A new SolarWinds vulnerability has been discovered, this time for the Serv-U product. See SolarWinds Trust Center Security Advisories | CVE-2021-35211 for details. UPDATE: We've now also released an "official" query in response to identifying the true actor behind this exploit. The query is here: Azure-Sentinel/DEV-0322_SolarWinds_Serv-U_IOC.yaml at master · Azure/Azure-Sentinel (github.com) The following represents a … Continue reading How to Use Azure Sentinel to Monitor for the Solarwinds Serv-U Remote Memory Escape Vulnerability →

Working with a couple customers and some of my colleagues who are working with their customers who are either impacted or curious if they might be impacted by the recent Kaseya REvil situation, the following KQL query was developed as a detection. This should work in all environments, but after testing it you find a … Continue reading How to Detect Kaseya REvil Ransomware with Azure Sentinel →

In another of the "Watching the Watchers" series, customers ask periodically to be notified when - or at least to know when - the Log Analytics workspace data retention changes. Here's a quick KQL query to accomplish that. union Operation | where OperationStatus == "Succeeded" | where OperationCategory == "Workspace Configuration" | project TimeGenerated, Detail … Continue reading How to Know When Data Retention Values Have Changed for Azure Sentinel →

There's been some recent flurry around what folks are calling #PrintNightmare. This has been identified as a Print Spooler flaw with POC code available. For those customers wanting to know more about this, see: Windows Admins Scrambling to Contain 'PrintNightmare' Flaw Exposure | SecurityWeek.Com There's a couple things you can do to start: Install the … Continue reading How to Track PrintNightmare with Azure Sentinel →

There's currently two Logic App Connectors for Azure Sentinel that allow you to work with Watchlists. Up until the recent update for Watchlists that brought the ability to modify existing Watchlists, neither of these Logic App Connectors worked. Currently, you can't create a brand new Watchlist using either of these, you can only update existing … Continue reading How to Use the Watchlists Logic App Connector for Azure Sentinel →

The Azure Sentinel Hackathon has my creative juices in full swing. For my first feat, I talked earlier this week about How to Build an Alexa Skill to Report Critical Azure Sentinel Incidents Generated Overnight. I'm still working on deeper integration for Alexa and Azure Sentinel, but as is the case, I keep having squirrel … Continue reading How to Create an Azure Sentinel SOC Alerting System →

So, my first Fireside chat with our partner, Difenda, went so well - they invited me back for a Part 2! This was an absolute hoot and truly enjoyed myself. In this particular event we dove into the partner ecosystem for Azure Sentinel. Our partner ecosystem is a strong one and encompasses the following areas: … Continue reading Replay: Azure Sentinel Fireside Chat – Part 2 →

I generally hate it when someone takes a blog and writes an article or blog about it. There's a number of websites that do this and it drives me nuts. HOWEVER, you're going to catch me doing this today - but for good reason. A significant change in a Data Connector is worth highlighting twice. … Continue reading A Blog about a Blog: Upgrade Your Azure Sentinel AzureActivity Data Connector →

A colleague of mine, Sonia Cuff, put together an interesting blog post recently that talks about how to integrate Azure Monitor with LIFX lighting devices. See: How to display Azure Monitor alerts with smart lights and no code. That article really got my creative juices flowing. I've since ordered one of the LIFX light bulbs … Continue reading How to Build an Alexa Skill to Report Critical Azure Sentinel Incidents Generated Overnight →