siem
72 TopicsGo agentless with Microsoft Sentinel for SAP
What a title during Agentic AI times 😂 Dear community, Bringing SAP workloads under the protection of your SIEM solution is a primary concern for many customers out there. The window for defenders is small “Critical SAP vulnerabilities being weaponized in less than 72 hours of a patch release and new unprotected SAP applications provisioned in cloud (IaaS) environments being discovered and compromised in less than three hours.” (SAP SE + Onapsis, Apr 6 2024) Having a turn-key solution as much as possible leads to better adoption of SAP security. Agent-based solutions running in Docker containers, Kubernetes, or other self-hosted environemnts are not for everyone. Microsoft Sentinel for SAP’s latest new capability re-uses the SAP Cloud Connector to profit from already existing setups, established integration processes, and well-understood SAP components. Meet agentless ❌🤖 The new integration path leverages SAP Integration Suite to connect Microsoft Sentinel with your SAP systems. The Cloud integration capability of SAP Integration Suite speaks all relevant protocols, has connectivity into all the places where your SAP systems might live, is strategic for most SAP customers, and is fully SAP RISE compatible by design. Are you deployed on SAP Business Technology Platform yet? Simply upload our Sentinel for SAP integration package (see bottom box in below image) to your SAP Cloud Integration instance, configure it for your environment, and off you go. Best of all: The already existing SAP security content (detections, workbooks, and playbooks) in Microsoft Sentinel continues to function the same way as it does for the Docker-based collector agent variant. The integration marks your steppingstone to bring your SAP threat signals into the Unified Security Operations Platform – a combination of Defender XDR and Sentinel – that looks beyond SAP at your whole IT estate. Microsoft Sentinel solution for SAP applications is certified for SAP S/4HANA Cloud, Private Edition RISE with SAP, and SAP S/4HANA on-premises. So, you are all good to go😎 You are already dockerized or agentless? Then proceed to this post to learn more about what to do once the SAP logs arrived in Sentinel. Final Words During the private preview we saw drastically reduced deployment times for SAP customers being less familiar with Docker, Kubernetes and Linux administration. Cherry on the cake: the network challenges don’t have to be tackled again. The colleagues running your SAP Cloud Connector went through that process a long time ago. SAP Basis rocks 🤘 Get started from here. Find more details on our blog on the SAP Community and latest Microsoft Learn article. Cheers Martin689Views1like0CommentsIntroducing SOC Optimization Recommendations Based on Similar Organizations
One of the key challenges that security teams in modern SOCs regularly face is determining which new data sources to onboard and which detections to activate. This ongoing process takes time and requires constant evaluation of the organization’s assets and the value that the data brings to the SOC. "…determining which logs to ingest for better threat coverage is time-consuming and requires significant effort. I need to spend a long time identifying the appropriate logs..." Elie El Karkafi, Senior Solutions Architect, ampiO Solutions Today, we’re excited to announce the public preview of recommendations based on similar organizations - a first-of-its-kind capability for SOC optimizations. Recommendations based on similar organizations use peer-based insights to guide and accelerate your decision-making process. We believe that applying insights learned from the actions of organizations with similar profiles can provide great value. Recommendations based on similar organizations use advanced machine learning to suggest which data to ingest, based on organizations with similar ingestion patterns. The recommendations also highlight the security value you can gain by adding the data. They list out-of-the-box rules that are provided by Microsoft research, which you can activate to enhance your coverage. Use the new recommendations to swiftly pinpoint the next recommended data source for ingestion and determine the appropriate detections to apply. This can significantly reduce the time and costs typically associated with research or consulting external experts to gain the insights you need. Recommendations based on similar organizations are now available in the SOC optimization page, in both the Azure portal and the unified security operations platform: - unified security operations platform Use cases Let’s take a tour of the unified security operations platform, stepping into the shoes of a small tech company that benefited from recommendations based on similar organizations during its private preview phase. In the following image, the new recommendation identifies that the AADNonInteractiveUserSignInLogs table is used by organizations similar to theirs: Selecting View details button on the recommendation card allowed them to explore how other organizations use the recommended table. This includes insights into the percentage of organizations using the table for detection and investigation purposes. By selecting See details hyperlink, the SOC engineer was able to explore how coverage could be improved with respect to the MITRE ATT&CK framework, using Microsoft’s out-of-the box rules: By selecting Go to Content hub, the SOC engineer was able to view all the essential data connectors needed to start ingesting the recommended tables. This page also includes a detailed list of out of the box, recommended analytics rules, which can provide immediate value and enhanced protection for your environment: Finally, by following the recommendation, which uses the security practices of similar organizations as a benchmark, the tech company quickly ingested the AADNonInteractiveUserSignInLogs table and activated several recommended analytics rules. Overall, this resulted in improved security coverage, corresponding to the company's specific characteristics and needs. Feedback from private preview: “I think this is a great addition. Like being able to identify tables not being used, it is useful to understand what tables other organizations are utilizing which could reveal things that so far haven't been considered or missed...” Chris Hoard, infinigate.cloud "In my view, those free recommendations are always welcomed and we can justify cost saving and empowering SOC analysts (that we know are more and more difficult to find)." Cyrus Irandoust, IBM “These recommendations will help us to take a look at the left out stuffs” Emmanuel Karunya, KPMG “Nice overview and insights! Love the interface too - nice and easy overview!” Michael Morten Sonne, Microsoft MVP Q&A: Q1: Why don’t I see these recommendations? A: Not all workspaces are eligible for recommendations based on similar organizations. Workspaces only receive these recommendations if the machine learning model identifies significant similarities between your organization and others, and discovers tables that they have but you don’t. If no such similarities are identified, no extra recommendations are provided. You’re more likely to see these recommendations if your SOC is still in its onboarding process, rather than a more mature SOC. Q2: What makes an organization similar to mine? A: Similarity is determined based on ingestion trends, as well as your organization's industry and vertical, when available in our databases. Q3: Is any of my PII being used to make recommendations to other customers? A: No. The recommendations are generated using machine learning models that rely solely on Organizational Identifiable Information (OII) and system metadata. Customer log content is never accessed or analyzed, and no customer data, content, or End User Identifiable Information (EUII) is exposed during the analysis process. Microsoft prioritizes customer privacy and ensures that all processes comply with the highest standards of data protection. Looking forward Microsoft continues to use artificial intelligence and machine learning to help our customers defend against evolving threats and provide enhanced protection against cyberattacks. This ongoing innovation is a key part of SOC optimization’s commitment to help you maximize your value from your SIEM & XDR. Learn More: SOC optimization documentation: SOC optimization overview ; Recommendation's logic Short overview and demo: SOC optimization Ninja show In depth webinar: Manage your data, costs and protections with SOC optimization SOC optimization API: Introducing SOC Optimization API | Microsoft Community Hub2.6KViews2likes1CommentWhat's New: View Microsoft Sentinel Workbooks Directly from Unified SOC Operations Platform
*This blog was posted on behalf of the original author, Aman Kaur. Thank you Aman for preparing this content for the community.* Key Benefits Unified Viewing Experience: Microsoft Sentinel workbook templates and saved workbooks can now be accessed directly within the Defender XDR portal. This eliminates the need to switch between different portals, providing a seamless experience. Increased Efficiency and Time Saving: The ability to view workbooks within the Defender XDR portal cuts down on the time spent navigating between portals, leading to faster access to critical information. Improved User Experience: This integration simplifies the process of referencing important data and insights, making it easier for security professionals to monitor security events, analyze trends, and review historical data. Important Note While viewing capabilities have been integrated into the Defender XDR portal, editing or creating workbooks will still require you to navigate to the Azure portal. This ensures that you have access to the full suite of editing tools and functionalities available in Azure. How to Get Started Getting started with viewing Microsoft Sentinel workbooks in the Defender XDR portal is simple: Access the Microsoft Defender XDR Portal: Log in to the Microsoft Defender XDR portal using your credentials. Navigate to Microsoft Sentinel > Threat Management > Workbooks : Select any workbook. View Workbooks: Access and view the templates and saved workbooks directly within the portal. Moving Forward with Sentinel Workbooks in Defender XDR Portal With the ability to view Microsoft Sentinel workbooks directly within the Microsoft Defender XDR portal, organizations can significantly enhance their security operations. This feature empowers security teams with the tools they need to efficiently monitor, investigate, and respond to threats—all from a single interface. By bringing together a unified viewing experience across incidents, alerts, users, devices, and files, this enhancement streamlines threat hunting, investigation, and response workflows. This ultimately helps organizations stay ahead of evolving threats and ensures they have the necessary context to protect their environment effectively. Get started with workbooks in the unified portal today!1.2KViews3likes0CommentsIntroducing the new Microsoft Sentinel simplified pricing.
Learn about the new Microsoft Sentinel simplified price that combines the Azure Monitor Log Analytics and Microsoft Sentinel pricing tiers to a single combined tier - simplifying budgeting, billing, and cost management.49KViews6likes11CommentsWhat’s New: Exciting new Microsoft Sentinel Connectors Announcement - Ignite 2024
Microsoft Sentinel continues to be a leading cloud-native security information and event management (SIEM) solution, empowering organizations to detect, investigate, and respond to threats across their digital ecosystem at scale. Microsoft Sentinel offers robust out of the box (OOTB) content, allowing seamless connections with a wide array of data sources from both Microsoft and third-party providers. This enables comprehensive collection and analysis of security signals across multicloud, multiplatform environments, enhancing your overall security posture. In this Ignite 2024 blog post, we are thrilled to present the latest integrations contributed by our esteemed Partners. These new integrations further expand the capabilities of Microsoft Sentinel, enabling you to connect your existing security solutions and leverage Microsoft Sentinel’s powerful analytics and automation capabilities to fortify your defenses against evolving cyber threats. Featured ISV 1Password for Microsoft Sentinel The integration between 1Password Extended Access Management and Microsoft Sentinel provides businesses with real-time visibility and alerts for login attempts and account changes. It enables quick detection of security threats and streamlines reporting by monitoring both managed and unmanaged apps from a single, centralized platform, ensuring faster response times and enhanced security. Cisco Secure Email Threat Defense Sentinel Application This application collects threat information from Cisco Secure Email Threat Defense and ingests it into Microsoft Sentinel for visualization and analysis. It enhances email security by detecting and blocking advanced threats, providing comprehensive visibility and fast remediation. Cribl Stream Solution for Microsoft Sentinel Cribl Stream accelerates SIEM migrations by ingesting, transforming, and enriching third party data into Microsoft Sentinel. It simplifies data onboarding, optimizes data in various formats, and helps maintain compliance, enhancing security operations and threat detection. FortiNDR Cloud FortiNDR Cloud integrates Fortinet’s network detection and response capabilities with Microsoft Sentinel, providing advanced threat detection and automated response. Fortinet FortiNDR Cloud enhances network security by helping to identify and mitigate threats in real-time. Pure Storage Solution for Microsoft Sentinel This solution integrates Pure Storage’s data storage capabilities with Sentinel, providing enhanced data protection and performance. It helps optimize storage infrastructure and improve data security. New and Notable CyberArk Audit for Microsoft Sentinel This solution extracts audit trail data from CyberArk and integrates it with Microsoft Sentinel, providing a comprehensive view of system and user activities. It enhances incident response with automated workflows and real-time threat detection. Cybersixgill Actionable Alerts for Microsoft Sentinel Cybersixgill provides contextual and actionable alerts based on data from the deep and dark web. It helps SOC analysts detect phishing, data leaks, and vulnerabilities, enhancing incident response and threat remediation. Cyware For Microsoft Sentinel Cyware integrates with Microsoft Sentinel to automate incident response and enhance threat hunting. It uses Logic Apps and hunting queries to streamline security operations and provides contextual threat intelligence. Ermes Browser Security for Microsoft Sentinel Ermes Browser Security ingests security and audit events into Microsoft Sentinel, providing enhanced visibility and reporting. It helps monitor and respond to web threats, improving the organization’s security posture. Gigamon Data Connector for Microsoft Sentinel This solution integrates Gigamon GigaVUE Cloud Suite, including Application Metadata Intelligence, with Microsoft Sentinel, providing comprehensive network traffic visibility and insights. It helps detect anomalies and optimize network performance, enhancing overall security. Illumio Sentinel Integration Illumio integrates its micro-segmentation capabilities with Microsoft Sentinel, providing real-time visibility and control over network traffic. It helps prevent lateral movement of threats and enhances overall network security. Infoblox App for Microsoft Sentinel The Infoblox solution enhances SecOps capabilities by seamlessly integrating Infoblox's AI-driven analytics, providing actionable insights, dashboards, and playbooks derived from DNS intelligence. These insights empower SecOps teams to achieve rapid incident response and remediation, all within the familiar Microsoft Sentinel user interface. LUMINAR Threat Intelligence for Microsoft Sentinel LUMINAR integrates threat intelligence and leaked credentials data into Microsoft Sentinel, helping organizations maintain visibility of their threat landscape. It provides timely, actionable insights to help detect and respond to threats before they impact the organization. Prancer PenSuite AI Prancer PenSuite AI now supercharges Microsoft Sentinel by injecting pentesting and real-time AppSec data into SOC operations. With powerful red teaming simulations, it empowers teams to detect vulnerabilities earlier, respond faster, and stay ahead of evolving threats. Phosphorus Connector for Microsoft Sentinel Phosphorus Cybersecurity’s Intelligent Active Discovery provides in-depth context for xIoT assets, that enhances threat detection and allows for targeted responses, enabling organizations to isolate or secure specific devices based on their criticality. Silverfort for Microsoft Sentinel Silverfort integrates its Unified Identity Protection Platform with Microsoft Sentinel, securing authentication and access to sensitive systems, both on-premises and in the cloud without requiring agents or proxies. Transmit Security Data Connector for Sentinel Transmit Security integrates its identity and access management capabilities with Sentinel, providing real-time monitoring and threat detection for user activities. It helps secure identities and prevent unauthorized access. In addition to commercially supported integrations, Microsoft Sentinel Content Hub also connects you to hundreds of community-based solutions as well as thousands of practitioner contributions. For more details and instructions on how to set up these integrations see Microsoft Sentinel data connectors | Microsoft Learn. To our partners: Thank you for your unwavering partnership and invaluable contributions on this journey to deliver the most comprehensive, timely insights and security value to our mutual customers. Security is indeed a team sport, and we are grateful to be working together to enhance the security landscape. Your dedication and innovation are instrumental in our collective success. We hope you find these new partner solutions useful, and we look forward to hearing your feedback and suggestions. Stay tuned for more updates and announcements on Microsoft Sentinel and its partner ecosystem. Learn More Microsoft’s commitment to Security Microsoft’s Secure Future Initiative Unified SecOps | SIEM and XDR Solutions Unified Platform documentation | Microsoft Defender XDR What else is new with Microsoft Sentinel? Microsoft Sentinel product home Schema Mapping Microsoft Sentinel Partner Solution Contributions Update – Ignite 2023 Additional resources: Sentinel Ignite 2024 Blog Latest Microsoft Tech Community Sentinel blog announcements Microsoft Sentinel solution for SAP Microsoft Sentinel solution for Power Platform Microsoft Sentinel pricing Microsoft Sentinel customer stories Microsoft Sentinel documentation2.6KViews0likes0CommentsUse Azure DevOps to manage Sentinel for MSSPs and Multi-tenant Environments
Automate Sentinel resource deployment in multi-tenant scenarios using Azure DevOps and Sentinel Repositories. Enable version control, collaboration, and streamlined updates for consistent and secure configurations.9.6KViews5likes6CommentsSetting up Sentinel for Kubernetes Monitoring
A guide to using Microsoft Sentinel for monitoring the security of your containerized applications and orchestration platforms. Part 3 of 3 part series about security monitoring of your Kubernetes Clusters and CI/CD pipelines by Abhi Singh and Umesh Nagdev, Security GBB Link to Part 1 Link to Part 26.5KViews4likes1Comment