MITRE ATT&CK Framework Reference Workbook for Azure Sentinel Updated with Latest Techniques

The MITRE Corporation today has announced some changes in it's tactics techniques, including the sunsetting of the PRE-ATT&ACK component only more recently announced. Per the release page: Retirement of PRE-ATT&CK - This release deprecates and removes the PRE-ATT&CK domain from ATT&CK, replacing its scope with two new Tactics in Enterprise ATT&CK Reconnaissance and Resource Development. … Continue reading MITRE ATT&CK Framework Reference Workbook for Azure Sentinel Updated with Latest Techniques →

Microsoft Endpoint Manager – “Defeating Vulnerability Scans”

The Issue In Operations you may get approached by your Security Team from time to time to help them close new Vulnerabilities that have been identified after a Vulnerability Scan was run. It might look like the below and contain a list of Vulnerabilities that need to be addressed. The Investigation If you are lucky … Continue reading Microsoft Endpoint Manager – “Defeating Vulnerability Scans” →

Using Microsoft To-do as a Simple Ticketing System for Azure Sentinel

A customer recently wanted me to suggest a very simple, cost-worthy service ticketing system they could use with Azure Sentinel. The following ended up serving the customer's needs. Microsoft To-do can be a powerful tool for those that like to separate their schedule items from their task lists. For many Office 365 customers, they may … Continue reading Using Microsoft To-do as a Simple Ticketing System for Azure Sentinel →

Resolving WindowsFirewall Log Ingestion Problems for Azure Sentinel

This problem has come up enough in the last month or so that its worth a quick-hit blog post to help folks resolve it. The problem: You enable the Windows Firewall Data Connector in Azure Sentinel, follow the directions, and make sure the Log Analytics agent is installed on the remote system - but the … Continue reading Resolving WindowsFirewall Log Ingestion Problems for Azure Sentinel →

Azure Sentinel Daily Task: Data Connectors

This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I’ll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There’s deeper discussions and training that’s required to get a good … Continue reading Azure Sentinel Daily Task: Data Connectors →

Azure Sentinel Daily Task: Analytics Rules

This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I'll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There's deeper discussions and training that's required to get a … Continue reading Azure Sentinel Daily Task: Analytics Rules →

Azure Sentinel Tip for Table Details and Descriptions

I wrote a recent article that talks about tips for doing Data Sampling for Azure Sentinel. Data Sampling is a method that allows the Sentinel Analyst to figure out where and what data exists in the Log Analytics workspace to help hone KQL queries to produce good data results. Read that here if you missed … Continue reading Azure Sentinel Tip for Table Details and Descriptions →

Azure Sentinel Daily Task: Hunting Queries and Bookmarks

This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I'll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There's deeper discussions and training that's required to get a … Continue reading Azure Sentinel Daily Task: Hunting Queries and Bookmarks →

Azure Sentinel Daily Task: Investigate Incidents

This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I'll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There's deeper discussions and training that's required to get a … Continue reading Azure Sentinel Daily Task: Investigate Incidents →

Newly Expanded Azure Sentinel Feature for Closing Incidents

Working with Azure Sentinel daily I see new features added regularly. I deliver a weeklong workshop and POC for Azure Sentinel and it's rare that I don't discover something new myself during each workshop and then have to learn it and teach about it on-the-fly. But that's a good thing. As with everything in Azure, … Continue reading Newly Expanded Azure Sentinel Feature for Closing Incidents →