We've had a lot of interest from customers to be able to review multiple workspaces in Azure Sentinel. Prior to this release, this was only available through Azure Lighthouse or, alternatively, you could do cross-workspace KQL queries to view merged data. Now, with the multi-workspace view, you can select multiple workspaces as you enter into … Continue reading Multi-workspace View for Azure Sentinel Now in Public Preview
I teach a couple of KQL courses focused on Azure Sentinel - one beginner and one more advanced. The beginner course (level 100-200), coupled with our KQL docs (aka.ms/KQLDocs), is usually enough to get customers on the right path to learning the Kusto Query Language. Whenever I deliver an Azure Sentinel workshop, it's the moment … Continue reading Tools and Resources to Practice Your Azure Sentinel KQL-fu
I had the occasion recently to work with a customer that had domain controllers that were disconnected from the Internet, but still wanted to ingest the server event logs into Azure Sentinel. Sifting through research, I found there are myriad ways to do it (including standing up a Log Analytics gateway), but one of … Continue reading Exporting Events from Disconnected Systems to Ingest into Azure Sentinel
I wrote a recent article that talks about tips for doing Data Sampling for Azure Sentinel. Data Sampling is a method that allows the Sentinel Analyst to figure out where and what data exists in the Log Analytics workspace to help hone KQL queries to produce good data results. Read that here if you missed … Continue reading Azure Sentinel Tip for Table Details and Descriptions
Importing the Security Baselines into AD easily. The easiest method of importing all the settings into AD is a script that is included with the baselines; it's stored beneath the Scripts folder and named "Baseline-ADImport.ps1". [Image: Baseline-ADImport.ps1 - Imported GPOs in AD] In the image above you can see everything that is imported with the Security Baseline for … Continue reading Understanding Microsoft Security Baselines and Applying Them – Part 2
When you're working against the data ingested in your Azure Sentinel Log Analytics workspace, you sometimes don't know right away exactly where the data exists or even what data is available. For example, what if you simply want to figure out if 'zoom.exe' exists in your data store? A lot of times someone has already … Continue reading Tips for KQL Data Sampling as part of Azure Sentinel Investigations
One of the suggested recommendations in the continuing Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel series is to keep track of updates for a variety of the Azure Sentinel components. Our GitHub repository is a valuable resource for new and updated KQL queries, Workbooks, etc. It is updated constantly by our Sentinel teams, … Continue reading Tip: Keeping Track of Azure Sentinel GitHub Updates
As organizations are asking employees to work from home to slow the spread of COVID-19, it’s even more important that users are registered for MFA and SSPR. We want to make it easier for remote workers to keep their accounts secure.
In this post I will take you through the steps to deploy Azure ATP in your on-premises Active Directory to detect and investigate threats in your environment.
This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I'll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There are deeper discussions and training required to get a … Continue reading Azure Sentinel Daily Task: Hunting Queries and Bookmarks