How to Create a Pie Chart Showing Threat Protection Signature Versions

If you'd like to get a sense of the versions for the threat protection signature files that are installed in your environment, here's a quick KQL query to do that.

ProtectionStatus
| project DeviceName, ThreatStatus, TenantId, ProtectionStatus, SignatureVersion, ScanDate, ProtectionStatusDetails
| summarize sig_count=count() by SignatureVersion
| render piechart by sig_count

This particular KQL query displays …

How to Send Feedback to the Azure Sentinel Notebook Team

There's a mighty effort underway to ensure that Azure Sentinel customers have as much knowledge and understanding about the Notebooks feature as possible. Azure Sentinel Notebooks is a valuable asset for investigative and hunting analysts alike. There's an introductory blog post available now that is a complement to the upcoming free training series. See: Becoming …

How to Extract the Confidence Score from the Anomali Feeds for Azure Sentinel

There are some good instructions available on how to configure the Anomali feeds for Azure Sentinel. See: https://cda.ms/2sC When you enable and configure the Threat intelligence - TAXII (Preview) connector, data is stored in the ThreatIntelligenceIndicator data table, which includes a ConfidenceScore column. The Anomali feeds contain a confidence score; however, it's stowed away in a ThreatType …

Tip: Duplicate and Deprecate to Modify Azure Sentinel Analytics Rules

Just a quick heads-up tip for those who might be affected by this scenario eventually. Some might call this a "best practice," but I know many people hate that term. Hence, my use of the term "tip" instead. When Azure Sentinel Analytics Rules are updated by Microsoft, any changes you have made to the original …

How to Get the Network Security Dashboard for Security Center

There's a new dashboard in town for Azure Security Center. This particular dashboard (workbook) contains the following:

Overview - a summary of all monitored network-related security components.
Public IPs & Exposed Ports - Public IP and Asset Types and Ports Exposed to the Internet
Network Security Services - DDoS Protection Plans, Azure Firewalls and Firewall Policies, Azure WAF …

Azure Sentinel Gets Its Own Knowledge Check and Completion Certificate

Following in the footsteps of the rest of the Microsoft security platform tools, Azure Sentinel training now has its own completion certificate! My original post on All the Microsoft Ninja Training I Know About noted that every product except Security Center and Sentinel provided knowledge checks with a resulting completion certificate. But, I've since updated …

Azure Sentinel Incident View Column Chooser Reaches GA

Released in Preview in June of this year, the column chooser in the Incident blade of Azure Sentinel is now generally available. You might think this is a pretty low-value feature release, but it's not. This capability allows analysts to customize the view to show only those areas of content that will be valuable …

How to Monitor for ProxyShell Microsoft Exchange Vulnerabilities using Azure Sentinel

Based on recent reporting and evidence, it's worthwhile to use Azure Sentinel to monitor for Microsoft Exchange servers that are potentially vulnerable to ProxyShell. See: Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit Here's a quick KQL query to use to hunt for this vulnerability in your environment. The query can be turned into an Analytics Rule …

How to Control Deployment of Defender for Endpoint to your Linux machines

Azure Security Center now supports (in preview) the automatic deployment of Defender for Endpoint to your Linux machines. To enable this...

[1] In Azure Security Center, go to Pricing & Settings for the Security Center enabled subscription and then Integrations.
[2] Click the Enable for Linux Machines (Preview) button and click Save.
[3] Finally, verify …

Security Center Compliance Over Time Report Now in Public Preview

The Microsoft Security Center team has now released an integrated report that gives customers the ability to track compliance status over time. This is a valuable report to enable managers and workers to view continuing progress toward a compliant environment. The Compliance Over Time workbook requires continuous export to export data to a Log Analytics …