Multi-selecting Analytics Rules to Enable More than One at Once

Wouldn't it be super nice if, in the Microsoft Sentinel UI, you could multi-select Analytics Rule templates to enable and just hit an "Enable All" button? I swear this has been a common customer ask for a couple of years now. The idea is that when you stand up Microsoft Sentinel for the first …

The Security Content Guide to Microsoft Build 2022

Build 2022 has a LOT of awesome security-focused content, along with great content for any number of other focus areas. For my area of focus, security, here are the things I'm most interested in and the sessions I'll be focusing on to glean knowledge for the things I'm tasked with …

Deploying Microsoft Sentinel Analytics Rules that are Already Enabled

The Repositories feature in Microsoft Sentinel is a popular way to deploy uniform content through a CI/CD pipeline to one or more Sentinel workspaces. By default, Analytics Rules are deployed into the workspace as disabled. But many organizations prefer to deliver updated or new content already enabled and ready to go. …

SC-100: Microsoft Cybersecurity Architect Gets a Learning Path

For those of us who took the SC-100 beta exam, there's a strong indicator today that the exam results could show up soon. That indicator is a new SC-100 Learn path. The Learn path is a set of modules repurposed from other exams, but it's a Learn path nonetheless. The following is the …

Estimating the Size of the M365 Advanced Tables for Microsoft Sentinel Enablement

The Microsoft 365 Defender connector in Microsoft Sentinel is coming along nicely, with all the table sources now available to select. The connector is still in public preview, but the progress is a very welcome sight. Even though ingesting the M365 Advanced logs is considered necessary, enabling them will cost something. There …

Better Accessibility for the Vision Impaired in Microsoft Sentinel

Last year in July, my colleague Innocent Wafula talked about Accessibility and usability for all in Azure Sentinel. Things like responsive design, content reflow, and linear order go a long way toward better accessibility, not only for Microsoft Sentinel but also for the Azure portal in general. But there's more that can be done. And, while it …

Microsoft Sentinel Watchlist for Verifying First-party Microsoft Applications in Sign-in reports

In the Sign-in logs you will regularly see Application IDs appearing as user accounts. Most often, these will be our own first-party Microsoft application IDs for commonly used services and products. These are generally considered benign, but they can show up in Incidents and take time to investigate. So, here's a Watchlist you can employ in your Microsoft …

Using Logic App Parameters with Microsoft Sentinel Playbooks

I recently made a recommendation about the importance of Making Use of Variables in Microsoft Sentinel Playbooks. In this post I want to take this a bit further with a follow-up recommendation. Have you ever wondered how to generate those fill-in blanks that are produced during deployment of an ARM template (as shown …

Receive an Email Notification Each Morning with the List of Daily Microsoft Sentinel Incidents Created

Would you like to have an email notification show up daily in your inbox (or your security team's shared inbox) with a list of the Incidents created while you were sleeping? Here's a Logic App, ready to deploy to your environment, that delivers at 7am each morning and includes the list of …

Making Use of Variables in Microsoft Sentinel Playbooks

Creating Playbooks in Microsoft Sentinel is made easy through the Logic Apps service. Most operations are just click-to-select when creating the logic steps. But this ease of use can create bad habits. When you click and choose organization-specific content to be included in each step, this is actually stored and retained in …