Can we deploy Bicep through Sentinel repo
Hi there, Im new here,but 😅.... With the problem statement being "Deploying and managing sentinel infrastructure through git repository. I had looked into Sentinel Repository feature which is still in Preview. With added limitations of not being able to deploy watchlists or custom log analytical functions ( custom parsers ). There is also a limitation of deploying only ARM content My guess would be that the product folks at msft are working on this 😋 My hypothesized (just started the rnd, as of writing this) options would be to Fully go above and beyond with Bicep; Create bicep deployment files for both the rules as well as their dependencies like LAW functions, watchlists and the whole nine yards. Need to write pipelines for the deployment. The CI/CD would also need extra work to implement Hit that sweet spot; Deploy the currently supported resources using sentinel repo and write a pipeline to deploy the watchlists using Bicep. But not sure if this will be relevant to solutions to clients. When the whole shtick is that we are updating now so we dont have to later. Go back to the dark ages: Stick to the currently supported sentinel content through ARM & repo. And deploy the watchlists and dependencies using GUI 🙃 I will soon confirm the first two methods, but may take some time. As you know, I may or may not be new to sentinel...or devops.. But wanted to kick off the conversation, to see how close to being utterly wrong I am. 😎 Thanks, mal_sec
GITHUB - AI Sentinel attack simulation
The recent support for Model Context Protocol (MCP) with Claude Desktop has opened the door for some really useful testing capability with Sentinel and emerging threats. I'm happy to share with the community a GitHub project that demonstrates the use of MCP against current exploits to generate simulated attack data that can be used with testing migrated ASIM alert rules. MCP allows for up-to-date exploits to be queried... ... and with AI prompting, simulated attack events can be created against our Sentinel test environments. Which results in a simulated attack based on the exploit being referenced. This is really useful for testing the migration of our Sentinel alert rules to ASIM! The full code and details about the project are available here: https://laurierhodes.info/node/175
Sentinel IP for WEST EUROPE
Hi. I have this issue, where I have Sentinel and need the data connector setup for accessing Github. If my github Org do have IP Allow list enabled this do not work. So I need to find the IP's that the Connector talks out from Azure / Sentinel with when hitting the github service so I can whitelist those. If I take the IP scopes for Sentinel they are quite extensive and it cannot be that I need to whitelist every single Azure monitor/sentinel IP just to get those that Sentinel uses to talk to an API, but how can I find the needed IP's Or is there another way to get Audit logs from Github when there is IP restrictions enabled on the Github organization (in a github cloud enterprice setup)What’s New: Exciting new Microsoft Sentinel Connectors Announcement - Ignite 2024
Microsoft Sentinel continues to be a leading cloud-native security information and event management (SIEM) solution, empowering organizations to detect, investigate, and respond to threats across their digital ecosystem at scale. Microsoft Sentinel offers robust out of the box (OOTB) content, allowing seamless connections with a wide array of data sources from both Microsoft and third-party providers. This enables comprehensive collection and analysis of security signals across multicloud, multiplatform environments, enhancing your overall security posture. In this Ignite 2024 blog post, we are thrilled to present the latest integrations contributed by our esteemed Partners. These new integrations further expand the capabilities of Microsoft Sentinel, enabling you to connect your existing security solutions and leverage Microsoft Sentinel’s powerful analytics and automation capabilities to fortify your defenses against evolving cyber threats. Featured ISV 1Password for Microsoft Sentinel The integration between 1Password Extended Access Management and Microsoft Sentinel provides businesses with real-time visibility and alerts for login attempts and account changes. It enables quick detection of security threats and streamlines reporting by monitoring both managed and unmanaged apps from a single, centralized platform, ensuring faster response times and enhanced security. Cisco Secure Email Threat Defense Sentinel Application This application collects threat information from Cisco Secure Email Threat Defense and ingests it into Microsoft Sentinel for visualization and analysis. It enhances email security by detecting and blocking advanced threats, providing comprehensive visibility and fast remediation. Cribl Stream Solution for Microsoft Sentinel Cribl Stream accelerates SIEM migrations by ingesting, transforming, and enriching third party data into Microsoft Sentinel. It simplifies data onboarding, optimizes data in various formats, and helps maintain compliance, enhancing security operations and threat detection. FortiNDR Cloud FortiNDR Cloud integrates Fortinet’s network detection and response capabilities with Microsoft Sentinel, providing advanced threat detection and automated response. Fortinet FortiNDR Cloud enhances network security by helping to identify and mitigate threats in real-time. Pure Storage Solution for Microsoft Sentinel This solution integrates Pure Storage’s data storage capabilities with Sentinel, providing enhanced data protection and performance. It helps optimize storage infrastructure and improve data security. New and Notable CyberArk Audit for Microsoft Sentinel This solution extracts audit trail data from CyberArk and integrates it with Microsoft Sentinel, providing a comprehensive view of system and user activities. It enhances incident response with automated workflows and real-time threat detection. Cybersixgill Actionable Alerts for Microsoft Sentinel Cybersixgill provides contextual and actionable alerts based on data from the deep and dark web. It helps SOC analysts detect phishing, data leaks, and vulnerabilities, enhancing incident response and threat remediation. Cyware For Microsoft Sentinel Cyware integrates with Microsoft Sentinel to automate incident response and enhance threat hunting. It uses Logic Apps and hunting queries to streamline security operations and provides contextual threat intelligence. Ermes Browser Security for Microsoft Sentinel Ermes Browser Security ingests security and audit events into Microsoft Sentinel, providing enhanced visibility and reporting. It helps monitor and respond to web threats, improving the organization’s security posture. Gigamon Data Connector for Microsoft Sentinel This solution integrates Gigamon GigaVUE Cloud Suite, including Application Metadata Intelligence, with Microsoft Sentinel, providing comprehensive network traffic visibility and insights. It helps detect anomalies and optimize network performance, enhancing overall security. Illumio Sentinel Integration Illumio integrates its micro-segmentation capabilities with Microsoft Sentinel, providing real-time visibility and control over network traffic. It helps prevent lateral movement of threats and enhances overall network security. Infoblox App for Microsoft Sentinel The Infoblox solution enhances SecOps capabilities by seamlessly integrating Infoblox's AI-driven analytics, providing actionable insights, dashboards, and playbooks derived from DNS intelligence. These insights empower SecOps teams to achieve rapid incident response and remediation, all within the familiar Microsoft Sentinel user interface. LUMINAR Threat Intelligence for Microsoft Sentinel LUMINAR integrates threat intelligence and leaked credentials data into Microsoft Sentinel, helping organizations maintain visibility of their threat landscape. It provides timely, actionable insights to help detect and respond to threats before they impact the organization. Prancer PenSuite AI Prancer PenSuite AI now supercharges Microsoft Sentinel by injecting pentesting and real-time AppSec data into SOC operations. With powerful red teaming simulations, it empowers teams to detect vulnerabilities earlier, respond faster, and stay ahead of evolving threats. Phosphorus Connector for Microsoft Sentinel Phosphorus Cybersecurity’s Intelligent Active Discovery provides in-depth context for xIoT assets, that enhances threat detection and allows for targeted responses, enabling organizations to isolate or secure specific devices based on their criticality. Silverfort for Microsoft Sentinel Silverfort integrates its Unified Identity Protection Platform with Microsoft Sentinel, securing authentication and access to sensitive systems, both on-premises and in the cloud without requiring agents or proxies. Transmit Security Data Connector for Sentinel Transmit Security integrates its identity and access management capabilities with Sentinel, providing real-time monitoring and threat detection for user activities. It helps secure identities and prevent unauthorized access. In addition to commercially supported integrations, Microsoft Sentinel Content Hub also connects you to hundreds of community-based solutions as well as thousands of practitioner contributions. For more details and instructions on how to set up these integrations see Microsoft Sentinel data connectors | Microsoft Learn. To our partners: Thank you for your unwavering partnership and invaluable contributions on this journey to deliver the most comprehensive, timely insights and security value to our mutual customers. Security is indeed a team sport, and we are grateful to be working together to enhance the security landscape. Your dedication and innovation are instrumental in our collective success. We hope you find these new partner solutions useful, and we look forward to hearing your feedback and suggestions. Stay tuned for more updates and announcements on Microsoft Sentinel and its partner ecosystem. Learn More Microsoft’s commitment to Security Microsoft’s Secure Future Initiative Unified SecOps | SIEM and XDR Solutions Unified Platform documentation | Microsoft Defender XDR What else is new with Microsoft Sentinel? Microsoft Sentinel product home Schema Mapping Microsoft Sentinel Partner Solution Contributions Update – Ignite 2023 Additional resources: Sentinel Ignite 2024 Blog Latest Microsoft Tech Community Sentinel blog announcements Microsoft Sentinel solution for SAP Microsoft Sentinel solution for Power Platform Microsoft Sentinel pricing Microsoft Sentinel customer stories Microsoft Sentinel documentationSentinel query KQL with variables
Hello! I need to use variables as parameters of functions in Sentinel Logs. I have: let t = "Syslog"; let name = "my-Sentinel"; let id = "abc123"; Well, if do this, it works fine: table("Syslog") table(t) workspace("my-Sentinel").table("Syslog") workspace("my-Sentinel").Syslog But i need to work this: worskpace(name).table(t) or let x=strcat("workspace('", name, "')"); let y=strcat("table('", t, "')"); x.y In general seems that the function workspace() doesent work with a variable as parameter, but the function table() if alone it works: workspace("my-Sentinel") -> YES workspace(n) -> NO table("Syslog") -> OK table(t) -> OK Any idea how to make it works? In particulary to do this: workspace(name).table(t) Thanks!!!Backing up Sentinel and the Security subscription
A lot of people ask about how Security Operations can effectively back up all of the Sentinel related objects. One option is to use GitHub or Azure DevOps pipelines to get a daily backup. I've been doing this for a very long time and it seems like a good forum to share that code. The trick behind it has been to use PowerShell to derive the current API versions for Azure objects. Once you do that, you can recursively download the whole subscription to a repo and then scripts can renerate reports using markdown and yaml. I've been backing up my subscription reliably since 2021. The default project creates reports for all the Sentinel related elements. Markdown lets the object reports be drilled down into... And KQL is presented as YAML for readability. It's actually easy to deploy all the backedup JSON files through REST if needed but for most of us, being able to have readable KQL and Git History of changes in files is probably all we need. This project is completely written in PowerShell with no compiled modules & anyone is freely welcome to it. I've written more about it here: Daily Azure / Sentinel Backup (and Reporting) with GitHub ... and the source code and install documentation can be found here: https://github.com/LaurieRhodes/PUBLIC-Subscription-Backup I hope this is of use to the community! 🙂 Best Regards Laurie
Enhancing Security Monitoring: Integrating GitLab Cloud Edition with Microsoft Sentinel
Maximize your security operations by combining GitLab Cloud Edition with Microsoft Sentinel. This blog covers how to fill the void of a missing native connector for GitLab in Sentinel. Utilize GitLab's API endpoints, Azure Monitor Data Collection Rules, and Data Collection Endpoints, as well as Azure Logic Apps and Key Vault, to simplify log collection and improve immediate threat identification. Our detailed guide will help you integrate smoothly and strengthen your security defences.Introducing the Use Cases Mapper workbook
1. Intro While looking for the most effective use cases for Sentinel, it usually makes sense to start with data sources that already exist in some way in the corporate environment, whether due to a previous / third-party SIEM integration or due to an already implemented security stack / solution. The next logical step in this process is to determine preexisting sentinel solutions for the products already in use. Unfortunately, this often occurs only inadequately or is not carried out completely due to lack of resources. In addition, the solutions available (so called Content-Hub-Solutions) continue to evolve and once implemented, necessary updates may be neglected. This is where the Use Case Mapper Workbook can help. The workbook and the complementary resources (watchlists) can be used to map common Use Casesto the Mitre ATT&CK framework, i.e. the tactics and techniques listed there. This gives you a quick overview of the analysis options available in Sentinel (e.g. Analytic Rules & Hunting Queries) according to theseUse Cases. The identifiedUse Casesin this context are: Credential Exploitation Lateral Movement Rapid Encryption Command and Control Communication Insider Risk Anomalous Privilege Escalation Third-Party Abuses Overexposure Data Exfiltration Mobile Data Security Communication Abuse Web Application Abuse NOTE: These can change over time, as attack & defense strategies and techniques are constantly changing as well. To be able to adapt this information to your own needs, the option of reducing the results to selectedData Sources(Content Hub Solutions) has been implemented as well. 2. Prerequisites Before getting started, you have to check the prerequisites that should be fulfilled. an Azure subscription with a Sentinel equipped Log Analytic Workspace The correct RBAC roles assigned - for the sake of simplicity, it should be 'Contributor' or 'Owner' 3. How to deploy/get started Go to the following website:Azure-Sentinel/Workbooks/use cases mapper workbook at master · Azure/Azure-Sentinel · GitHub Look for the 'Deploy to Azure' button Log into a suitable tenant Enter the required information (subscription, resource group, region, workspace name) (1)and click 'Review + create' (2) Check your entered information again and confirm it by clicking on'Create' The new workbook (Use Case Mapper) should now appear in Sentinel in 'Workbooks' section. 4. How to use & structure In the first section of the workbook, you have the option to select one of the predefined Use Cases. The next step (2nd step) is to select the right data source/solution. The selection made before is presented in section 3 below. Based on the selections made, the following information is presented. Analytical rules - ID | Name | Solution | Technique + graphical representation Hunting Queries - ID | Name | Solution | Technique + graphical representation Workbooks - Name | Solution 5. Conclusion The Use Case Mapper Workbook is an invaluable tool for identifying gaps in your Sentinel environment and the established Content-Hub-Solutions. It simplifies the process of supplementing your solutions to achieve a complete implementation. Additionally, it helps you stay informed about updates (such as new hunting queries, analytic rules, or workbooks) and makes it possible to integrate them promptly. The workbook also provides a clear picture of the threats and vulnerabilities that should be mitigated with your solutions and where they can be found within the Mitre Att&ck Framework.
