Azure Sentinel product updates

Ofer_Shezaf
Microsoft

Changes and new features

  • Cases are now incidents: to better align with other Microsoft products, the term "cases" is changing to "incidents".

  • Incident comments: The comments feature enables customers to write multiple comments in the scope of an incident, and review them under the comments tab in the incident page.

  • We have removed the option for auto-deploying a CEF/Syslog connector VM. While a convenient function, we understood that it might present a security risk as this was not a managed VM, and users were in charge of securing the VM.

Blog posts

  • Azure Sentinel Agent: Collecting telemetry from on-prem and IaaS server: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-Agent-Collecting-telemetry-from-on-prem-and-IaaS/ba-p/811760
  • Azure Sentinel: The Syslog and CEF source configuration grand list: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Azure-Sentinel-The-Syslog-and-CEF-source-configuration-grand/ba-p/803891
  • Collecting Azure PaaS services logs in Azure Sentinel: https://techcommunity.microsoft.com/t5/Azure-Sentinel/Collecting-Azure-PaaS-services-logs-in-Azure-Sentinel/ba-p/792669

Other

Edoardo Gerosa and Olaf Hartong presented "Sentinel ATT&CK" at DefCon (https://github.com/BlueTeamLabs/sentinel-attack; slides: https://github.com/BlueTeamLabs/sentinel-attack/blob/master/docs/DEFCON_attacking_the_sentinel.pdf), which aims to simplify rapid deployment of a threat hunting capability that leverages Sysmon and MITRE ATT&CK on Azure Sentinel. Cool stuff and tons of out-of-the-box detections.

1 Reply
Just a little late. Noticed this during a customer demo ;)