Solutions
What's New: SOC Process Framework is Now Live in Content Hub!
I am excited to announce that the SOC Process Framework has been updated and moved into Microsoft Sentinel's Content Hub, where it installs as a single solution bundling multiple workbooks, watchlists, and the Get-SOCActions playbook for analyst actions to be taken during triage and investigation. When you click the SOC Process Framework tile in Content Hub, you will see the description and the content associated with the framework: 7 workbooks, 12 watchlists, and 1 playbook. Clicking "Install" prompts you to follow the on-screen instructions.

This Content Hub solution contains all resources for the SOC Process Framework Microsoft Sentinel solution. It is built to integrate easily with Microsoft Sentinel and to establish a standard SOC process and procedure framework within your organization. By deploying it, you can monitor progress within your SOC operations and update the SOC CMMI assessment score. The solution consists of the following resources:
- Integrated workbooks interconnected into a single workbook for single-pane-of-glass operation.
- One playbook for pushing SOC actions to your incidents.
- Multiple watchlists that help you maintain and organize your SOC efforts, including IR Planning, the SOC CMMI Assessment Score, and many more.

Workbooks
The workbooks in this solution visualize SOC progress, procedures, and activity and provide an overview of overall SOC maturity. These workbooks and their dependencies are deployed for you through this solution.

NOTE: After you have installed the workbooks, you must save each workbook, edit its watchlist queries, and run them so that the link between the workbook and the applied watchlists is initialized. Use the steps below.

Save Workbooks and Edit Watchlist Queries
Step 1. Save and open the workbook "Update SOC Maturity Score".
Step 2. Click the Edit button on the workbook to open the pills.
Step 3. Click the box next to Watchlist.
Step 4. Click the pencil icon to open the Settings context pane.
Step 5. Click "Run Query" to execute the query and initialize the link between the workbook and the watchlists.
Step 6. Click the "Save" icon to save these settings.
Step 7. Click Done Editing in the workbook.
Step 8. Click the "Save" icon in the workbook to save the workbook.
Step 9. Repeat these steps for the following workbooks:
Workbook: Update SOC IR Planning
Workbook: SOC Process Framework

Watchlists
The watchlists in this solution hold information pertaining to incident response planning, SOC maturity (CMMI) scoring, recommended SOC actions, and more. They give you an easy way to keep pertinent information about your SOC operations up to date.

Playbooks
Currently the only playbook in this solution is Get-SOCActions, which delivers custom analyst actions to take per incident. It lets organizations create and add their own scripted actions they want an analyst to take. After deploying this solution, see the post-deployment instructions before executing the playbook.

Post-Deployment Instructions
After deploying this solution and its associated playbook, you must authorize the connections the playbook uses before running it. Authorize them with an identity that holds only the Microsoft Sentinel role the playbook needs to update incidents, not a broadly privileged account.
Visit the playbook resource.
Under "Development Tools" (on the left), click "API Connections".
Ensure each connection has been authorized.
Note: If you've deployed the [SOC Process Framework Playbook](https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Solutions/SOC Process Framework/Playbooks/Get-SOCActions/azuredeploy.json) playbook, you will only need to authorize the Microsoft Sentinel connection.
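Once the workbooks have been saved and their watchlist queries run, a quick check in Logs confirms that the solution's watchlists actually landed in the workspace and carry entries, which is what the workbook pills depend on. The queries below are an added example, not from the post or from the solution's own workbooks; they use the standard Microsoft Sentinel `Watchlist` table and `_GetWatchlist()` function, and the alias `SOC_IR_Planning` is a placeholder for whichever alias the Content Hub install assigned to the list you want to inspect. Run each query on its own.

```kusto
// Added example (not part of the post or the solution).
// Query 1: list every watchlist in the workspace with its item count and
// last update time. After installing the solution, its 12 watchlists should
// appear here; a list with zero items has not been initialized.
Watchlist
| summarize Items = dcount(WatchlistItemId), LastUpdate = max(LastUpdatedTimeUTC)
    by WatchlistAlias, WatchlistName
| order by WatchlistName asc

// Query 2: read one watchlist the same way a workbook's watchlist query does.
// 'SOC_IR_Planning' is a placeholder alias (assumption): substitute the alias
// shown in the Microsoft Sentinel > Watchlist blade for the list you want.
_GetWatchlist('SOC_IR_Planning')
| project SearchKey, WatchlistItem, LastUpdatedTimeUTC
| order by LastUpdatedTimeUTC desc
| take 20
```

If Query 1 shows a watchlist with no items, or Query 2 returns nothing for an alias you expect, repeat the Run Query step in the corresponding workbook before relying on the framework's maturity or IR planning views.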
Now that I have covered the installation of this framework, let's get to the content updates made to the solution as a whole. This release contains a large number of updates:
- 4 new workbooks outlining the growth path along the SOC journey and best practices for building a SOC team.
- 2 new workbooks that cover incident response planning and SOC maturity.
- 12 new watchlists, from SOC contacts to IR planning, plus roughly 800 questions that feed your SOC maturity score.

New content in the SOC Process Framework:
- SOC Capability Maturity Model Integration
- Incident response planning
- SOC RaMP (Rapid Modernization Plan)
- SOC Part-Time Staff
- SOC Small Staff
- SOC Medium Staff
- SOC Large Staff
- SOC Framework for Microsoft 365 Defender
- Planning
- Readiness
- Catalog of Services
- Roles
- Develop & Test
- SOC Tasks
- Investigations
- Phishing
- Incident Automation with Shifts for Teams
- Additional tools in the SOC Tools and Resources content
- API call-outs to update watchlists without leaving the framework
- SOC Maturity Update
- SOC Incident Response Planning

This solution is supported by Microsoft Support and will be updated regularly with new content. We hope you enjoy the new version of the SOC Process Framework and that it helps you mature your business's SOC operations!

Help Protect your Exchange Environment With Microsoft Sentinel
TL;DR: Sentinel + Exchange Servers or Exchange Online = better protected. There is a new Microsoft Sentinel security solution for Exchange Online and on-premises Exchange servers: Microsoft Exchange Security! This content is useful for any organization that wants to keep the highest possible security posture and be alerted to suspicious activity against these critical systems.

A Look at Different Options for Storing and Searching Sentinel Archived Logs
As an Azure Sentinel user, you know the importance of having a secure and accessible backup of your log data. In this blog, we walk through the options available for storing and searching Sentinel logs beyond the default 90-day retention period, and the features and benefits of each, so you can find the best fit for your organization.

Fortifying Your Defenses: How Microsoft Sentinel Safeguards Your Organization from BEC Attacks
Business Email Compromise (BEC) attacks remain some of the most prevalent and costly attacks facing organizations worldwide. Between April 2022 and April 2023, Microsoft Threat Intelligence detected and investigated 35 million BEC attempts, an adjusted average of 156,000 attempts daily. In just the last 30 days we have observed potential BEC-related activity in over 150 customers. Microsoft 365 Defender has comprehensive prevention, detection, and disruption options for BEC attacks across Microsoft's products and solutions. Using Microsoft Sentinel's ability to collect data across all users, devices, applications, and infrastructure, both on-premises and in multiple clouds, we have now extended this level of detection and response beyond Microsoft's own platforms to wherever your organization operates.

Announcing the enhanced Microsoft Sentinel AWS CloudTrail solution, powered by new MITRE-Based Rules
Use the updated Microsoft Sentinel AWS CloudTrail solution to better protect your AWS environment. The updated solution includes over 70 MITRE-based analytics rules, along with monitoring and alerting capabilities to detect suspicious activity in your environment.

Detect threats on your Power Platform based no-code/low-code applications with Microsoft Sentinel
In today's digital landscape, low-code and no-code development platforms have become increasingly popular among businesses looking to accelerate application development. With the convenience and speed these platforms offer come security risks that organizations must consider. Power Platform provides a wide range of tools for citizen developers to build, run, and manage low-code and no-code applications quickly, simply, and at scale. That also raises the risk of security vulnerabilities introduced by citizen developers, some of whom may lack the security awareness of the traditional pro-dev community. To counter this, early threat detection is crucial and can complement preventative guardrails, enabling frictionless productivity while minimizing cyber risk. We are excited to announce the Microsoft Sentinel solution for Microsoft Power Platform in public preview: a solution that helps SOC analysts detect and respond to threats introduced by citizen-developed Power Apps. Please sign up here for the limited public preview of the Microsoft Sentinel solution for Microsoft Power Platform.

I'm Being Attacked, Now What?
Learn how to respond to attacks with the Microsoft Sentinel: Threat Analysis & Response solution while applying SOAR remediations and implementing NIST SP 800-53 controls with Microsoft Defender for Cloud. Evolve from reactive to proactive threat hunting with the MITRE ATT&CK blade. Check out the demo and get started today.

Announcing the Microsoft Sentinel: Cybersecurity Maturity Model Certification (CMMC) 2.0 Solution
Are you interested in maturing your security operations center capabilities? Do you need to align your cloud, multi-cloud, on-premises, and hybrid workloads for CMMC 2.0 compliance? We are pleased to announce the next evolution of the Microsoft Sentinel Cybersecurity Maturity Model Certification 2.0 solution. This content features a redesigned user interface, new control card layouts, dozens of new visualizations, better-together integrations with Microsoft Defender for Cloud for assessments, and alerting rules that actively monitor and alert on compliance posture deviations across each CMMC 2.0 control family.

Revolutionize your SAP Security with Microsoft Sentinel's SOAR Capabilities
This blog post demonstrates how the SOAR capabilities of Microsoft Sentinel can be used with SAP by leveraging Sentinel playbooks (Azure Logic Apps) to automate remedial actions in SAP systems or SAP Business Technology Platform (BTP).