threat hunting
62 Topics

Sentinel Data Connector for Azure Virtual Desktop
Hello, I have a customer planning to deploy Azure Virtual Desktop (AVD). They are currently using Microsoft Sentinel for their SecOps. However, there is no AVD Data Connector available. The customer is not interested in building a custom data connector. Does anyone know if there are plans to add a data connector for AVD in the near future? Thanks.

Improve SecOps collaboration with case management
Are you using a third-party case management system for the SecOps work you do in Microsoft Sentinel or Defender XDR? Do you struggle to find a solution that encompasses the specific needs of your security team? We are excited to announce a new case management solution, now in public preview. This is our first step towards providing a native, security-focused case management system that spans all SecOps workloads in the Defender portal, removing customer reliance on third-party SIEM/XDR and ticketing systems. This will be available for all Microsoft Sentinel customers that have onboarded to the unified SecOps platform.

Daily "Network Port Sweep detected on port x" but no Source IP
For a couple of months we have been getting "Network Port Sweep was detected by multiple IPs" with ports 135 and 445 mostly. The KQL attached lists a load of Destination IPs but no Source IP (see example below). All these are inside our network, and so not coming from outside the network where the firewall would block such scans. We suspect it is one of our network tools such as SolarWinds, but without the Source IP it is difficult to prove anything.

// The query_now parameter represents the time (in UTC) at which the scheduled analytics rule ran to produce this alert.
set query_now = datetime(2024-06-24T03:01:10.2587643Z);
let lookback = 1h;
let threshold = 20;
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where NetworkDirection == "Inbound"
| summarize make_set(DstIpAddr, 100) by DstPortNumber
| where array_length(set_DstIpAddr) > threshold

I tried to modify the query; this is the KQL I have tried:

set query_now = datetime(2024-01-26T07:47:48.3756000Z);
let lookback = 1h;
let threshold = 20;
_Im_NetworkSession(starttime=ago(lookback), endtime=now())
| where NetworkDirection == "Inbound"
| summarize make_set(DstIpAddr, 100), make_set(SrcIpAddr, 100) by DstPortNumber
| where array_length(set_DstIpAddr) > threshold

Anyone got any suggestions on how we can track down what is causing this alert in Sentinel?

What’s New: Exciting new Microsoft Sentinel Connectors Announcement - Ignite 2024
Microsoft Sentinel continues to be a leading cloud-native security information and event management (SIEM) solution, empowering organizations to detect, investigate, and respond to threats across their digital ecosystem at scale. Microsoft Sentinel offers robust out-of-the-box (OOTB) content, allowing seamless connections with a wide array of data sources from both Microsoft and third-party providers. This enables comprehensive collection and analysis of security signals across multicloud, multiplatform environments, enhancing your overall security posture.

In this Ignite 2024 blog post, we are thrilled to present the latest integrations contributed by our esteemed Partners. These new integrations further expand the capabilities of Microsoft Sentinel, enabling you to connect your existing security solutions and leverage Microsoft Sentinel’s powerful analytics and automation capabilities to fortify your defenses against evolving cyber threats.

Featured ISV

1Password for Microsoft Sentinel
The integration between 1Password Extended Access Management and Microsoft Sentinel provides businesses with real-time visibility and alerts for login attempts and account changes. It enables quick detection of security threats and streamlines reporting by monitoring both managed and unmanaged apps from a single, centralized platform, ensuring faster response times and enhanced security.

Cisco Secure Email Threat Defense Sentinel Application
This application collects threat information from Cisco Secure Email Threat Defense and ingests it into Microsoft Sentinel for visualization and analysis. It enhances email security by detecting and blocking advanced threats, providing comprehensive visibility and fast remediation.

Cribl Stream Solution for Microsoft Sentinel
Cribl Stream accelerates SIEM migrations by ingesting, transforming, and enriching third-party data into Microsoft Sentinel. It simplifies data onboarding, optimizes data in various formats, and helps maintain compliance, enhancing security operations and threat detection.

FortiNDR Cloud
FortiNDR Cloud integrates Fortinet’s network detection and response capabilities with Microsoft Sentinel, providing advanced threat detection and automated response. Fortinet FortiNDR Cloud enhances network security by helping to identify and mitigate threats in real time.

Pure Storage Solution for Microsoft Sentinel
This solution integrates Pure Storage’s data storage capabilities with Sentinel, providing enhanced data protection and performance. It helps optimize storage infrastructure and improve data security.

New and Notable

CyberArk Audit for Microsoft Sentinel
This solution extracts audit trail data from CyberArk and integrates it with Microsoft Sentinel, providing a comprehensive view of system and user activities. It enhances incident response with automated workflows and real-time threat detection.

Cybersixgill Actionable Alerts for Microsoft Sentinel
Cybersixgill provides contextual and actionable alerts based on data from the deep and dark web. It helps SOC analysts detect phishing, data leaks, and vulnerabilities, enhancing incident response and threat remediation.

Cyware for Microsoft Sentinel
Cyware integrates with Microsoft Sentinel to automate incident response and enhance threat hunting. It uses Logic Apps and hunting queries to streamline security operations and provides contextual threat intelligence.

Ermes Browser Security for Microsoft Sentinel
Ermes Browser Security ingests security and audit events into Microsoft Sentinel, providing enhanced visibility and reporting. It helps monitor and respond to web threats, improving the organization’s security posture.

Gigamon Data Connector for Microsoft Sentinel
This solution integrates Gigamon GigaVUE Cloud Suite, including Application Metadata Intelligence, with Microsoft Sentinel, providing comprehensive network traffic visibility and insights. It helps detect anomalies and optimize network performance, enhancing overall security.

Illumio Sentinel Integration
Illumio integrates its micro-segmentation capabilities with Microsoft Sentinel, providing real-time visibility and control over network traffic. It helps prevent lateral movement of threats and enhances overall network security.

Infoblox App for Microsoft Sentinel
The Infoblox solution enhances SecOps capabilities by seamlessly integrating Infoblox's AI-driven analytics, providing actionable insights, dashboards, and playbooks derived from DNS intelligence. These insights empower SecOps teams to achieve rapid incident response and remediation, all within the familiar Microsoft Sentinel user interface.

LUMINAR Threat Intelligence for Microsoft Sentinel
LUMINAR integrates threat intelligence and leaked credentials data into Microsoft Sentinel, helping organizations maintain visibility of their threat landscape. It provides timely, actionable insights to help detect and respond to threats before they impact the organization.

Prancer PenSuite AI
Prancer PenSuite AI now supercharges Microsoft Sentinel by injecting pentesting and real-time AppSec data into SOC operations. With powerful red teaming simulations, it empowers teams to detect vulnerabilities earlier, respond faster, and stay ahead of evolving threats.

Phosphorus Connector for Microsoft Sentinel
Phosphorus Cybersecurity’s Intelligent Active Discovery provides in-depth context for xIoT assets that enhances threat detection and allows for targeted responses, enabling organizations to isolate or secure specific devices based on their criticality.

Silverfort for Microsoft Sentinel
Silverfort integrates its Unified Identity Protection Platform with Microsoft Sentinel, securing authentication and access to sensitive systems, both on-premises and in the cloud, without requiring agents or proxies.

Transmit Security Data Connector for Sentinel
Transmit Security integrates its identity and access management capabilities with Sentinel, providing real-time monitoring and threat detection for user activities. It helps secure identities and prevent unauthorized access.

In addition to commercially supported integrations, Microsoft Sentinel Content Hub also connects you to hundreds of community-based solutions as well as thousands of practitioner contributions. For more details and instructions on how to set up these integrations, see Microsoft Sentinel data connectors | Microsoft Learn.

To our partners: Thank you for your unwavering partnership and invaluable contributions on this journey to deliver the most comprehensive, timely insights and security value to our mutual customers. Security is indeed a team sport, and we are grateful to be working together to enhance the security landscape. Your dedication and innovation are instrumental in our collective success.

We hope you find these new partner solutions useful, and we look forward to hearing your feedback and suggestions. Stay tuned for more updates and announcements on Microsoft Sentinel and its partner ecosystem.

Learn More
Microsoft’s commitment to Security
Microsoft’s Secure Future Initiative
Unified SecOps | SIEM and XDR Solutions
Unified Platform documentation | Microsoft Defender XDR
What else is new with Microsoft Sentinel?
Microsoft Sentinel product home
Schema Mapping
Microsoft Sentinel Partner Solution Contributions Update – Ignite 2023

Additional resources:
Sentinel Ignite 2024 Blog
Latest Microsoft Tech Community Sentinel blog announcements
Microsoft Sentinel solution for SAP
Microsoft Sentinel solution for Power Platform
Microsoft Sentinel pricing
Microsoft Sentinel customer stories
Microsoft Sentinel documentation

Introducing the Use Cases Mapper workbook
1. Intro

While looking for the most effective use cases for Sentinel, it usually makes sense to start with data sources that already exist in some way in the corporate environment, whether due to a previous / third-party SIEM integration or due to an already implemented security stack / solution. The next logical step in this process is to determine preexisting Sentinel solutions for the products already in use. Unfortunately, this step is often done only partially, or not at all, because of a lack of resources. In addition, the solutions available (so-called Content Hub Solutions) continue to evolve, and once implemented, necessary updates may be neglected.

This is where the Use Case Mapper Workbook can help. The workbook and the complementary resources (watchlists) can be used to map common Use Cases to the MITRE ATT&CK framework, i.e. the tactics and techniques listed there. This gives you a quick overview of the analysis options available in Sentinel (e.g. Analytic Rules & Hunting Queries) according to these Use Cases.

The identified Use Cases in this context are:
Credential Exploitation
Lateral Movement
Rapid Encryption
Command and Control Communication
Insider Risk
Anomalous Privilege Escalation
Third-Party Abuses
Overexposure
Data Exfiltration
Mobile Data Security
Communication Abuse
Web Application Abuse

NOTE: These can change over time, as attack & defense strategies and techniques are constantly changing as well.

To be able to adapt this information to your own needs, the option of reducing the results to selected Data Sources (Content Hub Solutions) has been implemented as well.

2. Prerequisites

Before getting started, check that the following prerequisites are fulfilled:
An Azure subscription with a Log Analytics workspace that has Sentinel enabled
The correct RBAC roles assigned; for the sake of simplicity, this should be 'Contributor' or 'Owner'

3. How to deploy/get started

Go to the following website: Azure-Sentinel/Workbooks/use cases mapper workbook at master · Azure/Azure-Sentinel · GitHub
Look for the 'Deploy to Azure' button
Log into a suitable tenant
Enter the required information (subscription, resource group, region, workspace name) (1) and click 'Review + create' (2)
Check your entered information again and confirm it by clicking on 'Create'
The new workbook (Use Case Mapper) should now appear in Sentinel in the 'Workbooks' section.

4. How to use & structure

In the first section of the workbook, you have the option to select one of the predefined Use Cases. The next step (2nd step) is to select the right data source/solution. The selection made before is presented in section 3 below. Based on the selections made, the following information is presented:
Analytical rules - ID | Name | Solution | Technique + graphical representation
Hunting Queries - ID | Name | Solution | Technique + graphical representation
Workbooks - Name | Solution

5. Conclusion

The Use Case Mapper Workbook is an invaluable tool for identifying gaps in your Sentinel environment and the established Content Hub Solutions. It simplifies the process of supplementing your solutions to achieve a complete implementation. Additionally, it helps you stay informed about updates (such as new hunting queries, analytic rules, or workbooks) and makes it possible to integrate them promptly. The workbook also provides a clear picture of the threats and vulnerabilities that should be mitigated with your solutions and where they can be found within the MITRE ATT&CK framework.

Level Up Your Security Skills with the New Microsoft Sentinel Ninja Training!
If you’ve explored our Microsoft Sentinel Ninja Training in the past, it’s time to revisit! Our training program has undergone some exciting changes to keep you ahead of the curve in the ever-evolving cybersecurity landscape. Microsoft Sentinel is a cutting-edge, cloud-native SIEM and SOAR solution designed to help security professionals protect their organizations from today’s complex threats. Our Ninja Training program is here to guide you through every aspect of this powerful tool.

So, what’s new? In addition to the structured security roles format, the Ninja Training now offers a more interactive experience with updated modules, hands-on labs, and real-world scenarios. Whether you're focusing on threat detection, incident response, or automation, the training ensures you gain the practical skills needed to optimize your security operations.

One of the biggest updates is the integration of Sentinel into the Defender XDR portal, creating a unified security platform. This merger simplifies workflows, speeds up incident response, and minimizes tool-switching, allowing for seamless operations.

Other highlights include:
Step-by-step guidance through the official Microsoft Sentinel documentation.
Exclusive webinars and up-to-date blog posts from Microsoft experts.

If you're ready to take your Sentinel skills to the next level or want to revisit the program’s new features, head over to the blog now and dive into the refreshed Microsoft Sentinel Ninja Training! Don’t miss out: your next cybersecurity breakthrough is just a click away!

I am learning to build Logic Apps working with Sentinel inc
Hello, I am learning to build Logic Apps. The tasks will mainly involve querying Log Analytics and writing comments in incidents. How can I do this securely? I understand that I need to add the Sentinel Contributor role for the Logic App, but what next? If I need the Logic App to be able to query, do I need to give it additional access, such as Log Analytics Contributor or Reader?

When I want to create a connection, I have three options:

OAuth - I see that I log in with my account, and then the Logic App has access to what I have access to. Is this secure?

Service Principal - I need to register an application and create a secret for it, then grant this application access to Sentinel. Can I use a single Service Principal for all Logic Apps? I understand that secrets need to be rotated; does this affect my Logic Apps? Will I need to update something to ensure everything works properly?

Managed Identity - This only works within the specific Logic App? This seems like the best solution, but I managed to add a new Managed Identity to query Log Analytics, and in the next step, I wanted it to add tasks to an incident in Sentinel, and unfortunately, it didn't work. (However, I changed the last step and added it via OAuth, and it worked, allowing the Logic App to add tasks to the incident in Sentinel.)

This is one example I am working on: https://github.com/Azure/Azure-Sentinel/blob/master/Playbooks/Get-SOCTasks/readme.md (adding role assignment). It would be great if you could share your experiences! Thank you.

Domain name lookup from query results
Hi, I have a beacon detection query that will give me a list of domains the users were successfully communicating with over a certain interval. From the domain names generated in the result, I want to perform a whois lookup of every domain and alert on those created in the last 30 days. I am looking for suggestions on the best way to implement whois lookup from the query results. Thank you!

Microsoft Sentinel Notebooks Ninja Part 2: Getting Started with Microsoft Sentinel Notebooks
If you’ve never used Jupyter notebooks before, it can feel daunting and seem a bit like a black box. Ideally, the best way to get started is to become comfortable with a few of the “quick start” notebooks that we’ve provided as part of the Microsoft Sentinel out-of-the-box experience.