Azure Workbooks are surprisingly capable and frustrating. In many ways, they are far more powerful than they appear at first glance. The UI does not always make it obvious where things live or how features connect, so it takes some effort to learn which buttons to push and in what order. Like many things in… Read More: Azure Workbooks: Hidden Gems »
I was working with a customer recently who was trying to track down changes across several subscriptions. Nothing unusual there, except we quickly realized something was missing. A number of subscriptions were not sending Azure Activity Logs to Microsoft Sentinel at all. No errors, no alerts, just silent gaps. It stood out because this is… Read More: Azure Activity Logs: A Few Practical Tips »
I was introduced to the Copilot Earth project late last year, and that got me thinking about how a similar concept could be applied to security. The idea of visualizing activity at a global level, enriched and interactive, felt like something that should exist for a SOC. From there, one idea led to another. I… Read More: Adventures in Vibe Coding »
I put together a small project called Global Threat Atlas. It started out simple, and 500+ commits later it turned into something production-ready. It can be deployed today in Azure commercial subscriptions. This is built with an operations center in mind. It works well as a glanceable wallboard, but you can also interact with it… Read More: Global Threat Atlas – Public Release »
I was reminded of something recently that I have been aware of for a long time. The first time it was explained clearly to me was many years ago during a presentation on profit strategies for video game arcades. The core idea is simple. People behave differently when they feel like they are spending money.… Read More: Pricing Misdirection Improves User Adoption »
I see a growing amount of chatter about “securing AI,” but that phrase is so broad that it almost loses meaning. Securing what exactly? Most of these conversations are really about large language models (LLMs). And even then, the security discussion is very different depending on whether you are talking about public LLMs, enterprise LLMs,… Read More: Securing Public, Enterprise, & Private LLMs »
I recently worked with a customer who had done the right thing from a security perspective. They followed the best practice of separating standard user accounts from privileged admin accounts. Day-to-day work was done with a normal account, and elevated tasks required a separate admin identity. What they chose not to do was record the… Read More: Reconnecting Admin and User Accounts in Entra »
I recently built an Azure Monitor workbook to help customers who are struggling to verify that all Azure virtual machines are fully onboarded to Microsoft Defender for Endpoint (MDE). Repo: AndrewBlumhardt/workbooks In theory, this should be straightforward. When Defender for Servers is enabled as part of Microsoft Defender for Cloud, Azure VMs are automatically onboarded… Read More: Verifying MDE Protection for Azure VMs »
Vibe coding is an informal term used to describe a style of development where a large language model writes most of the code interactively. Instead of starting with detailed designs or carefully planned implementations, you describe intent. You explain what you want to build, how it should behave, or what needs to change, and the… Read More: Why Vibe Coding Needs Checkpoints »
I recently ran into confusion around Azure Logic Apps that came from viewing them through a Power Automate lens. On the surface the two platforms look nearly identical. They share connectors, workflows, and even the same HTTP action. But applying Power Automate’s security assumptions to Logic Apps leads to incorrect conclusions about risk, governance, and… Read More: Securing Power Automate vs. Azure Logic Apps »
I recently responded to a customer who had questions about device compliance policies and how they interact with Conditional Access. While researching my response, I was reminded how often Microsoft Intune is overlooked as a security solution, even though it now sits at the center of Microsoft’s cloud security and zero trust strategy. That disconnect… Read More: The Overlooked Security Role of Microsoft Intune »
Traditional SIEMs follow a predictable model: collect logs from many sources, ingest them into a central store, normalize them into a readable schema, index them, and then use queries, dashboards, and alerts to investigate and respond. This design exists because data is scattered, inconsistent, and hard to retrieve. Centralization solves those problems but introduces challenges… Read More: Could AI Replace the SIEM? »
During a recent Security Copilot demo, a customer asked an excellent question: “Can these agents run PowerShell?” The short answer is not directly. Security Copilot does not execute arbitrary PowerShell commands like a runbook or automation platform would. However, it appears technically feasible to accomplish similar outcomes by triggering automation through existing Microsoft services. It… Read More: Can Security Copilot Agents Run PowerShell? »
KQL is easy to learn, efficient, readable, and perfect for daily hunting and incident response. It powers queries across Microsoft Sentinel, Azure Monitor Logs, and the Advanced Hunting experience in Microsoft XDR. Every time you open the Logs blade or run a query in the portal, you are using KQL to explore the Analytics Tier.… Read More: Analyzing Sentinel Data with Python »
Another Unforgettable Black Hat & DEF CON Week I landed in Las Vegas and checked into Circus Circus, a no-frills spot but close enough to DEF CON to make the walk easy. It felt like the right basecamp for a packed week. My 4th hacker summer camp! Tuesday was about arrivals, badges, and parties. I… Read More: Hacker Summer Camp 2025 »
If you’re looking to learn Microsoft Sentinel hands-on or showcase its capabilities, spinning up a demo lab is easier than you might think. Microsoft offers a 31-day free trial with up to 10TB per day, perfect for testing scenarios without incurring charges. With a few quick steps, you can deploy a fully functional Sentinel lab… Read More: Quickly Deploy a Microsoft Sentinel Demo Lab »
Introduction Microsoft released Security Copilot worldwide on April 1, 2024. This service provides a natural language, generative AI assistant for Security Operation Center (SOC) analysts. Security Copilot is a generative AI-powered chat assistant add-on designed for various Microsoft Security tools. It enables security analysts to converse with an AI assistant, share conversations, and use generative… Read More: Microsoft Security Copilot Alternatives »
A simplified approach to following the DOD (U.S. Department of Defense) Zero Trust roadmap using Microsoft security solutions. Introduction The DoD Zero Trust Portfolio Management Office (ZT PfMO) released the Department of Defense Zero Trust Strategy and Roadmap on Nov 22, 2022. It defined what the DOD needs to do to execute Zero Trust. A… Read More: DOD Zero Trust with Microsoft Made Simple »
Are your Entra ID (AAD) logs getting too expensive in Sentinel? I have a theory on this. These logs appear to be created primarily for reporting purposes. Optimal sizing may not have been a primary consideration. In my experience these logs can grow rapidly and may become too expensive to retain in Sentinel. The two… Read More: Ways to reduce Entra ID (AAD) log size in Microsoft… »
It is often necessary to setup alert or ticket integration between two monitoring solutions. For example, sending alerts from one system to an ITSM or SIEM. I will refer to the data being transferred as alerts here for simplicity. Where do you start? First determine your requirements: Look for out of the box and community… Read More: How to design a ticket integration solution? »