KQL is easy to learn, efficient, readable, and perfect for daily hunting and incident response. It powers queries across Microsoft Sentinel, Azure Monitor Logs, and the Advanced Hunting experience in Microsoft XDR. Every time you open the Logs blade or run a query in the portal, you are using KQL to explore the Analytics Tier.… Read More »
Another Unforgettable Black Hat & DEF CON Week I landed in Las Vegas and checked into Circus Circus, a no-frills spot but close enough to DEF CON to make the walk easy. It felt like the right basecamp for a packed week. My 4th hacker summer camp! Tuesday was about arrivals, badges, and parties. I… Read More »
If you’re looking to learn Microsoft Sentinel hands-on or showcase its capabilities, spinning up a demo lab is easier than you might think. Microsoft offers a 31-day free trial with up to 10TB per day, perfect for testing scenarios without incurring charges. With a few quick steps, you can deploy a fully functional Sentinel lab… Read More »
Introduction Microsoft released Security Copilot worldwide on April 1, 2024. This service provides a natural language, generative AI assistant for Security Operation Center (SOC) analysts. Security Copilot is a generative AI-powered chat assistant add-on designed for various Microsoft Security tools. It enables security analysts to converse with an AI assistant, share conversations, and use generative… Read More »
A simplified approach to following the DOD (U.S. Department of Defense) Zero Trust roadmap using Microsoft security solutions. Introduction The DoD Zero Trust Portfolio Management Office (ZT PfMO) released the Department of Defense Zero Trust Strategy and Roadmap on Nov 22, 2022. It defined what the DOD needs to do to execute Zero Trust. A… Read More »
Are your Entra ID (AAD) logs getting too expensive in Sentinel? I have a theory on this. These logs appear to be created primarily for reporting purposes. Optimal sizing may not have been a primary consideration. In my experience these logs can grow rapidly and may become too expensive to retain in Sentinel. The two… Read More »
It is often necessary to setup alert or ticket integration between two monitoring solutions. For example, sending alerts from one system to an ITSM or SIEM. I will refer to the data being transferred as alerts here for simplicity. Where do you start? First determine your requirements: Look for out of the box and community… Read More »