analytics
21 Topics

Joint forces - MS Sentinel and the MITRE framework
MITRE ATT&CK is a publicly accessible framework and knowledge base of tactics and techniques that are commonly used by attackers. The MITRE ATT&CK framework is created and maintained by observing real-world scenarios. Many organizations use the MITRE ATT&CK framework to develop specific threat models and methodologies that are used to verify the security status of their environments. In this blog post, we discuss the Microsoft Sentinel integration with the MITRE ATT&CK framework, and how it can help you improve your overall security coverage.

Looking for unknown anomalies - what is normal? Time Series analysis & its applications in Security
This article provides a practical outline for using Time Series analysis to surface anomalies in security event log data sources, visualizing and alerting on anomalies for further investigation in Azure Sentinel. We will describe the various functions which are used in compiling the query and how to use those KQL queries to either visualize the output or transform it into tabular data outputs to configure alerts on specific anomalies.

Help Protect your Exchange Environment With Microsoft Sentinel
TL;DR: Sentinel + Exchange Servers or Exchange Online = better protected. New Microsoft Sentinel security solution for Exchange Online and on-premises servers: Microsoft Exchange Security! This content is very useful for any organization concerned with keeping the highest possible security posture and being alerted in case of suspicious activity around those critical items.

Handling ingestion delay in Azure Sentinel scheduled alert rules
At Azure Sentinel we take pride in the ability to ingest data from a variety of sources. However, data ingestion time may vary for different data sources under different circumstances. In this blog post we will address the delay challenge: understanding the impact of the ingestion delay and how to fix it.

Detect Network beaconing via Intra-Request time delta patterns in Azure Sentinel
This article will discuss the use case of detecting network beaconing via intra-request time delta patterns using KQL (Kusto Query Language) in Azure Sentinel. The logic or technique of the use case was originally discussed at the threat hunting project here and also blogged with the open source network analytics tool (flare) implementation by huntoperator here. Implementing this technique natively in KQL allows defenders to quickly apply it over multiple network data sources and easily set up alerts within Azure Sentinel.

Dynamic alert details - The force awakens
When authoring a new detection, one must keep in mind that the MTTR is highly impacted by the data available in the incident and alerts. Dynamic alert details allow customization of the alert properties, resulting in a shorter investigation process. In this blog post we will cover the newly released capability in Microsoft Sentinel scheduled analytics rules to dynamically set the alert properties.

Automate Extraction of Microsoft Sentinel Analytical Rules from GitHub Solutions
🔧 Enhancing Pre-Deployment Rule Insights
Extracting metadata like Rule Name, Severity, MITRE Tactics, and Techniques for out-of-the-box analytical rules across multiple solutions can be time-consuming when done manually, especially before the rules are deployed.

🚀 Script Overview
The PowerShell script, hosted on GitHub, lets you:
- Provide the exact Microsoft Sentinel solution name as input, taken from the Microsoft Sentinel GitHub repository: Azure-Sentinel/Solutions at master · Azure/Azure-Sentinel · GitHub
- Automatically query the Microsoft Sentinel GitHub repo
- Parse all associated analytical rule YAMLs under that solution
- Export the relevant metadata into a structured CSV

📥 GitHub Link
This is my GitHub repository where the custom PowerShell script is hosted. It allows you to extract built-in analytical rules from Microsoft Sentinel solutions based on the solution name:
🔗 GitHub - SentinelArtifactExtract (Optimized Script)

📝 Pre-Requisites:
1. Generate a GitHub Personal Access Token (PAT). GitHub official page to generate a PAT: Managing your personal access tokens - GitHub Docs
   Why a GitHub PAT: it lets the script authenticate and avoid the GitHub API rate limit error (403).
2. Download the script from GitHub to Azure Cloud Shell. Use Invoke-WebRequest or curl to download the raw script:

   Invoke-WebRequest -Uri "https://raw.githubusercontent.com/vdabhi123/SentinelArtifactExtract/main/Extract%20Sentinel%20Analytical%20Rule%20with%20Solution%20Name%20prompt/OptimizedVersionPromptforSolutionNameOnly" -OutFile "ExtractRules.ps1"

   (Screenshot: Invoke-WebRequest in Azure Cloud Shell)
3. Update the main script with your GitHub PAT (generated in pre-requisite 1). To update the PAT token you can use vim; make sure you run the updated script.

🧪 How to Use the Script
1. Open Azure Cloud Shell (PowerShell).
2. Upload and run the script. (This is optional if pre-requisite 3 is followed.)
3. Run the script and enter the **exact** solution name (e.g., `McAfee ePolicy Orchestrator`).
4. The script fetches the rule metadata and exports it to a CSV in the same directory.
5. Download the CSV from Cloud Shell.

📤 Sample Output
The script generates a CSV with the following columns:
- `Solution`
- `AnalyticalRuleName`
- `Description`
- `Severity`
- `MITRE_Tactics`
- `MITRE_Techniques`

(Screenshot: example file name)
(Screenshot: formatted output with all analytical rules and other metadata for the solution)

✅ Benefits
- Streamlines discovery of built-in analytical rules for initial Microsoft Sentinel deployments.
- Accelerates requirements gathering by exporting rules into a shareable CSV format.
- Enables collaborative planning: the output can be shared with clients or Microsoft to determine which rules to implement or recommend.
- Eliminates the manual effort of browsing GitHub or the Microsoft Sentinel UI, or exporting and reviewing full JSON rule files individually.

💡 Pro Tips
Always verify the solution name from the official Microsoft Sentinel GitHub Solutions folder: Azure-Sentinel/Solutions at master · Azure/Azure-Sentinel · GitHub

📌 Final Thoughts
This script was created in response to a real-world project need and is focused on improving the discovery and extraction of Microsoft Sentinel analytical rules. A follow-up blog covering the export of additional Sentinel artifacts, such as Playbooks, Workbooks, and Hunting Queries, will be published soon.

Microsoft Sentinel Solution for SAP® Applications - New data exfiltration detection rules
In August 2022, the Microsoft Sentinel solution for SAP was made generally available (GA). Alongside the release of the Microsoft Sentinel Solution for SAP® Applications, new out-of-the-box (OOTB) content was added. This blog covers five new data exfiltration detection rules included with the Microsoft Sentinel Solution for SAP® Applications (these rules are currently in preview).

Protect critical information within SAP systems against cyberattacks
SAP systems and applications handle massive volumes of business-critical data that is hosted on cloud or on-premises infrastructure. The SAP ecosystem is complex and difficult for security operations (SecOps) teams to effectively monitor and protect against growing threats. A breach of the SAP system could result in data loss, disruption to business processes, loss of revenue and major reputational damage. The Microsoft Sentinel solution for SAP allows you to monitor, detect, and respond to suspicious activities within the SAP environment, protecting your sensitive data against sophisticated cyberattacks.