The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

The Azure Sentinel product group continues to crank out new Data Connector after new Data Connector. There is a significant goal to provide as many customer requested Data Connectors as possible and I hope you've seen the mighty effort in place toward this goal. There's new Data Connectors available constantly. The Data Connector is intended … Continue reading The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting →

Microsoft Intune and Log Analytics Integration

The ability to leverage your data for rich analytics, alerting and automated response is a powerful capability and useful in many environments. Intune data is no different. Use the integration between Intune data and Log Analytics in Azure to develop rich queries to pinpoint the exact data of interest, built alerting around relevant findings and … Continue reading Microsoft Intune and Log Analytics Integration →

Flowing gMSA accounts into MIM Portal

The purpose for this document is to guide someone through adding Group Managed Service Accounts (gMSA) into the MIM Portal. At my customer, we have started utilizing gMSA’s more and more as opposed to regular service accounts. With increased usage this means that gMSA’s are showing up as members of various Security Groups. Anyone who … Continue reading Flowing gMSA accounts into MIM Portal →

An Azure Sentinel GitHub Reorg and a Playbook to Auto-close MCAS Alerts

I hear from customers quite a bit that it's hard to identify what's new for Azure Sentinel -- both in new console features and in additional GitHub repository collateral. Personally, I use the RSS feed to monitor what's new. And, you can too. Load the following up in your favorite RSS reader... Azure Sentinel GitHub … Continue reading An Azure Sentinel GitHub Reorg and a Playbook to Auto-close MCAS Alerts →

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

I noted recently how powerful and valuable Microsoft Cloud App Security (MCAS) is, but also how noisy it can make the Azure Sentinel console unless the MCAS policies are tuned correctly. See: Tuning the Noise Out of MCAS for Azure Sentinel That post struck a chord with a number of people. So, I thought I'd … Continue reading Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation →

Tuning the Noise Out of MCAS for Azure Sentinel

It's funny, the first question out of my mouth when a customer asks for help tuning the noise for Azure Sentinel is: "Is your noisiest connection MCAS, by any chance?" 95% of the responses are a resounding: "Yes" Most customers think that it's Azure Sentinel's problem, but it's not. It's actually a tuning issue for … Continue reading Tuning the Noise Out of MCAS for Azure Sentinel →

SOC Prime Extends Its Azure Sentinel Promotion Until the End of 2021

In November of 2020, Ofer posted about a cool offer from SOC Prime that enabled Azure Sentinel customers to take advantage of free content including Rule Packs and Playbooks. SOC Prime has now extended the offer to the end of 2021. This is an awesome opportunity to connect your Azure Sentinel environment to the SOC … Continue reading SOC Prime Extends Its Azure Sentinel Promotion Until the End of 2021 →

Follow-up: Microsoft Tech Talks Practical Sentinel: A Day in the Life of a Sentinel Analyst

We delivered a Microsoft Tech Talk on Azure Sentinel on Friday, February 12, 2021. Thanks so much for all those that registered and attended. Due to policy, there is no replay for this, but we're talking now about turning this in a continuing series for Azure Sentinel. So stay tuned for that. That said, the … Continue reading Follow-up: Microsoft Tech Talks Practical Sentinel: A Day in the Life of a Sentinel Analyst →

New Search Capability for Azure Sentinel Incidents

New improved search capability for the Azure Sentinel Incidents blade is rolling out. Better search Originally, you could only search through the list of available Incidents by ID or title. With this improved capability, you can now search for ID, title, tags, owner, and product name. This capability is continuing to rollout. If you don't … Continue reading New Search Capability for Azure Sentinel Incidents →

Changes in How Running Hunting Queries Works in Azure Sentinel

Unless you're in the Azure Sentinel console every single day talking about all existing features with customers like I am, you may have missed a slight change in the UI and in operation. Up until a short while ago, when you went into the Hunting blade in the Azure Sentinel console and clicked the "Run … Continue reading Changes in How Running Hunting Queries Works in Azure Sentinel →