Koos Goossens

Microsoft Security MVP | Cloud & Security Consultant @ Wortell

Maurik, The Netherlands

Koos began his career as a versatile "generalist," gaining extensive experience working with small businesses to configure, migrate, and troubleshoot Windows environments, private-cloud infrastructures, and all related components, including networking, storage, and hypervisors.

Since late 2017, his focus has shifted primarily to Microsoft Azure, specializing in Azure Security and Microsoft Security products, such as Microsoft Sentinel and Defender XDR. While he excels in making architectural design decisions, he also values hands-on expertise, leveraging tools like ARM templates, PowerShell, Git, and Azure DevOps Pipelines to build and implement solutions effectively.

In recent years, Koos has concentrated on enhancing Security Operations Centers by implementing Microsoft Sentinel, developing advanced detections, integrating diverse log sources, and automating processes for enrichment and investigation. His work heavily relies on KQL and Azure Logic Apps, which have become key tools in his projects.

Passionate about sharing his knowledge, Koos documents his challenges and solutions in articles on Medium [https://aka.ms/koos] and speaks at industry events. His contributions to the community were recognized in 2023 when Microsoft awarded him the MVP title in both the categories of Cloud Security and SIEM & XDR.

#Microsoft #Security #MVP #Azure #Sentinel #Defender #DevOps #ARM #KQL #PowerShell #Logstash

Area of Expertise

  • Information & Communications Technology

Topics

  • Microsoft Azure
  • Microsoft Sentinel
  • Microsoft 365 Defender
  • ARM Templates
  • DevOps
  • PowerShell
  • Logstash
  • Infrastructure as Code

Secure Logstash connections to Microsoft Sentinel with 'Rot8r' 🤖

Logstash is a great tool for working with logs and can act as a very robust and versatile log collector for Microsoft Sentinel. But many companies struggle to optimize and secure their log ingestion flows. In this session I will explain (and demo!) everything regarding ingesting DCR-based custom logs with Logstash, as well as how to implement a fully automated and secure key rotation mechanism with my custom tool, which I've named "Rot8r".
So no more handing out workspace IDs and keys or storing passwords in plain text inside your Logstash instances! 👌🏻🔐

Unlimited Advanced Hunting for Microsoft Defender XDR with Azure Data Explorer

More and more customers ask me what the options are to extend the retention in Microsoft Defender XDR beyond the default 30 days.
Data like incidents, alerts and event timelines of devices remain available for 180 days. But in this particular case they're referring to the Advanced Hunting data being purged after 30 days. So you won't be able to use Kusto Query Language (KQL) to look for events in the "raw data". And for proactive hunting purposes, I agree with my customers: this is just too short.

In this session I'd like to demonstrate how you can leverage Azure Data Explorer (ADX) to archive data from Microsoft 365 Defender without having to make use of Microsoft Sentinel in between. Relaying this data through Sentinel is not preferred by most, due to the added costs that come along with it, which can be huge in some cases.

I will not only go through all of the design choices related to Azure Event Hubs and Azure Data Explorer, I'll also demonstrate an open-source tool I've created (ArchivR), which fully automates the deployment and helps customers set things up in a few simple steps!

Build your security data lake with Microsoft Sentinel & Data Explorer; a match made in Azure! ☁️🔐

In this session, Koos unravels the secrets of efficient and cost-effective log storage for security logs (a.k.a. Security Data Lake).

He'll explain why Microsoft Sentinel isn’t always the best destination for ALL security logs, particularly "chatty" logs like network or firewall data.

Koos will highlight the benefits of Azure Data Explorer, offering limitless storage at a fraction of the cost while retaining the power of Kusto Query Language (KQL) for seamless data exploration.

He demonstrates how to build a multi-tiered log architecture, with each tier matched to the value of the logs it holds, and shows how security analysts can retrieve logs from multiple destinations directly within the Defender XDR UI.

Koos also clarifies the differences between "parse on ingest" and "parse on query" for custom logs, outlining how each approach can enhance architecture.

Finally, he explores how Elastic Logstash simplifies log distribution across multiple sources and destinations, proving to be the Swiss Army knife of logging solutions.

The session includes several demos where Koos showcases free PowerShell tools he has developed over the years to optimize and deploy solutions at scale with ease.

Key takeaways:
- The pros and cons for each Sentinel Table tier (Analytics, Basic, Auxiliary).
- Why Azure Data Explorer (ADX) might be a perfect companion alongside Sentinel.
- How to create a multi-tiered log architecture with multiple destinations. And how security analysts can explore data from all of them (including ADX) straight from Defender XDR.

No secrets, just security; mastering Sentinel Playbooks / Logic Apps with Managed Identities 🔑

Say goodbye to secrets and maintaining key rotation mechanisms.
Join me as we explore the power of Azure Managed Identities to improve the security posture of your Logic Apps and Sentinel playbooks.
Learn practical insights about overcoming limitations and integrating Managed Identities, along with real-world examples and tips for bringing these into your Infrastructure-as-Code deployments.

Getting the most bang for your logs 🪵; Sentinel tips you can’t afford to miss! 💰

Discover how to unlock the full potential of Microsoft Sentinel without breaking the bank!
This session dives into practical tips and field-tested strategies to optimize your Sentinel setup. Learn how to start leveraging Sentinel for free, make informed architectural decisions, and keep your costs under control with smart KQL queries and custom alerts. Explore techniques to monitor performance, troubleshoot ingestion issues,
Whether you're new to Sentinel or looking to refine your setup, this session has something for everyone.

ESPC24 Sessionize Event

December 2024 Stockholm, Sweden

Experts Live Europe 2023 Sessionize Event

September 2023 Prague, Czechia

Experts Live Netherlands 2023 Sessionize Event

May 2023 's-Hertogenbosch, The Netherlands

Experts Live Netherlands 2022 Sessionize Event

September 2022 's-Hertogenbosch, The Netherlands
