Microsoft Sentinel this Week - Issue #41
By Rod Trent • Issue #41
Well, well. Here we are once again for our weekly Microsoft Sentinel check-in. Who would’ve thought that we’d be 41 weeks into this newsletter and it would be such a success? Isn’t this awesome! It was started on a whim, in response to customer requests for a way to stay abreast of Microsoft Sentinel updates and happenings, and here we are all together once again.
It reminds me somewhat of the movie The Postman. If you’re not familiar, in a post-apocalyptic America the lead character, played by Kevin Costner, picks up an errant mailbag and begins to put the world back together again by resurrecting the old Pony Express. I’m not saying this newsletter is in any way that monumental, but with our community numbers growing so rapidly, it has had a direct impact on Microsoft Sentinel.
I have to say, though, the most successful things I’ve done in my life and career have been unintended, so this is really not a rarity for me, nor is it entirely unexpected. It is, however, a true blessing.
I think about those things this time of year. Thinking about who I’ve lost, what I’ve gained, and where to focus my thankfulness. As the year comes to a close, I want to thank all of you for being here. And, I hope that you’ll stick around for more.
With that, as has become commonplace, there are a few extra items to highlight this week.
First, it’s worth noting that as of midnight December 1st, the updated Microsoft Sentinel Offer is now officially live. This is an amazing offer where E5, A5, and G5 customers get lots more for lots less. Here are a couple of resources to look through:
Secondly, the product team is working on the next updates for the Teams integration with Microsoft Sentinel and would like your feedback to help.
To make incident mitigation and cross-team collaboration easier, we developed an integration between Microsoft Teams and Microsoft Sentinel. The integration includes the ability to create a team in Teams for chosen incidents with automatic addition of users/groups. The key use case is a dedicated “war room” for central communication and coordination, and a dedicated conference bridge for high-severity ongoing incidents. The team includes the incident page in Sentinel as a web page tab. The team is archived when the incident is closed.
We would like to ask for your feedback and thoughts to help us identify the most crucial missing capabilities. 
Please complete this survey before December 10, 2021: https://cda.ms/3mt
And, lastly, a couple of community folks - both are MVPs, I believe - are starting up a podcast specifically for KQL. All the details, including how to follow and find the podcast, are available on the podcast website: https://cda.ms/3mv
P.S. I may show up as a guest sometime in the new year.
Thanks again, everyone, for your engagement and participation in this community. This community extends far beyond this mailbag newsletter, and I appreciate each and every one of you who reaches out, connects, asks questions, offers thanks, offers assistance, and everything else. You are a true community.
As a last note, I mentioned in our sister publication, the Microsoft Defender for Cloud Wrap bi-weekly newsletter, that because operations at Microsoft are beginning to pause and I need to take the remainder of my personal time off, I’ll be out of the office soon for the rest of the year. With that, this will be the last newsletter delivery for the year. Yes, I’m sad about that, too. But until then you can still find any content and feature updates talked about in the #MicrosoftSentinel hashtag on Twitter or in the Microsoft Sentinel community on LinkedIn.
I hope you all have a wonderful holiday season and a Happy New Year. You all have made me truly blessed and thank you for allowing me some small part in your life.
Talk soon.
-Rod

Stuff to Read
Must Learn KQL Part 5: Turn Search into Workflow – Azure Cloud & AI Domain Blog
Must Learn KQL Part 6: Interface Intimacy – Azure Cloud & AI Domain Blog
Using Logic Apps and Microsoft Sentinel to alert on expiring Azure AD Secrets | Microsoft Sentinel 101
Quick Tip: Monitoring Log Analytics Issues for Microsoft Sentinel – Azure Cloud & AI Domain Blog
Manage Security Content as Code with Microsoft Sentinel - CHARBEL NEMNOM - MVP | MCT | CCSP - Cloud & CyberSecurity
How to Monitor When the Microsoft Sentinel Trial Expires – Azure Cloud & AI Domain Blog
Create an alert with custom entity mapping using Microsoft Sentinel REST API -Notes of Azure Security + Governance
Using the Microsoft Sentinel Cost Workbook – Azure Cloud & AI Domain Blog
Protect Teams with Microsoft Sentinel - Part 4 | Thoor.tech
How to build Azure Log Analytics URL with KQL Query?
Stuff to Watch/Listen To
Mastering Automation with Microsoft Sentinel (SOAR)
Integrating Microsoft Defender with Microsoft Sentinel
Stuff to Have
GitHub - sreedharande/Microsoft-Sentinel-As-A-Code: Export Microsoft Sentinel artifacts like Analytical Rules, Hunting Queries, Workbooks in order to support new feature Repositories CI/CD Pipeline
MSTICPy Lab
GitHub - reprise99/Sentinel-Queries: Collection of KQL queries
Sentinel-Queries/Device-FindUsersWhoClickedonPhishing.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/SecurityAlert-FindUsersWhoSigninfromMaliciousIPs.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-VisualizeMFAMethods.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Device-FindDevicesNoLongerSendingEvents.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Device-DetectRDPRecon.kql at main · reprise99/Sentinel-Queries · GitHub
Stuff to Attend
MSTICPy Hackathon - January 2022 - Microsoft Tech Community
Stephen Leuthold on LinkedIn: 🙉 HASMUG 🔒 Security Edition... Less than two weeks away and space
Webinar: Defending your cloud against AD FS attacks - Microsoft Tech Community
Stuff That's New or Updated
Three New MITRE ATT&CK Tactics to Use for Microsoft Sentinel Hunting and Analytics Rules – Azure Cloud & AI Domain Blog
MSTICPY v1.5.0 Release RiskIQ, Sentinel Incident Explorer, Kusto and MS Defender · microsoft/msticpy · GitHub
Stuff That's Related
Microsoft Security Best Practices module: Security operations | Microsoft Docs
PECmd - Windows Prefetch Analysis For Incident Responders
Lateral Movement with Managed Identities of Azure Virtual Machines | Microsoft 365 Security
Deep Dive on Azure Active Directory Identity Protection - Microsoft Tech Community
Choosing the right SOC tools
Sysmon vs Microsoft Defender for Endpoint, MDE Internals 0x01 | by Olaf Hartong | FalconForce | Oct, 2021 | Medium
Stuff About Partners
Azure Sentinel Online Training Course | InfosecTrain
TD SYNNEX Launches New Global Security, Data and IoT Click-to-Run™ Solutions
How Red Canary and Microsoft can help reduce your alert fatigue - Microsoft Security Blog
Stuff from the News
Behind the unprecedented effort to protect customers against the NOBELIUM nation-state attack - Microsoft Security Blog
The Microsoft Sentinel weekly newsletter helps uncover the new and important features and news for Microsoft's cloud-based SIEM+SOAR security tool.