A couple of weeks back during the Microsoft Security Insights Podcast, the topic of Azure Arc came up in reference to the new AMA client that uses DCRs to help filter the Windows events collected from on-prem servers and sent to the Log Analytics workspace for Azure Sentinel. At the time, I suggested Thomas Maurer would … Continue reading July 14: Thomas Maurer on Azure Arc for the Microsoft Security Insights Podcast and Twitch Stream
If you're a long-time Azure Sentinel customer, there's a good chance you enabled the Azure Defender connector long ago and have never gone back into the original connector to look around. I mean, if everything is working... who does that, right? There's a new(er) preview capability in this connector that you need to toggle if you … Continue reading How to Enable Bi-directional Alert Sync Between Azure Sentinel and Azure Defender
A new SolarWinds vulnerability has been discovered, this time for the Serv-U product. See SolarWinds Trust Center Security Advisories | CVE-2021-35211 for details. UPDATE: We've now also released an "official" query in response to identifying the true actor behind this exploit. The query is here: Azure-Sentinel/DEV-0322_SolarWinds_Serv-U_IOC.yaml at master · Azure/Azure-Sentinel (github.com) The following represents a … Continue reading How to Use Azure Sentinel to Monitor for the Solarwinds Serv-U Remote Memory Escape Vulnerability
We have been using Internet Explorer since Windows 95, though perhaps not so much in recent years since we started using modern browsers. Microsoft recently announced the retirement of the Internet Explorer desktop application. There are, however, some organizations that still rely on Internet Explorer for legacy sites and may be impacted by this announcement. These legacy sites can still be supported using the Microsoft Edge browser.
Microsoft Defender for Identity (MDI) can be easily integrated with your Syslog server. You can be notified of new suspicious activities by sending security and health alerts to your Syslog server.
While working with a couple of customers, and with colleagues whose customers are either impacted by or curious whether they might be impacted by the recent Kaseya REvil situation, the following KQL query was developed as a detection. This should work in all environments, but after testing it you find a … Continue reading How to Detect Kaseya REvil Ransomware with Azure Sentinel
In another of the "Watching the Watchers" series, customers ask periodically to be notified when - or at least to know when - the Log Analytics workspace data retention changes. Here's a quick KQL query to accomplish that. union Operation | where OperationStatus == "Succeeded" | where OperationCategory == "Workspace Configuration" | project TimeGenerated, Detail … Continue reading How to Know When Data Retention Values Have Changed for Azure Sentinel
I have just posted my video that discusses Endpoint Analytics and how to configure it via Intune and ConfigMgr; it also explores the kind of data that is at your fingertips after a very easy enablement process. Here is a link to the video. Enjoy!
There's been a recent flurry around what folks are calling #PrintNightmare. This has been identified as a Print Spooler flaw with POC code available. For those customers wanting to know more about this, see: Windows Admins Scrambling to Contain 'PrintNightmare' Flaw Exposure | SecurityWeek.Com There are a couple of things you can do to start: Install the … Continue reading How to Track PrintNightmare with Azure Sentinel
There are currently two Logic App Connectors for Azure Sentinel that allow you to work with Watchlists. Up until the recent update for Watchlists that brought the ability to modify existing Watchlists, neither of these Logic App Connectors worked. Currently, you can't create a brand new Watchlist using either of these; you can only update existing … Continue reading How to Use the Watchlists Logic App Connector for Azure Sentinel