Adding MBAM/Bitlocker Logs to Azure Sentinel

by Azure Sentinel News Editor
December 30, 2020
in Incident Response

With the recent warning about a new vulnerability (CVE-2020-10713), which is being called BootHole, some customers may want to monitor the MBAM/BitLocker logs, as there is no real protection against the flaw yet. In doing so, they may also want to generate notifications through analytics, which is a perfect fit for Azure Sentinel.

However, there is a catch that deserves some guidance and a tip.

If you have worked with Log Analytics workspaces for any period of time, you know that you can add additional logs (even custom logs) to the list of sources to be ingested into the workspace.

For Azure Sentinel customers, this function can be found by navigating to Settings – Workspace Settings – Advanced Settings – Data, as shown in the next image. Inside the Data component there are a number of areas for configuring different log sources, including Windows Event Logs (which is where we are trying to locate MBAM).

Settings – Workspace Settings – Advanced Settings – Data

If you have added custom Windows Event Logs to the Azure Sentinel workspace before, you know you can simply start typing a log name in the space provided, and the logs that are “known” will display so you can choose the one you want.

However, guess what? Some logs will not show up in the “known” list, and a couple of those are related to MBAM/BitLocker (specifically, the Operational and Admin logs). That does not mean the Log Analytics workspace cannot ingest those logs, only that (for some reason) it does not know about them.

Where’s MBAM?

Even though the MBAM logs do not show up in the list, you can still add them. You just need to know what the log names actually are. To find out, open Windows Event Viewer on any Windows PC with the MBAM client installed and navigate to Applications and Services Logs – Microsoft – Windows – MBAM. Click on either the Admin or Operational log and the Log Name is displayed in the log properties.

MBAM Operational Log Name

Copy the Log Name from Event Viewer (in the example above, it is Microsoft-Windows-MBAM/Operational), paste it into the Windows Event Logs field of the Log Analytics workspace configuration for Azure Sentinel, and click the Plus (+) button to add it. Make sure to hit the Save button before navigating back to Azure Sentinel.

Adding MBAM Operational log file to be collected

After the next check-in of the Log Analytics agent installed on your systems, data from the MBAM log will start flowing in.

Yay! MBAM!

And, with this new data flowing in, it is time to start the real fun: writing queries and Analytics Rules.

Keep in mind that you can perform this same process for many logs that do not display automatically in the Log Analytics workspace list of logs. BUT be careful: data ingestion costs money, and some logs are simply not worth collecting for security purposes. Be mindful and intentional.
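The same three steps (find the exact log name, add it as a Windows Event Log data source, confirm data is arriving) can be scripted rather than clicked through the portal. The following PowerShell is an added example written for this page; it is not code from the original post or from the referenced blog. It assumes the Az.OperationalInsights module is installed and you are signed in with Connect-AzAccount, and the resource group and workspace names are placeholders for your own. It generalises the post's single-log case: the wildcard in Get-WinEvent -ListLog discovers every MBAM log on the host, and the same pattern works for any provider whose logs the portal does not list.

```powershell
# Added example, not from the original post: script the MBAM log discovery,
# data-source registration and verification described above.
# Assumptions: Az.OperationalInsights is installed, Connect-AzAccount has been run,
# and the two values below are replaced with your own (placeholders).

#Requires -Modules Az.OperationalInsights

$ResourceGroup = 'rg-sentinel'    # placeholder: your resource group
$Workspace     = 'law-sentinel'   # placeholder: your Log Analytics workspace

# Step 1: discover the exact log names on this host. This is the scripted equivalent
# of reading the "Log Name" field in Event Viewer and is not limited to MBAM.
$logNames = Get-WinEvent -ListLog 'Microsoft-Windows-MBAM/*' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty LogName
if (-not $logNames) {
    Write-Warning 'No MBAM event logs found on this host (MBAM client not installed?)'
    return
}
$logNames   # typically Microsoft-Windows-MBAM/Admin and Microsoft-Windows-MBAM/Operational

# Step 2: register each log as a Windows Event Log data source on the workspace.
# Collecting only Error and Warning keeps ingestion (and cost) down; add
# -CollectInformation if your detections also need informational events.
foreach ($log in $logNames) {
    # Data source names must be unique per workspace; derive one from the log name.
    $dsName = $log -replace '[^A-Za-z0-9]', '-'

    # Skip logs that are already being collected (idempotent re-runs).
    $existing = Get-AzOperationalInsightsDataSource -ResourceGroupName $ResourceGroup `
        -WorkspaceName $Workspace -Kind WindowsEvent -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties.EventLogName -eq $log }
    if ($existing) { "Already collected: $log"; continue }

    New-AzOperationalInsightsWindowsEventDataSource -ResourceGroupName $ResourceGroup `
        -WorkspaceName $Workspace -Name $dsName -EventLogName $log `
        -CollectErrors -CollectWarnings | Out-Null
    "Added: $log"
}

# Step 3: after the agent's next check-in, confirm events are landing in the Event table.
# The workspace's CustomerId is the Workspace ID that the query API expects.
$wsId = (Get-AzOperationalInsightsWorkspace -ResourceGroupName $ResourceGroup -Name $Workspace).CustomerId
$kql = @"
Event
| where TimeGenerated > ago(1d)
| where EventLog startswith "Microsoft-Windows-MBAM/"
| summarize Events = count(), LastSeen = max(TimeGenerated) by Computer, EventLog, EventLevelName
| order by LastSeen desc
"@
(Invoke-AzOperationalInsightsQuery -WorkspaceId $wsId -Query $kql).Results | Format-Table
```

Run steps 1 and 2 from a host that has the MBAM client (or any host whose logs you want to discover) and an account with Contributor rights on the workspace; step 3 returns nothing until the Log Analytics agent has checked in and forwarded its first events. The KQL in step 3 is also a convenient starting point for the Analytics Rules mentioned above, since it already scopes to the EventLog values you just added.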

Reference: https://azurecloudai.blog/2020/07/31/adding-mbam-bitlocker-logs-to-azure-sentinel/
