Microsoft Sentinel this Week - Issue #43



Subscribe to our newsletter

By subscribing, you agree with Revue’s Terms of Service and Privacy Policy and understand that Microsoft Sentinel this Week will receive your email address.

Microsoft Sentinel this Week
Microsoft Sentinel this Week - Issue #43
By Rod Trent • Issue #43 • View online
Happy new year, everyone!
It’s great to be back. After the holiday hiatus, we’re ready to head deep into 2022 with lots of Microsoft Sentinel goodness. I hope all of you are ready for it.
I also hope - for those that celebrate during the holiday season - that you had time to rest and reflect and that you had the opportunity to enjoy family and friends.
The holiday season can be a busy time. It was for us as we scrambled to make sure all of our family’s schedules aligned. But, despite the busyness, we somehow found a way to all be together and enjoy the togetherness. The older my kids get, the harder it is to get all of them together under the same roof. So, this time of year is extra special to me.
I spent the last part of my time off with my best friend who is a chiropractor that lives in Ohio Amish country. So, the last week of my vacation was glorious. The Amish way of life is very different than ours. It’s a much slower life. And the Internet connection is horrible - which lends itself to many more quiet moments than you wish for.
All-in-all it was fantastic for us.
I want to highlight a few things before handing you off to the newsletter content - which is massive considering it’s been about a month since we’ve all been together.
First off, unless you’ve been living under a rock, you should know about the Must Learn KQL series. This is a series that I started in November to help our customers learn the query language. It started as a blog series, then turned into an eBook, and now I’ve heard from someone enjoying the series that they are going to take it and turn it into a video series. That is super awesome! The more folks can become comfortable with this simple query language, the more comfortable they will be using anything data-centric in Azure. It’s a very strategic skill.
But, beyond the engagement around the series, I’m happy to say - shocked even - that the effort is seeing real dividends. The series has exploded in popularity and has become more successful than I imagined. Based on a recent poll, many of you are planning to learn KQL as part of a New Year’s resolution. Please, please, please - I entreat that if you know someone that needs to learn this query language, send them the information on how to get started.
Must Learn KQL series:
Additionally, I opened a merch store for the series where all proceeds go to St. Jude Children’s Research Hospital. I’ll admit, the coffee/tea mugs that are available for purchase are absolutely over-priced, but they’re high quality and your purchase supports a very worthy cause.
Must Learn KQL merch store:
A week or so ago, I updated the Microsoft Sentinel community resources list and the known available books list. For those wanting that want to get deeper engaged this year, here’s those updated links:
Microsoft Sentinel Community resources:
Books for Microsoft Sentinel:
Lastly, as a bit of levity - with every rebranding that Microsoft does, there’s a lot more to it than just choosing a name and sticking the new name on a blog or doc somewhere and forcing our customers to start using it. You’ll be happy to know that Microsoft submitted for an official trademark for Microsoft Sentinel in mid-December.
Whew! I’m crossing my fingers that it passes.
With that, I’ll leave you to this week’s massive newsletter content.
Talk soon.

Stuff to Read
Must Learn KQL Part 11: The Summarize Operator – Azure Cloud & AI Domain Blog
Parameterized functions in Azure Log Analytics
Cloud Service Provider Access to Microsoft Sentinel Content Hub – Azure Cloud & AI Domain Blog
Logging User Access Admin elevations to Microsoft Sentinel – Adriaans ramblings
Updated Log4j Microsoft Sentinel Solution Requires Manual Updating – Azure Cloud & AI Domain Blog
Set up Microsoft Sentinel as a single pane of glass for Microsoft 365 alerts
Detecting privilege escalation with Azure AD service principals in Microsoft Sentinel – Microsoft Sentinel 101
Configuring table level retention in Microsoft Sentinel - Microsoft 365 Security for IT Pros
Integrating Canary Tokens with Microsoft Sentinel
Forward On-Premises Windows Security Event Logs to Microsoft Sentinel - Microsoft Tech Community
Add Hunting Queries (for Log4Shell) faster to Microsoft Sentinel |
Ollie, your personal Microsoft Sentinel assistant | The Collective
Bulk upload Log4Shell IoC to Microsoft Sentinel Threat Intelligence -Notes of Azure Security + Governance
Building SOC Efficiency with Microsoft Sentinel – Azure Cloud & AI Domain Blog
Enabling the Log4j Vulnerability Exploit Analytics Rule for Microsoft Sentinel – Azure Cloud & AI Domain Blog
Enabling the Network Security Groups Connector for Microsoft Sentinel – Azure Cloud & AI Domain Blog
FalconFriday —Monitoring for public shares — 0xFF1A | by Jos van der Peet | FalconForce | Dec, 2021 | Medium
Microsoft Sentinel and the power of functions | Microsoft Sentinel 101
Why Microsoft Sentinel should be your first choice for a SIEM  - Atech
Dastardly Detection of DirSync Deleted Groups
Microsoft Sentinel Jupyter Notebooks knowledge check test - Microsoft Tech Community
ServiceNow Integration (part 1)
ServiceNow Integration (part 2)
Stuff to Watch/Listen To
AzureFunBytes Episode 64 - Building SOC Efficiency with @Azure Sentinel with @rodtrent
Azure Sentinel: How to deploy a SOC service in seconds - Drew Perry
KQL - The Next Query Language You Need to Learn | Data Exposed: MVP Edition - Microsoft Tech Community
Microsoft Sentinel Best Practice for Admin Users
Learning with the Microsoft Sentinel Training Lab - Microsoft Sentinel in the Field #2
Hunt for Log4Shell with Azure Sentinel, the fastest way, find obfuscations
Stuff to Have
Sentinel-Queries/Identity-ManagedIdentityAccessingNewResources.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/SecurityIncident-DaysSinceLastIncident.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/OfficeActivity-DetectFullMailboxAccess.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-playground/Update-DetectionRules.ps1 at main · SecureHats/Sentinel-playground · GitHub
GitHub - mdecrevoisier/Windows-auditing-mindmap: Set of Mindmaps providing a detailed overview of the different #Windows auditing capacities and event log files.
Sentinel-Queries/Identity-ServicePrincipalSigninsbyIP.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Azure-ServicePrincipalAddedtoAzure.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-VisualizeGuestRedemptionswithTrend.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-InactivePrivilegedUsers.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Device-ASRAudit.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-MFAPercentageperapp.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Device-VisualizeOSBuildspermonth.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-ServicePrincipalSigninfromnewIP.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/SecurityAlert-DefenderforIDRecon.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-VisualizeMFAChallengevsPreviouslySatisfied.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Bastion-AuditUsage.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/OfficeActivity-DetectNewExchangeAdminRole.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-YourUsersSigningIntoOtherTenantsAsGuests.kql at main · reprise99/Sentinel-Queries · GitHub
Microsoft Sentinel Log4j Ubiquiti Analytic Rule
Sentinel-Queries/OfficeActivity-NewTeamsAppInstalled.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/SecurityAlert-FindSigninsforAnomalousToken.kql at main · reprise99/Sentinel-Queries · GitHub
Kusto-Query-Language-KQL-/Log4j_Threat_Hunting at main · AdarshPandey-dev/Kusto-Query-Language-KQL- · GitHub
Sentinel-Queries/IdentityDirectoryEvents-EncryptionChange.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/SecurityAlert-RetrieveEmailforSuspiciousEmailPatterns.kql at main · reprise99/Sentinel-Queries · GitHub
Stuff to Attend
Microsoft Tech Talks - Microsoft Sentinel 101 - what's new, aside from the name! (MTT0AEDT)
MYTHIC Webinar - Sign up
Stuff That's New or Updated
Build and monitor Zero Trust (TIC 3.0) security architectures with Microsoft Sentinel | Microsoft Docs
What’s New: Detecting Apache Log4j vulnerabilities with Microsoft Sentinel - Microsoft Tech Community
Advanced KQL Framework Workbook - Empowering you to become KQL-savvy - Microsoft Tech Community
Stuff That's Related
Leveraging the Power of KQL in Incident Response - Microsoft Tech Community
An Adaptive Security Strategy Is Critical for Stopping Advanced Attacks
Stuff from Partners
Azure Sentinel deployment | Adatis
No-Code Security Automation Funding: ContraForce Raises $2 Million - MSSP Alert
Cyber Risk Aware’s Security Behaviour Change Training Platform Now Available in the Microsoft Azure Marketplace - Cyber Risk Aware
Introducing Senserva's open-source toolkit - Senserva
Wipro Deepens Microsoft Cybersecurity Expertise -
Stuff from the News
Google Cloud acquires SOAR provider Siemplify for a reported $500 million | SC Media
Microsoft Sentinel Launches New Log4j Vulnerability Solution In Public Preview
Hunt for Log4Shell with Azure Sentinel, the fastest way, find obfuscations
Did you enjoy this issue?
Rod Trent

The Microsoft Sentinel weekly newsletter helps uncover the new and important features and news for Microsoft's cloud-based SIEM+SOAR security tool.

In order to unsubscribe, click here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue