Watchlist Module Welcome back to the SOCAutomator series. Did you miss us? Today we’re going to dig into how the STAT module works with Microsoft Sentinel watchlists. But first, let’s define what a watchlist is. Analysts often need the ability to correlate security events and insights with other non-security data sources, such as lists of … Continue reading Automate your SOC – Welcome to the VIP Room
“Yes – it’s more than bathing suit” Security engineering teams need to develop new skills to provide their security analysts with the necessary depth of data and analytics to perform their jobs effectively. Analysts require this data to be readily available in the SIEM during an incident. We must reduce the speed of triage to … Continue reading What to bring to the Data Lake?
“The rise of data and the security data lake” There is a long-standing problem in cybersecurity. There is the ever increasing need to log more sources to provide needed visibility to detect threat activity. The need to ingest raw logs has created an ingestion problem. The SIEM was supposed to be the ultimate solution to … Continue reading Will your SIEM survive?
Threat Intelligence Module This post builds upon your initial installation and provides a deeper understanding of each of the modules (logic apps) that make up MSTAT. See the links below for earlier posts to build your knowledge on the capabilities of each module. You can also find all related posts by searching this blog. The … Continue reading Automate your SOC – Known Badness
Microsoft Defender for Endpoint We’re back with another edition of Automate your SOC with Microsoft STAT. Today we’re going to discuss the Microsoft Defender for Endpoint module (MDEModule). This module can retrieve a few pieces of information that can enrich your incident. The module can return the risk level and exposure level from MDE from … Continue reading Automate your SOC – Rise of the machine (risk)
Microsoft Sentinel Related Alerts This post builds upon your initial installation and provides a deeper understanding of each of the modules (logic apps) that make up MSTAT. See the links below for earlier posts. You can also find all related posts by searching this blog. The Related Alerts module takes the incident entity data and … Continue reading Automate your SOC – Is there anything else going on?
Giving your incidents a risk score So, you’ve installed STAT using the deployment ARM template? Yes, ok let’s go. If not, see our tutorial on getting it installed here. Let’s start by navigating to your Logic Apps blade in the Azure portal. Here you will see that STAT installed fifteen logic apps. We will go … Continue reading Automate your SOC – Risky Business
Intro to Microsoft Sentinel Triage Assistant (STAT) We wanted to jump right in to help you automate your security operations by introducing the Microsoft Sentinel Triage Assistant or STAT for short. STAT is built on a series of Azure Logic Apps which can be integrated into Microsoft Sentinel, Azure Active Directory, and the 365 Defender … Continue reading Let’s automate your SOC
This post is part of an ongoing series to provide ideas for enhancing security operations through automation. Microsoft Sentinel has built-in SOAR capability, so the prescriptive guidance provided here can be implemented immediately and without much effort. Microsoft Sentinel is updated constantly, and many customers would like better ways to know when things are … Continue reading Recipes for Automation: Reading About Updated Microsoft Sentinel Content in a Microsoft Teams SOC Channel