
Microsoft Sentinel this Week - Issue #62

By Rod Trent • Issue #62
Happy Friday all!
Welcome to the 62nd issue of our fine Microsoft Sentinel newsletter. There’s lots of great content this week (as usual, some would say) and only a couple of additional things to highlight.
First off, of all places, I’m driving to Ft. Wayne, Indiana on Saturday. I’ll be driving 3 hours to make my session time for BSides Security Ft. Wayne. This is an annual security conference held at Sweetwater Sound. If you’re not familiar, Sweetwater is one of the largest music equipment distributors in the US. I’ve never been there before, but my youngest son (the drummer in the band Urbania) loves the place and visits a couple of times a year.
So, I’m really looking forward to talking about SOC Efficiency with this group. Wish me luck!
And if you happen to be attending this thing, let me know.
Due to the 3-hour drive each way, I probably won’t be hanging around for too long after I deliver my session.
And even if you can’t join in-person, you can join virtually:
Live Stream:
We have a YAMS (Yet Another Microsoft Survey) this week. Help us help you!
Feedback for Microsoft Sentinel Tutorials
The Microsoft Sentinel engineering team is looking to improve and expand the list of Microsoft Sentinel tutorials that you can find under the Tutorials section (see the picture in the first question). The tutorials are created to help customers who are either at the initial steps of their Microsoft Sentinel deployments, or expanding them, and who are looking for guidance on securing their most important scenarios.
Respond here:
Before leaving you to the newsletter content, I have one more big note.
The Must Learn KQL learning series is an unequivocal success, but more needs to be done. I outlined in a recent post the number of completion certificates I’ve handed out already, and while that number is wonderful, more people need to get the message of how important learning KQL really is.
So, the Must Learn KQL book is now available on Amazon!
Kindle version:
This gives it a much wider audience, and like everything that’s part of this learning series, any and all profit goes directly to St. Jude Children’s Research Hospital.
I owned and sold an eBook publishing company (NetImpress) way back in 2004-2005, before even Amazon had concocted its own eBook production methods. It was revolutionary at the time, and most of what our company did had to be invented. And while many of the things I learned through NetImpress are still valid and useful today, there are many aspects that have changed or just didn’t exist then. Developing and delivering the Must Learn KQL series has been a pioneering experience in all the nuances of producing a learning series in this manner, and I suspect others will take notice and begin duplicating my efforts.
There are some other things to tweak, but I do know that I’ll be doing it again with another series in the very near future. Stay tuned.
That’s it for now. Have a wonderful weekend and week ahead.
Talk soon.

Stuff to Read
Use Sentinel Basic and Archive logs | by Koos Goossens | Wortell | May, 2022 | Medium
Azure KQL – Time After Time – Yet Another Security Blog
Microsoft Sentinel–Automations do not run | Marcelo Sincic [MVP]
Automating bulk onboarding of Azure IaaS and PaaS resources into Microsoft Sentinel - Microsoft Tech Community
Hunting Service Principal with Microsoft Sentinel
Part-2: Malicious traffic in Sentinel
Similar incidents (preview)
Stuff to Watch/Listen To
Microsoft Security Insights Show Ep. 98 - microsoftsecurityinsights on Twitch
Episode 22: Managing Microsoft Sentinel Table Plans and Retention and Archiving Policies
Microsoft Sentinel: NIST SP 800-53 Solution | Demo
Government of Nunavut comes back stronger after ransomware attack with Microsoft security solutions
Stuff to Attend
Microsoft Sentinel: Live Webinar
Collaboration & Automation: Building an analyst force multiplier
Stuff That's New or Updated
What's new: Similar incidents in Microsoft Sentinel - Microsoft Tech Community
Microsoft Sentinel: NIST SP 800-53 Solution - Microsoft Tech Community
Announcing the Microsoft Sentinel: NIST SP 800-53 Solution - Microsoft Tech Community
Stuff That's Related
Must Learn KQL Now Available from Amazon - Azure Cloud & AI Domain Blog
Sentinel vs Advanced Hunting
Use LightIngest to ingest data into Azure Data Explorer. | Microsoft Docs
Simplified Log Analytics Table Management - Microsoft Tech Community
Stuff from Partners
Kocho unveils Managed XDR service, empowering clients to detect and respond to complex cyber threats
Canberra security ISV ArchTIS gets NC Protect platform on Microsoft Azure Marketplace - Security - CRN Australia
Stuff to Have
Sentinel-Queries/DCA-FindNewEvents.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/DCA-PotentialConsentPhishing.kql at main · reprise99/Sentinel-Queries · GitHub
SentinelKQL/WatchListAudit.txt at master · rod-trent/SentinelKQL · GitHub
Sentinel-Queries/Identity-LegacyAuthPivotTable.kql at main · reprise99/Sentinel-Queries · GitHub
Sentinel-Queries/Identity-AppsWithMoreGuests.kql at main · reprise99/Sentinel-Queries · GitHub
Rod Trent

The Microsoft Sentinel weekly newsletter helps uncover the new and important features and news for Microsoft's cloud-based SIEM+SOAR security tool.
