Microsoft Sentinel this Week - Issue #71




Microsoft Sentinel this Week
By Rod Trent • Issue #71 • View online
It's Friday again and at least one thing holds true today like every week - the newsletter is on the wires.
My wife and my youngest daughter are on their annual girls' trip to the Upper Peninsula (UP) this week, which means a couple of things:
  1. I miss them dearly and have come to the conclusion that everything I do is centered around them.
  2. I’ve been working way too much. With no one in the house except for the dog and myself, there’s no reason to shut down for the day.
  3. Due to the stress of missing them and burning the midnight hours, I’ve not slept really well. I’m tired.
I can't wait for them to return so everything can get back to normal.
This week we have another couple YAMS (Yet Another Microsoft Survey) for you. Has YAMS as an acronym caught on yet? Hmmm…I wonder.
First off, for planning purposes it would be great to get a feeling of your usage of ADX for Sentinel storage.
Planning Feedback: Understanding ADX Usage
If you have data stored in Azure Data Explorer (ADX), we would like to understand your use cases and feedback when it comes to querying data from ADX. This helps us understand your ADX usage and plan the future ADX capabilities with Microsoft Sentinel.
Secondly - and I know this is a big one for a lot of organizations - we'd love to get your feedback on the RBAC requirements for Microsoft Sentinel.
Microsoft Sentinel RBAC Requirements
We are looking to learn more about your experience with the existing Role-Based Access Control (RBAC) capabilities and explore opportunities for improvement. Please share any of your requirements for role or attribute-based access control (R/ABAC) for configuring your Sentinel workspaces, or accessing any of the content (Analytics, Watchlists, Automation Rules, etc.) within it.
And, lastly (yes, there’s one more!) …
Survey on Resiliency and BCDR Options for Microsoft Sentinel
SIEMs are deemed to be mission critical systems that are essential in ensuring that the SOC remains operational in the event of any disruption. While the cloud provides inherent resiliency benefits, and the Microsoft Sentinel service is designed with internal resiliency and failover mechanisms, some Enterprises have expressed a desire to have additional Business Continuity and Disaster Recovery (BCDR) capabilities to increase resiliency.
Given that Enterprises have varying BCDR objectives and have to strike a balance between (residual) risk, deployment complexity and cost, we would like to gather your feedback on what BCDR means to you, what is lacking, and how we can do better.
Among the myriad of cool things that the Must Learn KQL series has birthed, there's now also a Community Discussion board available. So, in addition to chatting with me for KQL questions on Twitter and LinkedIn, you can now also hit up the Must Learn KQL community.
Well, that's it for me this week. I'd say I was looking forward to the weekend, but that still means there are 3 days left before my wife comes home. I'll make it. I'm sure of it.
Talk soon.

Stuff to Read
Quick Microsoft Sentinel schema and data lookup
Stuff to Watch/Listen To
Microsoft Sentinel Fusion: New Detection Capabilities & Features Explained
Log Analytics | KQL Queries | Intune Audit Operational Logs
Stuff That's Related
Must Learn KQL for SC-200 · Discussion
Must Learn KQL Q&A: How do I make the join between two tables with different fields between them?
Creating custom Azure alerts from Log Analytics: the Kusto query - Catapult - a Quisitive Company
The Open Cloud Vulnerability & Security Issue Database
Stuff in the News
How Microsoft Security partners are helping customers do more with less - Microsoft Security Blog
Stuff to Have
GitHub - Intellisec-Solutions/Microsoft-Sentinel-SIGMA-Rules-Workbook
IBM iSeries SYSLOG SIEM conversion and forwarding tool
GitHub - reversinglabs/iconburst-iocs: IOCs and detections for the IconBurst NPM software supply chain attack
KQL_Intune/Operational-ShowIntuneEnrollmentNotSupportedDevices.kql at main · ugurkocde/KQL_Intune · GitHub
KQL_Intune/Device-ListofDevicesThatAreNotBitlockerEncrypted.kql at main · ugurkocde/KQL_Intune · GitHub
KQL_Intune/Device-NumberOfDevicesAndManufacturers.kql at main · ugurkocde/KQL_Intune · GitHub
KQL_Intune/Device-DevicesAndPrimaryUser.kql at main · ugurkocde/KQL_Intune · GitHub
Rod Trent

The Microsoft Sentinel weekly newsletter helps uncover the new and important features and news for Microsoft's cloud-based SIEM+SOAR security tool.
