Deploy Sysmon and collect additional data with Sentinel and the AMA agent
System Monitor (Sysmon) is one of the most common add-ons for Windows logging. With Sysmon, you can detect malicious activity by tracking code behavior and network traffic. Sysmon is part of the Sysinternals package and is owned by Microsoft. Sysmon can be used…
Which data connector and activity is free in Microsoft Sentinel?
After the initial onboarding of Microsoft Sentinel, connectors can be used for ingesting data. Microsoft invested in pre-build connectors which can be used for adding data/events correctly in Microsoft Sentinel. For a large set of Microsoft products; there are connectors available. With the…
Use automation/playbooks in Microsoft Sentinel during incident update activity using update triggers
Automation is critical for modern SOC environments to handle the volume of upcoming threats and manage day-to-day tasks. Ideally most of the features are automated in Microsoft Sentinel during the incident creation, enrichment, update, and closure. For quite some time playbooks can be…
What happens without RDP protection after 24+ hours in Microsoft Sentinel & Microsoft security products
For many years, abuse of Remote Desktop Protection (RDP) has been the most common root cause of all ransomware events. At the moment one of the most common attacks against VMs in Azure/ AWS or other clouds is based on the RDP brute-force…
Protecting Microsoft Teams with Microsoft Sentinel
Microsoft Teams and other online collaboration tools increases massively in the last 2-3 years. Working from home became the new normal in most of the work environments and securing IT cloud environments changes. Recent changes in Microsoft Teams bring more options for attackers…
Collect Security Events in Microsoft Sentinel with the new AMA agent and DCR
The Microsoft Sentinel Data Connector that utilizes the modern agent (AMA) for collecting Windows Security Events is for a couple of months general available. The Log Analytics/MMA agent will be retired in 2024, which seems like a long way off. Preparing to use…
Monitor Microsoft Sentinel Data Connectors using Health Monitoring and Logic App
Microsoft announced a new public preview which contains the new Microsoft Sentinel Health Monitoring feature. Microsoft Sentinel now provides the SentinelHealth data table to help monitor the connector health and provides some insights which are interesting for further monitoring. Important: Feature currently in public preview….
Microsoft Sentinel content hub: Using solutions and start with the Training Lab content
Microsoft Sentinel is in the last months improved with a huge amount of new interesting features. One of the announced features is the content hub. In this blog the usage of the content hub and usage of the Teams / Training Lab content. …
Stream Azure AD Identity Protection events to Microsoft Sentinel/ Log Analytics
Microsoft recently added a new function that gives the option for stream events from Azure AD Identity Protection into Microsoft Sentinel. In this blog the instruction for export user risk events from Azure AD Identity protection into Microsoft Sentinel. Identity Protection – Risk…
Cloud App Discovery with MCAS & MDE for Shadow IT monitoring and integration with Azure Sentinel
Cloud discovery is one of the most interesting functions available with the Cloud App Discovery product. With Cloud Discovery, organizations will get insights into the application events and activities and most important the “Shadow IT” part of the network. Cloud App Security and…
