Microsoft Sentinel Spotlight

In our new Microsoft Sentinel Spotlight, we’ll regularly bring you the latest news and most interesting and useful insights from the world of Sentinel.

Nothing these days seems to escape a mention of ChatGPT/OpenAI, so here are some articles on this hot topic as it relates to Sentinel. Here at Quorum Cyber we take compliance, your data and security seriously, so testing is done with Azure OpenAI rather than ChatGPT (keeping it within the Microsoft ecosystem, where, per Microsoft’s data-handling documentation, prompts and completions are not shared with OpenAI or used to train the models), and no customer data is sent to the models. Here are some links that relate to Microsoft Sentinel:

Introduction to OpenAI and Microsoft Sentinel – Microsoft Community Hub
OpenAI and Microsoft Sentinel Part 2: Explaining an Analytics Rule – Microsoft Community Hub
OpenAI and Microsoft Sentinel Part 3: DaVinci vs. Turbo – Microsoft Community Hub
OpenAI and Microsoft Sentinel Part 4: What does the future hold? – Microsoft Community Hub
Using Azure Open AI with Microsoft Sentinel Part 1 – Getting Keys and Endpoints (substack.com)
Using Azure Open AI with Microsoft Sentinel Part 2 – Converting Data to JSONL (substack.com)
Unleashing the Power of ChatGPT in Security Operations

Must-watch on Microsoft Secure

If you missed Microsoft’s first event dedicated to security, some content is still available.

https://secure.microsoft.com

Also check out the Tech Accelerator for a deeper dive into the Microsoft Secure content: Tech Accelerator: Microsoft Secure & Microsoft Intune Suite – April 11-13 – Microsoft Community Hub

News and Updates from the world of Sentinel

SAP Data connector

Microsoft adds more and more to the SAP solution set each year. Here’s the latest.

You can choose to enable automatic updates for the connector agent on all existing containers or on a specific container. Important: automatic updating of the SAP data connector agent is currently in PREVIEW, so review the preview terms and test the update path on a non-production container before turning it on for all of them.

Network Essentials

This is one that Quorum Cyber has been actively looking at, given the benefit of maintaining fewer, higher-quality analytic rules that apply across many third-party products.

Example
Microsoft mentions 15 products. In the pre-ASIM world each product might have generated five use cases, so 5 × 15 = 75 rules to write and manage. With a solution built on ASIM, the same five use cases need just five rules, because each rule queries the normalized NetworkSession schema rather than a vendor-specific table and so works across the 15+ products. The caveat is that coverage is only as good as the ASIM parser for each source: a product with no parser, or one whose events are not normalized into the fields the rule uses, is silently excluded from the detection. We’ll bring you more about our progress in future newsletters.
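
To make the ASIM point concrete, here is an added example (ours, not content from Microsoft’s Network Session Essentials solution) of a single scheduled-rule query written against the ASIM NetworkSession schema through the `_Im_NetworkSession` unifying parser. It flags a source that has been blocked on many distinct destination ports in the last hour, a classic scan pattern, and it works unchanged for every product that has an ASIM NetworkSession parser deployed. The lookback, the 50-port threshold and the Deny/Drop action filter are assumptions to tune per environment, and the ASIM NetworkSession parsers are assumed to already be deployed to the workspace.

```kql
// Added example: one ASIM-based detection that covers every product with a
// NetworkSession parser. Not part of the Network Session Essentials solution.
// Assumes the ASIM NetworkSession parsers (_Im_NetworkSession) are deployed.
let lookback = 1h;              // assumption: match to the rule's query period
let port_threshold = 50;        // assumption: distinct blocked ports per source, tune per environment
_Im_NetworkSession(starttime=ago(lookback), endtime=now())   // time filter is pushed down into each source parser
| where DvcAction in ("Deny", "Drop")                         // normalized action, not a vendor-specific field
| where isnotempty(SrcIpAddr) and isnotempty(DstIpAddr) and isnotempty(DstPortNumber)
| where ipv4_is_private(DstIpAddr)                            // scanning of internal targets only
| summarize
    StartTime       = min(TimeGenerated),
    EndTime         = max(TimeGenerated),
    DistinctPorts   = dcount(DstPortNumber),
    DistinctTargets = dcount(DstIpAddr),
    BlockedSessions = count(),
    SamplePorts     = make_set(DstPortNumber, 20),
    Products        = make_set(strcat(EventVendor, " ", EventProduct), 10)   // which sources contributed
    by SrcIpAddr
| where DistinctPorts >= port_threshold
| extend Products = tostring(Products), SamplePorts = tostring(SamplePorts)
| project StartTime, EndTime, SrcIpAddr, DistinctPorts, DistinctTargets, BlockedSessions, Products, SamplePorts
```

When saving this as an analytic rule, map SrcIpAddr to the IP entity so incidents carry the scanning host, and set the query frequency and period to match the 1h lookback. The `starttime`/`endtime` parameters are passed into every underlying source parser, which keeps the query cheap; filtering on the normalized DvcAction rather than a vendor field is what lets the one rule keep applying as new products are added, and the Products column shows at a glance which sources actually fed the result.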

Source:
What’s New: Introducing Microsoft Sentinel Network Session Essentials solution – Microsoft Community Hub

“Today, we are announcing a new Network Session Essentials solution in Public Preview. This is a domain solution and the first Microsoft Sentinel solution to leverage the Advanced Security Information Model (ASIM). Hence this solution provides a set of generic OOTB (out-of-the-box) content, specific to network security scenarios, that supports over 15 network products and services including Azure Firewall, Palo Alto Firewall, Corelight, Cisco Meraki, Fortinet FortiGate and more. This means the same content from this solution can work with multiple network products deployed in your organization, hence delivering more value to protect your network with less.”

Stream log data from the Google Cloud Platform into Microsoft Sentinel (Preview)

We don’t get many requests for GCP, but when we do this will help:
Stream Google Cloud Platform into Microsoft Sentinel | Microsoft Learn

Detection Engineering

Did you know that Quorum Cyber has a dedicated Detection Engineering team? If the team is doing a good job, you probably won’t know they are there, working away on your behalf. One of my tasks as the Solution Director for Sentinel was to set up the team, hire and build out the capability. So, what has happened in the past year?

The team now consists of five full-time Detection Engineers: Anna, Andreas, Calum, David and Nick. The team works with tools such as Azure DevOps and GitHub to create and maintain analytic rules across all customers. Everything they do is logged in a ticket in Azure DevOps so it can be tracked, and all assets are stored centrally in GitHub. We then use a pipeline to deploy the rules to our customers on Mondays, Tuesdays and Wednesdays; this is to reduce any unforeseen impact on the SOC and customers at the end of the week or over weekends.

In the past month alone we have updated ~216 files, changing 11,585 lines of code and making 3,909 deletions. We manage 600+ Quorum Cyber detections.

Remediation project

We started this project in early January and it is still running (as of mid-April 2023), with the aim of making detections better for us and better for you. Essentially this was a “spring clean”: a reset on what we used to do, and a chance to improve or change things for the future. Some of the tasks we completed in the first phase were:
– Retire old rules.
– Make sure all rules are up to date (code check).
– Make sure all rules are named correctly, and remove old naming standards.
– Update the YAML files (every rule is stored in a YAML-formatted file in GitHub); they are now all at the latest version, with all settings populated.

Did you notice the word Remediation? Once again, you may not have seen the results of this work yet, but you will over time.

Phase 2
Each customer has a config file; this is how we know which rules to deploy and what severity to set (among other things). This was a major area to revisit: we went back through each file and checked each entry to make sure it was still valid, or to see if we could simplify and improve it.
Having done that, we were better able to leverage the work in phase one. One example: some rules were deployed by name, so a config file might have contained 10 rows for the 10 rules you needed, added over time. If they are all aligned to a single data connector, only one entry is now needed.

Another task for this phase was to pre-empt customer demand. Where there is a use case covered by an existing analytic that we have not previously deployed, we are now ‘adopting’ that analytic: adding it to our GitHub for quicker deployment, and tuning or improving it if required.

Written by Clive Watson, Solution Director, Quorum Cyber

Clive Watson is Microsoft Sentinel Solution Director at Quorum Cyber, where he leads the Detection Engineering team and the Microsoft Sentinel solution offering.

Clive spent 18 years working for Microsoft and is a Microsoft Security Most Valuable Professional (Security MVP). With 30+ years’ experience within IT, consultancy and technical pre-sales, he regularly contributes to public forums and discussions on the topic of the Microsoft security stack, especially for Microsoft Sentinel, KQL and Workbooks.