Cyber for all

Stay informed, stay secure, and stay one step ahead of adversaries with KQL

Use Cases For Sentinel Summary Rules

Microsoft has announced a new Sentinel feature: Summary Rules. Those rules are aimed at aggregating large sets of data in the background for a smoother security operations experience across all log tiers (Documentation). This blog describes multiple use cases to get started with this new feature. I just want to have the queries! GitHub Sentinel Summary Rules. Use Cases You might question the use cases related to summary rules. First, it is good to know that summary rules are closely related to the summarize operator.

Sentinel Automation Part 2: Automate CISA Known Exploited Vulnerability Notifications

The CISA Known Exploited Vulnerabilities Catalog helps organizations prioritize vulnerabilities, as an end user you want to be notified when a new vulnerability is added. This blog describes four different solutions in Microsoft Sentinel to automate the notification process, leaving you with the important task of analyzing this new threat. The four automation solutions presented in this blog are: Email notifications Teams channel notifications Sentinel incidents Sentinel Analytics Rule Both the Logic App and the Analytics Rule are available on GitHub.

Audit Defender XDR Activities

While Microsoft is creating a unified portal for all security related activities we still lacked visibility into the audit activities in the security portal, this has now been changed! You can now audit Defender XDR activities and see who removed a device from isolation, deleted that custom detection rule, downloaded a Defender For Endpoint Offboarding Package and many more. This blow will explain what should be configured to audit activities in Defender XDR.

Investigating Microsoft Graph Activity Logs

At the beginning of April (2024) Microsoft announced the general availability of the Microsoft Graph activity logs. The logs can be forwarded using the Azure Diagnostics settings in Entra ID, which will in most cases result in a populated MicrosoftGraphActivityLogs table in your log analytics workspace. This blog discusses the following topics: Microsoft Graph Activity Logs Content Effectively Querying The Graph API Logs Enriching Microsoft Graph Activity Logs Detecting Suspicious Activities Related Expert Blogs RequestUri Length Microsoft Graph activity logs content The MicrosoftGraphActivityLogs are an audit trail of all HTTP requests that the Microsoft Graph service received and processed for a tenant.