Discover and read the best of Twitter Threads about #AzureSentinel

Most recent (9)

THREAD: Yesterday I gave a talk at #ITechDays on the #Security approach in the #Cloud, in an #Azure context.
Here are the key points and the promised links and references.
DISCLAIMER: I'm an MVP and RD, but this isn't based on NDA info. My opinions only.
It might be wrong. You are warned.

Pic (cc) visualhunt.com/re7/e60879a6
John Boyd defined the #OODA loop. It is not the strongest or best equipped who survive.
The rate of adaptation to change matters.

How does it apply to #security?
Read 28 tweets
Added #STRONTIUM election-related credential harvesting campaign "detection" to #AzureSentinel: github.com/Azure/Azure-Se…

Yes - it's hardcoded for netblocks released in the #MSTIC report (microsoft.com/security/blog/…)
This is just extra coverage on top of existing cred harvesting logic
That said, the logic posted there finds some high fidelity #STRONTIUM campaigns from at least June through... recently (more details in above blog).

You'll see a User-Agent, first/last attempt, # of total attempts, # of unique IPs & unique accounts attempted + a list of accounts
As shipped, it's looking over the past 30 days. But if you have #AzureSentinel, I recommend pasting that same KQL in & searching logs w/ an expanded timeframe.
The # authAttempts can stay where it's at ... #STRONTIUM activity is approx 100 attempts per IP per account
Read 4 tweets
It has never been easier to get started with key Microsoft security tools. There are ninja trainings for:

- Azure Security Center
- Microsoft Defender ATP
- Azure Sentinel

#AzureSecurityCenter #MDATP #MicrosoftDefenderATP #AzureSentinel
Read 5 tweets
It's been awesome to witness so many teams collaborating to prevent/detect malicious OAuth apps and reduce the attack surface.

Excited for my small part in providing #AzureSentinel visibility into suspicious OAuth behavior & tooling. Blog soon!
🙏PwnAuth, O365-attack-toolkit, C3 Azure Sentinel detections a...
Context:
I figured if I tweeted, I'd be forced to actually finish that blog with @cglyer 😅
Taking lots of action against multiple forms of OAuth abuse: https://t.co/kpH8363ey0
Read 3 tweets
🆕 Job Update: I'm joining @Microsoft!

On the #MSTIC R&D team:
☁️🏹hunting & investigations in the cloud (#AzureSentinel, @Office365)
🎯✍️🏽writing detections for several platforms
👥🎁community-based research & sharing
🛡️🤲🏽protecting those who need it the most #DefendingDemocracy
Honored to work for @JohnLaTwC & @LeahLease
I'm pumped to grow with & learn from so many amazing security engineers and analysts in #MSTIC: twitter.com/i/lists/112798… #FF

My new East Coast crew includes the #APT hunters in Reston, @Cyb3rWard0g, and some random @cglyer guy 😅

Also:
I'm going to lean on (& try¹ to contribute to) teams across the MS security family:
@MicrosoftMTP crew w/ @jepayneMSFT @endisphotic @GossiTheDog et al🤩
@msftsecresponse w/ the awesome @n0x08
@Lee_Holmes for everything Azure

¹if I say it here, it has to happen right?😉
Read 4 tweets
For 2020, here are 20 reasons to look into #AzureSentinel
👇👇
Read 21 tweets
The wait is over. Read the final part 2, which is focused on AWS log data ingestion, #hunting and investigation of Capital One breach TTPs in #AzureSentinel techcommunity.microsoft.com/t5/Azure-Senti…
T1078: Privileged role attached to Instance.
#AzureSentinel #MITRE #AWS #threathunting
github.com/Azure/Azure-Se…
T1078: Suspicious credential token access of valid IAM Roles
#AzureSentinel #MITRE #AWS #threathunting
github.com/Azure/Azure-Se…
Read 5 tweets
I was invited by @ram_ssk to speak at the Microsoft Security Data Science Colloquium. 🙏 COOL EVENT
His summary 👉
I talked on accelerating learning in infosec, importance of organizing knowledge w/ @MITREattack (and extending to cloud), executable know-how with @cyb3rops #Sigma, cloud native #AzureSentinel, #Jupyter notebooks for sharing repeatable analysis.
SLIDES: github.com/ramshans/2019-…
I ♥️ that it has attendees from the community including @Google, @salesforce, @netflix, @Facebook, @splunk (@meansec, @daveherrald, @davidveuve), @NicolasPapernot
Shout out to @Cyb3rWard0g and @ianhellen in my presentation!
Read 3 tweets
If you use O365, you need to learn about password spray. Want to see some campaigns against you? Try #AzureSentinel--you can connect your O365 data for free. Here are some common patterns.
👇👇👇
Attacker uses a formulaic Microsoft Office User Agent string.
Attacker using IMAP interface. Look for CBAInPROD from invalid login sources.
🔗gcits.com/knowledge-base…
Read 8 tweets