I am excited to announce the public release of KQL Event Viewer. This is easily the most complete and useful project I have built to date. KQL Event Viewer is a Windows Event Viewer-style experience for KQL data. Instead of starting with a query, you start with the data. Tables are organized, pre-filtered, and easy… Read More »
A practical alternative and complement to Security Copilot I wrote about Alternatives to Microsoft Security Copilot last year and why many organizations are still looking for practical ways to bring AI into their SOC. That conversation has continued to come up in customer engagements. Some teams do not have access yet. Others are constrained by… Read More »
In the last article, I introduced Azure AI Foundry as a way to stand up a private AI service for SOC use cases. The key idea is that the model itself is not the solution. The value comes from how you shape requests using system prompts and structured input. One deployment can support many different… Read More »
Over the past few months, I have shared a set of workbooks focused on closing visibility gaps across identity and endpoint security data. These were built from real-world scenarios where the signals existed, but the connections between them were not always obvious. Today I am releasing major updates to both, expanding their scope and making… Read More »
Azure Workbooks are surprisingly capable and frustrating. In many ways, they are far more powerful than they appear at first glance. The UI does not always make it obvious where things live or how features connect, so it takes some effort to learn which buttons to push and in what order. Like many things in… Read More »
I was working with a customer recently who was trying to track down changes across several subscriptions. Nothing unusual there, except we quickly realized something was missing. A number of subscriptions were not sending Azure Activity Logs to Microsoft Sentinel at all. No errors, no alerts, just silent gaps. It stood out because this is… Read More »
I recently worked with a customer who had done the right thing from a security perspective. They followed the best practice of separating standard user accounts from privileged admin accounts. Day-to-day work was done with a normal account, and elevated tasks required a separate admin identity. What they chose not to do was record the… Read More »
I recently built an Azure Monitor workbook to help customers who are struggling to verify that all Azure virtual machines are fully onboarded to Microsoft Defender for Endpoint (MDE). Repo: AndrewBlumhardt/workbooks In theory, this should be straightforward. When Defender for Servers is enabled as part of Microsoft Defender for Cloud, Azure VMs are automatically onboarded… Read More »