#AzureSentinel


The article provides a comprehensive guide on how to use Bicep, a domain-specific language that uses declarative syntax to deploy Azure resources. It offers advantages over Azure Resource Management (ARM) templates such as smaller file size, integrated parameter files and better support for tools like Visual Studio Code. The author explains in detail how to create a Microsoft Sentinel instance using Bicep templates, including setting up parameters, creating the Log Analytics workspace and deploying solutions via PowerShell scripts.

If you're interested in learning more about using Bicep for Microsoft Sentinel deployment or looking for tips on how to optimize your usage of this powerful tool, check out the full article. You'll find detailed examples of code snippets and useful links to further resources.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel techcommunity.microsoft.com/t5

TECHCOMMUNITY.MICROSOFT.COM
Deploy Microsoft Sentinel using Bicep
Bicep is becoming a popular way of deploying Microsoft Sentinel. This article will show how this can be done as well as deploying solutions from the Content..

As digital environments expand, Security Operations teams are often faced with the challenge of optimizing costs while dealing with an exponential increase in data. This article outlines a strategy to reduce data volume and retain important information using Data Collection Rules (DCRs). The authors discuss how to decide what's important in a log for your organization and demonstrate the process of using DCRs to discard unnecessary information from logs. They also caution that only you can decide what’s essential for your organization in a particular log or table.

The authors delve into two types of DCRs: standard and workspace, explaining their use cases. They then guide readers on identifying high-volume sources, determining high-volume tables, record level analysis, column level analysis, and examining the process using two examples – AADNonInteractiveSigninLogs and SecurityEvent. In conclusion, they emphasize that as digital footprints grow exponentially, it is increasingly crucial for security teams to be judiciously intentional about the data they collect and retain. To learn more about this strategy and its application through practical examples, read the full article.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel techcommunity.microsoft.com/t5

TECHCOMMUNITY.MICROSOFT.COM
Save money on your Sentinel ingestion costs with Data Collection Rules
Learn how to reduce your data volume while also collecting the information with the highest security/detective value to your org.

Some Sentinel users have noticed that several data connectors they were using are now showing as deprecated in the user interface. However, this change doesn't mean your data has stopped flowing; it's still being delivered to the CommonSecurityLog or Syslog table and analytic rules are still applying to the data. The deprecation is due to a switch from log analytics agent (MMA or OMS agent) to Azure Monitor Agent (AMA), which provides benefits like faster performance and support for multihoming.

The new AMA allows you to use a single connector, such as Common Event Format for AMA, instead of multiple different ones based on specific solutions. If you've already shifted to the Common Event Format data connector and want to delete the deprecated connectors, be aware there's currently an error preventing this but a fix is coming soon. To learn more about these changes and how they could benefit you, check out the full article.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel techcommunity.microsoft.com/t5

TECHCOMMUNITY.MICROSOFT.COM
What to do if your Sentinel Data Connector shows as [DEPRECATED]
Several Sentinel users raised the alarm that several of the data connectors they were using suddenly show as deprecated in the user interface.

The article discusses the Use Case Mapper Workbook, a tool that can help identify gaps in your Sentinel environment and established Content-Hub-Solutions. The workbook maps common use cases to the MITRE ATT&CK framework, providing an overview of available analysis options in Sentinel. It identifies several use cases such as Credential Exploitation, Lateral Movement, Rapid Encryption among others. The workbook also allows for customization by reducing results to selected Data Sources.

The post further provides a step-by-step guide on how to deploy and get started with the Use Case Mapper Workbook. It outlines prerequisites like having an Azure subscription with a Sentinel equipped Log Analytic Workspace and correct RBAC roles assigned. Once deployed, it explains how you can select predefined use cases and data sources/solutions within the workbook for your specific needs. To learn more about this invaluable tool that simplifies supplementing solutions for complete implementation while staying updated on new hunting queries, analytic rules or workbooks, check out the full article.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel techcommunity.microsoft.com/t5

TECHCOMMUNITY.MICROSOFT.COM
Introducing the Use Cases Mapper workbook
1. Intro: While looking for the most effective use cases for Sentinel, it usually makes sense to start with data sources that already exist in some way in the..

The article discusses Cowrie, an advanced honeypot designed to emulate SSH (Secure Shell) and Telnet services to attract, detect, and analyze malicious activities. As a cybersecurity tool, Cowrie creates a controlled environment that mimics real systems to lure attackers. It logs their activities in detail, providing valuable insights into their methods and motives. The features of Cowrie include SSH and Telnet emulation, detailed logging of attempted commands, and file and command logging for a comprehensive view of the attacker's activities, among others.

Cowrie is beneficial as it provides threat intelligence by observing interactions with the honeypot; detects unknown threats not caught by traditional security measures; improves security posture based on data collected from the honeypot; and offers low risk deployment since any malicious activity targeting the honeypot does not affect actual production systems. Integrating Cowrie with Microsoft Sentinel enhances cybersecurity operations through intelligent security analytics across the enterprise. To learn more about how you can utilize this powerful tool for your organization's cybersecurity needs or if you're interested in installing Cowrie on Linux or leveraging Microsoft Sentinel with Cowrie, check out the full post.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel techcommunity.microsoft.com/t5

TECHCOMMUNITY.MICROSOFT.COM
Cowrie honeypot and its Integration with Microsoft Sentinel.
Honeypot: Honeypot is a security mechanism designed to attract, detect, and analyze malicious activities and attackers by simulating a vulnerable system or..

Microsoft has revamped its Sentinel Ninja Training program to keep pace with the rapidly changing cybersecurity landscape. The training now offers a more interactive experience, including updated modules, hands-on labs and real-world scenarios. It covers everything from threat detection to incident response and automation, ensuring you gain practical skills for optimizing your security operations. A major update is the integration of Sentinel into the Defender XDR portal which simplifies workflows and speeds up incident response.

The training also provides step-by-step guidance through official Microsoft Sentinel documentation, exclusive webinars and up-to-date blog posts from experts at Microsoft. If you're looking to enhance your Sentinel skills or want to explore the new features of this program, head over to their blog post on 'Become a Microsoft Sentinel Ninja: The Complete Level 400'. Don't miss out on this opportunity - your next cybersecurity breakthrough could be just one click away!
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel techcommunity.microsoft.com/t5

TECHCOMMUNITY.MICROSOFT.COM
Level Up Your Security Skills with the New Microsoft Sentinel Ninja Training!
If you’ve explored our Microsoft Sentinel Ninja Training in the past, it’s time to revisit! Our training program has undergone some exciting changes to keep..

Microsoft has announced a significant enhancement to its Unified Security Operations (SecOps) platform. The Global Search feature in the Defender portal now supports searching for Microsoft Sentinel users and devices, providing a more comprehensive and unified search experience. This new feature allows you to search for devices, users, and other information by typing full or partial search terms. It also increases efficiency by cutting down investigation time leading to faster resolution of security incidents.

This update is designed to streamline your workflow and improve efficiency with benefits such as unified search results, comprehensive identifier support, improved user experience among others. Whether it's incident investigation, threat hunting or device tracking - this tool can significantly enhance your security operations from one single interface. To learn more about how this works and how you can get started with the Global Search feature visit the official Microsoft 365 Defender portal documentation.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel techcommunity.microsoft.com/t5

TECHCOMMUNITY.MICROSOFT.COM
What's New: Global Search in Unified Security Operations platform includes Sentinel user and devices
We are thrilled to announce a significant enhancement to our Unified Security Operations (SecOps) platform. The Global Search feature in the Defender XDR..

Microsoft Security has been evolving from individual security products to a unified platform called the Unified Security Operations Platform. This platform provides comprehensive visibility, investigation, and response capabilities across endpoints, hybrid identities, emails, collaboration tools, cloud apps, cloud workloads and data. The article also discusses the Advanced Hunting capability that allows for threat hunting without boundaries. However, with the introduction of the unified hunting experience, the “SecurityAlert” table is no longer present in Advanced Hunting.

The article further explains how to hunt Adversary-in-the-Middle (AiTM) attacks using advanced hunting techniques on this new platform. AiTM attacks use sophisticated tactics like creating fraudulent sites that intercept user login credentials allowing attackers to hijack sign-in sessions and bypass authentication protections. The Unified Security Operations Platform not only provides detection alerts but also includes attack disruption capabilities to stop ongoing attacks thanks to its correlation mechanisms and various signals from Microsoft Defender XDR. If you're interested in learning more about these advanced security measures or want details on how third-party network activity correlates with first-party logs such as Entra ID sign-in events and AiTM-related URL click actions then continue reading.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel techcommunity.microsoft.com/t5

TECHCOMMUNITY.MICROSOFT.COM
Detecting AiTM Phishing via 3rd-Party Network events in Unified Security Operations Platform
We would like to provide a new update on AiTM (Adversary-in-the-Middle) phishing attacks hunting query with the Unified Security Operations Platform. These..

The article is the third part of a blog series on how to collect events using Data Collection Rules (DCRs) for advanced use cases. It discusses Defender for Endpoint's (MDE) various protections against tampering and alerts to detect it, while acknowledging that adversaries are constantly trying to find ways around these defenses. The piece highlights the importance of having Tamper Protection configured and enforced in your environment. It also provides a detailed guide on monitoring Defender related event logs, discussing relevant event IDs and their definitions, as well as how to collect specific logs in Microsoft Sentinel.

If you're interested in learning more about collecting events using DCRs or want to know more about configuring Tamper Protection for MDE, this article is definitely worth reading! You'll get an in-depth understanding of how you can protect your organization from potential malicious behavior affecting device protection. Check out the post [here](techcommunity.microsoft.com/t5).
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel techcommunity.microsoft.com/t5

TECHCOMMUNITY.MICROSOFT.COM
The power of Data Collection Rules: Collecting events for advanced use cases in Microsoft USOP
Monitoring Windows Security events is important to every organization's security. Security events can reveal a lot of information that might lead to the..