Lots of updates for sentinel squeezed in before the end of the year:
New overview dashboard. Microsoft has elected to drop detection statistics in favour of performance/maintenance information, which is a welcome change for me, but I've had clients ask for the old info, so you will probably want to build a workbook to replace it.
Incident Tasks. A new case management feature that lets you add investigation steps that can be ticked off when complete. If you're using Sentinel for case management this is fantastic for triage consistency and audit purposes, and you can push tasks to incidents automatically.
New UEBA queries. Microsoft has released a UEBA essentials pack in the content hub and it's a must-have if you're using the engine. Lots of hunting queries.
Playbook health data now in Sentinel. Data such as when a playbook ran, why it ran and what the outcome was is now stored directly in the Log Analytics workspace your Sentinel instance sits in. Another improvement for SOAR use cases.
CommonSecurityLog table has had some much-needed love. A handful of data points typically kept under the 'AdditionalExtensions' field are now parsed out properly. Make sure to check your rules, as this may break them.
A plethora of new integration opportunities. Lots of partners have added their own connectors, so make sure to check out the list.
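The kind of breakage the CommonSecurityLog warning points at, as an added Python example (not code from the post or from Microsoft): a rule that pulls a value out of AdditionalExtensions silently stops matching once that value moves to its own column, while a rule that checks the dedicated column first and falls back to the legacy string keeps working. The key name exampleKey, the column name ExampleKeyColumn and the ';'-separated key=value storage format are assumptions here.

```python
from typing import Dict, Optional

# Assumption: unmapped CEF extensions are stored in AdditionalExtensions as
# "key=value" pairs separated by ";" (values may themselves contain "=").
def parse_additional_extensions(raw: str) -> Dict[str, str]:
    """Turn 'k1=v1;k2=v2' into a dict, splitting each pair on the first '='."""
    parsed: Dict[str, str] = {}
    for pair in raw.split(";"):
        if "=" not in pair:
            continue  # skip empty or malformed fragments
        key, value = pair.split("=", 1)
        parsed[key.strip()] = value.strip()
    return parsed

# Hypothetical CEF key and the dedicated column it is assumed to move into.
KEY = "exampleKey"
COLUMN = "ExampleKeyColumn"

def legacy_rule(row: Dict[str, Optional[str]]) -> bool:
    """Rule written before the schema change: only looks at AdditionalExtensions."""
    ext = parse_additional_extensions(row.get("AdditionalExtensions") or "")
    return ext.get(KEY) == "deny"

def resilient_rule(row: Dict[str, Optional[str]]) -> bool:
    """Prefer the dedicated column, fall back to parsing the legacy string."""
    value = row.get(COLUMN)
    if value is None:
        value = parse_additional_extensions(row.get("AdditionalExtensions") or "").get(KEY)
    return value == "deny"

# Constructed sample rows: one shaped like data ingested before the change,
# one shaped like data ingested after the value moved to its own column.
BEFORE = {"AdditionalExtensions": "srcUser=alice;exampleKey=deny", COLUMN: None}
AFTER = {"AdditionalExtensions": "srcUser=alice", COLUMN: "deny"}

def audit() -> Dict[str, Dict[str, bool]]:
    """Run both rules over both row shapes so the regression is visible."""
    return {
        name: {"legacy": legacy_rule(row), "resilient": resilient_rule(row)}
        for name, row in (("before", BEFORE), ("after", AFTER))
    }

if __name__ == "__main__":
    for name, result in audit().items():
        print(name, result)
```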
Nice little post from a fantastic team. Virtually all reports have now reported the same trends across 2022. A couple of observations I've made this year:
"Identity is the new endpoint" is the latest buzzword, and with good reason. All teams are seeing drastic increases in attacks focused on cloud identities, to the point that they now often exceed your traditional "drop a payload on a device" procedures.
Phishing has been stagnant for a while (although it is still the most prominent vector), but we are starting to see new developments through callback techniques and new frameworks.
Geolocation-based detections are slowly degrading in quality as groups ensure their traffic and activity originate from less suspicious locations. This is exacerbated by work-from-home models becoming the norm.
Of course MFA has seen a lot of abuse recently, and the industry has responded in kind by effectively redefining strong authentication as methods that mitigate human error (number matching, hardware tokens). Large vendors such as AWS and Microsoft have followed this trend with significant investment in new innovations, rather rapidly (and rightly so).
Threat actors are relying on low sophistication a lot more, as it still proves successful, offers great ROI and can actually aid in staying undetected.
https://expel.com/blog/expel-quarterly-threat-report-q3-top-5-takeaways/
The US Department of Commerce has released a red team assessment against its infrastructure. It has your typical findings:
Software and services were not maintained and could be leveraged to further the compromise.
Once a single foothold was attained, the entire network was exposed.
Despite appropriate logging, anomalous user activity was missed.
Identities were poorly configured: least privilege not implemented and weak passwords in use.
Listen to this episode from Adopting Zero Trust on Spotify. This week we chat with Chase Cunningham, Doctor Zero Trust himself, about the decade-overnight success of Zero Trust, how he got involved with the concept, and methods for navigating vendors wanting to shape the concept. For those initiated into the world of Zero Trust, you are no doubt familiar with his podcast, regular LinkedIn musings, and history as a Forrester analyst. Beyond the podcast, Chase is the CSO for Ericom Software, has a long history in threat intel, and built a significant track record while at the NSA as a chief cryptologic technician.
I'm working on some cool resources for Zero Trust Architecture and found not too many people are aware of the Zero Trust Centre from Microsoft. Obviously keep your anti-vendor hat on, but it has a lot of good content.
https://www.microsoft.com/en-gb/security/business/zero-trust