‌

‌❕This article has not been completed yet. However, it may already contain   helpful Information and therefore it has been published at this stage

Introduction:

Data collection rules (DCRs) are part of a modern data collection strategy that improves upon traditional methods. They provide a standardized approach to configuring data     ingestion from various sources, making the process more manageable and scalable.DCRs allow users to define how data is collected, transformed, and sent to a destination,such as a Log Analytics workspace.

This functionality (also known as Log Splitting) can be used for a variety of reasons:

- cost optimization
- normalization
- enrichment
- removing sensitive data
- and granular access configuration

The benefits and costs of this technology depend on how you split the logs and where you transfer them. Therefore, you need to carefully design your sentinel and data collection rules.

Two target scenarios will now be discussed in more detail.

• Send information to a secondary Basic or Auxiliary logs table
  Basic and Auxiliary tables offer a significantly lower cost compared to Analytics tables, making them attractive for cost-saving strategies. However, these tiers come with important limitations:
  
  - They have strict retention policies.
  - KQL query capabilities are heavily restricted.
  - They cannot be used in alert rules.
  
  These constraints are critical and can impact operational flexibility. Additionally, not all tables are eligible to be switched to Basic or Auxiliary tiers, which further limits their applicability.
  
• Send data to a secondary Analytics table with customized retention or archiving settings
  Microsoft Sentinel provides free data retention for the first 90 days. Beyond that, extended retention or archiving incurs additional costs. To optimize expenses, you can configure tables with different retention periods and route logs accordingly. This allows you to retain critical data longer while rolling out less essential logs earlier - helping reduce storage costs without compromising operational needs.

For more information see:
- https://docs.azure.cn/en-us/azure-monitor/logs/data-platform-logs#table-plans

ℹ️ Info: Another cost-effective option that enables long-term storage and advanced analytics without the traditional limitations of SIEM is the use of the data lake layer.

For more information see:
- https://learn.microsoft.com/en-us/azure/sentinel/datalake/sentinel-lake-overview
- https://techcommunity.microsoft.com/blog/microsoft-security-blog/microsoft-sentinel%E2%80%99s-new-data-lake-cut-costs--boost-threat-detection/4445281

💡Good to know: When a connector is enabled and the data lake feature is activated, data is automatically sent to the analytics tier and mirrored in the data lake tier by default. Mirroring data in the data lake with the same retention as the analytics tier doesn't incur additional billing charges.

Subsequently, only the first scenario mentioned above will be discussed step by step without further elaborating on the data lake option.

How to Use Workspace Transformation Rules to Send Azure Diagnostic Logs to Secondary Analytics or Auxiliary Tables

Prerequisites

• An Azure Subscription
• Azure Contributor rights
• A pre-existing Resource Group      (ideally named "rg-sentinel-001")
• A Log Analytics Workspace      (ideally named "log-sentinel-001")

Navigate to the Resource Group (or create one, see link), where you want to deploy your resources for this hands-on lab. Click on "Create"

Enter "storage account" in the search field. Click the "Create" button under Microsoft's Storage Account offering, then select the "Storage account" option.

Fill in all the necessary fields, such as Subscription, Resource group, Storage account name, Region, Preferred storage type, Performance, and Redundancy. Then click on "Review + Create".

Click "Create" again.

Once the deployment is complete, select “Go to resource.”

Next, select “Diagnostic settings” and choose the “blob” storage type for which the log data is to be collected.

Select "Add diagnostic setting".

1. Select the categories for which logging data should be collected.
2. Assign a name for the Diagnostic Settings.
3. Define a destination for the collected logs. In this case, select “Send to Log Analytic workspace.”
4. Select the correct “Subscription” and “Log Analytic workspace.”
5. Click on “Save.”

Next, you need to create a container and generate some logging data.

1. To do this, go to “Storage browser.”
2. Then click on “Blob containers.”
3. Next, select “Add container.”

Now we assign a name to the new container and then click on “Create.”

As soon as the new container is visible (you can refresh the view with F5), we select it.

Now let's click on “Upload”.

We move a file (in our case “Test.txt”) with any content into the drag and drop field and click on “Upload” again.

Once the upload is complete, we click on the 3 dots next to the new file.

A menu opens, in which we select the "Delete" function.

Showing Result in the Log Analytic Workspace:

Now that we have added a few interactions to the storage account, we should check whether these have been logged. To do this, we switch to the Log Analytics workspace, click on “Logs”, and display all data from the “StorageBlobLogs” table.

To do this, you just need to specify the table name and click on "Run".

As you can see, a few interactions have already been logged

Creating an Auxiliary - Tier Table

To split the data into different tables, you need to create a destination table for this purpose. To do this, we use a ready-made script (the script can be found here). Save it with the name “Create-AuxCustomTable.ps1”.

function Create-AuxCustomTable{

<#

.SYNOPSIS
    Creates or updates an Auxiliary (Data Lake) custom table in Azure Log
    Analytics.

.DESCRIPTION
    This function allows you to create a new Auxiliary (Data Lake) custom  
    Table in Azure Log Analytics or update an existing table
    by copying the schema of a specified source table.

.NOTES
    File Name : Create-AuxCustomTable.ps1
    Author    : Microsoft MVP/MCT - Charbel Nemnom
    Version   : 1.1
    Date      : 17-June-2025
    Updated   : 20-August-2025
    Requires  : PowerShell 7.4.x (Core)
    Module    : Az Module

.LINK
    To provide feedback or for further assistance please visit:
    https://charbelnemnom.com

.PARAMETER workspaceResourceId
    The resource id of the Log Analytics workspace.
    /subscriptions/subscription-Id/resourceGroups/rg-name/providers/Microsoft.OperationalInsights/workspaces/workspace-name

.PARAMETER SourceTableName
    The name of the source table to copy the schema from.

.PARAMETER AuxTableName
    The name of the new Auxiliary (Data Lake) custom table to create (suffix _CL will be appended automatically).

.PARAMETER AuxTableDescription
    A description for the new Auxiliary (Data Lake) custom table.    

.PARAMETER TotalRetention
    Total long-term retention period for the new Auxiliary (Data Lake) table in days between (30-4383).

.EXAMPLE
    Create-AuxCustomTable `
     -WorkspaceResourceId "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup/providers/Microsoft.OperationalInsights/workspaces/MyWorkspace" `
     -SourceTableName "CommonSecurityLog" `
     -AuxTableName "AuxTable" `
     -AuxTableDescription "AuxTableDescription" `
     -TotalRetention 365
#>

param (
    [Parameter(Position = 0, Mandatory = $true, HelpMessage = 'Enter Log Analytics Workspace Resource Id')]
    [ValidateNotNullOrEmpty()]
    [string]$WorkspaceResourceId,

    [Parameter(Position = 1, Mandatory = $true, HelpMessage = 'Enter the source table Name')]
    [ValidateNotNullOrEmpty()]
    [string]$SourceTableName,

    [Parameter(Position = 2, Mandatory = $true, HelpMessage = 'Enter the Auxiliary (Data Lake) custom table Name')]
    [ValidateNotNullOrEmpty()]
    [string]$AuxTableName,

    [Parameter(Position = 3, Mandatory = $true, HelpMessage = 'Enter the description for the new Auxiliary (Data Lake) custom table')]
    [ValidateNotNullOrEmpty()]
    [string]$AuxTableDescription,       

    [Parameter(Position = 4, Mandatory = $true, HelpMessage = 'Enter the total retention period for the Auxiliary (Data Lake) table in days between [30-4383]')]
    [ValidateRange(30, 4383)]
    [int]$TotalRetention
)

#! Define Variables    
$tableType = "auxiliary"
#! Define the Preview API Version to use for Log Analytics
$apiVersion = "?api-version=2023-01-01-preview"    

#! Install Az Module If Needed
function Install-Module-If-Needed {
    param([string]$ModuleName)

    if (Get-Module -ListAvailable -Name $ModuleName) {
        Write-Host "Module '$($ModuleName)' already exists, continue..." -ForegroundColor Green
    } 
    else {
        Write-Host "Module '$($ModuleName)' does not exist, installing..." -ForegroundColor Yellow
        Install-Module $ModuleName -Force  -AllowClobber -ErrorAction Stop
        Write-Host "Module '$($ModuleName)' installed." -ForegroundColor Green
    }
}

#! Install Az Accounts Module If Needed
Install-Module-If-Needed Az.Accounts

#! Check Azure Connection
Try { 
    Write-Verbose "Connecting to Azure Cloud..." 
    Connect-AzAccount -WarningAction SilentlyContinue -ErrorAction Stop | Out-Null 
}
Catch { 
    Write-Warning "Cannot connect to Azure Cloud. Please check your credentials. Exiting!" 
    Break 
}

# Create the authentication token
$context = Get-AzContext
if (-not $context) {
    throw "No Azure context found. Please re-authenticate."
} 
$tokenRequest = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate($context.Account, $context.Environment, $context.Tenant.Id, $null, "Never", $null, "https://management.azure.com/")
if (-not $tokenRequest) {
    throw "Failed to obtain access token. Please check your authentication."
}
$AzureAccessToken = $tokenRequest.AccessToken
$AuthenticationHeader = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$AuthenticationHeader.Add("Content-Type", "application/json")
$AuthenticationHeader.Add("Authorization", "Bearer $AzureAccessToken") 

# Getting original source table schema
Write-Output "[Getting source table schema for $sourceTableName...]"
$tableManagementAPIUrl = "https://management.azure.com$workspaceResourceId/tables/$sourceTableName" + "$($apiVersion)"
$response = Invoke-RestMethod -Uri $tableManagementAPIUrl -Method Get -Headers $AuthenticationHeader -ErrorAction Stop
$columns = $response.properties.schema.columns

# For standard tables we need to look into standard and custom columns separately
if ($sourceTableName -notlike "*_CL") {
    $columns += $response.properties.schema.standardColumns
}

# Removing reserved column names from the schema
Write-Output "[Removing reserved column names from the schema...]"
$columnsNameToRemove = @("TenantId", "SourceSystem")
# Removing dynamic column type from the schema. Tables with the Auxiliary plan don't support columns with dynamic data.
Write-Output "[Removing dynamic column type from the schema...]"
$columnsTypeToRemove = @("dynamic")    
$updatedColumns = $columns | Where-Object { $columnsNameToRemove -notcontains $_.name -and $columnsTypeToRemove -notcontains $_.type }

# Construct table parameters
Write-Output "[Constructing the Auxiliary table parameters...]"
$customAuxTableName = $auxTableName + "_CL"
$TableParams = @{
    properties = @{
        schema               = @{
            name        = $customAuxTableName
            description = $auxTableDescription
            columns     = $updatedColumns
        }
        totalRetentionInDays = $TotalRetention
        plan                 = $tableType
    }
}    

# Convert table parameters to JSON
Write-Output "[Converting table parameters to JSON...]"
$TableParamsJson = $TableParams | ConvertTo-Json -Depth 4

# Create or update the table
Write-Output "[Creating/Updating Auxiliary table $customAuxTableName...]"
$Response = Invoke-AzRestMethod -Path "$workspaceResourceId/tables/${customAuxTableName}$($apiVersion)" -Method PUT -Payload $TableParamsJson

if ($Response.StatusCode -eq 200 -or $Response.StatusCode -eq 202) {
    Write-Output "[Success] Auxiliary Table '$customAuxTableName' created/updated successfully."
}
else {
    Write-Error "Failed to create/update the table. Status code: $($Response.StatusCode)"
    if ($Response.Content) {
        $ErrorDetails = $Response.Content | ConvertFrom-Json
        Write-Error "Error Code: $($ErrorDetails.error.code)"
        Write-Error "Error Message: $($ErrorDetails.error.message)"
    }
}
}

It is best to run it in an Azure Shell and upload the script via “Manage files.” Once uploaded, you need to dot source it.

With the command

Create-AuxCustomTable `
         -WorkspaceResourceId "/subscriptions/45dc4629-f423-4e3c-a063-37b62eec82fb/resourcegroups/rg-sentinel-001/providers/microsoft.operationalinsights/workspaces/log-sentinel-001" `
         -SourceTableName "StorageBlobLogs" `
         -AuxTableName "StorageBlobLogs_Aux" `
         -AuxTableDescription "Test" `
         -TotalRetention 365

we create a so-called custom table in the auxiliary logs tier based on a template table and define the name of the source and what the new table should be called, as well as how long it should store data. The WorkspaceResourceId determines which Log Analytic workspace should be used.

To view the new table, navigate to "Tables" under "Settings" in the Log Analytics workspace and search for the name of the newly created table.
The table can be easily identified because it has a “_CL” postfix.

Next, it is necessary to create or define the splitting logic.

In our case, we use a Workspace Transformation Rule for this.

Sometimes this rule already exists.

To check if you have a Workspace Transformation Rule in place, look for the kind parameter in the arm template of the rule you are checking.

To  create a Workspace Transformation DCR via GUI follow the steps outlined here: Tutorial: Add a workspace transformation to Azure Monitor Logs by using the Azure portal - Azure Monitor | Microsoft Learn

We now assume that this DCR already exists and want to adapt it to our needs.

We navigate back to the “Tables” section under ‘Settings’ in the Log Analytics workspace and locate the “StorageBlobsLogs” table. Then we click on the three dots.

A menu will open. Select “Create transformation.”

Click on "Next"

Select the icon for the "Transformation editor"

Add this Transformation (KQL)

source | where StatusCode == "200"

Click on “Run”  and confirm with “Apply”.

Click "Next" and "Create"

To see the result, you need to inspect the ARM code (JSON) of the Workspace DCR. Here you can see that the KQL transformation has been implemented.

Since the redirection to another table is still missing here, the ARM template must be adapted for this and the workspace transformation DCR must be redeployed.

Select “Deploy”.

Navigate to "Edit template" and select it.

Add this line at the end of the template.
Make sure to use the prefix “Custom-“.

"outputStream": "Custom-StorageBlobLogs_Aux_CL"

Select “Save”

Click on "Review + create"

After about 30 minutes and further interaction with the storage account (e.g., copy and delete actions), the redirected logs should be in the newly created table.

Switch to the Log Analytics workspace, click on “Logs”, and display all data from the “StorageBlobLogs_Aux_CL” table.

This way, logging information can be transferred to another storage location and stored more cost-effectively.

Sources:

https://charbelnemnom.com/auxiliary-logs-transformations-in-sentinel/#Splitting_Streams_Between_Different_Tiers

Create a transformation in Azure Monitor - Azure Monitor

Create a transformation in Azure Monitor and add it to a data collection rule (DCR).

bwrenMicrosoft Learn

Tutorial: Add a workspace transformation to Azure Monitor Logs by using the Azure portal - Azure Monitor

Describes how to add a custom transformation to data flowing through Azure Monitor Logs by using the Azure portal.

austinmccollumMicrosoft Learn

❕This article has not been completed yet. However, it may already contain   helpful Information and therefore it has been published at this stage

KQL OPERATOR: Summarize

Description:

The summarize operator in Kusto Query Language (KQL) is used to aggregate data by one or more columns (see all supported aggregation function types) . It takes in a table of data and outputs a new table that is aggregated based on the specified columns.

Syntax

T | summarize [ SummarizeParameters ] [[Column =] Aggregation [, ...]] [by [Column =] GroupExpression [, ...]]

Use-Cases (leveraging the DeviceNetworkEvents Table):

#1 Basic usage:

This command 👇 returns the count of records for each Actiontypevalue in the DeviceNetworkEvents table (for the last 24h + Show limit: 1000 results)

DeviceNetworkEvents
| summarize count() by ActionType

#2 Multiple Aggregations:

This query 👇 provides a count of network events for each device and action type, sorted by the device name  (for the last 24h + Show limit: 1000 results).

DeviceNetworkEvents
| project DeviceName, ActionType
| summarize count()by DeviceName, ActionType
| sort by DeviceName asc

#3 Conditional Aggregation:

This KQL 👇 filters network events from the past 30 days to include only those with a non-empty initiating process parent file name, identifies the most recent event for each device, and then counts how many of these events were initiated by a parent process named python3.6.

DeviceNetworkEvents
| where TimeGenerated > ago (30d)
        and isnotempty(InitiatingProcessParentFileName)
| summarize arg_max(TimeGenerated, *) by DeviceName
| summarize Count = countif(InitiatingProcessParentFileName == 'python3.6')

#4 Grouping

This KQL 👇 filters network events from the past week (see my blog post about the where operator), identifies the most recent action type for each device, and then counts how many times each action type occurred

DeviceNetworkEvents
| where TimeGenerated > ago(7d)
| summarize arg_max(TimeGenerated,ActionType) by DeviceName
| summarize count() by ActionType

#5 Calculate percentage based on two columns

This KQL  👇 analyzes the connection actions of devices by summarizing the total number of connection attempts, the number of failed and successful connections, and the percentage of failed connections for each device. It then sorts the results by the number of failed connections.

DeviceNetworkEvents
| summarize 
    TotalActions = countif(ActionType == 'ConnectionFailed' or ActionType == 'ConnectionSuccess'),
    ConnectionFailed = countif(ActionType == 'ConnectionFailed'),
    ConnectionSuccess = countif(ActionType == 'ConnectionSuccess')
    by DeviceName
| extend PercentFailed = 
    round((todouble(ConnectionFailed) / TotalActions * 100), 2)
| sort by ConnectionFailed

#5 Visualization

This KQL 👇 is used to analyze device network events, specifically focusing on connection actions, and then visualize the results using a bar chart.

DeviceNetworkEvents
| summarize 
    ConnectionFailed = countif(ActionType == 'ConnectionFailed'),
    ConnectionSuccess = countif(ActionType == 'ConnectionSuccess')
    by DeviceName
| sort by ConnectionFailed
| render barchart 

WHEN TO USE IT:

• to calculate aggregate values such as counts, sums, averages, minimums, or maximums across different columns.
• to group data by specific columns and perform calculations on each group.
• to reorganize data by converting rows into columns to highlight key patterns and relationships.
• to filter and sort aggregated data to focus on specific insights.
• to optimize query performance by reducing the amount of data processed.

THINGS TO KEEP IN MIND

• the summarize operator supports various aggregation functions such as count(), sum(), avg(), min(), max(), arg_min(), arg_max(), make_list(), and make_set(). Choose the appropriate function based on the type of analysis you need.

References:

summarize operator - Kusto

Learn how to use the summarize operator to produce a table that summarizes the content of the input table.

shsagirMicrosoft Learn

Tutorial: Use aggregation functions in Kusto Query Language - Kusto

This tutorial describes how to use aggregation functions in the Kusto Query Language.

shsagirMicrosoft Learn

DeviceNetworkEvents table in the advanced hunting schema - Microsoft Defender XDR

Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema

schmurkyMicrosoft LearnCalifornia Consumer Privacy Act (CCPA) Opt-Out IconCalifornia Consumer Privacy Act (CCPA) Opt-Out Icon

https://sandyzeng.gitbook.io/kql/kql-quick-guide/need-to-practice-more/summarize

KQL - Basics for SOC - Analysts #3 - Where

❕This article has not been completed yet. However, it may already contain helpful Information and therefore it has been published at this stage KQL OPERATOR: WHERE [https://learn.microsoft.com/en-us/kusto/query/where-operator] Description: The where [https://learn.microsoft.com/en-us/kusto/query/where-operator…

Thomas BründlIT - Solutions - Blog

Aggregation Functions - Kusto

Learn how to use aggregation functions to perform calculations on a set of values and return a single value.

shsagirMicrosoft Learn

‌❕This article has not been completed yet. However, it may already contain   helpful Information and therefore it has been published at this stage

Introduction:

The Kusto Query Language, or KQL for short, is a powerful query language. It is a domain-driven language (see Domain-Driven Design (DDD): A Summary)  specifically designed for querying data and information. As mentioned, it is used to explore and analyse data. It doesn't matter if the data is structured, semi-structured or unstructured. The goal is to identify patterns, detect anomalies and recognise outliers in data series. The goal behind KQL was to develop a language that is easy to understand, read and write, and that allows users to query and interact with data effortlessly.

Fields of application:

KQL involves data analysis and aggregation. How can data be related to each other, evaluated, and relationships made visible? Topics such as geodata analysis and vector similarity search, which are particularly important in AI and machine learning, play a role. Time series operators and functions are also included. This means that if data is received over a period of time, whether it's IoT data or telemetry data, it should be analysed over time to identify differences between different time units. It's all about data exploration. Data from different sources should be explored, analysed and hopefully meaningful insights derived.

Microsoft context for KQL:

Microsoft is using KQL in several environments. Its primary use is in Azure Data Explorer, originally codenamed Kusto after Jacques Cousteau, with the goal of finding data truth in the sea of data. Azure Data Explorer (see What is Azure Data Explorer?) evolved from Kusto, but the Kusto query language remains. KQL is still used today in Azure Data Explorer. It is also used in Azure Monitor, specifically in Azure Log Analytics (see Log Analytics workspace overview) for log analysis of monitoring data in Microsoft Azure. In addition, KQL is used in Azure Resource Graph (see Overview of Azure Resource Graph ), which provides a complete index of Azure resources in the Azure environment. KQL is also used in security environments such as Microsoft Defender Suite (What is Microsoft Defender XDR? ) and Microsoft Sentinel (What is Microsoft Sentinel?), to query security alerts. Therefore, it is imperative for SOC analysts to understand and learn KQL.

Fundamentals of the syntax of KQL:

Let's take a closer look at the basic syntax of KQL. The first time you use KQL, you need to write a Kusto query. A Kusto query is a read-only request for data processing, meaning that it queries a dataset without modifying it. Any changes to the data are made beforehand, during data logging, telemetry or IoT data input. With KQL, data is queried and processed, allowing manipulation, calculations and other necessary operations, but never changing the data source, such as a database. The goal is to present the results in the form of a table, graph, dashboard or similar output. Similar to PowerShell, Kusto Queries uses a data flow model known as a pipe, where the output of one command serves as the input for the next. This is how Kusto Queries work. It should also be noted that KQL is case sensitive. Upper and lower case must always be respected.

Let's take a closer look at this using an example query (leveraging the DeviceNetworkEvents Table):

This KQL query 👇 is used to analyze device network events related to Microsoft OneDrive. It filters the events to include only those where the initiating process's product name is "Microsoft OneDrive." Then, it summarizes the data by counting the occurrences of each action type, resulting in a count of different action types associated with Microsoft OneDrive network events.

DeviceNetworkEvents
| where InitiatingProcessVersionInfoProductName == "Microsoft OneDrive"
| summarize ActionTypeCount = count() by ActionType

Let's break down the query and look at it step by step.

1. Table referencing

//1
DeviceNetworkEvents 
// Reference to a particular table (DeviceNetworkEvents table | created by MDE (Microsoft Defender for Endpoint))

2. Filtering

//2
| where InitiatingProcessVersionInfoProductName == "Microsoft OneDrive" 
// In this step, the entire table dataset of the last 24 hours is passed from the DeviceNetworkEvents table via a pipe '|', then a filter is set up with 'where', which specifies that we are only interested in values from the column 'InitiatingProcessVersionInfoProductName' with the value 'Microsoft OneDrive'.

3. Aggregation

//3
| summarize ActionTypeCount = count() by ActionType
// In the final step, the now filtered data is passed on again to a pipe '|' and aggregated. This is done by summarising and counting the data in individual action types.

It has been demonstrated that the pipeline notation, symbolised by the vertical bar "|", is used, so that the output of the first operator, e.g. DeviceNetworkEvents, is the input of the next operator, where InitiatingProcessVersionInfoProductName == 'Microsoft OneDrive'.Without this pipe and without passing on the data, this entire command would not work. And because the whole thing is nicely filled with comments, we have also seen that we can add comments to our KQL queries using the double slash.

Syntax rules (see KQL quick reference):

• Block - a string that has to be entered like this
• italics - parameter that has to be transferred for use
• [] - optional values
• () - at least one value required
• | (pipe) - when used within [] or () as logical OR, otherwise KQL query pipe
• [,....] - previous parameter can be repeated comma-separated
• ; - query terminator

Example leveraging the Search Operator:

[TabularSource |] search [kind=CaseSensitivity] [in (TableSources)] SearchPredicate

Example leveraging the Where Operator:

T | where Predicate

For more see KQL quick reference.

References:

• Domain-Driven Design (DDD): A Summary – Software Engineering: A Modern Approach
• What is Azure Data Explorer? - Azure Data Explorer | Microsoft Learn
• Log Analytics workspace overview - Azure Monitor | Microsoft Learn
• Overview of Azure Resource Graph - Azure Resource Graph | Microsoft Learn
• What is Microsoft Defender XDR? - Microsoft Defender XDR | Microsoft Learn
• What is Microsoft Sentinel? | Microsoft Learn

DeviceNetworkEvents table in the advanced hunting schema - Microsoft Defender XDR

Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema

schmurkyMicrosoft LearnCalifornia Consumer Privacy Act (CCPA) Opt-Out IconCalifornia Consumer Privacy Act (CCPA) Opt-Out Icon

KQL quick reference - Kusto

A list of useful KQL functions and their definitions with syntax examples.

shsagirMicrosoft Learn

KQL - Basics for SOC - Analysts #2 - Search

‌❕This article has not been completed yet. However, it may already contain helpful Information and therefore it has been published at this stage KQL OPERATOR: SEARCH [https://learn.microsoft.com/en-us/kusto/query/search-operator] Description: The search [https://learn.microsoft.com/en-us/kusto/query/search-operator…

Thomas BründlIT - Solutions - Blog

KQL - Basics for SOC - Analysts #3 - Where

❕This article has not been completed yet. However, it may already contain helpful Information and therefore it has been published at this stage KQL OPERATOR: WHERE [https://learn.microsoft.com/en-us/kusto/query/where-operator] Description: The where [https://learn.microsoft.com/en-us/kusto/query/where-operator…

Thomas BründlIT - Solutions - Blog

‌❕This article has not been completed yet. However, it may already contain   helpful Information and therefore it has been published at this stage

Friendly name (for server): Alienvault-Demo
API root URL: https://otx.alienvault.com/taxii/root
Collection ID: user_AlienVault
Username: -
Password: -

Microsoft Defender Threat Intelligence | Microsoft Security

Microsoft Defender Threat Intelligence is a dynamic threat intelligence solution that helps protect your organization from modern cyberthreats and exposure.

Microsoft SecurityYour Privacy Choices Opt-Out Icon

Threat Intelligence - Pulsedive

Pulsedive is a free threat intelligence platform. Search, scan, and enrich IPs, URLs, domains and other IOCs from OSINT feeds or submit your own.

PulsedivePulsedive logo

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today’s emerging threats.

LevelBlue Open Threat Exchange

❕This article has not been completed yet. However, it may already contain   helpful Information and therefore it has been published at this stage

KQL OPERATOR: DISTINCT

Description:

The distinct operator in Kusto Query Language (KQL) is used to extract unique values from one or more columns. For a security analyst working with Microsoft Defender for Endpoint (MDE), this operator allows the identification of unique patterns or indicators in the data.

Syntax:

T | distinct ColumnName[,ColumnName2, ...]

Use-Cases (leveraging the DeviceNetworkEvents Table):

#1 Basic usage:

This command 👇 returns all unique RemoteIP addresses from the DeviceNetworkEvents table.

DeviceNetworkEvents 
| distinct RemoteIP

#2  Combination of columns:

This 👇 provides the analyst with a list of all unique combinations of RemoteIP and ActionType.

DeviceNetworkEvents 
| distinct RemoteIP, ActionType

WHEN TO USE IT:

• to identify unique patterns or indicators in the data.
• to eliminate redundancies in the data and simplify the analysis.

THINGS TO KEEP IN MIND

• When using the distinct operator on multiple columns, a combination of the values in these columns is considered as unique.

References:

distinct operator - Kusto

Learn how to use the distinct operator to create a table with the distinct combination of the columns of the input table.

shsagirMicrosoft LearnCalifornia Consumer Privacy Act (CCPA) Opt-Out IconCalifornia Consumer Privacy Act (CCPA) Opt-Out Icon

DeviceNetworkEvents table in the advanced hunting schema - Microsoft Defender XDR

Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema

schmurkyMicrosoft LearnCalifornia Consumer Privacy Act (CCPA) Opt-Out IconCalifornia Consumer Privacy Act (CCPA) Opt-Out Icon

❕This article has not been completed yet. However, it may already contain   helpful Information and therefore it has been published at this stage

KQL OPERATOR: WHERE

Description:

The where operator in Kusto Query Language (KQL) is used to filter data based on specific criteria. For a security analyst working with Microsoft Defender for Endpoint (MDE), this operator is essential for identifying and analysing specific events or patterns in the data.

Syntax

T | where Predicate

Use-Cases (leveraging the DeviceNetworkEvents Table):

#1 Basic usage:

This command 👇 filters all network events where the remote IP is "192.168.50.1"

DeviceNetworkEvents | where RemoteIP == '192.168.50.1'

#2 Search for specific action types:

With this 👇, the analyst receives all network events where the action was 'HttpConnectionInspected'.

 DeviceNetworkEvents 
| where ActionType == "HttpConnectionInspected"

WHEN TO USE IT:

• to identify and analyse specific events or patterns
• in combination with other operators to create complex queries.

THINGS TO KEEP IN MIND:

The whereoperator can affect performance, especially with large amounts of data. It is advisable to make the query as specific as possible.

References:

Use the where operator - Training | Microsoft Learn

Use the where operator

wwlpublishMicrosoft LearnCalifornia Consumer Privacy Act (CCPA) Opt-Out Icon

where operator - Kusto

Learn how to use the where operator to filter a table to the subset of rows that satisfy a predicate.

shsagirMicrosoft LearnCalifornia Consumer Privacy Act (CCPA) Opt-Out IconCalifornia Consumer Privacy Act (CCPA) Opt-Out Icon

DeviceNetworkEvents table in the advanced hunting schema - Microsoft Defender XDR

Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema

schmurkyMicrosoft LearnCalifornia Consumer Privacy Act (CCPA) Opt-Out IconCalifornia Consumer Privacy Act (CCPA) Opt-Out Icon

‌❕This article has not been completed yet. However, it may already contain   helpful Information and therefore it has been published at this stage

KQL OPERATOR: SEARCH

Description:

The search operator in Kusto Query Language (KQL) allows you to search for a specific text or value across the entire database or within specific tables. For a security analyst working with Microsoft Defender for Endpoint (MDE), this operator is particularly useful for quickly finding relevant information about a specific indicator or threat.

Syntax

[T |] search [kind= CaseSensitivity ] [in (TableSources)] SearchPredicate

Use-Cases (leveraging the DeviceNetworkEvents Table):

#1 Basic usage:

This command 👇 searches for the value "192.168.1.1" in all tables and returns all related events.

search "192.168.1.1"

#2 Search for specific action types:

With this 👇, the analyst receives all network events where the action was 'HttpConnectionInspected'.

 DeviceNetworkEvents 
| search "HttpConnectionInspected"
| take 5

✏️ Note: If you want to learn more about the take operator, follow this link to a previously created blog post.

WHEN TO USE IT:

• to quickly find relevant information about a specific indicator or threat.
• in combination with other operators, to define specific search criteria.

THINGS TO KEEP IN MIND

• The search operator scans the entire database or table, which can lead to performance issues with large amounts of data.
• It is important to narrow down the search scope as much as possible to increase efficiency.

References:

search operator - Kusto

Learn how to use the search operator to search for a text pattern in multiple tables and columns.

shsagirMicrosoft LearnCalifornia Consumer Privacy Act (CCPA) Opt-Out IconCalifornia Consumer Privacy Act (CCPA) Opt-Out Icon

DeviceNetworkEvents table in the advanced hunting schema - Microsoft Defender XDR

Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema

schmurkyMicrosoft LearnCalifornia Consumer Privacy Act (CCPA) Opt-Out IconCalifornia Consumer Privacy Act (CCPA) Opt-Out Icon

KQL - Basics for SOC - Analysts #1

‌❕This article has not been completed yet. However, it may already contain helpful Information and therefore it has been published at this stage KQL OPERATOR: TAKE [https://learn.microsoft.com/en-us/kusto/query/take-operator] Description: The take operator in Kusto Query Language (KQL) is used t…

Thomas BründlIT - Solutions - Blog

Use the search operator - Training | Microsoft Learn

Use the search operator

wwlpublishMicrosoft LearnCalifornia Consumer Privacy Act (CCPA) Opt-Out Icon

‌❕This article has not been completed yet. However, it may already contain   helpful Information and therefore it has been published at this stage

KQL OPERATOR: TAKE

Description:

The take operator in Kusto Query Language (KQL) is used to extract a specific number of rows from a dataset.

For a security analyst working with Microsoft Defender for Endpoint (MDE), this operator is particularly useful for quickly previewing suspicious or relevant network events.

Syntax

take NumberOfRows

Use-Cases (leveraging the DeviceNetworkEvents Table):

#1 Basic usage:

This command 👇 displays the first 5 network events from the
DeviceNetworkEvents table. This gives the analyst a quick overview
overview of the latest network activities.

DeviceNetworkEvents 
| sort by Timestamp 
| take 5

#2 Search for specific action types:

This 👇 gives the analyst the first 5 network events for which the action was
was 'HttpConnectionInspected'. This can be useful to quickly analyse
the latest web activities.

DeviceNetworkEvents 
| sort by Timestamp
| where ActionType == 'HttpConnectionInspected'
| take 5

#3 Combined with IP filter:

With this 👇 query, the Analyst can display the first 5 network events that
occurred from or to a specific IP address (in this case 192.168.1.1).
have taken place.

DeviceNetworkEvents
| sort by Timestamp 
| where RemoteIP == '23.202.169.49' 
| take 5

WHEN TO USE IT:

• to get a quick preview of the latest or most relevant network events.
• in combination with filters to identify a limited number of relevant events.

THINGS TO KEEP IN MIND

• The take operator returns the rows in the order in which they appear in the data set. If a specific order is required, you should use the sort operator first.
• When using take in combination with other operators the order is important. The take operator should always be placed after the filter and sort operators.

References:

top operator - Kusto

Learn how to use the top operator to return the first specified number of records sorted by the specified column.

shsagirMicrosoft LearnCalifornia Consumer Privacy Act (CCPA) Opt-Out IconCalifornia Consumer Privacy Act (CCPA) Opt-Out Icon

DeviceNetworkEvents table in the advanced hunting schema - Microsoft Defender XDR

Learn about network connection events you can query from the DeviceNetworkEvents table of the advanced hunting schema

schmurkyMicrosoft LearnCalifornia Consumer Privacy Act (CCPA) Opt-Out IconCalifornia Consumer Privacy Act (CCPA) Opt-Out Icon

This article has not been completed yet. However, it may already contain helpful Information and therefore it has been published at this stage.

Setting up the environment:

Return to the Dataexplorer and the Cluster, you created in the onboarding challange:

https://dataexplorer.azure.com/home

Script to be executed:

.execute database script <|
// Create the table with the traffic information.
// The data loading process estimated to take ~3-4min to complete (114M+ rows of data).
// Notes: VIN - is Vehicle ID 
.create-merge table Traffic (Timestamp:datetime, VIN:string, Ave:int, Street:int)
.ingest async into table Traffic (@'https://kustodetectiveagency.blob.core.windows.net/digitown-traffic/log_00000.csv.gz')
.ingest async into table Traffic (@'https://kustodetectiveagency.blob.core.windows.net/digitown-traffic/log_00001.csv.gz')
.ingest async into table Traffic (@'https://kustodetectiveagency.blob.core.windows.net/digitown-traffic/log_00002.csv.gz')

The Challenge:

.execute database script <|
//Create table for the data
.create-merge table PrimeNumbers(Number:long)
//Import data
.ingest into table PrimeNumbers ('https://kustodetectiveagency.blob.core.windows.net/prime-numbers/prime-numbers.csv.gz')

let check_special_primes = (PrimeNumbers
| sort by Number asc
| extend previous_number = prev(Number)
| extend check_special_prime = toint(Number)+toint(previous_number)+1
| where check_special_prime < 100000000 and check_special_prime > 99000000);
PrimeNumbers
| where Number < 100000000 and Number > 99000000
| join kind=inner (check_special_primes) on $left.Number == $right.check_special_prime
| project special_prime_highest = Number
| order by special_prime_highest desc 
| take 1

aka.ms/99999517

.execute database script <|
// The data below is from https://data.cityofnewyork.us/Environment/2015-Street-Tree-Census-Tree-Data/uvpi-gqnh 
// The size of the tree can be derived using 'tree_dbh' (tree diameter) column.
.create-merge table nyc_trees 
       (tree_id:int, block_id:int, created_at:datetime, tree_dbh:int, stump_diam:int, 
curb_loc:string, status:string, health:string, spc_latin:string, spc_common:string, steward:string,
guards:string, sidewalk:string, user_type:string, problems:string, root_stone:string, root_grate:string,
root_other:string, trunk_wire:string, trnk_light:string, trnk_other:string, brch_light:string, brch_shoe:string,
brch_other:string, address:string, postcode:int, zip_city:string, community_board:int, borocode:int, borough:string,
cncldist:int, st_assem:int, st_senate:int, nta:string, nta_name:string, boro_ct:string, ['state']:string,
latitude:real, longitude:real, x_sp:real, y_sp:real, council_district:int, census_tract:int, ['bin']:int, bbl:long)
with (docstring = "2015 NYC Tree Census")
.ingest async into table nyc_trees ('https://kustodetectiveagency.blob.core.windows.net/el-puente/1.csv.gz')
.ingest async into table nyc_trees ('https://kustodetectiveagency.blob.core.windows.net/el-puente/2.csv.gz')
.ingest async into table nyc_trees ('https://kustodetectiveagency.blob.core.windows.net/el-puente/3.csv.gz')
// Get a virtual tour link with Latitude/Longitude coordinates
.create-or-alter function with (docstring = "Virtual tour starts here", skipvalidation = "true") VirtualTourLink(lat:real, lon:real) { 
	print Link=strcat('https://www.google.com/maps/@', lat, ',', lon, ',4a,75y,32.0h,79.0t/data=!3m7!1e1!3m5!1s-1P!2e0!5s20191101T000000!7i16384!8i8192')
}
// Decrypt message helper function. Usage: print Message=Decrypt(message, key)
.create-or-alter function with 
  (docstring = "Use this function to decrypt messages")
  Decrypt(_message:string, _key:string) { 
    let S = (_key:string) {let r = array_concat(range(48, 57, 1), range(65, 92, 1), range(97, 122, 1)); 
    toscalar(print l=r, key=to_utf8(hash_sha256(_key)) | mv-expand l to typeof(int), key to typeof(int) | order by key asc | summarize make_string(make_list(l)))};
    let cypher1 = S(tolower(_key)); let cypher2 = S(toupper(_key)); coalesce(base64_decode_tostring(translate(cypher1, cypher2, _message)), "Failure: wrong key")
}

nyc_trees
| where spc_common == "American linden"
| extend h3cell = geo_point_to_h3cell(longitude,latitude,10)
| where h3cell == "8a2a100dec9ffff"
| sort by tree_dbh asc
| project tree_id, tree_dbh, latitude,longitude

print Message=Decrypt(@"20INznpGzmkmK2NlZ0JILtO4OoYhOoYUB0OrOoTl5mJ3KgXrB0[8LTSSXUYhzUY8vmkyKUYevUYrDgYNK07yaf7soC3kKgMlOtHkLt[kZEclBtkyOoYwvtJGK2YevUY[v65iLtkeLEOhvtNlBtpizoY[v65yLdOkLEOhvtNlDn5lB07lOtJIDmllzmJ4vf7soCpiLdYIK0[eK27soleqO6keDpYp2CeH5d\F\fN6aQT6aQL[aQcUaQc[aQ57aQ5[aQDG", "ASHES to ASHES")

References:

Kusto Detective Agency Case 4

El Puente - Ready to play? Hello. I have been watching you, and I am pretty impressed with your abilities of hacking and cracking little crimes. Want to play big? Here is a prime puzzle for you. Find what it means and prove yourself worthy. 20INznpGzmkmK2NlZ0JILtO4OoYhOoYUB0OrOoTl5mJ3KgXrB0[8LTS…

Yingting HuangUnofficial Azure Club

Kusto Detective Agency — Ready to Play (Part 4 of 5)

While browsing twitter, I came across Kusto Detective Agency — a gamified way of learning Kusto Query Language (KQL). There are a set of five challenges that participants are required to solve using…

Soumyadeep BasuMedium

This article has not been completed yet. However, it may already contain helpful Information and therefore it has been published at this stage.

Setting up the environment:

Return to the Dataexplorer and the Cluster, you created in the onboarding challange:

https://dataexplorer.azure.com/home

Script to be executed:

.execute database script <|
// Create the table with the traffic information.
// The data loading process estimated to take ~3-4min to complete (114M+ rows of data).
// Notes: VIN - is Vehicle ID 
.create-merge table Traffic (Timestamp:datetime, VIN:string, Ave:int, Street:int)
.ingest async into table Traffic (@'https://kustodetectiveagency.blob.core.windows.net/digitown-traffic/log_00000.csv.gz')
.ingest async into table Traffic (@'https://kustodetectiveagency.blob.core.windows.net/digitown-traffic/log_00001.csv.gz')
.ingest async into table Traffic (@'https://kustodetectiveagency.blob.core.windows.net/digitown-traffic/log_00002.csv.gz')

The Challenge:

We have a situation, rookie.
As you may have heard from the news, there was a bank robbery earlier today.
In short: the good old downtown bank located at 157th Ave / 148th Street has been robbed.
The police were too late to arrive and missed the gang, and now they have turned to us to help locating the gang.
No doubt the service we provided to the mayor Mrs. Gaia Budskott in past - helped landing this case on our table now.

Here is a precise order of events:

08:17AM: A gang of three armed men enter a bank located at 157th Ave / 148th Street and start collecting the money from the clerks.
08:31AM: After collecting a decent loot (est. 1,000,000$ in cash), they pack up and get out.
08:40AM: Police arrives at the crime scene, just to find out that it is too late, and the gang is not near the bank. The city is sealed - all vehicles are checked, robbers can't escape. Witnesses tell about a group of three men splitting into three different cars and driving away.
11:10AM: After 2.5 hours of unsuccessful attempts to look around, the police decide to turn to us, so we can help in finding where the gang is hiding.

Police gave us a data set of cameras recordings of all vehicles and their movements from 08:00AM till 11:00AM. Find it below.

Let's cut to the chase. It's up to you to locate gang’s hiding place!
Don't let us down!

Info: Each challenge has up to three hints that can be accessed through the hints section of your Detective UI.

Query Hint:

The trick with this challenge is you need to be able to create a set of vehicles that weren’t moving during the robbery, of course the catch is that only moving vehicles have records in the traffic data. KQL commands that will be useful for this challenge are join, remember that there are different kinds of joins and arg_max

Let's get started.

First we have to analyze the data and structure.

Operator involved: take

# Step 1

# Show 10 entries of the Traffic table

Traffic | take 10

Next we have to filter for a specific street and avenue as well time range.
For this we use the where and  join (kind=leftanti) operator.

# Step 2

# This query retrieves traffic data for a specific street and avenue within a 
# specific time range (08:31:00 to 08:40:00) and excludes any data that also 
# appears in an earlier time range (08:17:00 to 08:31:00) based on the VIN 
# column.

Traffic
| where Street == 148 and Ave == 157
| where Timestamp > datetime(2022-10-16T08:31:00Z) and Timestamp < datetime(2022-10-16T08:40:00Z)
| join kind=leftanti ( Traffic | where Timestamp >= datetime(2022-10-16T08:17:00Z) and Timestamp <= datetime(2022-10-16T08:31:00Z)) on VIN

References:

https://it-infrastructure.solutions/kusto-detective-agency-part1/

‌❕This article has not been completed yet. However, it may already contain   helpful Information and therefore it has been published at this stage

Setting up an Automation Account

Necessary Permission (RBAC) adjustments

Deploying the solution

How to use the Tool:

File Path: "https://raw.githubusercontent.com/Yaniv-Shasha/Sentinel/master/Sample_Data/scenarios/Security%20Event%20log%20cleared/1102_clearlogs.json"

References:

New ingestion-SampleData-as-a-service solution, for a great Demos and simulation

Demonstrating Microsoft Sentinel features, that include security incidents, alerts, workbooks, meaningful hunting queries, Helping our internal teams,..

Yaniv ShashaTECHCOMMUNITY.MICROSOFT.COM

GitHub - Contoso-Hotels-Security-old/LogIngestion: LogIngestion and Fusion

LogIngestion and Fusion. Contribute to Contoso-Hotels-Security-old/LogIngestion development by creating an account on GitHub.

Contoso-Hotels-Security-oldGitHub

❕This article has not been completed yet. However, it may already contain   helpful Information and therefore it has been published at this stage

1. Set the default location

az configure --defaults location=westeurope

2. Create a resource group

az group create --name MyResourceGroup

3.  List resource groups

az group list --output table

4. Set the default resource group

# Defining the default resource group
az configure --defaults group="MyResourceGroup"

5. Create the Linux VM

# Creating the Azure Linux VM
az vm create --name support-web-vm01 --image Canonical:UbuntuServer:16.04-LTS:latest --size Standard_DS1_v2 --admin-username azureuser --generate-ssh-keys

6. Checking whether the SSH client is installed on the access machine

# Checking whether the necessary SSH client is installed
ssh

7. Under certain circumstances, the necessary folder structures and files are not created. Therefore, we now do this ourselves.

# Creating the ssh program path and the needed config file
New-Item -Path $HOME\.ssh\config -ItemType File -force

8. Download the private key created in step 5

• Select Manage files
• Click on Download

• Specifiy the file that needs to be downloaded ".ssh/id_rsa"
• Click on Download

• Copy the downloaded file into the right folder ("C:\Windows\Users\<username>\.ssh\")

9. To customize the SSH configuration file in the right way we need the public IP of the created VM

# Retrieving the public IP of the Linux Azure VM
az vm show \
  --name support-web-vm01 \
  --show-details \
  --query [publicIps] \
  --output tsv

10. Customizing the SSH connection configuration using Notepad

# Open config File with Notepad
C:\WINDOWS\System32\notepad.exe $HOME\.ssh\config

# For Azure Linux VM
Host <Public IP>
  User azureuser
  Port 22
  IdentityFile ~/.ssh/id_rsa
  IdentitiesOnly yes

11. Testing the access

# Accessing the Azure Linux VM via SSH
ssh azureuser@20.4.22.39

# Should the connection be established?
Are you sure you want to continue connecting (yes/no/[fingerprint])?

Result:

References:

Exercise - Add a data disk to a VM - Training

Exercise - Add a data disk to a VM

roygaraMicrosoft LearnCalifornia Consumer Privacy Act (CCPA) Opt-Out IconCalifornia Consumer Privacy Act (CCPA) Opt-Out Icon

Location of OpenSSH configuration file on Windows

How do I set the host name and port in a config file for Windows, using OpenSSH through PowerShell? As on Unix/Linux: Edit or create the file now by typing: nano ~/.ssh/config In here...

ThufirSuper User

How to manage Azure resource groups – Azure CLI

Learn how to manage Azure resource groups in the Azure CLI, a cross-platform tool to connect to Azure and execute administrative commands on Azure resources.

dbradish-microsoftMicrosoft LearnCalifornia Consumer Privacy Act (CCPA) Opt-Out IconCalifornia Consumer Privacy Act (CCPA) Opt-Out Icon

❕This article has not been completed yet. However, it may already contain   helpful Information and therefore it has been published at this stage

Yubikey Options:

Setup:

Step - 1️⃣

• Navigate to https://mysignins.microsoft.com/security-info in your computer.

Step - 2️⃣

• Click Security Info
• Click + Add sign-in method

Step - 3️⃣

• Click Choose a method and select Security key

Step - 4️⃣

• Click Add

Step - 5️⃣

• Click Next

Step - 6️⃣

• Click USB device

Step - 7️⃣

• Click Next

Step - 8️⃣

• Select Security key and click Next

Step - 9️⃣

• Click OK

Step - 🔟

• Click OK

Step -

• Assign and verify a Pin
• Click OK

Step -

• Touch your security key.

Step -

• Click OK

Step -

• Assign a Key Name
• Click OK

Step -

• Assign a Key Name
• Click OK

Result:

Test:

Step - 1️⃣

• Lock your Device (Shortkeycombination: Windows + L)
• Select Sign-in options

Step - 2️⃣

• Select the Security Key Icon

Step - 3️⃣

Enter your Security Key Pin

Step - 4️⃣

• Touch your security Key

You should be successfully logged in.

❕This article has not been completed yet. However, it may already contain   helpful Information and therefore it has been published at this stage

Prerequisite:

• Nothing

Pic 1

The castle-and-moat theory forms the basis of conventional IT network security. Castle-and-moat security makes it difficult for outsiders to access the network, but by default, everyone on the network is trusted. This strategy has the drawback that an attacker has complete control over everything on the network once they get access to it.

Zero Trust Principles:

To implement Zero Trust in your organization, Microsoft defines 3 principles to follow.

Tab 1

Pic 2

The question is how to implement these principles. Microsoft is one of the few vendors, that offer an integrated END 2 End strategy.

Pic 3

This is also known as defence in depth, because security happens on many different levels.

Let's stick with our castle and moat theory. This is not to say that there are no other security measures besides the network-related ones. In most cases, there are also other security products such as third-party antivirus solutions. However, the problem is that these products and solutions do not communicate with each other and this is where the great advantage of the Microsoft Security Suite comes into play.

Pic 4

Let's map the objects / entities worth protecting from Pic 3/4 👆.

• Identities
  Are strengthened using Entra ID (formerly Azure AD) & Microsoft Defender for Identity providing robust (onprem) authentication and authorization.
• Endpoints
  Services like Microsoft Intune (formerly Microsft Endpoint Manager) and Entra ID Join as well Microsft Defender for Endpoint manage the corporate and BYOD devices with strict compliance.
• Applications
  Azure Defender for Cloud, Azure Web Application Firewall (WAF) or Defender for  Cloud Apps protects app services by using bleeding-edge security features.
• Network
  Azure network services like Azure Firewall and Virtual Networks are ensuring traffic is secure and segmented
• Infrastructure
  Secrets and certificates can be protected with Azure Key Vault services and Microsoft Defender for Cloud offers comprehensive threat protection from day zero
• Data
  Remains top priority in transit and rest with advanced security features of dedicated Storage services including Microsoft Purview (formerly Microsoft Information Protection) by providing secure, reliable, and scalable solutions.
  
  This also maps to the cyber kill chain 👇 (see picture 5 below). There is also a mapping to the right products.

Pic 5

I hope this helps a little and gives an overview of how Microsoft is trying to implement Zero Trust with its products.

References:

https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/

What is Zero Trust?

Understand the Zero Trust security model, learn about the principles, and apply the Zero Trust architecture using Microsoft 365 and Microsoft Azure services.

mjcaparasMicrosoft LearnCalifornia Consumer Privacy Act (CCPA) Opt-Out IconCalifornia Consumer Privacy Act (CCPA) Opt-Out Icon

What services you could use to apply Zero Trust principles in your cloud environment?

We live in a rapidly evolving security landscape with new challenges every day. Even after the pandemic, our work continues to be blended with remote work where many organizations enabled the BYOD…

Mário CruzMedium