Category Archives: Monitoring

Building a YouTube Statistics Tracker at 35,000 Feet

I was flying home from a security conference in Boston on a Friday evening, enjoying an unexpected complimentary upgrade to business class, listening to Dungeon Crawler Carl, and reflecting on some of the conversations I had over the previous few days. During one of those conversations, I had confidently stated that a YouTube channel I…

Understanding Microsoft’s Growing AI Ecosystem

Over the last two years, Microsoft’s AI ecosystem has expanded incredibly fast. What initially started as a relatively straightforward launch of Microsoft 365 Copilot has rapidly evolved into a much broader platform involving enterprise grounding, semantic intelligence, multi-model orchestration, AI agents, delegated workflows, governance platforms, and enterprise AI security controls. Along the way, Microsoft has…

Securing AI Depends on How AI Is Being Used

The phrase “AI Security” is becoming increasingly difficult to define because the risks change dramatically depending on how organizations interact with AI. Sometimes employees are simply using public AI services to summarize documents or generate content. Sometimes organizations deploy enterprise copilots grounded on internal data. Increasingly, organizations are building AI workflows and agents capable of…

Authorized Access Unauthorized Destinations

Security teams are starting to use and pay closer attention to tools like MCP servers, AI agents, GitHub Copilot, VS Code integrations, and other AI-assisted operational tooling. As organizations become more familiar with these tools, it naturally raises questions around the privacy and security implications of connecting them to enterprise systems. The real issue is…

AI-Driven SOC Series Overview

What started as a simple idea, exploring how AI could support a modern Security Operations Center, has grown into a structured series that documents both real solutions and the learning journey behind them. This collection of articles is intended to walk through the evolution from traditional, deterministic automation toward more adaptive, agent-driven approaches, while sharing…

Sentinel TVM Snapshot Data Connector

This started as a straightforward idea. I wanted to get Defender Threat and Vulnerability Management (TVM) data into Microsoft Sentinel for long-term retention and dashboarding. The data potentially has value, and Sentinel is designed to ingest large volumes of security data, so on the surface it felt like something that should already exist. After building…

Deterministic vs. Agentic Incident Response

There is a subtle shift happening in how we design incident response systems. For years, most solutions followed a deterministic (explicit, rule-based, structured) model. An alert fires, a playbook runs, actions execute in a defined order, and results are returned. When something breaks, we trace the path, fix the logic, and run it again. That…

Building a SOC AI API with Azure AI Foundry

A practical alternative and complement to Security Copilot

I wrote about Alternatives to Microsoft Security Copilot last year and why many organizations are still looking for practical ways to bring AI into their SOC. That conversation has continued to come up in customer engagements. Some teams do not have access yet. Others are constrained by…

Azure Activity Logs: A Few Practical Tips

I was working with a customer recently who was trying to track down changes across several subscriptions. Nothing unusual there, except we quickly realized something was missing. A number of subscriptions were not sending Azure Activity Logs to Microsoft Sentinel at all. No errors, no alerts, just silent gaps. It stood out because this is…

Reconnecting Admin and User Accounts in Entra

I recently worked with a customer who had done the right thing from a security perspective. They followed the best practice of separating standard user accounts from privileged admin accounts. Day-to-day work was done with a normal account, and elevated tasks required a separate admin identity. What they chose not to do was record the…

Verifying MDE Protection for Azure VMs

I recently built an Azure Monitor workbook to help customers who are struggling to verify that all Azure virtual machines are fully onboarded to Microsoft Defender for Endpoint (MDE).

Repo: AndrewBlumhardt/workbooks

In theory, this should be straightforward. When Defender for Servers is enabled as part of Microsoft Defender for Cloud, Azure VMs are automatically onboarded…

Securing Power Automate vs. Azure Logic Apps

I recently ran into confusion around Azure Logic Apps that came from viewing them through a Power Automate lens. On the surface the two platforms look nearly identical. They share connectors, workflows, and even the same HTTP action. But applying Power Automate’s security assumptions to Logic Apps leads to incorrect conclusions about risk, governance, and…

Vibe Learning

Vibe Learning is a new approach to education that uses AI tools like ChatGPT and Copilot to create a fast, interactive, and engaging learning experience. By shifting from traditional study methods to conversational exploration, learners can accelerate understanding, focus on what matters, and build knowledge more efficiently.