How to Send Azure SQL Server Audit Logs to Azure Sentinel

Still in preview, you can send your Azure-based SQL Server Audit logs to the same Log Analytics workspace that is being used by Azure Sentinel. In many other services, you would enable a Diagnostic Setting to send the logs to Azure Sentinel. But Azure SQL Server is a bit different, so it's good to highlight. …

How to Be Notified When an Azure Sentinel Analytics Rule Has Been Created or Modified

It may seem a bit anal (personally, I don't think it is), but security teams that want to "watch the watchers" want to be notified when certain things in the Azure Sentinel structure are modified or created. I've been asked about this numerous times for the various areas in Azure Sentinel. To start …

MITRE ATT&CK Framework Reference Workbook for Azure Sentinel Updated with Latest Techniques

The MITRE Corporation today has announced some changes in its tactics and techniques, including the sunsetting of the PRE-ATT&CK component only more recently announced. Per the release page: "Retirement of PRE-ATT&CK - This release deprecates and removes the PRE-ATT&CK domain from ATT&CK, replacing its scope with two new Tactics in Enterprise ATT&CK: Reconnaissance and Resource Development." …

What is the app@sharepoint Account in my Azure Sentinel Data?

This is just a quick blog post for clarification purposes. We've had some internal discussion around this, but what precipitated this blog post is the number of customers who've also asked about this most recently. Because we're continuing to improve the data and types of data that are exposed through our table schema and automated …

How to Achieve SOC Operational Efficiency for Azure Sentinel Hunting

I have a new Azure Sentinel series I'm working on that is specific to obtaining better efficiency for your security teams using our cloud-based SIEM/SOAR. I delivered the first one internally a couple of weeks ago to rave reviews, titled "Achieving SOC Operational Efficiency for Azure Sentinel Hunting". As you know, Hunting is still very much …

How to Be Notified When Azure Sentinel Data Stops Flowing

This is early days for something I've been working on for a couple of customers, so expect the solution to change quite a bit. But the concept is solid and sound. The idea is to be alerted when data ingestion has stopped for a specific table or originating service, i.e., ingestion health. As a security analyst, …

How to Add the Antimalware Assessment to Your Azure Sentinel Workspace

The Antimalware Assessment has been part of the Azure Marketplace for a long while and contains some valuable information like Threat Status Rank, Threat Status, Threat Status Details, Protection Status Rank, Protection Status, Protection Status Details, Type of Protection, Scan Date, Date Collected, Product Version, and others. With all this valuable information, wouldn't it be …

How to Obtain and Import Data into the Azure Sentinel Watchlist Preview

The Watchlist feature for Azure Sentinel is in public preview. I will cover this more in depth at a later date, but I wanted to answer a question that has become more common recently with customers I've been working with when this showed up in their own Azure Sentinel consoles. The question? What are some …

How to Use HTML and Markdown in Azure Sentinel Incident Comments

Just recently the Azure Sentinel team has added the capability for customers to use HTML and Markdown in the Comment section of Incidents. And, to ensure that there's enough room for the additional content, the comments field has been expanded to support 3,000 characters (1,000 was the default limit). This gives customers the ability to …

How to Monitor Compliant and Non-compliant Systems for Zerologon Using Azure Sentinel

In August, we released security updates to resolve a vulnerability (CVE-2020-1472) for all affected systems. With the August or September security updates deployed, Domain, Trust and Windows machine accounts will be protected. However, for those organizations that want to monitor for those systems that are either compliant or non-compliant - and find those systems that might …