Adding TI in Bulk to Microsoft Sentinel in Public Preview

Today the ability to upload new Threat Intelligence indicators in bulk is available in Public Preview. A new Import tab in the Threat Intelligence blade of the Microsoft Sentinel console lets you import indicators from a flat file (CSV or JSON) and also manage existing imports. The Docs are already available: Add indicators in bulk … Continue reading Adding TI in Bulk to Microsoft Sentinel in Public Preview

Recipes for Automation: Reading About Updated Microsoft Sentinel Content in a Microsoft Teams SOC Channel

This post is part of an ongoing series to provide ideas for enhancing security operations through automation. Microsoft Sentinel has built-in SOAR capability, so the prescriptive guidance provided here can be implemented immediately and without much effort. Microsoft Sentinel is updated constantly, and many customers would like better ways to know when things are … Continue reading Recipes for Automation: Reading About Updated Microsoft Sentinel Content in a Microsoft Teams SOC Channel

Reusing Microsoft Sentinel Watchlists Across Tenants

Here's a common question (just received it again today, in fact). Q: Is it possible to do cross-tenant retrieval of watchlists? A: Retrieving watchlist content through the API isn't available yet, and Repositories doesn't support watchlists. So, here are a couple of things you could do: [1] Query the watchlist and export the results to a … Continue reading Reusing Microsoft Sentinel Watchlists Across Tenants

The Must Learn KQL Community Discussion Board

Among the myriad of cool things that the Must Learn KQL series has birthed, there's now also a Community Discussion board available. The Discussion board is designed to enable Q&A, feedback, ongoing discussions, code posts, polls, and on and on. Jump out to the following link to get engaged … Continue reading The Must Learn KQL Community Discussion Board

Is Moving the Sentinel Workspace to Another Resource Group or Subscription Supported?

This is a common question and one that needs both an answer and a Docs location where the answer can always be found. Digging around in the Microsoft Sentinel Docs may not yield the answer you're looking for. The answer is located in the Azure Monitor Doc for Workspace move considerations (URL: https://docs.microsoft.com/en-us/azure/azure-monitor/logs/move-workspace#workspace-move-considerations). Per the Doc: Currently, … Continue reading Is Moving the Sentinel Workspace to Another Resource Group or Subscription Supported?

How to: Automate On-Premises AD Users to Microsoft Sentinel Watchlist

Watchlists in Microsoft Sentinel allow you to correlate data from a data source you provide with the events in your Microsoft Sentinel environment. For example, you might create a watchlist with a list of high-value assets, terminated employees, or service accounts in your environment. Microsoft Sentinel customers often ask if there is a way to … Continue reading How to: Automate On-Premises AD Users to Microsoft Sentinel Watchlist
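The correlation the paragraph above describes, as an added KQL example (not code from the original post): sign-in events are joined against a watchlist of terminated employees so that any successful sign-in by a terminated account surfaces. It assumes a watchlist named TerminatedEmployees whose search key is the user principal name and which carries a TerminationDate column, and that Azure AD sign-in logs are connected (the SigninLogs table); both the watchlist name and its columns are assumptions for illustration.

```kusto
// Added example, not from the original post.
// Assumes a watchlist 'TerminatedEmployees' with SearchKey = UserPrincipalName
// and a TerminationDate column, and that SigninLogs is being ingested.
let terminated = _GetWatchlist('TerminatedEmployees')
    | project UserPrincipalName = tolower(SearchKey), TerminationDate;
SigninLogs
| where TimeGenerated > ago(1d)
| extend UserPrincipalName = tolower(UserPrincipalName)   // normalise case before the join
| join kind=inner terminated on UserPrincipalName
| where ResultType == "0"                                 // successful sign-ins only
| project TimeGenerated, UserPrincipalName, TerminationDate, IPAddress, AppDisplayName, ResultType
| order by TimeGenerated desc
```

Lower-casing both sides before the join matters: watchlist search keys are matched as plain strings, so a UPN entered in mixed case would otherwise silently miss. The same shape works for the other examples in the paragraph (high-value assets keyed on hostname against SecurityEvent or DeviceLogonEvents, service accounts keyed on account name), with only the joined table and key column changing.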