
Microsoft Sentinel this Week - Issue #39

Microsoft Sentinel this Week
By Rod Trent • Issue #39
Welcome all to issue and week #39 of our most times quad-monthly time to spend together. Some of you I get to spend even more time with during the week over Teams, Twitter, LinkedIn, Slack, WhatsApp, and other places. I’m truly thankful to have so many friends, acquaintances, and colleagues to make the days and weeks fly by.
Speaking of being thankful…we’re just on the rim of the upcoming US holiday, Thanksgiving. In fact, I’m so close to the edge, I’m one day away from toppling into it completely. Or, rather, starting Tuesday next week I’ll be out of the office, with the intent to enjoy family and friends for the holiday season.
With that in mind, depending on a few things, this newsletter may miss delivery next Friday, which is the day after Thanksgiving. I know, I know - what will life be like without the weekly delivery? It may still deliver, but it really depends on everyone else. If the rest of the world decides to be as unproductive as myself next week, there may not be much to report on, hence no newsletter delivery. However, idle time in one area sometimes means even more activity in another. I’ll just bide my time and see what happens.
So, I’m leaving next Friday open. You may or may not receive this newsletter next week. Time will tell and it will be a surprise to us all.
Here’s something worth knowing and something you won’t want to miss if you’re still a die-hard RSS fan like I am. Our new branding is still slowly filtering through to many places (e.g., the portal still reads Azure Sentinel). It takes time to reach everywhere. This past week, it finally seeped into the RSS feed for the official Microsoft Sentinel blog. The blog name changed a while ago, but the RSS feed was just now adjusted. You can get the new feed here: https://cda.ms/3f0
Make sure to update your feed readers.
Are you interested in deploying Microsoft Defender for Cloud, Microsoft Sentinel and Azure Network Security to federal customers? Are you a cleared resource?
There’s an interesting opportunity that’s opened up for a Senior Program Manager here at Microsoft. This is something I’d even be interested in if I was looking to change my current role and didn’t mind moving.
If your interest is piqued, see: https://cda.ms/3f3
Surprising to me, apparently a lack of knowledge of the KQL query language is a big barrier for many of our customers to using Sentinel. I had no idea until a happenstance discussion this past week. That spurred me to action.
In a previous role at Microsoft, I regularly delivered KQL workshops to our customers. Much of that workshop and more is being fused into a new, continuing blog series I call “Must Learn KQL.” Parts 1 and 2 are up already. Please, if you’re one of those who need this knowledge, check into it. It will be conversational and fun, with hands-on opportunities sprinkled throughout. If you’re one of those who are already comfortable with the topics but know someone who needs it, please, please, PLEASE share it with them. I don’t want any piece of our solutions, or pieces of those solutions, to ever be a barrier to providing proper security monitoring.
BTW: Excitement for this series is already going gangbusters. Within a single day, Part 1 amassed about 3,000 readers and internally we’re already discussing reusing some of the content in a Learn module.
And, with that, it’s just about time for me to sign off for the week. I truly appreciate all of you and am so thankful that our journey and our paths have merged, even if just for a minute. Even if you don’t observe the Thanksgiving holiday, there’s nothing stopping you from taking a moment or two to really consider the events and people in your life for which you can be truly thankful. And saying it out loud helps.
For me, I’m thankful for my family - my wife, my kids, my new grandbaby. I’ll spend my first Thanksgiving ever without my Dad, which will be truly sad, but his lingering memory and my assuming his legacy and his role in this holiday now makes it even more special.
Be good to each other. Talk soon.
-Rod

Stuff to Read
Microsoft Sentinel Log Usage
Creating your first Microsoft Sentinel Notebook - Microsoft Tech Community
The Short Takes Version of the updated Microsoft Sentinel Trial and Customer Benefit Offers – Azure Cloud & AI Domain Blog
Microsoft Sentinel content hub: Using solutions and start with the Training Lab content
Must Learn KQL Part 1: Tools and Resources – Azure Cloud & AI Domain Blog
Must Learn KQL Part 2: Just Above Sea Level – Azure Cloud & AI Domain Blog
Monitoring What’s New for Microsoft Sentinel Using RSS – Azure Cloud & AI Domain Blog
Using Code Snippets to build your own Sentinel Notebooks
Azure Sentinel Logs & Writing Queries (part 1 of 3)
Azure Sentinel Logs & Writing Queries (part 2 of 3)
Azure Sentinel Logs & Writing Queries (part 3 of 3)
Stuff to Watch/Listen To
Managing security content as code - Microsoft Sentinel in the Field #1
Create Your Own Microsoft Sentinel Solutions
Export and submit logic app as code for deployment
Stuff to Have
Sysmon Cheat Sheet
PowerShell script to show table retention
Sentinel-Queries/Identity-MFARegistrationfollowedbySSPR.kql at main · reprise99/Sentinel-Queries · GitHub
Microsoft Sentinel Central Workbook v2.0
Azure-Sentinel/Solutions/IoTOTThreatMonitoringwithDefenderforIoT at master · Azure/Azure-Sentinel · GitHub
Sentinel-Queries/OfficeActivity-GuestDomainsHighestDownloads.txt at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/IP-LabelDowngradeThenEmail.kql at main · reprise99/Sentinel-Queries · GitHub
aad-app-credential-tools/azuread-application-credential-assessment-sentinel-guide.md at main · microsoft/aad-app-credential-tools · GitHub
Pre-Release: RiskIQ, Sentinel Incident Explorer, Kusto and MS Defender
Sentinel-Queries/SecurityEvent-VisualizeAccountsCreatedDisabledDeleted.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Device-DetectFirstTimeTeamviewerUsage.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Audit-BitLockerKeyRetrieved.kql at main · reprise99/Sentinel-Queries · GitHub
Stuff to Attend
Recordings | Security Community Webinars - Microsoft Tech Community
New and Updated Stuff
Connect Microsoft Sentinel to Amazon Web Services (AWS) to ingest service log data | Microsoft Docs
Announcing the Microsoft Sentinel: Microsoft Insider Risk Management Solution - Microsoft Tech Community
Microsoft Sentinel Network Session normalization schema reference (Public preview) | Microsoft Docs
Related Stuff
Detecting Office365 Azure AD Environment Backdoors
Interacting with Key Vault from Logic Apps securely – 365 by Thijs
What's the difference between Azure AD Graph, Azure Resource Graph and Microsoft Graph?
Partner Stuff
Microsoft Sentinel benefit for Microsoft 365 E5 customers
Arista Joins Microsoft Intelligent Security Association for Integration with Microsoft Azure Sentinel to Help Improve Customer Security
News Stuff
Iranian targeting of IT sector on the rise - Microsoft Security Blog
Microsoft unpacks comprehensive security at Gartner and Forrester virtual events - Microsoft Security Blog
How Open Systems uses Microsoft tools to improve security maturity - Microsoft Security Blog
SOC Prime Delivers One-Click Threat Hunting Capabilities with Quick Hunt Module | Business Wire
Rod Trent

The Microsoft Sentinel weekly newsletter helps uncover the new and important features and news for Microsoft's cloud-based SIEM+SOAR security tool.
