
Microsoft Sentinel this Week - Issue #52

By Rod Trent • Issue #52 • View online
Hi, all! Welcome to the weekly newsletter. And, welcome to all the new subscribers this week! For whatever reason, we had an even larger new subscriber week. Hey, I’m not complaining. The more the merrier.
This week, there are a couple of things I’d like to mention before leaving you with the week’s newsletter content.
First off, we have a new survey available where you can supply your feedback. This one is around using more automation to help with investigation and incident workflow. The survey won’t take much of your time, but the results could be far reaching. So, if you have time, please supply your feedback:
Sentinel Incident Workflow survey
Today, Microsoft Sentinel Automation rules and Playbooks can help automate the incident handling process and run some tasks on-demand. We have heard from customers that this doesn’t quite solve the “incident workflow” problem completely. We are looking to better solve this, end-to-end, and are open to creating new features to accomplish this. To scope the effort, we would love to hear from our customers.
Secondly, I don’t know if you caught it this week, but we have a new SC-series exam coming: SC-100: Microsoft Cybersecurity Architect.
Skills measured
  • Design a Zero Trust strategy and architecture (30–35%)
  • Evaluate Governance Risk Compliance (GRC) technical strategies and security operations strategies (20–25%)
  • Design security for infrastructure (20–25%)
  • Design a strategy for data and applications (20–25%)
The exam is supposed to drop in beta in April, and once you pass it along with one of the other security-focused exams (SC-200, SC-300, AZ-500, or MS-500), you level up to Microsoft Certified: Cybersecurity Architect Expert.
I’m really looking forward to this exam. To hear more and keep tabs on when it officially releases, see:
Lastly…I think it’s worth trumpeting that I delivered the 500th assessment certificate for the Must Learn KQL learning series this week! That’s a major accomplishment and something I didn’t expect. The series was completed and the assessment made available only a couple of weeks ago. Congratulations to all who have completed the series and passed the assessment!
Part of my daily workload now is to deliver certificates each morning, and the flow has been steady. If you’re still trying to get started with KQL and haven’t heard of this series yet, check out:
For those working through the training and getting ready to take the assessment - I have a certificate with your name on it!
That’s it from me for this week. Have a wonderful weekend all!
Talk soon.

Stuff to Read
Cyber threat intelligence in Microsoft Sentinel - Azure Example Scenarios | Microsoft Docs
How to spot time-series issues in real-time with Anomaly Detection - Microsoft Tech Community
Automate Sentinel integration with Azure DevOps - Azure Example Scenarios | Microsoft Docs
Stuff to Watch/Listen To
Understanding Azure Sentinel + KQL | Matt Zorich on Cloud Conversations | Ep 43
9. MustLearnKQL: The Take/Limit Operator
Stuff to Attend
SOC Analyst Training Webinar - Azure Sentinel & KQL
CEE Cybersecurity Forum
Stuff That's New or Updated
Create a large watchlist from file in Azure Storage (public preview)
What’s new: Unified Microsoft SIEM and XDR GitHub Community - Microsoft Tech Community
Microsoft Sentinel Support for Ingestion-Time Data Transformations - Microsoft Tech Community
Stuff That's Related
Using Query results cache in Azure Data Explorer (aka Kusto) from Power BI - Microsoft Tech Community
Operations Task Management for Azure Alerts
Detecting Kerberos Relaying Attacks | by Mehmet Ergene | Feb, 2022 | Medium
SC-100 Study Guide: Microsoft Cybersecurity Architect - CHARBEL NEMNOM - MVP | MCT | CCSP - Cloud & CyberSecurity
Stuff from Partners
Comments on Microsoft Sentinel in Q2-2022 Report - Seculyze
Stuff to Have
Microsoft Sentinel Transformations Library
Sentinel-Queries/Identity-PotentialMFASpam.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/IdentityLogonEvents-SummarizeNTLM.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Vuln-KnownExploitableVuln.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Device-NewASREvents.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/EmailEvents-PotentialNewSpammer.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-SummarizeMFATop20Apps.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Device-SSHTrafficOnNonStandardPort.kql at main · reprise99/Sentinel-Queries · GitHub
Rod Trent

The Microsoft Sentinel weekly newsletter helps uncover the new and important features and news for Microsoft's cloud-based SIEM+SOAR security tool.