ASIM built-in functions in Sentinel, are they updated automatically?
Are the ASIM built-in functions in Sentinel automatically updated? For example, the built-in parsers such for DNS, NetworkSession, and WebSession. Do the built-in ones receive automatic updates or will the workspace-deployed versions of these parsers be the most up-to-date? And if true, would it be recommended to use workspace-deployed version of parsers that already come built-in?
Microsoft Defender Vulnerability Management Data in Sentinel
Anyone know when Microsoft Defender Vulnerability Management data will be available in Microsoft Defender XDR connector in Sentinel? If it won't be available soon, what is the best way to collect Vulnerability Management data to Sentinel? Thanks
Issue while deploying Sentienl Rules
I know that when deleting a Sentinel rule, you need to wait a specific amount of time before it can be redeployed. However, in this tenant, we've been waiting for almost a month and are still getting the same deployment error ('was recently deleted. You need to allow some time before re-using the same ID. Please try again later. Click here for details'). I still want to use the same ID ect. Does anyone have any idea or similar issue why it's still not possible after waiting for about a month?
Sentinel Solution Deployment via GitHub
Over the past couple years I have been working exclusively with LogRhythm and while I have deployed Sentinel a few times in the past, I have never attempted to do so using GitHub Actions. I seem to be relatively close to getting it deployed but have been struggling for the last couple days and have been unable to find (or overlooked) documentation to guide me in the right direction, so I thought I'd reach out to find out if anyone can help me out. Goals Central management of Sentinel across multiple tenants using Lighthouse Content such as Analytic Rules, Hunting Queries, Playbooks, Workbooks.. must be centrally managed across each tenant. I will have limited access to tenants and need a simple templated deployment process to handle the majority of the Sentinel deployment in tenants, ideally, I will provide the client with a deployment template and once deployed, it will have the the same content as the central management tenant. I have not yet decided whether to use Workspace manager, however, I will need to protect intellectual property so this will likely be a requirement (MSSP) I have been trying out the GitHub deployment and have mostly been running into issues with the solution deployment since the ARM Templates I have been creating don't seem to work. I get "Failed to check valid resource type." errors followed by "The file contains resources for content that was not selected for deployment. Please add content type to connection if you want this file to be deployed." warnings for most content. I have been able to get some working, specifically the Analytic Rules and Playbooks, and have not spent time on the Hunting Queries or Workbooks yet since I have rather been focused on the Solutions and while I make a bit of progress each day, I still feel like I am missing something simple, most likely related to the deployment script which Sentinel generates when connected to GitHub? Perhaps I am not deploying the required resources in the correct order? Now I am in the very early stages of planning and may very well not need to deploy solutions via GitHub if using the workspace manager (still to be verified), but it is killing me because I have not been able to figure it out in the last couple days! Does anyone know of a document that explains the process for those of us that don't spend a considerable amount of time using GitHub/DevOps?New Blog Post | Microsoft Sentinel this Week - Issue #60
Microsoft Sentinel this Week - Issue #60 | Revue (getrevue.co) Happy Friday all! I’m out and about this week at an in-person conference at the Mall of America in Bloomington, MN. It’s been a fantastic week talking about Defender for Cloud and Microsoft Sentinel to a group of folks that aren’t normally focused on security. There’s real interest in how Microsoft security offerings can bolster a career and can be integrated with current workloads without overwhelming. I’ll have more to share about this week’s experiences in next week’s newsletter. … We have a couple new surveys this week that I know is of interest to a large number of people. For the first one, I published a Playbook template for sending a daily email of Sentinel Incidents recently that a lot of you found useful. We’re trying to simplify this capability because it is so popular and valuable. From the product team: Today, emails can be sent automatically when incidents and alerts are created using playbooks. There are playbook templates ready-to-use, which leverage the Outlook Logic Apps connector. Using playbooks for sending emails has great benefits: It allows full customization of the email message and advanced capabilities such as approvals. On the other hand, we hear customer challenges using this method. We are looking to allow customers to easily send emails by Automation Rules. We are seeking to learn about real-life email-scenarios to make sure we design the feature to fit your needs. We appreciate your feedback on our form. We are committed to reviewing every data point in detail and we will get back to you if we have questions. Please note that in some cases, platform limitations prevent us from developing an integration. Also, we may have limited resources, so not every request will be prioritized. Participate in the following survey: Send email from automation rules The second one is focused on Microsoft Sentinel Fusion. Microsoft Sentinel uses Fusion, a correlation engine based on scalable machine learning algorithms, to automatically detect multistage attacks by identifying combinations of anomalous behaviors and suspicious activities that are observed at various stages of the kill chain. On the basis of these discoveries, Microsoft Sentinel generates incidents that would otherwise be difficult to catch. These incidents comprise two or more alerts or activities. By design, these incidents are low-volume, high-fidelity, and high-severity. More information about Fusion: https://aka.ms/SentinelFusion How Fusion works: https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/behind-the-scenes-the-ml-approach-for... As we continue to expand the Fusion coverage to help you detect emerging and advanced attacks, and improve the experiences to help you speed up the investigation, we’d like to learn more from you. In this survey, we’d like to get your perspectives on: Fusion detection Customization/configuration options for Fusion You can participate in this one here: Microsoft Sentinel Fusion Survey … Lastly, I had awesome discussions with customers this week. Delivering Microsoft Sentinel sessions to a group of folks who have zero knowledge of the product was absolutely rewarding. I could see lightbulbs go off as I was describing the features and value. One individual - experienced with “other” SIEMs who is now sold on Sentinel - invented a new tagline which has now been turned into a T-shirt. I present, the “My SOC Doesn’t SUC” T-shirt: https://cda.ms/4dB All proceeds go to St. Jude. … That’s it for me for this week. It’s time to pack up and head home. Talk soon. -Rod
