Azure Sentinel Incident View Column Chooser Reaches GA

Released in Preview in June of this year, the column chooser in the Incident blade of Azure Sentinel is now generally available. You might think this is a pretty low value feature release, but its not. This capability allows analysts to customize the view to show only those areas of content that will be valuable … Continue reading Azure Sentinel Incident View Column Chooser Reaches GA

How to Monitor for ProxyShell Microsoft Exchange Vulnerabilities using Azure Sentinel

Based on recent reporting and evidence its worthwhile to utilize Azure Sentinel to monitor for potential vulnerabilities in ProxyShell for Microsoft Exchange. See: Microsoft Exchange Servers Still Vulnerable to ProxyShell Exploit Here's a quick KQL query to use to Hunt for this vulnerability in your environment. The query can be turned into an Analytics Rule … Continue reading How to Monitor for ProxyShell Microsoft Exchange Vulnerabilities using Azure Sentinel

How to Control Deployment of Defender for Endpoint to your Linux machines

Azure Security Center now supports (in preview) the automatic deployment of Defender for Endpoint to your Linux machines. To enable this... [1] In Azure Security Center go to Pricing & Settings for the Security Center enabled subscription and then Integrations. [2] Click the Enable for Linux Machines (Preview) button and click Save. [3] Finally, verify … Continue reading How to Control Deployment of Defender for Endpoint to your Linux machines

Security Center Compliance Over Time Report Now in Public Preview

The Microsoft Security Center team has now released an integrated report that gives customers the ability to track compliance status over time. This is a valuable report to enable managers and workers to view continuing progress toward a compliant environment. The Compliance Over Time workbook requires continuous export to export data to a Log Analytics … Continue reading Security Center Compliance Over Time Report Now in Public Preview

Using PowerShell to create Windows 10 Custom Device Policy from the output of Endpoint Manager Group Policy Analytics

In 2020 Microsoft released the Endpoint Manager Group Policy Analytics (still in Preview). This can be very useful to determine your level of modern management support. At this point Group Policy analytics only provides you with the MDM Supported values in CSP mappings and do not provide any further options to create the policies. As … Continue reading Using PowerShell to create Windows 10 Custom Device Policy from the output of Endpoint Manager Group Policy Analytics

How to Obtain a Completion Certificate for Azure Security Center Ninja Training

Many of the Microsoft Ninja trainings have completion certificates available after a brief knowledge measure and a passing score. As of August 11th, this also goes for the Ninja training for Azure Security Center/Azure Defender. The knowledge measure for ASC consists of 30 questions. I've taken it myself and am pretty happy to say I … Continue reading How to Obtain a Completion Certificate for Azure Security Center Ninja Training

Field Notes: Active Directory tombstone lifetime

The days of updating the default tombstone lifetime for Active Directory may be long forgotten, but if your Active Directory Forest has been running since Windows Server 2000/2003 and you have never verified the tombstone lifetime, it may be worthwhile to do so. As I have found first-hand with my customer, there are some deployments out there that may still be using a tombstone lifetime of 60 days. Expecting a value of 180 days and realizing too late that this is not the case may cause unnecessary complications in the future.

Shortcut Way to Create Your XPath Queries for Azure Sentinel DCRs

I talked recently about XPath queries in relations to the new Windows Security Events Data Connector in Azure Sentinel. To catch up to that discussion, see: How to Limit What Azure Sentinel Collects from Windows Systems. XPath queries are something you'll need to become comfortable with creating to use Data Collection Rules (DCRs) that are … Continue reading Shortcut Way to Create Your XPath Queries for Azure Sentinel DCRs

How to Save Your Azure Sentinel Query History Externally

I've talked recently about how to use the cool new feature of Query Packs to save your Azure Sentinel queries for longer term. Query history is only save for 30 days, despite the 90-day retention offering for other Azure Sentinel data. So, its good to make use of the Query Packs or the general Save … Continue reading How to Save Your Azure Sentinel Query History Externally