Prerequisite: enable UEBA (Use entity behavior analytics to detect advanced threats). If you already have UEBA enabled, you will notice that a new table called ‘IdentityInfo’ is now available under the ‘Azure Sentinel UEBA’ group in your Log Analytics workspace. The IdentityInfo table contains a snapshot of each user’s profile: metadata, group membership, Azure AD …
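As an added example (not code from the original post), the following KQL query shows the kind of enrichment the IdentityInfo table makes possible: failed Azure AD sign-ins are joined to the user’s UEBA profile so that attempts against members of privileged groups stand out. The group names in `privilegedGroups` are placeholders you would replace with your own; the column names (`AccountObjectId`, `AccountUPN`, `GroupMembership`, `Department`, `JobTitle`) are the ones documented for IdentityInfo, and `SigninLogs.UserId` is assumed to carry the Azure AD object id so the two tables can be joined on it.

```kusto
// Added example: enrich failed sign-ins with UEBA IdentityInfo group membership.
// Replace the group names below with the privileged groups in your tenant (assumption).
let privilegedGroups = dynamic(["Global Administrators", "Security Administrators"]);
let lookback = 1d;
// IdentityInfo is refreshed periodically, so keep only the latest snapshot per user
// and flatten the GroupMembership array to one row per group.
let identities = IdentityInfo
    | where TimeGenerated > ago(14d)
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | where isnotempty(GroupMembership)
    | mv-expand Group = GroupMembership to typeof(string)
    | where Group in~ (privilegedGroups)
    | summarize PrivilegedGroups = make_set(Group) by AccountObjectId, AccountUPN, Department, JobTitle;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"   // "0" is a successful sign-in; anything else is a failure
| summarize FailedAttempts = count(),
            Countries = make_set(Location),
            IPs = make_set(IPAddress),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by UserId, UserPrincipalName
// Inner join: only users that are members of at least one privileged group survive
| join kind=inner (identities) on $left.UserId == $right.AccountObjectId
| where FailedAttempts >= 5   // threshold chosen for illustration (assumption)
| project LastSeen, UserPrincipalName, Department, JobTitle, PrivilegedGroups,
          FailedAttempts, IPs, Countries
| order by FailedAttempts desc
```

The `arg_max` step matters: because IdentityInfo holds periodic snapshots, joining it without deduplication multiplies every sign-in row by the number of snapshots in the time window.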
On 12 July, Microsoft announced the General Availability (GA) of Azure Sentinel Watchlists in all regions. Azure Sentinel watchlists let you collect data from external data sources and correlate it with the events in your Azure Sentinel environment. Watchlists are stored in your Azure Sentinel workspace as name-value pairs and are cached for optimal …
The new watchlist UI provides the following functionality: add new watchlist items or update existing ones; select and update multiple watchlist items at once in an Excel-like grid; add or remove columns in the watchlist update view for better usability. How to update a watchlist: from the Azure portal, navigate to Azure Sentinel > Configuration > Watchlist, select a watchlist, then select Edit Watchlist …
Azure Sentinel Watchlists provide the ability to quickly import IP addresses, file hashes, etc. from CSV files into your Azure Sentinel workspace. You can then use the watchlist name/value pairs for joining and filtering in analytics rules, threat hunting, workbooks, notebooks and general queries. Watchlist updating functionality: the new watchlist UI encompasses the following …
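As an added example (not code from the original post), this KQL query uses two constructed watchlists in the two ways the paragraph describes, joining on one for enrichment and filtering against the other. It assumes a watchlist named `HighValueAssets` imported from a CSV with columns `Hostname`, `Owner`, `Tier` (search key `Hostname`) and a watchlist named `AdminJumpHosts` with a single column `IPAddress` (search key `IPAddress`); both names and layouts are assumptions. `_GetWatchlist()` is the documented function for reading a watchlist in a query, and it exposes the search key column as `SearchKey` alongside the CSV columns.

```kusto
// Added example: join one watchlist for enrichment, filter on another.
// Assumed watchlists (constructed for this example):
//   HighValueAssets: Hostname, Owner, Tier  (SearchKey = Hostname)
//   AdminJumpHosts:  IPAddress              (SearchKey = IPAddress)
let highValue = _GetWatchlist('HighValueAssets')
    | project Hostname = tostring(SearchKey), Owner = tostring(Owner), Tier = tostring(Tier);
let jumpHosts = _GetWatchlist('AdminJumpHosts')
    | project IPAddress = tostring(SearchKey);
SecurityEvent
| where TimeGenerated > ago(1d)
// 4624 = successful logon; LogonType 2 = Interactive, 10 = RemoteInteractive (RDP)
| where EventID == 4624 and LogonType in (2, 10)
// SecurityEvent.Computer is usually an FQDN; the watchlist stores short hostnames
| extend Hostname = tostring(split(Computer, ".")[0])
// Enrichment join: keep only logons to hosts on the high-value list, carrying Owner/Tier
| join kind=inner (highValue) on Hostname
// Drop local/loopback sources, then filter: source IP must NOT be an approved jump host
| where isnotempty(IpAddress) and IpAddress !in ("-", "::1", "127.0.0.1")
| where IpAddress !in ((jumpHosts | project IPAddress))
| summarize Logons = count(),
            Accounts = make_set(TargetUserName),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Hostname, Owner, Tier, IpAddress
| order by Tier asc, Logons desc
```

The same query body can be pasted into an analytics rule, so that updating the CSV behind either watchlist changes what the rule flags without editing the rule itself. The `tostring()` calls on the watchlist columns are deliberate: they keep the join keys typed as strings regardless of how the CSV columns were inferred on import.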
On 9 November, Microsoft announced the public preview of the new Microsoft 365 Defender connector. The M365 Defender connector lets you stream advanced hunting logs, a type of raw event data, from Microsoft 365 Defender into Azure Sentinel. It gives you complete access to the …
An Azure Logic App can be used in Azure Sentinel as a playbook that is automatically invoked when an incident is created. You can use the Playbooks health monitoring workbook to monitor the health of your playbooks and look for anomalies in the number of succeeded or failed runs. At a glance, you can also view …
Azure Sentinel playbooks help automate tasks, improve investigations, and enable quick responses to threats. This new feature lets you select up to 10 playbooks to run when a new alert is created. For example, an analytics rule that flags high-risk users associated with suspicious IPs might trigger: an enrichment playbook that queries VirusTotal about the IP entities, …
Nice to see the Office 365 Advanced Threat Protection connector for Azure Sentinel! Description: Office 365 Advanced Threat Protection (ATP) safeguards your organization against malicious threats posed by email messages, links (URLs) and collaboration tools. By ingesting Office 365 ATP alerts into Azure Sentinel, you can incorporate information about email- and URL-based threats into …
What is Azure Sentinel Livestream? Livestream lets you run queries that refresh every 30 seconds and notifies you of any new results. Creating a livestream lets you: test newly created queries as events occur, receive notifications from a session when a match is found, and promote a livestream to a detection rule to generate …