View profile

Microsoft Sentinel this Week - Issue #38

Microsoft Sentinel this Week
Microsoft Sentinel this Week - Issue #38
By Rod Trent • Issue #38 • View online
Happy Friday all! As we embark on issue and week #38 of our weekly time together, I’m reminded of what time of year it is. This time of year is my favorite. Sure, it gets cold here where I live in Ohio, but the warmth of family and friends abounds during the holiday season. I hope you, too, are in a place where you can be hopeful and excited about spending idle moments with loved ones. And, in some small way, I hope you also enjoy spending time with all of us in this Microsoft Sentinel community.
Speaking of community, I know many of you know me only through my efforts at Microsoft, through this newsletter, or through the security community at large, but my career started long ago. I’ve been blessed to be part of many large and vibrant communities - some of which I actually led and managed.
An old friend of mine from those early communities, Tim Flower, reached out recently in his role at his current company Nexthink. Tim wanted to sit down and reminisce about those old days and then talk about how those reflections still might matter today in this era. So, we did that. And, of course, as is the day we live in, we recorded it. What resulted was a fun and reflective time. And, I surprised myself in that it gave me an opportunity to work out in my head some issues with today’s communities that I’ve been harboring. I think you’ll enjoy it.
You can listen in here: Being Kind to Newbies: IT Community Building w/ Rod Trent (Microsoft)
So, hey - it wouldn’t be an issue of this newsletter without a little ask from the product team from all of you. So, there’s two asks this issue…
First, one of my colleagues is working to enhance the Microsoft Sentinel ingestion calculator. This is a popular tool for many customers and Microsoft field folks alike and any improvements to it are always welcome.
There’s a short survey available where you can supply your suggestions to help drive this improvement. You can participate here: Sentinel ingestion calculator survey
The second ask again comes from the product group, but this time in relation to the recently announced Deception (Honeytokens) Solution.
We want to drive awareness around this. Here’s some links to get you started if you’re not already aware of this valuable offering:
And, of course, once you’ve had time to look at it, we have a feedback form that delivers directly to the product team: Feedback: HoneyTokens Preview
That’s just about it from me for this week, folks. It’s been a while since I’ve talked about how quickly this community is growing, so maybe I’ll dig into that next issue. The short story is that we’re continuing to see significant growth here and across the entire Microsoft Sentinel community. It’s truly amazing.
But there’s always room for more. I’m sure many of you know colleagues that would love to join us. If that’s the case, send them this newsletter issue and invite them to come participate.
Have a wonderful week!
-Rod

Stuff to Read
How to use Microsoft Sentinel Near Real Time detections - Microsoft Tech Community
How to use Microsoft Sentinel Near Real Time detections - Microsoft Tech Community
What are near-real-time (NRT) analytics rules? When you are faced with security threats, time and speed are of the essence. You need to be aware of
techcommunity.microsoft.com  •  Share
Detecting NTLM Relay Attacks. It is possible to detect NTLM relaying… | by Mehmet Ergene | Nov, 2021 | Medium
Detecting NTLM Relay Attacks. It is possible to detect NTLM relaying… | by Mehmet Ergene | Nov, 2021 | Medium
NTLM relaying attacks increased its popularity after critical vulnerabilities have been discovered recently. Although the NTLM relay attack seems quite popular, I haven’t seen adversaries using it a…
posts.bluraven.io  •  Share
Protect Teams with Microsoft Sentinel - Part 3 | Thoor.tech
Protect Teams with Microsoft Sentinel - Part 3 | Thoor.tech
In the two first posts in this series we went over how to enabled Office 365 Audit Logs, how we enabled the Office 365 data connector and Microsoft Sentinel, to…
thoor.tech  •  Share
Blogpost: Sentinel RBAC options – Cloudblogger
Blogpost: Sentinel RBAC options – Cloudblogger
In that Blogpost, I’ll show you, the optional that you have to assign permissions to Microsoft Sentinel.
www.cloudblogger.at  •  Share
Passing the Microsoft Sentinel Ninja Training - CHARBEL NEMNOM - MVP | MCT | CCSP - Cloud & CyberSecurity
Passing the Microsoft Sentinel Ninja Training - CHARBEL NEMNOM - MVP | MCT | CCSP - Cloud & CyberSecurity
In this article, I will share with you how to prepare and pass the Microsoft Sentinel (formerly known as Azure Sentinel) Ninja Training.
charbelnemnom.com  •  Share
Automate more with 200+ OOTB playbooks - Microsoft Tech Community
Automate more with 200+ OOTB playbooks - Microsoft Tech Community
This post presents a shared effort which includes , , , Vidhi Agarwal, , , , , , and the CXE team. Also thanks for authoring the respective docs.
techcommunity.microsoft.com  •  Share
Azure Sentinel Parse Symantec EDR Logs
Azure Sentinel Parse Symantec EDR Logs
In this article I’m showing how to connect Symantec EDR to Azure Sentinel and How to parse it. To parse your Symantec EDR logs (JSON), You need to collect the logs, create a new custom logs in Azure Sentinel portal and create a new function to parse the logs.
www.linkedin.com  •  Share
Protecting Federal Information Systems with the Microsoft Insider Risk Management Solution - Microsoft Tech Community
Protecting Federal Information Systems with the Microsoft Insider Risk Management Solution - Microsoft Tech Community
Insider risk management remains at the forefront of priorities in protecting federal information systems. Federal requirements such as Executive Order
techcommunity.microsoft.com  •  Share
Microsoft Sentinel - geo Location
Microsoft Sentinel - geo Location
Recently Microsoft Sentinel added Geo Location and Whois info to the Threat feeds (TI). See blog: What’s new in Azure Sentinel | Microsoft Docs You can also do an occasional lookup using the REST API Enrich entities with geolocation data in Azure Sentinel using REST API | Microsoft Docs You can choo
www.linkedin.com  •  Share
Stuff to Watch/Listen To
Microsoft Security Insights Podcast - microsoftsecurityinsights on Twitch
Microsoft Security Insights Podcast - microsoftsecurityinsights on Twitch
microsoftsecurityinsights went live on Twitch. Catch up on their Science & Technology VOD now.
www.twitch.tv  •  Share
Decrease Your SOC’s MTTR by Integrating Microsoft Sentinel with Microsoft Teams
Decrease Your SOC’s MTTR by Integrating Microsoft Sentinel with Microsoft Teams
Wednesday, November 10, 2021, 11:00 AM ET / 8:00 AM PT (webinar recording date) Microsoft Sentinel Webinar | Decrease Your SOC’s MTTR (Mean Time to Respond)…
www.youtube.com  •  Share
Microsoft Sentinel Threat Hunting Deep Dive
Microsoft Sentinel Threat Hunting Deep Dive
Microsoft Sentinel Threat Hunting Deep Dive ————————————————————————————————–🔔 Subscribe …
www.youtube.com  •  Share
Azure Sentinel Introduction and Walkthrough of Resources
Azure Sentinel Introduction and Walkthrough of Resources
We walk through the latest SIEM response tool unveiled by Microsoft.
www.youtube.com  •  Share
Azure Sentinel webinar: Tackling identity
Azure Sentinel webinar: Tackling identity
Learn how to get started with identity threats in Azure Sentinel including uses cases, data sources, attributes, and fields.► Subscribe to Microsoft Security…
www.youtube.com  •  Share
Microsoft Defender Services Names
Microsoft Defender Services Names
Sit back. Relax. The super-sexy version of all the updated Microsoft Defender service names – plus the new offering…
www.youtube.com  •  Share
For each and Condition checks in Security Automation
For each and Condition checks in Security Automation
In this video you will learn how to leverage Controls like For each and Condition to run through each audit event and filter out unique email addresses of ca…
www.youtube.com  •  Share
Stuff to Have
AZMEMCM
AZMEMCM
Modern auditing solution for Configuration Manager. This solution allows to upload certain admin activities to Log Analytics etc.
github.com  •  Share
GitHub - David-Summers/Azure-Design: My Azure stencil collection for Visio. Highly functional and always up to date.
GitHub - David-Summers/Azure-Design: My Azure stencil collection for Visio. Highly functional and always up to date.
Azure stencil collection for Visio. Highly functional and always up to date.
github.com  •  Share
SentinelKQL/UsersConnectFromMultipleCity.txt at master · rod-trent/SentinelKQL · GitHub
SentinelKQL/UsersConnectFromMultipleCity.txt at master · rod-trent/SentinelKQL · GitHub
Reports users who have connected from more than 1 location
github.com  •  Share
GitHub - eshlomo1/Azure-Sentinel-4-SecOps: Azure Sentinel 4 SecOps
GitHub - eshlomo1/Azure-Sentinel-4-SecOps: Azure Sentinel 4 SecOps
Azure Sentinel 4 SecOps Welcome to the Azure Sentinel 4 SecOps! This repository contains many Azure Sentinel content with queries for exploration, hunting, and other activities.
github.com  •  Share
Sentinel-Queries/Function-IdentityInfowithSigninRisk.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Function-IdentityInfowithSigninRisk.kql at main · reprise99/Sentinel-Queries · GitHub
This will join the users identity information, sign in data and any risky signins for your query
github.com  •  Share
Sentinel-Queries/Heartbeat-VisualizeDistinctComputersperMonth.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Heartbeat-VisualizeDistinctComputersperMonth.kql at main · reprise99/Sentinel-Queries · GitHub
Visualize how many machines you are onboarding or offboarding to Sentinel per month
github.com  •  Share
SentinelKQL/NewAdmins.txt at master · rod-trent/SentinelKQL · GitHub
SentinelKQL/NewAdmins.txt at master · rod-trent/SentinelKQL · GitHub
Azure Sentinel KQL. Contribute to rod-trent/SentinelKQL development by creating an account on GitHub.
github.com  •  Share
SentinelKQL/MimiKatzDetection.txt at master · rod-trent/SentinelKQL · GitHub
SentinelKQL/MimiKatzDetection.txt at master · rod-trent/SentinelKQL · GitHub
Detects Mimikatz has been found and shows compromise host. Requires Microsoft Defender for Endpoint connection.
github.com  •  Share
Sentinel-Queries/Identity-RiskEventfollowedbyMFAchanges.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-RiskEventfollowedbyMFAchanges.kql at main · reprise99/Sentinel-Queries · GitHub
Detects when a user flags an Azure AD risk event followed by changes to their MFA profile
github.com  •  Share
Sentinel-Queries/Heartbeat-NoHeartbeatinTimeframe.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Heartbeat-NoHeartbeatinTimeframe.kql at main · reprise99/Sentinel-Queries · GitHub
Finds agents that haven’t sent a heartbeat in the specified timeframe and retrieve last heartbeat time
github.com  •  Share
Sentinel-Queries/Identity-GuestsInvitedbutnotRedeemed.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-GuestsInvitedbutnotRedeemed.kql at main · reprise99/Sentinel-Queries · GitHub
Lists guests who have been invited but not yet redeemed their invites. Excludes newly invited guests (last 30 days).
github.com  •  Share
SentinelKQL/RulesRuninLast30d.txt at master · rod-trent/SentinelKQL · GitHub
SentinelKQL/RulesRuninLast30d.txt at master · rod-trent/SentinelKQL · GitHub
Analytics Rules that generated alerts (and how many) in the last 30 days
github.com  •  Share
Stuff to Attend
Rod Trent – AVD Tech Fest 2021
Rod Trent – AVD Tech Fest 2021
Monitoring Security for Cloud PCs with Microsoft Sentinel
wvdtechfest.com  •  Share
Day 2: Modern SOC 17 November 2021, 2:00 – 6:00 PM | (GMT+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna When it comes to incident response and fighting threats in real time, seconds matter. Your organization depends on you to help it stay strong and resilient through any type of threat. With cutting-edge tools and strategies on your side, you can lead through uncertain times with confidence and be the needed calm within the storm.
info.microsoft.com  •  Share
Get Smart with Data ingestion & Retention in Azure Sentinel | Meetup
Get Smart with Data ingestion & Retention in Azure Sentinel | Meetup
Sat, Nov 13, 2021, 6:00 PM: We will discuss about the various options of data ingestion.How to plan the data retention.Monitor data pattern ingestion and act upon the peaks of your data.
www.meetup.com  •  Share
New and Updated Stuff
Learning with the Microsoft Sentinel Training Lab - Microsoft Tech Community
Learning with the Microsoft Sentinel Training Lab - Microsoft Tech Community
In our conversations with Microsoft Sentinel customers/partners, one very common ask is: “How do I get hands-on experience with Microsoft Sentinel? Is
techcommunity.microsoft.com  •  Share
This post is written together with . Today, we are announcing the Public Preview of the Playbook Templates Tab , which you can find under the Automation
techcommunity.microsoft.com  •  Share
Azure Sentinel Notebooks Ninja Part 3: Overview of the Pre-built Notebooks - the Grand List - Microsoft Tech Community
Azure Sentinel Notebooks Ninja Part 3: Overview of the Pre-built Notebooks - the Grand List - Microsoft Tech Community
This installment is part of a broader learning series to help you become a Jupyter Notebook ninja in Azure Sentinel. The installments will be bite-sized
techcommunity.microsoft.com  •  Share
What’s new: Microsoft Sentinel Deception Solution
What’s new: Microsoft Sentinel Deception Solution
Introducing the Microsoft Sentinel Deception Solution We are excited to announce the Microsoft Sentinel Deception Solution is now in public preview. This solution moves away from traditional approaches and uses the concept of ‘honeytokens’ by injecting decoy objects into existing workloads. Detection principles remains the same, because there is no legitimate reason to access a honeytoken, any activity indicates the presence of a user who is not familiar with the environment, and could potentially be an attacker.
techcommunity.microsoft.com  •  Share
Hunt with MITRE ATT&CK techniques using refreshed hunting dashboard - Microsoft Tech Community
Hunt with MITRE ATT&CK techniques using refreshed hunting dashboard - Microsoft Tech Community
Hunting Dashboard Refresh Now in GA, a refreshed hunting query experience helps you find undetected threats more quickly and with more precision. Hunting
techcommunity.microsoft.com  •  Share
Enable Continuous Deployment Natively with Microsoft Sentinel Repositories! - Microsoft Tech Community
Enable Continuous Deployment Natively with Microsoft Sentinel Repositories! - Microsoft Tech Community
Today we are announcing Microsoft Sentinel Repositories , a new capability that allows users to manage their Microsoft Sentinel content as code from a
techcommunity.microsoft.com  •  Share
Customize your hunting experience with MITRE ATT&CK techniques and more entity types - Microsoft Tech Community
Customize your hunting experience with MITRE ATT&CK techniques and more entity types - Microsoft Tech Community
Now in preview, you can verify, identify, and address gaps in MITRE technique coverage by mapping your custom hunting queries to MITRE ATT&CK techniques.
techcommunity.microsoft.com  •  Share
Design your Azure Sentinel workspace architecture | Microsoft Docs
Design your Azure Sentinel workspace architecture | Microsoft Docs
Decision tree The following image shows a full decision tree flow chart to help you understand how to best design your workspace.
docs.microsoft.com  •  Share
Related Stuff
Azure Monitor - Log Analytics (part 1 of 4)
Azure Monitor - Log Analytics (part 1 of 4)
Introduction to Azure Monitor Log Analytics Azure Monitor can accumulate logs as well as metrics and then use them to make insights, visualizations, and automated responses while Log Analytics is an important service that can analyze the collected logs. 
ashwinitpro.blogspot.com  •  Share
Using a command-line interface Notebooks can be run from your terminal using the execute subcommand. It expects notebook paths as input arguments and accepts optional flags to modify the default behavior.
jupyter.readthedocs.io  •  Share
Kerberoast with OpSec | Microsoft 365 Security
Kerberoast with OpSec | Microsoft 365 Security
You must have been thinking… Is this another blog post about Kerberoasting? Well yes and no. During this time, we will be discussing how to Kerberoast accounts, while trying to stay under the radar from a defender’s perspective. The focus is primary on the technique itself, and not the fact that I’m using PowerShell ;-)…
m365internals.com  •  Share
Partner Stuff
Dark Reading | Security | Protect The Business - Enable Access
Dark Reading | Security | Protect The Business - Enable Access
Cyber security’s comprehensive news site is now an online community for security professionals, outlining cyber threats and the technologies for …
www.darkreading.com  •  Share
Softline nominated to Microsoft Intelligent Security Association – India Education | Latest Education News | Global Educational News | Recent Educational News
Softline nominated to Microsoft Intelligent Security Association – India Education | Latest Education News | Global Educational News | Recent Educational News
Softline, a leading global IT solutions and services provider with a focus on digital transformation, cloud and cybersecurity, has joined the Microsoft Intelligent Security Association (MISA)
indiaeducationdiary.in  •  Share
Vectra AI threat detection software now available in the Microsoft Azure Marketplace, an online store with services for Microsoft’s cloud computing service.
www.itp.net  •  Share
News Stuff
Rudin Management proactively safeguards operational networks with Microsoft Defender for IoT
Rudin Management proactively safeguards operational networks with Microsoft Defender for IoT
Microsoft customer stories. See how Microsoft tools help companies run their business.
customers.microsoft.com  •  Share
Did you enjoy this issue?
Rod Trent

The Microsoft Sentinel weekly newsletter helps uncover the new and important features and news for Microsoft's cloud-based SIEM+SOAR security tool.

In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue