Any data engineers or SIEM experts know one of the hardest components is keeping data normalized to a common schema to ensure all detections are consistent and accurate. Borrowing CI/CD for Security use case deployment is a natural fit to provide provide security detections, also known as correlation searches, to detect malicious or suspicious activity from event logs. KQL is code, code belongs in a repo. It should be tagged and versioned, just like .NET or C or Python. We will walk through: Use Cases - we first start with a Use Case to clearly outline the activity we are attempting to detect. This enumerates all the requirements from required data sources, specific fields, activity tracking, response procedures, and more. This is something usually captured and tracked in JIRA or something similar Security Detection Logic - Microsoft Kusto Query Language (KQL) is developed based on an Information Model to generate the required results to alert a SOC analyst of suspicious activity. This KQL is then checked into a code repository, where it is version controlled and merge requests are tracked. Connectors - Applying this logic here to also to parse the data according to the Information Model and apply required enrichments for the Security Detection Logic has to be thought of together to be successful. Configuration files such as HVA lists, logic apps and watchlists can also checked into the code repository, where they can also be version controlled and merge requests are tracked.
Mona Ghadiri is a Microsoft Security MVP and is a director of Product Management at BlueVoyant. Mona has 10+ years of experience concentrated in Program Management, Process Engineering, and Scrum creating cybersecurity products and Security Operations Center services meant to scale with automation and modern DevSecOps.
We seek to provide a respectful, friendly, professional experience for everyone, regardless of gender, sexual orientation, physical appearance, disability, age, race or religion. We do not tolerate any behavior that is harassing or degrading to any individual, in any form. The Code of Conduct will be enforced.
All live stream organizers using the Global Azure brand and Global Azure speakers are responsible for knowing and abiding by these standards. Each speaker who wishes to submit through our Call for Presentations needs to read and accept the Code of Conduct. We encourage every organizer and attendee to assist in creating a welcoming and safe environment. Live stream organizers are required to inform and enforce the Code of Conduct if they accept community content to their stream.
If you are being harassed, notice that someone else is being harassed, or have any other concerns, report it. Please report any concerns, suspicious or disruptive activity or behavior directly to any of the live stream organizers, or directly to the Global Azure admins at email@example.com. All reports to the Global admin team will remain confidential.
We expect local organizers to set up and enforce a Code of Conduct for all Global Azure live stream.
A good template can be found at https://confcodeofconduct.com/, including internationalized versions at https://github.com/confcodeofconduct/confcodeofconduct.com. An excellent version of a Code of Conduct, not a template, is built by the DDD Europe conference at https://dddeurope.com/2020/coc/.