Microsoft Sentinel this Week - Issue #60

By Rod Trent • Issue #60
Happy Friday all!
I’m out and about this week at an in-person conference at the Mall of America in Bloomington, MN. It’s been a fantastic week talking about Defender for Cloud and Microsoft Sentinel to a group of folks that aren’t normally focused on security. There’s real interest in how Microsoft security offerings can bolster a career and can be integrated with current workloads without overwhelming.
I’ll have more to share about this week’s experiences in next week’s newsletter.
We have a couple of new surveys this week that I know are of interest to a large number of people.
For the first one, I recently published a Playbook template for sending a daily email of Sentinel Incidents that a lot of you found useful. We’re trying to simplify this capability because it is so popular and valuable.
From the product team:
Today, emails can be sent automatically when incidents and alerts are created using playbooks. There are ready-to-use playbook templates, which leverage the Outlook Logic Apps connector.
Using playbooks for sending emails has great benefits: it allows full customization of the email message and advanced capabilities such as approvals. On the other hand, we hear about customer challenges with this method.
We are looking to allow customers to easily send emails by Automation Rules. We are seeking to learn about real-life email scenarios to make sure we design the feature to fit your needs.
We appreciate your feedback on our form. We are committed to reviewing every data point in detail and we will get back to you if we have questions. Please note that in some cases, platform limitations prevent us from developing an integration. Also, we may have limited resources, so not every request will be prioritized.
Participate in the following survey: Send email from automation rules
The second one is focused on Microsoft Sentinel Fusion.
Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Microsoft Sentinel generates incidents that would otherwise be difficult to catch. These incidents comprise two or more alerts or activities. By design, these incidents are low-volume, high-fidelity, and high-severity.
As we continue to expand the Fusion coverage to help you detect emerging and advanced attacks, and improve the experiences to help you speed up the investigation, we’d like to learn more from you. In this survey, we’d like to get your perspectives on:
  • Fusion detection
  • Customization/configuration options for Fusion
You can participate in this one here: Microsoft Sentinel Fusion Survey
Lastly, I had awesome discussions with customers this week. Delivering Microsoft Sentinel sessions to a group of folks who have zero knowledge of the product was absolutely rewarding. I could see lightbulbs go off as I was describing the features and value. One individual - experienced with “other” SIEMs who is now sold on Sentinel - invented a new tagline which has now been turned into a T-shirt.
I present, the “My SOC Doesn’t SUC” T-shirt:
All proceeds go to St. Jude.
That’s it for me for this week. It’s time to pack up and head home.
Talk soon.

Stuff to Read
Transferring Microsoft Sentinel scheduled alert rules between different workspaces using PowerShell - Microsoft Tech Community
PowerShell Hunting with Microsoft Sentinel
Get the number of MS Sentinel rules looking at tables (approximately) – Yet Another Security Blog
Microsoft Sentinel Watchlist for Verifying First-party Microsoft Applications in Sign-in reports - Azure Cloud & AI Domain Blog
Better Accessibility for the Vision Impaired in Microsoft Sentinel - Azure Cloud & AI Domain Blog
Microsoft Sentinel and Sysmon 4 Blue Teamers
The definitive guide to Microsoft Sentinel: Everything you need to know to get started with Microsoft’s cloud SIEM
Stuff to Watch/Listen To
Unleash the Power of Analytics to Strengthen Your SOC Against Threats | Microsoft Sentinel Webinar
Stuff That's New or Updated
Export Microsoft Sentinel Playbooks or Azure Logic Apps with Ease - Microsoft Tech Community
New watchlist actions available for watchlist automation using Microsoft Sentinel SOAR - Microsoft Tech Community
Stuff from Partners
Automating your Microsoft security suite with D3 XGEN SOAR - Microsoft Security Blog
Stuff to Have
Sentinel-Queries/SecurityEvent-AccountPreAuthChanges.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/DCA-PivotTableAdminActions.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Audit-DetectNewCrossTenantSetting.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/OfficeActivity-TeamsRoleChanges.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/EmailEvents-VisualizeDeliveryActions.kql at main · reprise99/Sentinel-Queries · GitHub
Rod Trent

The Microsoft Sentinel weekly newsletter helps uncover the new and important features and news for Microsoft's cloud-based SIEM+SOAR security tool.