AC&AI domain is the largest technology domain within the Microsoft Consulting Services Organization. We aim to deliver world-class solutions with our team of expert Consultants, Project Managers and Architects across Data & AI, Apps, Security and Azure Infrastructure
This problem has come up enough in the last month or so that its worth a quick-hit blog post to help folks resolve it. The problem: You enable the Windows Firewall Data Connector in Azure Sentinel, follow the directions, and make sure the Log Analytics agent is installed on the remote system - but the … Continue reading Resolving WindowsFirewall Log Ingestion Problems for Azure Sentinel
This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I’ll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There’s deeper discussions and training that’s required to get a good … Continue reading Azure Sentinel Daily Task: Data Connectors
This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I'll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There's deeper discussions and training that's required to get a … Continue reading Azure Sentinel Daily Task: Analytics Rules
Network security plays a vital role in public cloud infrastructure design. Azure cloud is providing multiple network security options for the cloud infra and application services. Few of Azure offerings in network and application security service are below Network Security GroupApplication Security GroupIsolated Virtual NetworkAccess Control ListAzure DDoS protectionAzure Front DoorApp Service EnvironmentAzure Firewall (firewall-as-a-service)Third … Continue reading Azure Firewall vs Network Virtual Appliances
We've had a lot of interest from customers to be able to review multiple workspaces in Azure Sentinel. Prior to this release, this was only available through Azure Lighthouse or, alternatively, you could do cross-workspace KQL queries to view merged data. Now, with the multi-workspace view, you can select multiple workspaces as you enter into … Continue reading Multi-workspace View for Azure Sentinel Now in Public Preview
I teach a couple KQL courses focused on Azure Sentinel - one beginner and one more advanced. The beginner course (level 100-200), coupled with our KQL docs (aka.ms/KQLDocs), is usually enough though to get customers on the right path to learning the Kusto Query Language. Whenever I deliver an Azure Sentinel workshop, it's the moment … Continue reading Tools and Resources to Practice Your Azure Sentinel KQL-fu
I had the occasion recently to work with a customer that had domain controllers that were disconnected from the Internet, but still wanted to ingest the server event logs into Azure Sentinel. Sifting through research I found there's a myriad of ways to do it (including standing up a Log Analytics gateway) but one of … Continue reading Exporting Events from Disconnected Systems to Ingest into Azure Sentinel
I wrote a recent article that talks about tips for doing Data Sampling for Azure Sentinel. Data Sampling is a method that allows the Sentinel Analyst to figure out where and what data exists in the Log Analytics workspace to help hone KQL queries to produce good data results. Read that here if you missed … Continue reading Azure Sentinel Tip for Table Details and Descriptions
Importing the Security Baselines into AD easily The easiest method of importing all the settings into AD is a script that is included with the baselines, its stored beneath the Scripts folder named "Baseline-ADImport.ps1". Baseline-ADImport.ps1 Imported GPO's in AD In the image above you can see everything that is imported with the Security Baseline for … Continue reading Understanding Microsoft Security Baselines and Applying Them – Part 2
When you're working against the data ingested in your Azure Sentinel Log Analytics workspace, you sometimes don't know right away exactly where the data exists or even what data is available. For example, what if you simply want to figure out if 'zoom.exe' exists in your data store? A lot of times someone has already … Continue reading Tips for KQL Data Sampling as part of Azure Sentinel Investigations