Viewing Microsoft Sentinel Rules with MITRE Tactics Directly in Excel

Periodically, customers will ask to be able to review the list of Microsoft Sentinel detection rules (Analytics Rules) with the associated MITRE ATT&CK tactics. This is a good ask. Before I jump directly into uncovering a relatively unknown option for viewing this data, I think it will help to expose those options that are more …

How to Query HaveIBeenPwned Using a Microsoft Sentinel Playbook

I've known Troy Hunt for a number of years and his contributions to the security and privacy industry have been hugely valuable and much appreciated by the masses. HaveIBeenPwned is a great resource developed and maintained by Troy. It provides the ability to query against its database to expose domains or user accounts that have …

How to Use a Playbook to Add Geographical Data for IP Addresses to a Microsoft Sentinel Incident

We have a Playbook out on the official GitHub Repo that queries the IP-API.com website with IP addresses and then writes the geographical information to an Incident's Tags. This is useful, but it's been found to be too limiting based on the amount of information IP-API returns versus how little data a Tag can hold. …

Multi-selecting Analytics Rules to Enable More than One at Once

Wouldn't it be super nice if, in the Microsoft Sentinel UI, you could multi-select Analytics Rule templates to enable and just hit an "Enable All" button? I swear this has been a common customer ask for a couple of years now. The idea is that when you stand up Microsoft Sentinel for the first …

What are DEV-#### indicator designations for detections?

I had this question come up today, but I've been asked it a few times recently, so I believe it's prudent to supply an explanation and guidance on what to do with these. Microsoft uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC …

The Security Content Guide to Microsoft Build 2022

Build 2022 has a LOT of awesome security-focused content along with the great content to be consumed for any number of focus areas. For my area of focus, security, here are the things I'm most interested in and the sessions that I'll be focusing on to glean knowledge for the things I'm tasked with …

Deploying Microsoft Sentinel Analytics Rules that are Already Enabled

The Repositories feature in Microsoft Sentinel is a popular way to deploy uniform content using a CI/CD pipeline to a single or to multiple Sentinel workspaces. The default for Analytics Rules is to deploy into the workspace as disabled. But many organizations prefer to deliver the updated or new content as ready-to-go and enabled already. …

SC-100: Microsoft Cybersecurity Architect Gets a Learning Path

For those of us who took the SC-100 beta exam, there's a strong indicator today that the exam results could show up soon. That indicator is a new SC-100 Learn path. The Learn path is a set of modules that are repurposed from other exams, but it's a Learn path, nonetheless. The following is the …

Estimating the Size of the M365 Advanced Tables for Microsoft Sentinel Enablement

The Microsoft 365 Defender Connector in Microsoft Sentinel is coming along nicely with all the table sources now available to select. The Connector is still in public preview, but the progress is a very welcome sight. All the logs. Even though ingesting the M365 Advanced logs is considered necessary, enabling them will cost something. There …

Better Accessibility for the Vision Impaired in Microsoft Sentinel

Last year in July, my colleague Innocent Wafula talked about accessibility and usability for all in Azure Sentinel. Things like responsive design, content reflow, and linear order go a long way toward providing better accessibility not only for Microsoft Sentinel but also for the Azure portal in general. But there's more that can be done. And, while it …