KQL to Help Identify Systems Patched for CVE-2020-1350

On Tuesday, July 14th, we released an alert and guidance on a potentially impactful Windows DNS Server Remote Code Execution Vulnerability (see CVE-2020-1350). If you're using Azure Sentinel, Intune, or any other service that can take advantage of KQL to sift through a Log Analytics Workspace (LAW), the following KQL query can help identify those …

Creating an Azure Sentinel Taskbar and Start Menu Shortcut and Icon for Quick Access

Do you want quick access to your Azure Sentinel tenant without having to sift through the general Azure portal? Sure, you can set up an Edge (or other browser) shortcut, but you can also create a Windows 10 Taskbar shortcut and/or a Start Menu shortcut. Here's how. Download the 32x32 pixel Azure Sentinel icon: https://github.com/rod-trent/AzureSentinelMisc/blob/master/AzureSentinel_icon_32x32.zip Extract …

Using Microsoft To-do as a Simple Ticketing System for Azure Sentinel

A customer recently asked me to suggest a very simple, cost-effective service ticketing system they could use with Azure Sentinel. The following ended up serving the customer's needs. Microsoft To-do can be a powerful tool for those who like to separate their schedule items from their task lists. For many Office 365 customers, they may …

Resolving WindowsFirewall Log Ingestion Problems for Azure Sentinel

This problem has come up enough in the last month or so that it's worth a quick-hit blog post to help folks resolve it. The problem: you enable the Windows Firewall Data Connector in Azure Sentinel, follow the directions, and make sure the Log Analytics agent is installed on the remote system - but the …

Azure Sentinel Daily Task: Data Connectors

This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I'll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There are deeper discussions and training that are required to get a good …

Azure Sentinel Daily Task: Analytics Rules

This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I'll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There are deeper discussions and training that are required to get a …

Azure Firewall vs Network Virtual Appliances

Network security plays a vital role in public cloud infrastructure design. Azure provides multiple network security options for cloud infrastructure and application services. A few of Azure's network and application security offerings are listed below: Network Security Group, Application Security Group, Isolated Virtual Network, Access Control List, Azure DDoS Protection, Azure Front Door, App Service Environment, Azure Firewall (firewall-as-a-service), Third …

Multi-workspace View for Azure Sentinel Now in Public Preview

We've had a lot of interest from customers to be able to review multiple workspaces in Azure Sentinel. Prior to this release, this was only available through Azure Lighthouse or, alternatively, you could do cross-workspace KQL queries to view merged data. Now, with the multi-workspace view, you can select multiple workspaces as you enter into …

Tools and Resources to Practice Your Azure Sentinel KQL-fu

I teach a couple of KQL courses focused on Azure Sentinel - one beginner and one more advanced. The beginner course (level 100-200), coupled with our KQL docs (aka.ms/KQLDocs), is usually enough to get customers on the right path to learning the Kusto Query Language. Whenever I deliver an Azure Sentinel workshop, it's the moment …

Exporting Events from Disconnected Systems to Ingest into Azure Sentinel

I had the occasion recently to work with a customer that had domain controllers that were disconnected from the Internet, but still wanted to ingest the server event logs into Azure Sentinel. Sifting through research, I found there are myriad ways to do it (including standing up a Log Analytics gateway), but one of …