Hi Craig, first of all, thank you so much for your videos, they really help me understand a lot on the SC-200 course and exam I am currently studying for! If I understand correctly, for parsers there are (generally speaking) the following types: _Im_<schema> = Built-in UNIFYING parser Im<schema> = Built-in WORKSPACE DEPLOYED parser _Im_<schema>_<source> = Built-in SOURCE-SPECIFIC parser vim<schema> = WORKSPACE-DEPLOYED SOURCE SPECIFIC parser A corresponding set of parsers that use _ASim_<schema> and ASim<Schema> are also available. It is not completely clear to me when to use these last parsers, actually. Could you (or someone else of course) help me out please? Thank you :)

Hats off to you Craig! It was mindblowing the way you simplified the whole jargon, I feel so rich with the knowledge you shared here, I was so poor before this class

Realy nice vicdeo, can you please share this ransomware so we can test this in my environment.

Hello thank you for the concise video. Where can I find/read more on the MS AI official framework around the 6 components shown ~@4:55?

@8:18 was pretty unexpected. But it did generate a smile on my face :)

you deserve more subs and views This one was JUICY

Any danger of you showing how to technically respond to the issues using MS Sentinel?

Master i want to be your student 😂😂😂😂 before i lose it 😂😂😂😂

Promo`SM

This is awesome content. Great resource videos to share with our SOC team.

@Progod, yes this is true, which is why i recommend using free enrichment for TI, using RDAP, Virus Total, RiskIQ etc, I'm hoping this bring the cost of Defender for TI down, because alot of my customers are just objecting it because of the costs

Craig, would you mind uploading a video to integrate Qualys into MS Sentinel? Or briefly explain the processes?

Great job Craig.

Nice video, where could we find the command line on 5:45?

how can I store Subscription Value under Variable in azure workbook

Hi Craig, what if we have single tenant and multiple subscriptions.. would single sentinel workspace work?

nice video , can you please provide the video

Your videos are fantastic!! Thanks so much for sharing you have a true talent for making the complex simple, entertaining, and practical. Keep up the great work-- Cheers!!!

keep up the sentinel content!

what if i'm having a bunch of yaml files for each rule instead of a single JSON for all

That intro bro!

how do we work on phishing email incident in sentinel plz upload the video

How do you find hash values from AD joined devices? For some reason, I only see VMs like softbox but not any of the "hardbox" like actual endpoint that's joined to company intune.

Super useful content, Thank you Craig!

Your videos are really relaxing and a joy to follow. Grow your page easily = 'Promosm' .

Craig your channel is a diamond find! Thank you for all the content. Love Sentinel. Do you plan any log analytics management - strategies ?

Excellent overview, I work with both and your assessment of the setup time and operational effort is spot on. Sentinel is the superior product.

Disclaimer - I am a Splunk Account Manager so keep that in mind while reading my comments. I find this comparision to be extremely misleading. You compare Sentinel to a Splunk BYOL (bring your own license)) Cloud deployment. To put this in Microsoft terms you are comparing O365 to Exhange running in Azure. Not a fair comparison. I would recommend a redo on this video comparing Sentinel to Splunk Cloud with Mission Control which is a more comparable deployment model. This is not an apples to apples comparision, it is more like an Apples to Walnuts......

I work with both Splunk and Sentinel and would consider myself vendor agnostic (worked with LogRythm, ArcSight and Elastic Stack too). There are a few comments I would like to make. 1. I agree Sentinel is very easy to initially set up vs Splunk / Splunk Cloud. Especially Microsoft and large vendor sources (Cisco, Fortinet, etc etc) 2. In addition to an ingest licence Splunk provide a compute based licence too. I would argue this is much easier to budget for vs ingest cost (even with Committment Tiers). I've worked with plenty of organisations (Universities for example) whose throughput massively changes from month to month 3. I would say Splunk is much more mature for non-Microsoft integrations - just look at the number of TAs available on Splunkbase. With Sentinel, you may need a developer (not a typical security engineer) to develop Function Apps to ingest into Custom Tables. 4. Skills. I would argue that Splunk, having been around 20 years, with a robust training offer - skills are much more common. Sentinel is new, and there isn't yet a specific training programme for this (Splunk Ninja Training is good though!) 5. Sentinel scheduled rules can only look back 14 days. 6. Mention of ADX for archiving. Actually Sentinel now has the very good Archive Tier. Splunk very similar (DDAA and DDSS). 7. Developing integrations for sources not yet available in Splunkbase (a rare thing) is super easy using Splunk's Add-on builder. I find with Sentinel you will need to employ someone comfortable with developing Python, Poweshell etc for developing Function Apps. These have to be maintained. Growing list of course open source on GitHub, but catching up. 8. Log source monitoring. Sentinel has some work to do to catch up with Splunk's "TrackMe" app which uses ML to detect outliers, throughput etc. 9. Licence. Sentinel is kinda similar to Splunk ES in the licence model. Sentinel (Splunk ES) is charged on the ingest volume on top of the ingest +storage cost of the underlying Log Analytics Workspace (Splunk Enterprise/Cloud) 10. Learning Microsoft KQL is required, much in the same way as the need to learn Splunk SPL. I like both, and coming from an Oracle background I kind of prefer the KQL language which is more similar and query optimisation is performed transparently. That said Splunk accelerated data is much much quicker. I also like Splunk's "schema on the fly" way of doing things. 11. A Splunk Deployment Server (or supported Ansible, Puppet, Chef, SCCM, ...) isn't mandatory, but useful for configuration of a large number of agents (if only collecting API sources, not needed for example). This is similar to Sentinel's data collection rules (DCR) now available with the AMA agent. Until AMA it hasn't been easily possible to fine tune what is collected (thinking the 4 built-in filters for Windows Security Event collection).

Good one, Craig.

this is a very useful and helpful video, currently doing my MSc dissertation research on how sentinel can help mitigate ransomware attack. This video has come to the rescue; I will surely reference your work. Thank you

Please come up with "how to crack Sentinel interview?"

This was very helpful 😊

Great content! I'm using it to ignite my career transition. Don't stop hacking!

Good content. The volume was a little low. Thanks!

These videos are awesome! Far more informative/engaging than the official MS ones, thank you!

Hey Craig, really good video. For writing analytic rules in Sentinel, I was wondering if you knew of a place of reference to go to in order to check for an extensive list of names of programs, extensions, directories and other indicators to put in KQL queries for the contains, !contains, has, !has, and so on fields for different types of analytic rules we may be writing. Basically for the filtering part of any analytics rule.

Great thanks!!

Thanks for the video.. It was very informative... I just want to know if we use Azure Blob storage for data retention you said we cant use KQL queries.. but can we connect Blob storage to sentinel using data connector and run KQL on that data..? Thanks in advance..

Enjoyed this video. Hope you keep posting more stuff so i can continue sharpening my skills

I'm happy to say ADX is no longer needed for Sentinel. Long live the archive feature! kzbin.info/www/bejne/sGqrdX-Lf9yiZ6M

Hell Yeah × ∞ Is that enough Hell Yeahs? :D

Thanks 👍

8:32am, whiskey in hand, ready to get pretty damn juicy

Can you please tell the command to upload a JSON file instead of a csv. Thanks

I told my nan

Thank you for this! Excellent job!

Excellent content sir. Thanks again!

Dude, you have no idea how much you've helped me by making this video. Preciecly what I have been asked to do as a project at work. Thank you so much!

at 16.59 for the log analytics query logs table, do you mean the Activity log for the LA resource?