Unified SecOps XDR
Hi, I am reaching out to community to seek understanding regarding Unified SecOps XDR portal for Multi-tenant Multi-workspace. Our organization already has a Azure lighthouse setup. My question is if M365 lighthouse license also required for the Multi-tenant Multi-workspace in unified SecOps XDR portal?
Log Analytics Workspace - ThreatIntelIndicators
Morning! I have been working on migrating some of our tenant analytic rules to use the new TI ThreatIntelIndicators table. However, I noticed the following: When querying against the new table, I get these values in a tenant log workspace When I do the same query in another tenant logs workspace, I get this result back If I expand the query to grab last 7 days, I get results back but they are wildly different from what I see from one tenant to another. I can find big and small discrepancies in the logs I see. I still can't find the connector on the connectors page (When I filter them out by data type). I can see the one that is being used for the soon to be decommissioned table. As far as I understand, the connector is not going to be changed per se, just how we access the logs from any given log analytics workspace. I'm expecting to see the same values across my log workspaces since it comes from the same connector, and provided by MS, or is this ingestion of TI logs tenant scope and each one has different settings? I couldn't find something that tells me this in the docs. Or is this part of the rollout problems we are expecting to see? Thanks!
Can we deploy Bicep through Sentinel repo
Hi there, Im new here, but 😅.... With the problem statement being "Deploying and managing sentinel infrastructure through git repository. I had looked into Sentinel Repository feature which is still in Preview. With added limitations of not being able to deploy watchlists or custom log analytical functions ( custom parsers ). There is also a limitation of deploying only ARM content My guess would be that the product folks at msft are working on this 😋 My hypothesized (just started the rnd, as of writing this) options would be to Fully go above and beyond with Bicep; Create bicep deployment files for both the rules as well as their dependencies like LAW functions, watchlists and the whole nine yards. Need to write pipelines for the deployment. The CI/CD would also need extra work to implement Hit that sweet spot; Deploy the currently supported resources using sentinel repo and write a pipeline to deploy the watchlists using Bicep. But not sure if this will be relevant to solutions to clients. When the whole shtick is that we are updating now so we dont have to later. Go back to the dark ages: Stick to the currently supported sentinel content through ARM & repo. And deploy the watchlists and dependencies using GUI 🙃 I will soon confirm the first two methods, but may take some time. As you know, I may or may not be new to sentinel...or devops.. But wanted to kick off the conversation, to see how close to being utterly wrong I am. 😎 Thanks, mal_secIntroducing the Use Cases Mapper workbook
1. Intro While looking for the most effective use cases for Sentinel, it usually makes sense to start with data sources that already exist in some way in the corporate environment, whether due to a previous / third-party SIEM integration or due to an already implemented security stack / solution. The next logical step in this process is to determine preexisting sentinel solutions for the products already in use. Unfortunately, this often occurs only inadequately or is not carried out completely due to lack of resources. In addition, the solutions available (so called Content-Hub-Solutions) continue to evolve and once implemented, necessary updates may be neglected. This is where the Use Case Mapper Workbook can help. The workbook and the complementary resources (watchlists) can be used to map common Use Cases to the Mitre ATT&CK framework, i.e. the tactics and techniques listed there. This gives you a quick overview of the analysis options available in Sentinel (e.g. Analytic Rules & Hunting Queries) according to these Use Cases. The identified Use Cases in this context are: Credential Exploitation Lateral Movement Rapid Encryption Command and Control Communication Insider Risk Anomalous Privilege Escalation Third-Party Abuses Overexposure Data Exfiltration Mobile Data Security Communication Abuse Web Application Abuse NOTE: These can change over time, as attack & defense strategies and techniques are constantly changing as well. To be able to adapt this information to your own needs, the option of reducing the results to selected Data Sources (Content Hub Solutions) has been implemented as well. 2. Prerequisites Before getting started, you have to check the prerequisites that should be fulfilled. an Azure subscription with a Sentinel equipped Log Analytic Workspace The correct RBAC roles assigned - for the sake of simplicity, it should be 'Contributor' or 'Owner' 3. How to deploy/get started Go to the following website: Azure-Sentinel/Workbooks/use cases mapper workbook at master · Azure/Azure-Sentinel · GitHub Look for the 'Deploy to Azure' button Log into a suitable tenant Enter the required information (subscription, resource group, region, workspace name) (1) and click 'Review + create' (2) Check your entered information again and confirm it by clicking on 'Create' The new workbook (Use Case Mapper) should now appear in Sentinel in 'Workbooks' section. 4. How to use & structure In the first section of the workbook, you have the option to select one of the predefined Use Cases. The next step (2nd step) is to select the right data source/solution. The selection made before is presented in section 3 below. Based on the selections made, the following information is presented. Analytical rules - ID | Name | Solution | Technique + graphical representation Hunting Queries - ID | Name | Solution | Technique + graphical representation Workbooks - Name | Solution 5. Conclusion The Use Case Mapper Workbook is an invaluable tool for identifying gaps in your Sentinel environment and the established Content-Hub-Solutions. It simplifies the process of supplementing your solutions to achieve a complete implementation. Additionally, it helps you stay informed about updates (such as new hunting queries, analytic rules, or workbooks) and makes it possible to integrate them promptly. The workbook also provides a clear picture of the threats and vulnerabilities that should be mitigated with your solutions and where they can be found within the Mitre Att&ck Framework.
SIEM Migration Update: Now Migrate with contextual depth in translations with Microsoft Sentinel!
What's new in SIEM Migration? The process of moving from Splunk to Microsoft Sentinel via the SIEM Migration experience has been enhanced with three key additions that help customers get more value from the translation of their detections from Splunk to Sentinel. These features let customers provide more contextual details about their Splunk environment & usage to the Microsoft Sentinel SIEM Migration translation engine so it can account for them when converting the detections from SPL to KQL in effect, making translation more contextually relevant. These are: Schema Mapping Support for Splunk Macros in translation Support for Splunk Lookups in translation Let talk about how these can make life easier when migrating to Microsoft Sentinel via the SIEM Migration experience:Revolutionizing log collection with Azure Monitor Agent
The much awaited deprecation of the MMA agent is finally here. While still sunsetting, this blog post reviews the advantages of AMA, different deployment options and important updates to your favorite Windows, Syslog and CEF events via AMA data connectors.Migrate from MMA to AMA
Hello everyone, We're planning to migrate from MMA to AMA. As per our design, some servers in our environment limit internet connection. So, we installed the MMA and pointed it to the OMS gateway. We can download the MMA on an internet-connected machine and share the agent with no internet machine. In the current AMA design, I need to install Azure Arc first. However, there is no Azure Arc agent like MMA. Please provide me with the straightforward way to install Azure Arc and AMA on servers with no internet access.
