Cyber for all
Stay informed, stay secure, and stay one step ahead of adversaries with KQL
The CISA Known Exploited Vulnerabilities Catalog helps organizations prioritize vulnerabilities, as an end user you want to be notified when a new vulnerability is added. This blog describes four different solutions in Microsoft Sentinel to automate the notification process, leaving you with the important task of analyzing this new threat.
The four automation solutions presented in this blog are:
Email notifications Teams channel notifications Sentinel incidents Sentinel Analytics Rule Both the Logic App and the Analytics Rule are available on GitHub.
While Microsoft is creating a unified portal for all security related activities we still lacked visibility into the audit activities in the security portal, this has now been changed! You can now audit Defender XDR activities and see who removed a device from isolation, deleted that custom detection rule, downloaded a Defender For Endpoint Offboarding Package and many more.
This blow will explain what should be configured to audit activities in Defender XDR.
At the beginning of April (2024) Microsoft announced the general availability of the Microsoft Graph activity logs. The logs can be forwarded using the Azure Diagnostics settings in Entra ID, which will in most cases result in a populated MicrosoftGraphActivityLogs table in your log analytics workspace.
This blog discusses the following topics:
Microsoft Graph Activity Logs Content Effectively Querying The Graph API Logs Enriching Microsoft Graph Activity Logs Detecting Suspicious Activities Related Expert Blogs RequestUri Length Microsoft Graph activity logs content The MicrosoftGraphActivityLogs are an audit trail of all HTTP requests that the Microsoft Graph service received and processed for a tenant.
Automating incident response queries is one of the quick wins you can implement in Microsoft Sentinel. This allows you to automate incident enrichment and further investigations. The first blog of the Sentinel Automation Series will explain how you can quickly implement this in your environment. This is done based on automation rules and Playbooks (Logic Apps).
Results To show the value of automatically enriching incidents two examples are discussed in this section; Device Enrichment and the listing of inbound connections.