Public Preview: The MITRE ATT&CK Framework Blade in Microsoft Sentinel

The MITRE ATT&CK framework provides probably the best basis for understanding attack techniques and tactics. Try to say that 10 times real fast: attack techniques and tactics. Many organizations rely on it and over time Microsoft Sentinel has provided more and deeper integration. That integration is even more pronounced in the MITRE blade that has …

How to Get Started with Basic Logs for Microsoft Sentinel

Cost is the topic of discussion for any SIEM or security tool that collects and analyzes data. Among a bevy of security announcements today, we also unveiled a long anticipated logs capability to enable archiving (or semi-cold storage) and cheaper long term storage. See the following announcements for more information: The next evolution of Azure …

Take the Assessment, Get Your Must Learn KQL Certificate

The Must Learn KQL series has reached its completion, but that doesn't mean it's over. In March, I'll kick off the next step in KQL learning in an advanced series called Addicted to KQL. For those just catching on, the Must Learn KQL series has educated close to 5,000 people since it started in November …

How to Manually Run a Playbook Against an Incident from the Tasks Menu

Now in public preview, the Microsoft Sentinel UI makes it easy to run an existing Playbook against an Incident. To make this capability more accessible, it is available in the Actions menu, where you can quickly select from the list of Playbooks to provide additional enrichment to the Incident. Details in the Docs: Run a Playbook Manually …

Microsoft Sentinel Incident Comments Gets a Limitation Bump

For those customers looking to add more to the comments section of Microsoft Sentinel Incidents, you can now provide a bit more context and content. One of the top asks from customers for improving Microsoft Sentinel was that the 3k character limitation in commenting could be bumped up. This has now been increased to 30k …

Must Learn KQL Part 20: Building Your First Microsoft Sentinel Analytics Rule

This post is part of an ongoing series to educate about the simplicity and power of the Kusto Query Language (KQL). If you’d like the 90-second post-commercial recap that seems to be a standard part of every TV show these days… The full series index (including code and queries) is located here: https://aka.ms/MustLearnKQL The book …

Bulk Update Reaches GA for Microsoft Sentinel Watchlists

Customers have continually requested the ability to update Microsoft Sentinel Watchlists en masse instead of manually adding a handful of new items at a time. I know that there are many Microsoft Sentinel customers who are reluctant - or even prohibited by policy - to use preview features in production. Those customers can now take …

The Unified Microsoft Sentinel and Microsoft 365 Defender Repository

As products and services continue to align, it's great to see movement in areas that provide pure value. The Microsoft Sentinel GitHub repository has now made room to house Microsoft 365 Defender Hunting queries. KQL is the tie that binds these two security services, and because of that, Hunting queries for Microsoft 365 …

Must Learn KQL Part 19: The Join Operator

This post is part of an ongoing series to educate about the simplicity and power of the Kusto Query Language (KQL). If you’d like the 90-second post-commercial recap that seems to be a standard part of every TV show these days… The full series index (including code and queries) is located here: https://aka.ms/MustLearnKQL The book …