MITRE ATT&CK Framework Reference Workbook for Azure Sentinel Updated with Latest Techniques

The MITRE Corporation today announced some changes to its tactics and techniques, including the sunsetting of the PRE-ATT&CK component that was only recently announced. Per the release page: Retirement of PRE-ATT&CK - This release deprecates and removes the PRE-ATT&CK domain from ATT&CK, replacing its scope with two new Tactics in Enterprise ATT&CK: Reconnaissance and Resource Development. …

What is the app@sharepoint Account in my Azure Sentinel Data?

This is just a quick blog post for clarification purposes. We've had some internal discussion around this, but what prompted this blog post is the number of customers who have also asked about it recently. Because we're continuing to improve the data and the types of data that are exposed through our table schema and automated …

How to Achieve SOC Operational Efficiency for Azure Sentinel Hunting

I have a new Azure Sentinel series I'm working on that is specific to obtaining better efficiency for your security teams using our cloud-based SIEM/SOAR. I delivered the first one internally a couple of weeks ago to rave reviews, titled "Achieving SOC Operational Efficiency for Azure Sentinel Hunting". As you know, Hunting is still very much …

Intune – “Conditional Access, Terms of Use and The Company Portal”

The Issue: We recently had an issue where we tried to use the Conditional Access setting and grant only Terms of Use for an Android Device Enrollment. The Investigation: What happens now is as described in our docs article "Terms of use - Azure Active Directory | Microsoft Docs" - the Authenticator app installs... Why …

How to be Notified When Azure Sentinel Data Stops Flowing

These are early days for something I've been working on for a couple of customers, so expect the solution to change quite a bit. But the concept is solid and sound. The idea is to be alerted when data ingestion has stopped for a specific table or originating service, i.e., ingestion health. As a security analyst, …

How to Add the Antimalware Assessment to Your Azure Sentinel Workspace

The Antimalware Assessment has been part of the Azure Marketplace for a long while and contains some valuable information such as Threat Status Rank, Threat Status, Threat Status Details, Protection Status Rank, Protection Status, Protection Status Details, Type of Protection, Scan Date, Date Collected, Product Version, and others. With all this valuable information, wouldn't it be …

How to Obtain and Import Data into the Azure Sentinel Watchlist Preview

The Watchlist feature for Azure Sentinel is in public preview. I will cover this more in depth at a later date, but I wanted to answer a question that has become more common recently with the customers I've been working with, once this showed up in their own Azure Sentinel consoles. The question? What are some …

Publish Custom PowerShell Workflows to Azure Automation

Introduction: Writing Runbooks in Az Automation is possible in the following languages: PowerShell and Python. In PowerShell it is also possible to write PowerShell Workflow. In this blog post, I will walk through some highlights of writing 'PowerShell Workflow' and how to upload it to the 'Runbook gallery' in Azure Automation. The pros and cons of using Workflow: The …

Microsoft Endpoint Manager – “Defeating Vulnerability Scans”

The Issue: In Operations you may get approached by your Security Team from time to time to help them close new vulnerabilities that have been identified after a vulnerability scan was run. It might look like the below and contain a list of vulnerabilities that need to be addressed. The Investigation: If you are lucky …