Azure Sentinel Incident Auto-refresh feature hits GA

It's the little things, right? It's the attention to detail that drives quality and consumption. That said, today the Auto-refresh feature for Azure Sentinel Incidents has hit the general availability milestone. What does it do? Good question. Again, a very simple looking and sounding feature, but also a very powerful tool to use …

Managing Disconnected Azure VMs for Azure Sentinel

For those who take the deeper security plunge for their Azure VMs and disconnect them from the Internet completely, did you know this makes monitoring their security with Azure Sentinel a bit of a challenge? The Log Analytics agent requires an Internet connection to function, but by enabling a specific …

Hyper-V On-the-Go: Lab VM State Change

Shutting down or powering up (or even rebooting) the lab en masse via Hyper-V? Nuts to that! Do it the PowerShell way. No muss, no fuss, and way quicker. Note that the $txtMatch variable defaults to the match string '^((ad|app)\.|incep)'. This regex matches any VM name beginning with AD., APP. or Incep (short for inception). Load the function into your …

Modified IP Address to GEO to Tags Azure Sentinel Playbook

One of my favorite Playbooks is the one created by Nicholas DiCola that provides GEO information for IP Addresses that are associated with an Azure Sentinel Incident. Once the information is obtained, it's placed in the Incident's Tags for easy readability and quick-glance information about where the connections are coming from. I run this Playbook …

KQL to Help Identify Systems Patched for CVE-2020-1350

On Tuesday, July 14th, we released an alert and guidance on a potentially impactful Windows DNS Server Remote Code Execution Vulnerability. See: CVE-2020-1350 If you're using Azure Sentinel, Intune, or any other service that can take advantage of KQL to sift through a Log Analytics Workspace (LAW), the following KQL query can help identify those …