It seems my team mates still have time to work, so they must be able to look at even more applicants for this #SOC analyst role in Switzerland!
https://recruitingapp-2563.umantis.com/Vacancies/515/Description/1
The article provides a comprehensive guide on how to use Bicep, a domain-specific language that uses declarative syntax to deploy Azure resources. It offers advantages over Azure Resource Manager (ARM) templates such as smaller file size, integrated parameter files and better support for tools like Visual Studio Code. The author explains in detail how to create a Microsoft Sentinel instance using Bicep templates, including setting up parameters, creating the Log Analytics workspace and deploying solutions via PowerShell scripts.
If you're interested in learning more about using Bicep for Microsoft Sentinel deployment or looking for tips on how to optimize your usage of this powerful tool, check out the full article. You'll find detailed examples of code snippets and useful links to further resources.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/deploy-microsoft-sentinel-using-bicep/ba-p/4270970
As digital environments expand, Security Operations teams are often faced with the challenge of optimizing costs while dealing with an exponential increase in data. This article outlines a strategy to reduce data volume and retain important information using Data Collection Rules (DCRs). The authors discuss how to decide what's important in a log for your organization and demonstrate the process of using DCRs to discard unnecessary information from logs. They also caution that only you can decide what’s essential for your organization in a particular log or table.
The authors delve into two types of DCRs: standard and workspace, explaining their use cases. They then guide readers on identifying high-volume sources, determining high-volume tables, record level analysis, column level analysis, and examining the process using two examples – AADNonInteractiveSigninLogs and SecurityEvent. In conclusion, they emphasize that as digital footprints grow exponentially, it is increasingly crucial for security teams to be judiciously intentional about the data they collect and retain. To learn more about this strategy and its application through practical examples, read the full article.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/save-money-on-your-sentinel-ingestion-costs-with-data-collection/ba-p/4270256
Some Sentinel users have noticed that several data connectors they were using are now showing as deprecated in the user interface. However, this change doesn't mean your data has stopped flowing; it's still being delivered to the CommonSecurityLog or Syslog table and analytic rules are still applying to the data. The deprecation is due to a switch from the Log Analytics agent (MMA or OMS agent) to the Azure Monitor Agent (AMA), which provides benefits like faster performance and support for multihoming.
The new AMA allows you to use a single connector, such as Common Event Format for AMA, instead of multiple different ones based on specific solutions. If you've already shifted to the Common Event Format data connector and want to delete the deprecated connectors, be aware there's currently an error preventing this but a fix is coming soon. To learn more about these changes and how they could benefit you, check out the full article.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-to-do-if-your-sentinel-data-connector-shows-as-deprecated/ba-p/4270346
The article discusses the Use Case Mapper Workbook, a tool that can help identify gaps in your Sentinel environment and installed Content Hub solutions. The workbook maps common use cases to the MITRE ATT&CK framework, providing an overview of available analysis options in Sentinel. It identifies several use cases such as Credential Exploitation, Lateral Movement and Rapid Encryption, among others. The workbook also allows for customization by reducing results to selected data sources.
The post further provides a step-by-step guide on how to deploy and get started with the Use Case Mapper Workbook. It outlines prerequisites like having an Azure subscription with a Sentinel-enabled Log Analytics workspace and the correct RBAC roles assigned. Once deployed, it explains how you can select predefined use cases and data sources/solutions within the workbook for your specific needs. To learn more about this invaluable tool that simplifies supplementing solutions for complete implementation while staying updated on new hunting queries, analytic rules or workbooks, check out the full article.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/introducing-the-use-cases-mapper-workbook/ba-p/4202058
The article discusses Cowrie, an advanced honeypot designed to emulate SSH (Secure Shell) and Telnet services to attract, detect, and analyze malicious activities. As a cybersecurity tool, Cowrie creates a controlled environment that mimics real systems to lure attackers. It logs their activities in detail, providing valuable insights into their methods and motives. The features of Cowrie include SSH and Telnet emulation, detailed logging of attempted commands, file and command logging for comprehensive view of attacker's activities among others.
Cowrie is beneficial as it provides threat intelligence by observing interactions with the honeypot; detects unknown threats not caught by traditional security measures; improves security posture based on data collected from the honeypot; and offers low risk deployment since any malicious activity targeting the honeypot does not affect actual production systems. Integrating Cowrie with Microsoft Sentinel enhances cybersecurity operations through intelligent security analytics across the enterprise. To learn more about how you can utilize this powerful tool for your organization's cybersecurity needs or if you're interested in installing Cowrie on Linux or leveraging Microsoft Sentinel with Cowrie, check out the full post.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/cowrie-honeypot-and-its-integration-with-microsoft-sentinel/ba-p/4258349
Microsoft has revamped its Sentinel Ninja Training program to keep pace with the rapidly changing cybersecurity landscape. The training now offers a more interactive experience, including updated modules, hands-on labs and real-world scenarios. It covers everything from threat detection to incident response and automation, ensuring you gain practical skills for optimizing your security operations. A major update is the integration of Sentinel into the Defender XDR portal which simplifies workflows and speeds up incident response.
The training also provides step-by-step guidance through official Microsoft Sentinel documentation, exclusive webinars and up-to-date blog posts from experts at Microsoft. If you're looking to enhance your Sentinel skills or want to explore the new features of this program, head over to their blog post on 'Become a Microsoft Sentinel Ninja: The Complete Level 400'. Don't miss out on this opportunity - your next cybersecurity breakthrough could be just one click away!
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/level-up-your-security-skills-with-the-new-microsoft-sentinel/ba-p/4260106
Microsoft has announced a significant enhancement to its Unified Security Operations (SecOps) platform. The Global Search feature in the Defender portal now supports searching for Microsoft Sentinel users and devices, providing a more comprehensive and unified search experience. This new feature allows you to search for devices, users, and other information by typing full or partial search terms. It also increases efficiency by cutting down investigation time leading to faster resolution of security incidents.
This update is designed to streamline your workflow and improve efficiency with benefits such as unified search results, comprehensive identifier support, improved user experience among others. Whether it's incident investigation, threat hunting or device tracking - this tool can significantly enhance your security operations from one single interface. To learn more about how this works and how you can get started with the Global Search feature visit the official Microsoft 365 Defender portal documentation.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-global-search-in-unified-security-operations-platform/ba-p/4255122
Microsoft Security has been evolving from individual security products to a unified platform called the Unified Security Operations Platform. This platform provides comprehensive visibility, investigation, and response capabilities across endpoints, hybrid identities, emails, collaboration tools, cloud apps, cloud workloads and data. The article also discusses Advanced Hunting capability that allows for threat hunting without boundaries. However, with the introduction of the unified hunting experience, “SecurityAlert” table is no longer present in Advanced Hunting.
The article further explains how to hunt Adversary-in-the-Middle (AiTM) attacks using advanced hunting techniques on this new platform. AiTM attacks use sophisticated tactics like creating fraudulent sites that intercept user login credentials allowing attackers to hijack sign-in sessions and bypass authentication protections. The Unified Security Operations Platform not only provides detection alerts but also includes attack disruption capabilities to stop ongoing attacks thanks to its correlation mechanisms and various signals from Microsoft Defender XDR. If you're interested in learning more about these advanced security measures or want details on how third-party network activity correlates with first-party logs such as Entra ID sign-in events and AiTM-related URL click actions then continue reading.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/detecting-aitm-phishing-via-3rd-party-network-events-in-unified/ba-p/4224653
The article is the third part of a blog series on how to collect events using Data Collection Rules (DCRs) for advanced use cases. It discusses Defender for Endpoint's (MDE) various protections against tampering and alerts to detect it, while acknowledging that adversaries are constantly trying to find ways around these defenses. The piece highlights the importance of having Tamper Protection configured and enforced in your environment. It also provides a detailed guide on monitoring Defender related event logs, discussing relevant event IDs and their definitions, as well as how to collect specific logs in Microsoft Sentinel.
If you're interested in learning more about collecting events using DCRs or want to know more about configuring Tamper Protection for MDE, this article is definitely worth reading! You'll get an in-depth understanding of how you can protect your organization from potential malicious behavior affecting device protection. Check out the post [here](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/the-power-of-data-collection-rules-collecting-events-for/ba-p/4236486).
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/the-power-of-data-collection-rules-detect-disabling-windows/ba-p/4236540
The article is a continuation of a blog series on how to collect events using Data Collection Rules (DCRs) for advanced use cases. It discusses the use of PowerShell, a tool used by administrators to manage devices and servers in their environment. The piece explains that PowerShell doesn't leave credentials behind on target systems unlike RDP, providing security benefits and preventing Pass-The-Hash attacks and other credential theft scenarios. However, adversaries have been known to exploit PowerShell for attacks; hence companies with robust PowerShell configuration and monitoring are at an advantage against these threats.
The post further provides steps on setting up your own monitoring mechanism to spot executed PowerShell code in your environment using Microsoft Sentinel and the Unified SecOps Platform. It also guides you through configuring script block logging, detecting and reviewing executed PowerShell code, configuring the data collection rule (DCR) to collect required events, creating detections among others. To get more details about this process as well as links to resources mentioned in the article such as books or GitHub templates visit the original post.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/the-power-of-data-collection-rules-monitoring-powershell-usage/ba-p/4236527
The process of migrating from Splunk to Microsoft Sentinel via the SIEM Migration experience has been improved with three key additions: Schema Mapping, support for Splunk Macros in translation, and support for Splunk Lookups in translation. These features allow customers to provide more contextual details about their Splunk environment & usage to the Microsoft Sentinel SIEM Migration translation engine so it can account for them when converting detections from SPL to KQL.
Schema mapping allows users to define how Splunk sources map to Microsoft Sentinel tables within the new “Schema mapping” section of the UI Experience. The system extracts all sources from SPL queries upon uploading a Splunk export. Support is provided for translating invocation of lookups using the “_GetWatchlist()” KQL function. Lastly, macros are expanded by making inline replacements of macro references by respective macro definitions and passed on to the translation engine. To learn more about these updates and get step-by-step guidance on how they work, check out this post.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/siem-migration-update-now-migrate-with-contextual-depth-in/ba-p/4241234
The article talks about the importance of monitoring Windows Security events for any organization's security. It discusses how Microsoft Sentinel can be used to collect and filter these events, which can reveal information leading to the discovery of an attack or other threats. The post also provides a step-by-step guide on setting up data collection rules to detect account discovery using Azure Monitor Agent (AMA) and Data Collection Rules (DCR). Furthermore, it explores how to set up security events with AMA and demonstrates detecting potential Discovery attacks.
If you're interested in learning more about this topic, especially if you're involved in managing your organization's network security, I highly recommend giving this article a read. You'll find detailed explanations along with the relevant XPath queries for collecting the required event IDs, and scheduled analytic rules or hunting queries for building detections.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/the-power-of-data-collection-rules-collecting-events-for/ba-p/4236486
Microsoft has launched a public preview of multi-tenancy for its unified security operations (SecOps) platform. This feature allows managed security service providers and enterprises to protect their entire environment from one place, improving efficiency and threat detection accuracy. The release does not include multi-tenancy for Copilot for Security, Threat Intelligence or exposure management. However, it provides enhanced detection and response capabilities by correlating incidents across SIEM and XDR data, streamlined investigation with out-of-the-box enrichments from Microsoft Defenders, scalability and flexibility to accommodate growing customer bases, comprehensive threat intelligence access, and seamless integration with existing tools.
The new feature is designed for any enterprise or Managed Security Service Provider aiming to handle security for multiple client organizations or large multinational enterprises. To use this feature, customers must be using Microsoft Sentinel along with at least one Defender XDR workload, and must have delegated access to more than one tenant enrolled in the unified SecOps platform via Azure B2B collaboration. No additional license is required, but each tenant needs its own license. There are no additional ingestion costs associated with the use of this new feature either! If you want to learn more about how you can benefit from this innovative experience that brings together all critical SOC tools in one place, check out the full article.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-s-new-multi-tenancy-in-the-unified-security-operations/ba-p/4225658
As digital environments expand, organizations are grappling with the dual challenges of gathering relevant security data to enhance protection and optimizing costs to meet budget constraints. Microsoft is addressing these needs by announcing the public preview of a new data tier, Auxiliary Logs and Summary Rules in Microsoft Sentinel. The Auxiliary Logs support high-volume data sources including network, proxy, and firewall logs at an affordable price. They allow long-term storage but limit on-demand analysis to the last 30 days. Meanwhile, Summary Rules enable customers to aggregate data from Auxiliary Logs into a summary that can be routed for access to full query features.
Microsoft's native data tiering offers flexibility in managing all security data according to business needs. For instance, firewall event logs are crucial for threat hunting and investigations; organizations can now send all such logs to Auxiliary Logs at an affordable rate while running a Summary Rule for scheduled aggregations routed to Analytics Log tiers. This combination helps security teams use high volume logs efficiently while minimizing costs. To learn more about how Microsoft is expanding scenarios covered by Auxiliary Logs over time or how you can optimize log ingestion with this feature, check out the full article.
Post generated with the help of Azure OpenAI GPT4 🤖 #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/comprehensive-coverage-and-cost-savings-with-microsoft-sentinel/ba-p/4223293
The article discusses the Azure Monitor Agent (AMA), a lightweight log collection agent that replaces the deprecated Log Analytics Agent. AMA is designed to use minimal resources while collecting metrics and logs from your server, and it can be installed on various Linux or Windows machines hosted in Azure, on-premises or other cloud environments. The agent sends all collected logs to Microsoft Sentinel tables when associated with a Microsoft Sentinel workspace. It also allows for control using Data Collection Rules (DCR) which define where to collect logs from, how to manipulate data and where to send the logs.
The author highlights several reasons why they prefer AMA over its predecessor. Among them are its increased performance - up 25% compared to the Linux OMS agent and 500% better than MMA for Windows; central configuration via DCRs enabling machine grouping; support for multi-homing, sending events across regions and tenants; enhanced security features including Managed Identity and Microsoft Entra tokens; as well as continuous improvements being made by their team. To learn more about these benefits of AMA, check out the full post! #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/revolutionizing-log-collection-with-azure-monitor-agent/ba-p/4218129
The article is a step-by-step guide on how to integrate the Cyberint Threat Intelligence module with Microsoft Sentinel, a cloud-native Security Information and Event Management (SIEM) solution. The integration enhances Microsoft Sentinel's ability to detect and respond to emerging threats using threat intelligence feeds. The guide provides detailed instructions on prerequisites, creating a new Logic App in Azure, enabling Managed Identity for the app, pasting JSON code into Code view, handling HTTP action redirect status codes and more.
If you're interested in enhancing your security operations with enriched threat intelligence data or need help troubleshooting issues during integration, this guide could be very helpful. Check out the full post for all the details and specific steps. #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-amp-cyberint-threat-intel-integration-guide/ba-p/4211883
Microsoft has recently announced the general availability of Microsoft Sentinel in the Defender portal. This is part of its unified security operations platform, which brings together all the tools a security team needs into one experience. The platform includes features such as SIEM, XDR, exposure management, GenAI and threat intelligence. Despite this integration, Microsoft Sentinel will continue to exist in Azure as a standalone experience for customers not ready to switch to the unified platform.
The article also provides answers to frequently asked questions about this new development. It clarifies that pricing isn't changing and both Microsoft Defender XDR and Microsoft Sentinel will continue to be sold separately. Customers can still use their existing Microsoft Sentinel workspace without needing any changes or rearchitecting when they connect it with the defender portal. For more details on these topics and others like benefits of unified incident queue alert correlation or how to onboard your workspace into the Defender portal, check out the full post. #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/frequently-asked-questions-about-the-unified-security-operations/ba-p/4212048
The blog post discusses how to overcome the lack of a dedicated connector for GitLab Cloud Edition in Microsoft Sentinel. It explains how to use API endpoints provided by GitLab to collect logs and integrate them into Sentinel. The process involves setting up a custom table via Azure Monitor Data Collection Endpoint (DCE) and Data Collection Rule (DCR), using Azure Logic Apps, and securely storing API endpoint credentials with Azure Key Vault. This allows organizations to maximize Microsoft Sentinel's capabilities, improving threat detection and response actions.
The blog provides detailed steps on setting up a free trial account on GitLab Cloud Edition, generating a Personal Access Token (PAT) for accessing the GitLab logs API endpoint, using the PAT in Postman to check the logs, configuring the Azure Monitor DCR and DCE, developing an Azure Logic App to fetch logs from GitLab and send them to Microsoft Sentinel, as well as storing API endpoint credentials securely using Azure Key Vault. To learn more about this comprehensive guide on integrating GitLab with Microsoft Sentinel for enhanced security monitoring, visit the full article. #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/enhancing-security-monitoring-integrating-gitlab-cloud-edition/ba-p/4208519
Microsoft has announced a new version of Microsoft Sentinel All-in-One that now works with Azure Government tenants. This tool offers multiple features such as creating a resource group, enabling Microsoft Sentinel on top of the workspace, setting workspace retention and daily cap, enabling UEBA with relevant identity providers (AAD and/or AD), installing Content Hub solutions from a predefined list, and more. To start using this feature-packed offering, all you need is an Azure Government Subscription and an account with permissions to deploy Microsoft Sentinel.
For those interested in exploring this further or getting started right away, visit http://aka.ms/sentinel-all-in-one for the V2 folder. The team at Microsoft eagerly awaits your feedback on this updated version. Don't hesitate to try it out! You can find details about the required permissions here [https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Sentinel-All-In-One#prerequisites]. #msftadvocate #Sentinel #AzureSentinel https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/microsoft-sentinel-all-in-one-now-available-for-azure-government/ba-p/4204981