In the realm of cybersecurity, the ability to efficiently parse and analyze vast amounts of data is crucial. Microsoft Sentinel offers a powerful solution for this purpose. One of its key features is the ASIM (Advanced Security Information Model) parser, which plays a significant role in data normalization and enrichment.
In my previous post, I explored the basics of integrating Ubiquiti Dream Machine Pro logs with Microsoft Sentinel, setting the stage for advanced network monitoring and security analysis. Today, we’re taking a significant leap forward by incorporating the threat detection capabilities of the device, which is using Suricata, an open-source
Many IT geeks may have at home an Ubiquiti Dream Machine Pro to manage and protect their network. It’s a perfect device to build test networks and having some cool options like having an Azure Site to Site VPN tunnel. But can I also leverage the logs in Microsoft Sentinel?
Intro I recently stumbled over a LogicApp (Microsoft Sentinel Playbook) I’ve created a long time ago where I needed to fix some stuff. The use case of the LogicApp is to handle the phone alerting process for customers with specific alerting requirements (no 24/7, only dedicated times during the day).
Apparently the contents from the screenshots taken is not easy to read and some zoom-in is required. Layer 8 issue. Table of Contents Intro You/your company has just signed up for a SIEM/SOAR solution where data from multiple, different external systems/platforms is aggregated, analyzed and (worst case) processed into Security
During security Incident Analysis, Threat and Vulnerability Management and security activities it’s important to have enough data available to correlate them. Especially Microsoft Intune contains a lot of valuable information, but also other resources which are available via Microsoft Graph can be helpful. It is simple to add this information
Intro In this blog post I follow up on my previous blog post. There we addressed the challenge to to handle the (potentially massive) delay in entity mappings for security incidents. Here’s the link in case you missed the blog post: Sentinel Incident Automation – handle entity mapping delay in
Intro Automation is a key element to improve SOC efficiency. Many different use cases exist where automation can be applied Tagging of Security incidents Severity level adoptions Auto-Closure Security incident information enrichment …and many more Most of the automation is based on pre-defined conditions. To auto-close a security incident one
In this blog post, I share how the dedicated workbooks could look like regarding their content. Note: During the analysis of a specific high-severity security incident in a customer environment you might want to display specific content on the SOC wall screen. Link to other Parts: Planning the Setup Develop
The big plus working in a SOC is the possibility to be on-site with other Security Analysts rather than being separated in the home office. Working in a MSSP SOC means to keep an eye on multiple customer SIEM’s simultaneously in terms of security incidents and anomalies/availability of mandatory log
Copyright © 2023 Workplace Ninja’s. All Rights Reserved. – Code of Conduct, Webpage Terms of use and Webpage Privacy Policy