Sentinel: Creating Data Collection Rules to send to the SecurityEvent table

Currently today you can ingest Windows Security Events to Microsoft Sentinel using the Windows Security Events via AMA data connector. This data connector will send events directly to the SecurityEvent table. When it comes to Windows event log collection its fairly important that events generally land in the SecurityEvent table. Most of the out of … Read more

Using the new Archiving, Basic Logs, and Retention Workbook

Back in February of 2022 several new features for Azure Monitor were released to support long term data retention, data search, data recovery and data ingestion. More specifically these features are built into Azure Log Analytics which is the data lake for Microsoft Sentinel. While we are still waiting for many of these features to … Read more

Creating Scheduled Analytics Rules From Templates – New Features

A while back I developed a PowerShell script that provides the ability to import multiple Scheduled Analytics from the Sentinel template library. Check out the original article here: Mass Creating Scheduled Analytics Rules From Templates Grab the script here: sentinel-tools/analytics_rules at main · seanstark/sentinel-tools (github.com) Since then I have recently added a few new features … Read more

Estimating Defender 365 Event Size

If you are planning on exporting raw events from Defender 365 to your SIEM you can easily estimate the table sizes and number of entries in Defender 365 Advanced Hunting. Estimate All Table Sizes Estimated Sentinel Price Update the price variable based on your region from the Azure pricing calculator. Price = Sentinel + Log … Read more

Sentinel Syslog Forwarder with AMA

Configure syslog forwarding for Microsoft Sentinel with the Azure Monitor Agent

What’s New in Microsoft Security — April Edition

What’s New in Microsoft Security

Sentinel – Common Roles for Getting Started

If you are just getting started with Sentinel take a look at the below reference to common roles required for creating Sentinel and integrating Microsoft data sources. For a complete list of roles refer to Microsoft Sentinel roles and allowed actions Mitigate risk to high privileged roles by leveraging Azure AD Privileged Identity Management Deploying … Read more

Mass Creating Scheduled Analytics Rules From Templates

create-scheduledRuleFromTemplate.ps1 is a PowerShell script you can leverage to import (create) multiple scheduled analytics rules from the Sentinel Github rule template repository This script was written to account for current limitations when leveraging the AzSentinel or Az.SecurityInsights PowerShell modules. Most of which are related to an incomplete set of properties being returned such as tactics and techniques … Read more

What’s New in Microsoft Security — February Edition

Sentinel Search, Basic Ingestion, Archive, and Data Restoration Ingestion-time transformations and Custom Logs v2 Advanced Security Information Model (ASIM) — out of the box MITRE view Run playbooks on incidents on demand Run playbooks on workbooks on demand Azure Purview Integration Codeless Connector Platform Large Watchlists Defender for Cloud Native CSPM for GCP and threat … Read more

%d bloggers like this: