prerequisites for deploying Azure Sentinel
Pre-deployment activities and prerequisites for deploying Azure Sentinel
This article introduces the pre-deployment activities and prerequisites for deploying Azure Sentinel.
docs.microsoft.com  •  Share
Advanced multistage attack detection in Azure Sentinel | Microsoft Docs
Advanced multistage attack detection in Azure Sentinel | Microsoft Docs
Use Fusion technology in Azure Sentinel to reduce alert fatigue and create actionable incidents that are based on advanced multistage attack detection.
docs.microsoft.com  •  Share
Commonly used Azure Sentinel workbooks | Microsoft Docs
Commonly used Azure Sentinel workbooks | Microsoft Docs
The following table lists the most commonly used, built-in Azure Sentinel workbooks.
docs.microsoft.com  •  Share
Partner Stuff
Senserva helping customers with Microsoft Sentinel Notebooks - Senserva
Senserva helping customers with Microsoft Sentinel Notebooks - Senserva
We have been seeing a strong interest in using our open source solutions for quick creation of  Microsoft Sentinel Notebooks.
Please let us know if have specific needs and we will work with you to create Notebooks for you.
www.senserva.com  •  Share
Discover what’s new and gain technical expertise from MISA at Ignite - Microsoft Security Blog
Discover what’s new and gain technical expertise from MISA at Ignite - Microsoft Security Blog
It’s hard to believe we’re so close to the end of another year, and what a year it’s been. For too brief a time in some places, our masks were tossed away, only to find us digging them out of drawers again not long after. But masked up or not, it’s been good to see local restaurants buzzing with activity again, along with fans enjoying sporting events, concerts, and even some shows on Broadway. There’s a sense of expectation in the air, and I’m excited to see what 2022 has in store for all of us.
www.microsoft.com  •  Share
archTIS Joins Microsoft Intelligent Security Association
archTIS Joins Microsoft Intelligent Security Association
Canberra, ACT (PRWEB) November 02, 2021 – archTIS, a global technology provider of innovative solutions for secure collaboration of sensitive information,
www.prweb.com  •  Share
/PRNewswire/ – Vectra AI today announced the availability of Vectra Detect in the Microsoft Azure Marketplace, an online store providing applications and…
www.prnewswire.com  •  Share
Sonrai Security Joins Microsoft Intelligent Security Association; Sonrai Dig Listed as Preferred Solution on Microsoft Azure Marketplace - Sonrai Security
Sonrai Security Joins Microsoft Intelligent Security Association; Sonrai Dig Listed as Preferred Solution on Microsoft Azure Marketplace - Sonrai Security
Sonrai strengthens its relationship with Microsoft by joining the Microsoft intelligent Security Association (MISA) for integrations.
sonraisecurity.com  •  Share
IronNet Joins Microsoft Intelligent Security Association (MISA) | Business Wire
IronNet Joins Microsoft Intelligent Security Association (MISA) | Business Wire
IronNet’s bi-directional integration with Microsoft Azure Sentinel enables customers to better protect their on-premises, cloud, or hybrid infrastructure. This integration builds on IronNet’s Azure virtual sensor, which provides on-premises protection of cloud workloads as well as IronNet’s threat-detection integration with Microsoft 365. By using anonymized threat information gathered by both IronNet and Microsoft, IronNet’s industry-leading Network Detection and Response (NDR) and Collective Defense capabilities equip enterprise customers with best-in-class tools to manage heightened security challenges brought on by accelerated digital transformation.
www.businesswire.com  •  Share
Apply Least Privilege, Least Access Policy from Azure Sentinel, with insights from Sonrai Dig
Apply Least Privilege, Least Access Policy from Azure Sentinel, with insights from Sonrai Dig
Sonrai strengthens partnership with Microsoft Azure Sentinel integration that lets users understand cloud permissions using Sonrai Dig
sonraisecurity.com  •  Share
Archtis Ltd NC Protect Data Connector now available in Microsoft Azure Marketplace
Archtis Ltd NC Protect Data Connector now available in Microsoft Azure Marketplace
The new NC Protect Data Connector enables customers to get advanced auditing capability by aggregating NC Protect user access and data…
www.proactiveinvestors.com.au  •  Share
Related Stuff
Secure your Azure environments with the new Azure Security Benchmark v3
techcommunity.microsoft.com  •  Share
Protect your business with Microsoft Security’s comprehensive protection - Microsoft Security Blog
Protect your business with Microsoft Security’s comprehensive protection - Microsoft Security Blog
And with hybrid work here to stay, the attack surface has expanded as personal devices become an essential part of the corporate network. Many security teams I speak with have been shifting their strategy to increase business resilience and, smartly, many have adopted a Zero Trust approach. I am so inspired by the fearlessness I see in these teams. They work tirelessly and confidently behind the scenes to protect their people and their organization from harm. With these superheroes in mind, I have exciting news to share today about how Microsoft Security provides the most comprehensive approach to security, enabling organizations of every size to be fearless as they grow, create, and innovate.
www.microsoft.com  •  Share
Logic Apps Standard Plan updates in public preview | Azure updates | Microsoft Azure
Logic Apps Standard Plan updates in public preview | Azure updates | Microsoft Azure
Logic Apps Standard was released at Ignite 2020 and since then we have added a lot of features to enable better enterprise integration between mission critical systems on cloud, on premises, and in a hybrid way with runtime available on Azure, Azure Arc and locally. This post includes capabilities now available in public preview.
azure.microsoft.com  •  Share
General availability: Azure Data Explorer Insights | Azure updates | Microsoft Azure
General availability: Azure Data Explorer Insights | Azure updates | Microsoft Azure
Azure Data Explorer Insights provides comprehensive monitoring of your clusters by delivering a unified view of your cluster performance, usage, ingestion operations, cache, and more.
azure.microsoft.com  •  Share
News Stuff
How Microsoft narrows the threat funnel on over 600 billion monthly security events - Inside Track Blog
How Microsoft narrows the threat funnel on over 600 billion monthly security events - Inside Track Blog
Microsoft sees billions of security events every day, but a carefully orchestrated response allows them to separate innocuous alerts from harmful threats.
www.microsoft.com  •  Share
Moving to next-generation SIEM with Azure Sentinel
Moving to next-generation SIEM with Azure Sentinel
Microsoft Digital recently implemented Azure Sentinel to replace a preexisting, on-premises solution for security information and event management (SIEM). Azure Sentinel supplies cloud-scale SIEM functionality that enables ingestion of, and response to, more than 20 billion cybersecurity events per day.
www.microsoft.com  •  Share
Tradewinds adds eSentire MDR to cyber portfolio - Distribution - Security - CRN Australia
Tradewinds adds eSentire MDR to cyber portfolio - Distribution - Security - CRN Australia
Tradewinds Technology Brokerage has added US-based managed detection and response vendor eSentire to its APAC cybersecurity distribution portfolio.
www.crn.com.au  •  Share
Microsoft brings enterprise security to nonprofits and SMBs | VentureBeat
Microsoft brings enterprise security to nonprofits and SMBs | VentureBeat
As part of a “security for all” push, Microsoft says it is bringing enterprise security to small to midsize businesses and nonprofits.
venturebeat.com  •  Share
Did you enjoy this issue?
Rod Trent

The Microsoft Sentinel weekly newsletter helps uncover the new and important features and news for Microsoft's cloud-based SIEM+SOAR security tool.

In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue