AMA: Microsoft SIEM & XDR: unified security operations
At Microsoft Ignite we announced that we are bringing our Microsoft Sentinel and Microsoft Defender XDR products together to deliver an optimized and unified security operations experience. We are combining the full power of these products into a single portal enhanced with more comprehensive features, automation, guided experiences, and Microsoft Security Copilot. Bring your questions to this Ask Microsoft Anything (AMA) as members of our Microsoft Security engineering team bring clarity and insights about this new experience. This session is part of the Microsoft Security Tech Accelerator. RSVP for event reminders, add it to your calendar, and post your questions and comments below! This session will also be recorded and available on demand shortly after conclusion of the live event.
TLS for Sentinel Syslog CEF Data connector(Secure Transfer of logs to Sentinel Log analytics workspa
Sentinel Data connector Syslog CEF is a feature that allows you to collect data from various sources using the Common Event Format (CEF) or Syslog protocols and send it to Azure Sentinel, a cloud-native security information and event management (SIEM) solution. By using this connector, you can integrate your existing security tools and devices with Sentinel and gain more visibility and insights into your network and security events. Ingest syslog and CEF messages to Microsoft Sentinel - AMA | Microsoft Learn The connection using this method happens over TCP/UDP 514 which is in plain text. However, some sources may require a secure connection to transmit data using Syslog over TLS (Transport Layer Security). This ensures that the data is encrypted and authenticated between the sender and the receiver. In this article, we will show you how to configure TLS for Syslog on a Linux machine and connect it to Azure Sentinel using the Sentinel Data connector for CEF.
I don't understand the ability to connect Ueba to multiple data sources.
Hello, I have connected UEBA in my environment, but I don't understand what it offers to connect the log sources of Audit Logs, Azure Activity, Security Events and Login Logs. According to UEBA, it collects alert information from other connectors such as Microsoft Defender for Endpoint, bookmarks or activities to generate these user behaviour profiles, so I don't understand why connect the aforementioned data sources? That added value where can you see it? Regards.
KQL: setting query time leads to problem in watchlist column projecting
Hello to the community! I have stumbled upon a very strange issue when using watchlists. I have a watchlist with 2 columns (userPrincipalName,allowedActivity) that I am then using to whitelist activities. Watchlist is imported using: let WhitelistedUsers = _GetWatchlist("testQuery") | project userPrincipalName, allowedActivity; Then I wanted to set it to a specific time frame to test it on given data set: set query_now = datetime("1/14/2022, 1:45:46.556 PM"); Problem is that when setting my query for a specific time, I get the following error from the watchlist: 'project' operator: Failed to resolve scalar expression named 'userPrincipalName'. Commenting the set query_now solves the project problem (not my problem though). I tried to set the time before and after watchlist import but that does not solve the issue. I could not find any posts around the topic (quite a specific one), so anyone observed similar behaviors or has a possible explanation? I can probably work around the set query_now with other functions but I gotten used to it, and find this behavior extremely strange
How can I detect someone enabling Forensic Evidence Capturing?
Someone recently drew my attention to Microsoft Purview's Forensic Evidence Capturing feature under insider risk management-- powerful stuff! But also a feature I would only want to see turned on if duly authorized. How can I detect someone enabling this in Microsoft Sentinel? I tried enabling/disabling it but do not see any events referencing "forensic evidence" generated anywhere.
Manage Microsoft 365 Defender Alerts in Azure Sentinel
We're trying to find a way to manage the 'out of the box' alerts that come with Defender 365 about 95% of which are FP. Is there a way to build some sort of dashboard in Sentinel with alerts? I don't mean incidents, we aren't there yet, I just mean alerts? Preferably, with enough information about the alert that the analyst can make a quick decision and move on... Thanks!!Cloud Discovery Data Import - Sentinel vs Cloud App Sec
Hi, Proxy logs benefit both Sentinel and Cloud App Security Cloud Discovery. What is the most sensible way of getting proxy log data into both with least amount of moving parts? For example, ZScaler emits CEF which can be consumed by Azure Log Forwarder into Sentinel, but then Cloud App Security cannot pick up from Sentinel.
