What are DEV-#### indicator designations for detections?

I had this question come up today, but I've been asked a few times recently, so I believe it's prudent to supply an explanation and guidance on what to do with these. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or a developing cluster of threat activity, allowing MSTIC …

Estimating the Size of the M365 Advanced Tables for Microsoft Sentinel Enablement

The Microsoft 365 Defender Connector in Microsoft Sentinel is coming along nicely with all the table sources now available to select. The Connector is still in public preview, but the progress is a very welcome sight. All the logs Even though ingesting the M365 Advanced logs is considered necessary, enabling them will cost something. There …

Microsoft Defender for Endpoint Workbook for Microsoft Sentinel

There's a new Workbook available in the Microsoft Sentinel console that I'm pretty sure you'll overlook because it's been released without much fanfare. However, for those taking advantage of Microsoft Defender for Endpoint and the connection to Microsoft Sentinel, this Workbook contains valuable information. To locate it, in Workbook - Templates, do a quick filter …

The Microsoft Security Insights Podcast is Coming to Microsoft Reactor

For fans of the weekly Microsoft Security Insights podcast, Frank, Edward, Brodie, and I have some awesome news to share. The popularity of the podcast continues to grow. Not only is the listener audience in an exploding growth spurt, but there are many security experts coming out of the woodwork asking to come on the …

All the Ways to Read the Weekly Newsletters for Microsoft Sentinel and Microsoft Defender

The weekly newsletters for Microsoft Sentinel and Defender continue to skyrocket in subscribers. It's amazing how far each of these resources has come and how dedicated and loyal the inbox subscribers are. But there are many out there who prefer not to receive yet another newsletter in their inbox, or who would like to sample …

The Unified Microsoft Sentinel and Microsoft 365 Defender Repository

As products and services continue to align, it's great to see movement in areas that provide pure value. The Microsoft Sentinel GitHub repository has now made room to house Microsoft 365 Defender Hunting queries. KQL is the tie that binds these two security services, and because of that, Hunting queries for Microsoft 365 …

Must Learn KQL Part 13: The Extend Operator

This post is part of an ongoing series to educate about the simplicity and power of the Kusto Query Language (KQL). If you'd like the 90-second post-commercial recap that seems to be a standard part of every TV show these days… The full series index (including code and queries) is located here: https://aka.ms/MustLearnKQL The book …

KQL Basics and Advanced KQL Hunting for Microsoft 365 Defender

Since it seems I've become all things KQL for our security platforms (which I don't mind at all, btw), I thought I'd step outside the Sentinel realm for a moment and share some recent releases for using KQL with Microsoft 365 Defender. Here's some awesome video content learning... M365D KQL Basics: https://cda.ms/3D3 M365D Advanced Hunting: …

“Server error Category A is not supported” message when enabling Microsoft Defender for Office 365 in the Microsoft Sentinel Connector

Recently, a few of us were confused about an error message that exhibited itself when attempting to enable the Microsoft Defender for Office 365 option in the Microsoft 365 Defender connector for Microsoft Sentinel. Never having experienced something like this yourself makes it even more difficult to troubleshoot. You know the scenario - user or customer …

Must Learn KQL Part 11: The Summarize Operator

This post is part of an ongoing series to educate about the simplicity and power of the Kusto Query Language (KQL). If you'd like the 90-second post-commercial recap that seems to be a standard part of every TV show these days… The full series index (including code and queries) is located here: https://aka.ms/MustLearnKQL The book …