Updating the Azure Monitor Agent on Demand

update-ama.ps1 is a PowerShell script you can use to update the Azure Monitor Agent on Azure Virtual Machines and Azure Arc machines. The script handles both Linux and Windows servers with the features listed below. I have also written a universal extension upgrade script that can be used to upgrade any extension: update-extension.ps1. Usage – Azure …

Sentinel: Creating Data Collection Rules to send to the SecurityEvent table

Today you can ingest Windows Security Events into Microsoft Sentinel using the Windows Security Events via AMA data connector. This data connector sends events directly to the SecurityEvent table. When it comes to Windows event log collection, it's fairly important that events generally land in the SecurityEvent table. Most of the out-of …

Using the new Archiving, Basic Logs, and Retention Workbook

Back in February 2022, several new features for Azure Monitor were released to support long-term data retention, data search, data recovery and data ingestion. More specifically, these features are built into Azure Log Analytics, which is the data lake for Microsoft Sentinel. While we are still waiting for many of these features to …

Creating Scheduled Analytics Rules From Templates – New Features

A while back I developed a PowerShell script that provides the ability to import multiple Scheduled Analytics rules from the Sentinel template library. Check out the original article here: Mass Creating Scheduled Analytics Rules From Templates. Grab the script here: sentinel-tools/analytics_rules at main · seanstark/sentinel-tools (github.com). Since then I have added a few new features …

Estimating Defender 365 Event Size

If you are planning on exporting raw events from Defender 365 to your SIEM, you can easily estimate the table sizes and number of entries in Defender 365 Advanced Hunting. Estimate All Table Sizes. Estimated Sentinel Price: update the price variable based on your region from the Azure pricing calculator. Price = Sentinel + Log …

Sentinel Syslog Forwarder with AMA

Configure syslog forwarding for Microsoft Sentinel with the Azure Monitor Agent

What’s New in Microsoft Security — April Edition

What’s New in Microsoft Security

Sentinel – Common Roles for Getting Started

If you are just getting started with Sentinel, take a look at the reference below to the common roles required for creating Sentinel and integrating Microsoft data sources. For a complete list of roles, refer to Microsoft Sentinel roles and allowed actions. Mitigate risk to highly privileged roles by leveraging Azure AD Privileged Identity Management. Deploying …

Mass Creating Scheduled Analytics Rules From Templates

create-scheduledRuleFromTemplate.ps1 is a PowerShell script you can leverage to import (create) multiple scheduled analytics rules from the Sentinel GitHub rule template repository. This script was written to account for current limitations when leveraging the AzSentinel or Az.SecurityInsights PowerShell modules, most of which are related to an incomplete set of properties being returned, such as tactics and techniques …

What’s New in Microsoft Security — February Edition

Sentinel Search, Basic Ingestion, Archive, and Data Restoration
Ingestion-time transformations and Custom Logs v2
Advanced Security Information Model (ASIM) — out of the box MITRE view
Run playbooks on incidents on demand
Run playbooks on workbooks on demand
Azure Purview Integration
Codeless Connector Platform
Large Watchlists
Defender for Cloud Native CSPM for GCP and threat …
