I see a growing amount of chatter about “securing AI,” but that phrase is so broad that it almost loses meaning. Securing what exactly? Most of these conversations are really about large language models (LLMs). And even then, the security discussion is very different depending on whether you are talking about public LLMs, enterprise LLMs,… Read More »
I recently worked with a customer who had done the right thing from a security perspective. They followed the best practice of separating standard user accounts from privileged admin accounts. Day-to-day work was done with a normal account, and elevated tasks required a separate admin identity. What they chose not to do was record the… Read More »
I recently built an Azure Monitor workbook to help customers who are struggling to verify that all Azure virtual machines are fully onboarded to Microsoft Defender for Endpoint (MDE). Repo: AndrewBlumhardt/workbooks In theory, this should be straightforward. When Defender for Servers is enabled as part of Microsoft Defender for Cloud, Azure VMs are automatically onboarded… Read More »
Vibe coding is an informal term used to describe a style of development where a large language model writes most of the code interactively. Instead of starting with detailed designs or carefully planned implementations, you describe intent. You explain what you want to build, how it should behave, or what needs to change, and the… Read More »
I recently ran into confusion around Azure Logic Apps that came from viewing them through a Power Automate lens. On the surface the two platforms look nearly identical. They share connectors, workflows, and even the same HTTP action. But applying Power Automate’s security assumptions to Logic Apps leads to incorrect conclusions about risk, governance, and… Read More »
I recently responded to a customer who had questions about device compliance policies and how they interact with Conditional Access. While researching my response, I was reminded how often Microsoft Intune is overlooked as a security solution, even though it now sits at the center of Microsoft’s cloud security and zero trust strategy. That disconnect… Read More »
Traditional SIEMs follow a predictable model: collect logs from many sources, ingest them into a central store, normalize them into a readable schema, index them, and then use queries, dashboards, and alerts to investigate and respond. This design exists because data is scattered, inconsistent, and hard to retrieve. Centralization solves those problems but introduces challenges… Read More »
During a recent Security Copilot demo, a customer asked an excellent question: “Can these agents run PowerShell?” The short answer is not directly. Security Copilot does not execute arbitrary PowerShell commands like a runbook or automation platform would. However, it appears technically feasible to accomplish similar outcomes by triggering automation through existing Microsoft services. It… Read More »
KQL is easy to learn, efficient, readable, and perfect for daily hunting and incident response. It powers queries across Microsoft Sentinel, Azure Monitor Logs, and the Advanced Hunting experience in Microsoft XDR. Every time you open the Logs blade or run a query in the portal, you are using KQL to explore the Analytics Tier.… Read More »
Another Unforgettable Black Hat & DEF CON Week I landed in Las Vegas and checked into Circus Circus, a no-frills spot but close enough to DEF CON to make the walk easy. It felt like the right basecamp for a packed week. My 4th hacker summer camp! Tuesday was about arrivals, badges, and parties. I… Read More »
If you’re looking to learn Microsoft Sentinel hands-on or showcase its capabilities, spinning up a demo lab is easier than you might think. Microsoft offers a 31-day free trial with up to 10TB per day, perfect for testing scenarios without incurring charges. With a few quick steps, you can deploy a fully functional Sentinel lab… Read More »
Introduction Microsoft released Security Copilot worldwide on April 1, 2024. This service provides a natural language, generative AI assistant for Security Operation Center (SOC) analysts. Security Copilot is a generative AI-powered chat assistant add-on designed for various Microsoft Security tools. It enables security analysts to converse with an AI assistant, share conversations, and use generative… Read More »
A simplified approach to following the DOD (U.S. Department of Defense) Zero Trust roadmap using Microsoft security solutions. Introduction The DoD Zero Trust Portfolio Management Office (ZT PfMO) released the Department of Defense Zero Trust Strategy and Roadmap on Nov 22, 2022. It defined what the DOD needs to do to execute Zero Trust. A… Read More »
Are your Entra ID (AAD) logs getting too expensive in Sentinel? I have a theory on this. These logs appear to be created primarily for reporting purposes. Optimal sizing may not have been a primary consideration. In my experience these logs can grow rapidly and may become too expensive to retain in Sentinel. The two… Read More »
It is often necessary to setup alert or ticket integration between two monitoring solutions. For example, sending alerts from one system to an ITSM or SIEM. I will refer to the data being transferred as alerts here for simplicity. Where do you start? First determine your requirements: Look for out of the box and community… Read More »