Microsoft Bolstering Sentinel with Workspace Manager and Hunts Previews

Microsoft this week announced some Microsoft Sentinel enhancements that are either available as a public preview release or will be coming soon.

Microsoft is previewing a "Workspace Manager" multitenant capability, and will be previewing a new "Hunts" process for finding threats. Also to come will be "out-of-the-box" (OOTB) content consolidation for Sentinel, which is Microsoft's security information and event management (SIEM) solution.

Workspace Manager Preview Currently Available
Currently available in public preview for Sentinel is a Workspace Manager capability. Workspace Manager is designed for multitenant customer management scenarios involving distributed workloads. It's intended for use by "managed security service providers" or providers of "managed detection and response" services.

Those service providers might use Workspace Manager in Sentinel to set up workspaces "based on business groups, verticals, geography, etc.," the announcement explained. A Workspace Manager capability is already enabled at the public preview level for SAP applications, where it is used to limit data sharing.

"Security teams can permission SAP teams to access security data strictly for those applications, allowing for deeper collaboration across teams while minimizing what data is shared," the announcement explained regarding Workspace Manager for SAP.

Hunts Preview Coming in May
Microsoft is planning to release a public preview of a Hunts threat-hunting process in Sentinel sometime in May. Hunts is for security analysts, allowing them to generate "security-researcher-generated hunting queries, custom hunting queries, or bookmarks" for their investigations, based on a "hypothesis."

If threats are found, then it is possible for security analysts to "act on results by creating new analytic rules, new incidents, new threat indicators, and running playbooks," the announcement explained. Microsoft described the coming Hunts feature as "providing a first step towards an end-to-end hunting experience within Microsoft Sentinel by allowing customers to keep track of new, active, and closed hunts in one place."

Out-of-the-Box Content Consolidation in June
Microsoft Sentinel has so-called out-of-the-box capabilities, which Microsoft defined as a means "to easily discover and manage packaged solutions for end-to-end security operations center (SOC) scenarios based on products, domains, or industry." However, some of these out-of-the-box capabilities are housed in feature galleries, instead of the Microsoft Sentinel content hub.

Microsoft expects to remedy that situation and consolidate these capabilities in the content hub by June. Here's that description:

By June 2023 we plan to complete OOTB centralization in content hub by retiring the existing OOTB content in Microsoft Sentinel feature galleries. For more details see OOTB content centralization blog and product documentation to help you plan for these changes.

Microsoft touted content hub as offering an easier way "to discover, deploy and manage content by organizing solutions into packages that include analytics rules, data connectors, hunting queries, parsers, playbooks, workbooks or watchlists."

Some of the out-of-the-box capabilities use the Advanced Security Information Model (ASIM) for normalizing data at query time. Microsoft refers to these capabilities as "Microsoft Essential Solutions."

This week Microsoft announced a public preview of a new "DNS Essentials Solution." It's the second Microsoft Essential Solutions capability, following a "Network Session Essentials Solution" public preview release. DNS Essentials Solution is "specific to DNS security scenarios." It has support for "Windows Server DNS, Cisco Firewall, GCP DNS, Zscaler Internet access (ZIA) and more."

Microsoft claimed that DNS Essentials Solution content can "work with multiple DNS products deployed in your organization." It's able to do that because these different products "have a common basic set of DNS alerts," Microsoft explained.
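The hypothesis-driven Hunts process and the ASIM normalization behind the DNS Essentials Solution come together in a single hunting query. The following KQL is an added illustration, not code from the article or from Microsoft's solution content. It assumes the ASIM DNS unifying parser _Im_Dns is deployed in the workspace (its starttime/endtime parameters and the DnsQuery, DnsResponseCodeName, SrcIpAddr, EventVendor and EventProduct schema fields are assumed from the ASIM DNS schema) and that at least one DNS source feeds it; the threshold value is a constructed starting point to be baselined per environment.

```kql
// Added example: a hypothesis-driven hunt over ASIM-normalized DNS events.
// Hypothesis: a host that resolves an unusually large number of distinct names
// which all come back NXDOMAIN may be running domain-generation malware or
// probing for sinkholed infrastructure.
// Assumptions: the _Im_Dns parser exists in this workspace; field names follow
// the ASIM DNS schema; 'threshold' is a constructed tuning value.
let lookback = 1d;
let threshold = 200;
_Im_Dns(starttime=ago(lookback), endtime=now())
// The parser has already mapped each vendor's raw fields (Windows DNS, Zscaler,
// GCP DNS, ...) onto the common schema, so one filter serves every source.
| where DnsResponseCodeName == "NXDOMAIN"
| summarize
    DistinctFailedNames = dcount(DnsQuery),       // breadth of failed lookups
    SampleNames = make_set(DnsQuery, 5),          // a few names for triage
    Sources = make_set(strcat(EventVendor, "/", EventProduct))
    by SrcIpAddr, bin(TimeGenerated, 1h)
| where DistinctFailedNames > threshold
| order by DistinctFailedNames desc
```

Once a hunt confirms the hypothesis, the same query can be saved as an analytics rule so that future matches raise incidents automatically, which is the "act on results" step the announcement describes; because the query runs against the normalized schema rather than a vendor-specific table, the rule keeps working when a new DNS product is onboarded.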

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
