Content
48 TopicsMicrosoft Defender Vulnerability Management Data in Sentinel
Anyone know when Microsoft Defender Vulnerability Management data will be available in Microsoft Defender XDR connector in Sentinel? If it won't be available soon, what is the best way to collect Vulnerability Management data to Sentinel? Thanks58Views1like1CommentWhat's New: View Microsoft Sentinel Workbooks Directly from Unified SOC Operations Platform
*This blog was posted on behalf of the original author, Aman Kaur. Thank you Aman for preparing this content for the community.* Key Benefits Unified Viewing Experience: Microsoft Sentinel workbook templates and saved workbooks can now be accessed directly within the Defender XDR portal. This eliminates the need to switch between different portals, providing a seamless experience. Increased Efficiency and Time Saving: The ability to view workbooks within the Defender XDR portal cuts down on the time spent navigating between portals, leading to faster access to critical information. Improved User Experience: This integration simplifies the process of referencing important data and insights, making it easier for security professionals to monitor security events, analyze trends, and review historical data. Important Note While viewing capabilities have been integrated into the Defender XDR portal, editing or creating workbooks will still require you to navigate to the Azure portal. This ensures that you have access to the full suite of editing tools and functionalities available in Azure. How to Get Started Getting started with viewing Microsoft Sentinel workbooks in the Defender XDR portal is simple: Access the Microsoft Defender XDR Portal: Log in to the Microsoft Defender XDR portal using your credentials. Navigate to Microsoft Sentinel > Threat Management > Workbooks : Select any workbook. View Workbooks: Access and view the templates and saved workbooks directly within the portal. Moving Forward with Sentinel Workbooks in Defender XDR Portal With the ability to view Microsoft Sentinel workbooks directly within the Microsoft Defender XDR portal, organizations can significantly enhance their security operations. This feature empowers security teams with the tools they need to efficiently monitor, investigate, and respond to threats—all from a single interface. By bringing together a unified viewing experience across incidents, alerts, users, devices, and files, this enhancement streamlines threat hunting, investigation, and response workflows. This ultimately helps organizations stay ahead of evolving threats and ensures they have the necessary context to protect their environment effectively. Get started with workbooks in the unified portal today!1.2KViews2likes0CommentsIssue while deploying Sentienl Rules
I know that when deleting a Sentinel rule, you need to wait a specific amount of time before it can be redeployed. However, in this tenant, we've been waiting for almost a month and are still getting the same deployment error ('was recently deleted. You need to allow some time before re-using the same ID. Please try again later. Click here for details'). I still want to use the same ID ect. Does anyone have any idea or similar issue why it's still not possible after waiting for about a month?268Views1like1CommentLevel Up Your Security Skills with the New Microsoft Sentinel Ninja Training!
If you’ve explored our Microsoft Sentinel Ninja Training in the past, it’s time to revisit! Our training program has undergone some exciting changes to keep you ahead of the curve in the ever-evolving cybersecurity landscape. Microsoft Sentinel is a cutting-edge, cloud-native SIEM and SOAR solution designed to help security professionals protect their organizations from today’s complex threats. Our Ninja Training program is here to guide you through every aspect of this powerful tool. So, what’s new? In addition to the structured security roles format, the Ninja Training now offers a more interactive experience with updated modules, hands-on labs, and real-world scenarios. Whether you're focusing on threat detection, incident response, or automation, the training ensures you gain the practical skills needed to optimize your security operations. One of the biggest updates is the integration of Sentinel into the Defender XDR portal, creating a unified security platform. This merger simplifies workflows, speeds up incident response, and minimizes tool-switching, allowing for seamless operations. Other highlights include: Step-by-step guidance through the official Microsoft Sentinel documentation. Exclusive webinars and up-to-date blog posts from Microsoft experts. If you're ready to take your Sentinel skills to the next level or want to revisit the program’s new features, head over to the blog now and dive into the refreshed Microsoft Sentinel Ninja Training! Don’t miss out—your next cybersecurity breakthrough is just a click away!5KViews5likes1CommentSentinel Solution Deployment via GitHub
Over the past couple years I have been working exclusively with LogRhythm and while I have deployed Sentinel a few times in the past, I have never attempted to do so using GitHub Actions. I seem to be relatively close to getting it deployed but have been struggling for the last couple days and have been unable to find (or overlooked) documentation to guide me in the right direction, so I thought I'd reach out to find out if anyone can help me out. Goals Central management of Sentinel across multiple tenants using Lighthouse Content such as Analytic Rules, Hunting Queries, Playbooks, Workbooks.. must be centrally managed across each tenant. I will have limited access to tenants and need a simple templated deployment process to handle the majority of the Sentinel deployment in tenants, ideally, I will provide the client with a deployment template and once deployed, it will have the the same content as the central management tenant. I have not yet decided whether to use Workspace manager, however, I will need to protect intellectual property so this will likely be a requirement (MSSP) I have been trying out the GitHub deployment and have mostly been running into issues with the solution deployment since the ARM Templates I have been creating don't seem to work. I get "Failed to check valid resource type." errors followed by "The file contains resources for content that was not selected for deployment. Please add content type to connection if you want this file to be deployed." warnings for most content. I have been able to get some working, specifically the Analytic Rules and Playbooks, and have not spent time on the Hunting Queries or Workbooks yet since I have rather been focused on the Solutions and while I make a bit of progress each day, I still feel like I am missing something simple, most likely related to the deployment script which Sentinel generates when connected to GitHub? Perhaps I am not deploying the required resources in the correct order? Now I am in the very early stages of planning and may very well not need to deploy solutions via GitHub if using the workspace manager (still to be verified), but it is killing me because I have not been able to figure it out in the last couple days! Does anyone know of a document that explains the process for those of us that don't spend a considerable amount of time using GitHub/DevOps?580Views1like1CommentHelp Protect your Exchange Environment With Microsoft Sentinel
TL;DR; Sentinel + Exchange Servers or Exchange Online = better protected New Microsoft Sentinel security solution for Exchange Online and on premises servers : Microsoft Exchange Security! This content is very useful for any organization concerned about keeping the highest security posture as possible and be alerted in case of suspicious activities for those critical items.17KViews6likes11CommentsAMA on client devices
We have followed the guidance outlined below to get AMA installed and working on a few test client devices and they are sending logs to the Event table in our Sentinel workspace. https://learn.microsoft.com/en-us/azure/azure-monitor/agents/azure-monitor-agent-windows-client The problem we face is with the Windows Security Events via AMA connector. Is there a supported way to get client devices to populate security events into the SecurityEvent table? I see the events in the 'Event' table but not the SecurityEvent table. It seems like the Sentinel security events connector only sees DCR's that are created in Sentinel, it does not see the DCR's that are created outside of Sentinel. Is that a bug or by design? Any guidance is appreciated, we have had data in SecurityEvent from client devices via MMA for a few years and expected to be able to continue to ingest them properly via AMA.519Views0likes2Comments