Modernize Security for Efficiency and Scale Using Azure Sentinel from Microsoft

Recently, I let you know about an upcoming talk I'm giving about "How to Achieve SOC Operational Efficiency for Azure Sentinel Hunting." Check that out if it interests you. There may still be tickets available. It happens on Thursday, November 19, 2020. But, I now have another talk coming up even sooner. This one is …

How to Send Azure SQL Server Audit Logs to Azure Sentinel

Still in preview, you can send your Azure-based SQL Server Audit logs to the same Log Analytics workspace that is being used by Azure Sentinel. In many other services, you would enable a Diagnostic Setting to send the logs to Azure Sentinel. But, Azure SQL Server is a bit different so it's good to highlight. …

How to Be Notified When an Azure Sentinel Analytics Rule Has been Created or Modified

It may seem a bit anal (personally, I don't think it is), but for security teams that want to "watch the watchers" they want to be notified when certain things in the Azure Sentinel structure are modified or created. I've been asked about this numerous times for the various areas in Azure Sentinel. To start …

MITRE ATT&CK Framework Reference Workbook for Azure Sentinel Updated with Latest Techniques

The MITRE Corporation today has announced some changes in its tactics and techniques, including the sunsetting of the PRE-ATT&CK component that was only recently announced. Per the release page: Retirement of PRE-ATT&CK - This release deprecates and removes the PRE-ATT&CK domain from ATT&CK, replacing its scope with two new Tactics in Enterprise ATT&CK, Reconnaissance and Resource Development. …

What is the app@sharepoint Account in my Azure Sentinel Data?

This is just a quick blog post for clarification purposes. We've had some internal discussion around this, but what prompted this blog post is the number of customers who've also asked about this most recently. Because we're continuing to improve the data and types of data that are exposed through our table schema and automated …

How to Achieve SOC Operational Efficiency for Azure Sentinel Hunting

I have a new Azure Sentinel series I'm working on that is specific to obtaining better efficiency for your security teams using our cloud-based SIEM/SOAR. I delivered the first one internally a couple of weeks ago to rave reviews, titled "Achieving SOC Operational Efficiency for Azure Sentinel Hunting." As you know, Hunting is still very much …

Intune – “Conditional Access, Terms of Use and The Company Portal”

The Issue: We recently had an issue where we tried to use the Conditional Access setting and only grant Terms of Use for an Android device enrollment. The Investigation: What happens now is as described in our docs article "Terms of use - Azure Active Directory | Microsoft Docs" - The authenticator app installs... Why …

How to be Notified When Azure Sentinel Data Stops Flowing

This is early days for something I've been working on for a couple of customers, so expect the solution to change quite a bit. But the concept is solid and sound. The idea is to be alerted when data ingestion has stopped for a specific table or originating service, i.e., ingestion health. As a security analyst, …

How to Add the Antimalware Assessment to Your Azure Sentinel Workspace

The Antimalware Assessment has been part of the Azure Marketplace for a long while and contains some valuable information like Threat Status Rank, Threat Status, Threat Status Details, Protection Status Rank, Protection Status, Protection Status Details, Type of Protection, Scan Date, Date Collected, Product Version, and others. With all this valuable information wouldn't it be …