Microsoft Sentinel this Week - Issue #58

By Rod Trent • Issue #58
Happy Friday everyone! Thanks to everyone that’s been here for a while and welcome to all the new subscribers this week.
Before getting into the content of the newsletter, there are a few things to highlight…
First off, we have a couple YAMS (yet another Microsoft survey). It’s getting near the end of the fiscal year at Microsoft, so expect a few more of these to filter through in the coming weeks as planning for product features and enhancements commences. Not that Sentinel isn’t already in a continual update cycle, just that there are some decision points that need to be made and we need your help to decide where to focus.
The first one is focused on the Out-of-the-box Content that Microsoft Sentinel provides.
Microsoft Sentinel provides 100+ Solutions, 190+ data connectors and thousands of individual content items (workbooks, playbooks, watchlists, hunting queries, analytics rules, etc.) available out of the box.
Your feedback will help us better understand the content that is most useful to you and will help your experience with the product. 
Survey link:
The second one is about the URL detonation feature.
Security operations center (SOC) analysts constantly face the challenge of determining where to focus. URL detonation in Microsoft Sentinel provides insights that can enable SOC analysts to triage alerts faster. For example, logs ingested by Microsoft Sentinel can contain URLs. For alerts that include a URL (e.g., a URL visited by a user from within the corporate network), that URL can be automatically detonated to gain added insight that can help accelerate the triage process.
We are looking to better understand how you utilize the URL detonation feature for your investigation efforts and how we can improve the capability.
Survey link:
Well, we made it. My colleagues and I kicked off the inaugural episode of the Microsoft Security Insights show on Microsoft Reactor Wednesday evening. The show was a good one. Some of you showed up for the live event and provided commentary and questions. I hope you enjoyed listening and watching.
For those that missed it, the replay is available now. With Matt Soseman as our guest, the conversation turned to the obvious topics of Zero Trust and Identity security. Each time I talk to Matt, I feel like I’m smarter afterward. And I know you’ll feel that way, too.
Catch the latest episode here:
And you can prepare now for our next Microsoft Reactor episode on May 25th when our good friend and Microsoft Sentinel PM, Jing Nghik will be on.
You can jump out and set a reminder to tune in here:
I have a few other things I wanted to chat about this week, but I’ll save that for next issue as I’m fighting through a head cold as I write this.
Have a great week, everyone!
Talk soon…

Stuff to Read
Incorrect creation time for incident creation in Microsoft Sentinel – 365 by Thijs
A Powerful Conditional Access Change Dashboard for Microsoft Sentinel – Daniel Chronlund Cloud Tech Blog
Sentinel as a purple team tool | Medium
Azure KQL: Access sub-columns using the bag_unpack plugin – Yet Another Security Blog
Intune Devices investigation with MDE & Microsoft Sentinel
Legacy & Cloud-Native SIEM
Use the bulk update feature with Microsoft Sentinel Watchlists - Microsoft Tech Community
Stuff to Watch/Listen To
Microsoft Security Insights Show Ep. 103
Stuff to Attend
Microsoft Security Summer Series Webinars
Azure Sentinel Online Training Course | InfosecTrain
KQL - Detections, Tue, Apr 26, 2022, 6:00 PM | Meetup
Stuff from Partners
Just Announced: MDR for OT now available on Azure Marketplace - Difenda
Stuff to Have
Sentinel-Queries/Identity-SummarizeOutboundGuestActivity.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-SummarizeAppUsageMonthonMonth.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Function-ADGroupChanges.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/DCA-RiskEventFollowedbyMailboxRuleChanges.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Device-DetectPotentialNetworkRecon.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-ConditionalAccessPivotTable.kql at main · reprise99/Sentinel-Queries · GitHub
Rod Trent

The Microsoft Sentinel weekly newsletter helps uncover the new and important features and news for Microsoft's cloud-based SIEM+SOAR security tool.
