Welcome to AzureVlog! Your one-stop destination for all things Microsoft Security. From mastering KQL to streamlining incident response, Microsoft Sentinel and Defender for Endpoint, we've got you covered. Join me as I explore the endless possibilities of AI in Security and delve deeper into the world of cybersecurity. Subscribe now for valuable and informative content that will enhance your Microsoft Security skills 💻🔒 #MicrosoftSecurity #MicrosoftSentinel #Cybersecurity
Hi, I'm always trying to replicate all your videos in a lab, so that I can truly learn and understand. Thanks a lot for all your videos. Can you provide more details on the App Registration and on the "Parse JSON" action? I'm stuck on those two...
It always says the following error: Can't get account information Try again in a few minutes. If the issue persists, contact an administrator. Please help me.
Congratulations on your channel; it's helping me a lot. It's always bringing new information and helping those who want to stay updated in the world of Microsoft cybersecurity. You are very good! Thank you for sharing with us
Nice introduction, I'm looking forward to seeing some of the uses for Copilot for Security. I just deployed it in my tenant and began using it. I'm currently working on having it automatically provide an executive summary for incidents using the one from the promptbook. Since there isn't a way to run a whole promptbook automatically, I am writing a Logic App in Sentinel that basically runs each prompt of that promptbook, and will continue using the same session ID for each one until the executive summary is complete. Then, it can add the summary to the incident as a comment. Since this normally takes some time, having it run automatically so the comment is already present by the time you review the incident will be nice. Another tip to optimize SCU resource utilization is to limit using Copilot for queries. If there is something that can be defined by a KQL query, you can do that and feed the results to Copilot instead of asking it to do that query. For example, instead of saying "Go back and tell me about Security Incidents in Sentinel that happened in the last 12 hours", you can run a KQL query to return the Incident numbers during your desired time, and then instead ask Copilot "Tell me about the following Security Incidents" and then list the KQL results. This way Copilot doesn't have to use resources to figure out simple things like "what time is it now and how far is 12 hours back" and "What incidents were created in that time range". Cheers!
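The KQL step described in the comment above, as an added example that is not part of the original comment: it pulls the incidents created in the last 12 hours from the Sentinel SecurityIncident table, keeps only the latest row per incident (SecurityIncident stores one row per update), and builds the list of incident numbers that the comment proposes handing to Copilot instead of letting Copilot work out the time window itself. The 12-hour window, the exclusion of closed incidents and the severity ranking are assumptions.

```kql
// Added example (not from the comment author): build the incident list for the Copilot prompt.
let lookback = 12h;                                   // assumed window, matching the comment's example
SecurityIncident
| where CreatedTime > ago(lookback)                   // created in the window, not merely updated in it
| summarize arg_max(TimeGenerated, *) by IncidentNumber   // one row per update; keep the latest state
| where Status != "Closed"                            // assumption: closed incidents need no summary
| extend SevRank = case(Severity == "High", 0,
                        Severity == "Medium", 1,
                        Severity == "Low", 2, 3)      // rank so High comes first, not alphabetical order
| order by SevRank asc, CreatedTime desc
| project IncidentNumber, Title, Severity, Status, CreatedTime
| summarize IncidentCount = count(),
            IncidentList = strcat_array(make_list(tostring(IncidentNumber)), ", ")
| extend Prompt = strcat("Tell me about the following Security Incidents: ", IncidentList)
```

In the Logic App the comment describes, the Prompt column is the text you would pass to the Copilot prompt step, so Copilot only spends SCUs on the summary itself.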
I need to be able to collect and change alerts' status from an external alert management system. Should I use Graph Security API or Azure Management API? What are the prerequisites for the Sentinel alerts appearing in the graph API? Thanks!
Security Copilot is not living up to the potential promised in the current version. It cannot decode base64 and it cannot decode a PowerShell obfuscated script if it has more than a few words. The limitations here are massive. And the code analyser uses so much SCU even if it fails (6 to 8.5).
Hi! Thanks for your response. I see this version as just the initial version of Copilot for Security. I think it has all the potential to become a very good security assistant. I just tested base64 encoding. That did work actually. I haven't fed a large script with multiple layers of obfuscation to it as I don't have such a file available at the moment, but would love to give it a try.
Hello, do you know if Multi Tenant Support for the unified Portal will be available (for example if I have multiple Sentinel Workspaces with Azure Lighthouse or Multiple XDR Tenants via MTO Defender)?
Greetings and thank you for all your great content. I've really been looking forward to the unification of the Defender Portal and Sentinel, but once connected I felt there is a lot missing still. Playbooks, for example. We use those extensively to enrich our entities in Sentinel Incidents, but I have yet to find a way to do that in the Defender Portal.
Hi! The workspace is still usable from within the Azure Portal. The unified security operations platform only supports a single workspace today. In case you also need to manage Defender for Endpoint in a multi-tenant scenario, I would suggest having a look at M365 Lighthouse.
The customer has several Azure subscriptions with several standalone Sentinel configs. Do you think it will be possible to attach several Sentinel workspaces into one Defender portal? Thanks
Hi, nice share. I'm commenting on the below out-of-context topic, but it's important. I'm texting you this after not receiving any reply from the Microsoft Tech Community. I have this Azure recommendation "SQL databases should have vulnerability findings resolved" where I had one of the SQL Servers in healthy resources, but the databases inside are in not applicable databases. I want to set it in healthy databases. What would be a solution for this? Please note we are using the express configuration. Thank you!
Hello, how can I get the behaviorInfo table from Defender for Cloud Apps into Sentinel? Would enabling this unified platform be of help? How about if I don't want to go unified because of some business reasons? Assistance on getting the behaviourInfo table into Log Analytics would be appreciated.