What's new: Earn your Microsoft Sentinel Black Belt Digital Badge!
Our Cloud Security Private Community Digital Badge program has introduced a new L5 Microsoft Sentinel Black Belt Digital Badge for you to earn and display proudly, showing your prowess as a Microsoft-recognized expert.

Help Protect your Exchange Environment With Microsoft Sentinel
TL;DR: Sentinel + Exchange Servers or Exchange Online = better protected.

New Microsoft Sentinel security solution for Exchange Online and on-premises servers: Microsoft Exchange Security! This content is useful for any organization that wants to keep the highest possible security posture and be alerted to suspicious activity on these critical systems.

Level Up Your Security Skills with the New Microsoft Sentinel Ninja Training!
If you’ve explored our Microsoft Sentinel Ninja Training in the past, it’s time to revisit! Our training program has undergone some exciting changes to keep you ahead of the curve in the ever-evolving cybersecurity landscape.

Microsoft Sentinel is a cutting-edge, cloud-native SIEM and SOAR solution designed to help security professionals protect their organizations from today’s complex threats. Our Ninja Training program is here to guide you through every aspect of this powerful tool.

So, what’s new? In addition to the structured security roles format, the Ninja Training now offers a more interactive experience with updated modules, hands-on labs, and real-world scenarios. Whether you're focusing on threat detection, incident response, or automation, the training ensures you gain the practical skills needed to optimize your security operations.

One of the biggest updates is the integration of Sentinel into the Defender XDR portal, creating a unified security platform. This merger simplifies workflows, speeds up incident response, and minimizes tool-switching, allowing for seamless operations.

Other highlights include:
- Step-by-step guidance through the official Microsoft Sentinel documentation.
- Exclusive webinars and up-to-date blog posts from Microsoft experts.

If you're ready to take your Sentinel skills to the next level or want to revisit the program’s new features, head over to the blog now and dive into the refreshed Microsoft Sentinel Ninja Training! Don’t miss out—your next cybersecurity breakthrough is just a click away!

New Compliance Solutions in Microsoft Sentinel: HIPAA & GDPR Reports
What’s New?

GDPR Compliance & Data Security Solution (Preview)
- Helps organizations demonstrate compliance with the General Data Protection Regulation (GDPR) and protect personal data in cloud and hybrid environments.
- Consolidates data from Alerts, Incidents, Microsoft Purview, Azure SQL, Microsoft 365, UEBA, and Entra ID into a unified workbook.
- Monitors GDPR-related alerts, data classification, sensitive data queries, identity risks, and insider behaviours.
- Provides clear audit evidence and compliance reports, supporting proactive risk detection and regulatory accountability.

HIPAA Compliance Solution (Preview)
- Designed for healthcare organizations and business associates to meet HIPAA Security and Privacy Rules.
- Provides robust monitoring of Protected Health Information (PHI) across administrative, technical, and physical safeguards.
- Features integrated dashboards, analytics, and Azure-native security capabilities for audit readiness and operational efficiency.
- Includes pre-built workbook tabs for overview, attack range, audit trail reporting, and advanced analysis.
- Enables anomaly detection (e.g., ransomware, suspicious SQL procedures, password spray attempts) and forensic audit trails for incident investigations.

Below you will find more detailed information about both solutions: first the key aspects of the GDPR solution, followed by the features of the HIPAA solution.

GDPR Compliance Solution

This solution provides a unified workbook that consolidates data from Alerts and Incidents, Microsoft Purview, Azure SQL Databases, Microsoft 365, User & Entity Behavior Analytics (UEBA), and Entra ID. With this workbook, you can:
- Monitor GDPR and data-theft related alerts and incidents across your Microsoft ecosystem.
- Gain visibility into data classification and sensitivity labelling with Microsoft Purview.
- Detect sensitive data queries, anomalous database activity, and unusual access patterns in Azure SQL.
- Investigate identity risks, anomalous sign-ins, and insider behaviours using Entra ID and UEBA.
- Provide clear audit evidence and compliance reports across Microsoft 365 and related services.

Key Capabilities

Security Alerts & Incidents
- Investigate security alerts and incidents from hosts and resources that store or process personal data.
- Track alerts mapped to MITRE ATT&CK® tactics and measure responsiveness for breach notification requirements.
- Focus on GDPR-relevant systems using customizable watchlists.

For the Security Alerts & Incidents section to function properly, you must create a watchlist containing the servers that host personal data. Configure this watchlist in Sentinel and populate it with the names of your personal-data hosting servers.

Sample Watchlist (GDPR_PersonalData_Assets)

HostName
server1
server2
server3
server4

Data Loss Prevention (DLP)
- Monitor sensitive data access, leaks, and geolocation-based usage.
- Detect potential leaks or unauthorized transfers of personal data.
- Track label-based access patterns and provide evidence of preventive controls.

Purview Logs
- Discover and classify assets, monitor sensitivity labelling, and track data governance.
- Assess the application of sensitivity labels and provide auditors with data inventory and classification coverage.

Azure SQL Databases
- Detect anomalies and monitor classified data queries.
- Track application and IP access to classified data for accountability and traceability.
- Provide auditors with proof of continuous monitoring of database activity.

Microsoft 365 Activity
- Monitor user and administrator activity across Exchange, SharePoint, OneDrive, and Teams.
- Detect risky behaviours such as external sharing, non-owner mailbox access, and unusual admin operations.
- Provide a comprehensive audit trail of data activity in Microsoft 365 services.

User & Entity Behavior Analytics (UEBA)
- Analyze anomalous user and entity behaviors to detect insider threats and compromised accounts.
- Correlate activities across multiple data sources and identify potential data exfiltration attempts.

Sign-Ins and Audit (Entra ID)
- Track risky sign-ins, brute-force attempts, and unusual geolocations.
- Investigate access patterns to applications and resources handling personal data.
- Monitor changes to users, groups, and applications for GDPR accountability.

References

The metrics and monitoring approaches used in the GDPR Compliance Solution are referenced from established workbooks and solutions, including:
- Microsoft Purview: for data classification, sensitivity labelling, and governance metrics, leveraging Purview’s comprehensive data inventory and classification coverage.
- Azure SQL Database Solution for Sentinel: for monitoring classified data queries, detecting anomalies, and providing continuous database activity auditing.
- Microsoft Purview Insider Risk Management: for insights into M365 audits, identity risks, and anomalous activities, supporting proactive risk detection and regulatory accountability.

HIPAA Compliance Solution

The HIPAA Compliance Solution in Microsoft Sentinel, now available in preview, empowers security teams to validate compliance posture, detect anomalies, and respond swiftly to threats. With integrated dashboards, analytics, and Azure-native security capabilities, this solution helps you stay audit-ready while reducing operational complexity.

Getting Started: Two Key Steps

1. Connect Data Sources

To unlock the full potential of the HIPAA Compliance Solution, you need to integrate key data sources into Microsoft Sentinel. These connectors ensure comprehensive visibility across your HIPAA environment:

AzureDiagnostics
Collect logs from Azure services, firewalls, and network devices. This is critical for monitoring HIPAA-relevant infrastructure and network traffic anomalies.
Recommended Solution: [Azure Firewall Solution in Sentinel Content Hub] for enriched firewall analytics.

SecurityEvent
Ingest Windows Server event logs to track login activity, access attempts, and policy changes.
Recommended Solution: [Windows Security Events Solution] for prebuilt analytics and dashboards.

SecurityAlert
Pull in alerts from Microsoft Defender and other integrated security tools for anomaly and incident detection.
Recommended Solution: [Microsoft Defender for Endpoint Solution] for advanced threat detection and correlation.

AuditLogs
Capture Azure AD sign-in logs, MFA status, and user activity to validate identity and access controls.
Recommended Solution: [Azure Active Directory Solution] for identity governance and compliance insights.

DeviceEvents / DeviceProcessEvents
Gather endpoint telemetry and Defender for Endpoint alerts to monitor device health and detect compromise attempts.
Recommended Solution: [Microsoft Defender for Endpoint Solution] for endpoint security posture.

SQLSecurityAuditEvents
Enable auditing for HIPAA-relevant databases to track CRUD operations, suspicious stored procedures, and integrity checks.
Recommended Solution: [SQL Security Audit Solution] for database compliance and threat detection.

2. Define HIPAA Users and Assets

Use Watchlists to specify HIPAA-relevant users and assets within your compliance scope:

HIPAA Users Details Watchlist
Columns: UserName, TrainingStatus, AccessLevel
Upload as CSV and configure in Sentinel under Configuration > Watchlist.

HIPAA Assets Watchlist
Columns: DeviceName, DeviceType
Follow the same steps as above with appropriate naming conventions.

To learn more about how to create watchlists, see Create new watchlists - Microsoft Sentinel | Microsoft Learn.

What’s Included in the Solution

Pre-Built Workbook Tabs

Overview Tab
Track user training status, asset health, login success/failure, MFA status, antivirus coverage, and incident trends.

Attack Range Tab
This tab focuses on real-time threat visibility and behavioral analytics, giving SOC teams the ability to detect and respond to active threats impacting HIPAA-regulated environments. It visualizes multiple high-risk indicators drawn from security logs, Defender telemetry, and database activity. Key insights provided on this dashboard include:
- Macaw Ransomware Detection: Identifies endpoints exhibiting encryption-like behavior typical of the Macaw ransomware family, allowing the SOC team to act before patient health data is encrypted or lost.
- Suspicious SQL Stored Procedures: Flags execution of destructive or data-deletion commands from stored procedures initiated by untrained or unauthorized HIPAA users, a potential insider threat or misuse case.
- Password Spray Attempts: Detects repeated failed login attempts from a single IP within a short time frame, helping to identify brute-force or credential-stuffing activity targeting HIPAA accounts.
- Unusual SMB Activity: Surfaces abnormal file-sharing or data transfer patterns between internal servers, indicating potential lateral movement or data exfiltration attempts.

Audit Trail Reporting Tab
This tab serves as the organization’s forensic and compliance backbone, enabling security and compliance teams to trace every critical activity within their HIPAA environment. It provides a detailed chronological record of user actions, system processes, and network communications, essential for both incident investigations and regulatory audits.

Further Analysis Tab
Export pre-written queries for advanced investigation and compliance reporting.

What's New: View Microsoft Sentinel Workbooks Directly from Unified SOC Operations Platform
*This blog was posted on behalf of the original author, Aman Kaur. Thank you Aman for preparing this content for the community.*

Key Benefits
- Unified Viewing Experience: Microsoft Sentinel workbook templates and saved workbooks can now be accessed directly within the Defender XDR portal. This eliminates the need to switch between different portals, providing a seamless experience.
- Increased Efficiency and Time Saving: The ability to view workbooks within the Defender XDR portal cuts down on the time spent navigating between portals, leading to faster access to critical information.
- Improved User Experience: This integration simplifies the process of referencing important data and insights, making it easier for security professionals to monitor security events, analyze trends, and review historical data.

Important Note
While viewing capabilities have been integrated into the Defender XDR portal, editing or creating workbooks will still require you to navigate to the Azure portal. This ensures that you have access to the full suite of editing tools and functionalities available in Azure.

How to Get Started
Getting started with viewing Microsoft Sentinel workbooks in the Defender XDR portal is simple:
1. Access the Microsoft Defender XDR Portal: Log in to the Microsoft Defender XDR portal using your credentials.
2. Navigate to Microsoft Sentinel > Threat Management > Workbooks: Select any workbook.
3. View Workbooks: Access and view the templates and saved workbooks directly within the portal.

Moving Forward with Sentinel Workbooks in Defender XDR Portal
With the ability to view Microsoft Sentinel workbooks directly within the Microsoft Defender XDR portal, organizations can significantly enhance their security operations. This feature empowers security teams with the tools they need to efficiently monitor, investigate, and respond to threats—all from a single interface.

By bringing together a unified viewing experience across incidents, alerts, users, devices, and files, this enhancement streamlines threat hunting, investigation, and response workflows. This ultimately helps organizations stay ahead of evolving threats and ensures they have the necessary context to protect their environment effectively. Get started with workbooks in the unified portal today!

[DevOps] dps.sentinel.azure.com no longer responds
Hello, I've been using Repository connections in Sentinel to a central DevOps for almost two years now. Today I got my first automated email about an error for a webhook related to my last commit from the central repo to my Sentinel instances. It's a webhook that is automatically created in connections that were made in the last year (the ones from 2 years ago don't have this webhook automatically created). The hook is found in DevOps -> Service hooks -> Webhooks, "run state change", for each connected Sentinel.

However, after today's run (which was successful, all content deployed) this hook generates alerts. It says it can't reach (EU in my case) eu.prod.dps.sentinel.azure.com, full URL: https://eu.prod.dps.sentinel.azure.com/webhooks/ado/workspaces/[REDACTED]/sourceControls/[REDACTED]

So, what happened to this domain? Why is it no longer responding, and when did it go offline?

I THINK this is the hook that sets the status under Sentinel -> Repositories in the GUI. The success status in the screenshot is from 2025/02/06; no new success has been registered in the receiving Sentinel instance. For the Sentinel that is 2 years old and doesn't have a hook in my DevOps, the last deployment status says "Unknown" - so I'm fairly sure that's what the webhook is doing.

So a second question would be: how can I set up a new webhook? (It wants the ID and password of the "Azure Sentinel Content Deployment App" - I will never know that password....) So I can't manually add one either (if the URL ever comes back online, or if a new one exists?). Please let me know.