WPNinjas HeaderWPNinjas Header

Tag: Microsoft Sentinel

Microsoft Sentinel
Thomas Kurth

Microsoft Sentinel ASIM Parser demystified

In the realm of cybersecurity, the ability to efficiently parse and analyze vast amounts of data is crucial. Microsoft Sentinel offers a powerful solution for this purpose. One of its key features is the ASIM (Advanced Security Information Model) parser, which plays a significant role in data normalization and enrichment.

Read More »
Microsoft Sentinel
Thomas Kurth

Enhancing Network Security Insights with IDS/IPS of Ubiquiti Dream Machine Pro and Microsoft Sentinel

In my previous post, I explored the basics of integrating Ubiquiti Dream Machine Pro logs with Microsoft Sentinel, setting the stage for advanced network monitoring and security analysis. Today, we’re taking a significant leap forward by incorporating the threat detection capabilities of the device, which is using Suricata, an open-source

Read More »
Microsoft Sentinel
Thomas Kurth

Ubiquiti Dream Machine Pro Logs to Microsoft Sentinel

Many IT geeks may have at home an Ubiquiti Dream Machine Pro to manage and protect their network. It’s a perfect device to build test networks and having some cool options like having an Azure Site to Site VPN tunnel. But can I also leverage the logs in Microsoft Sentinel?

Read More »
Security
Christoph Düggeli

Sentinel Automation use case – custom Alerting with LogicApps

Intro I recently stumbled over a LogicApp (Microsoft Sentinel Playbook) I’ve created a long time ago where I needed to fix some stuff. The use case of the LogicApp is to handle the phone alerting process for customers with specific alerting requirements (no 24/7, only dedicated times during the day).

Read More »
Security
Thomas Kurth

Extending Microsoft Sentinel with important device data

During security Incident Analysis, Threat and Vulnerability Management and security activities it’s important to have enough data available to correlate them.  Especially Microsoft Intune contains a lot of valuable information, but also other resources which are available via Microsoft Graph can be helpful. It is simple to add this information

Read More »
Security
Christoph Düggeli

Sentinel Incident Automation – Playbook dependencies

Intro In this blog post I follow up on my previous blog post. There we addressed the challenge to to handle the (potentially massive) delay in entity mappings for security incidents.  Here’s the link in case you missed the blog post: Sentinel Incident Automation – handle entity mapping delay in

Read More »
Security
Christoph Düggeli

Sentinel Incident Automation – handle entity mapping delay​ in Playbooks

Intro Automation is a key element to improve SOC efficiency. Many different use cases exist where automation can be applied Tagging of Security incidents Severity level adoptions Auto-Closure Security incident information enrichment  …and many more Most of the automation is based on pre-defined conditions. To auto-close a security incident one

Read More »
SOC Monitor Wall Layout
Security
Christoph Düggeli

SOC Monitor wall – Build your Content (Part 3)

In this blog post, I share how the dedicated workbooks could look like regarding their content. Note: During the analysis of a specific high-severity security incident in a customer environment you might want to display specific content on the SOC wall screen. Link to other Parts: Planning the Setup Develop

Read More »
SOC Monitor Wall Layout
Security
Christoph Düggeli

SOC Monitor wall – Planning the Setup (Part 1)

The big plus working in a SOC is the possibility to be on-site with other Security Analysts rather than being separated in the home office. Working in a MSSP SOC means to keep an eye on multiple customer SIEM’s simultaneously in terms of security incidents and anomalies/availability of mandatory log

Read More »