Blog
Azure AD Conditional Access Insights & Auditing with Microsoft Sentinel
If you have spent any time in Azure Active Directory, chances are you have stumbled across Azure AD Conditional Access. It is at the very center of Microsoft Zero Trust. At its most basic, it evaluates every sign in to your Azure AD tenant. It takes the different signals that form that sign in. The…
Monitoring Active Directory with Microsoft Sentinel – the agent deep dive.
If you are looking at using Microsoft Sentinel, then Active Directory is likely high on your list of sources to onboard. If you already use it, you probably spend a fair bit of time digging through Active Directory logs. Despite Microsoft’s push to Azure Active Directory, on premise Active Directory is still heavily used. You…
Deception in Microsoft Sentinel with Thinkst Canaries
Honeypots have been around for a long time in InfoSec. The idea is that you set up some kind of infrastructure – maybe a file server or virtual machine. It isn’t a ‘real’ server, it is designed just to be hidden and should anyone find it, you will be alerted. The idea is to catch…
Maintaining a well managed Azure AD tenant with KQL
This article is presented as part of the #AzureSpringClean event. The idea of #AzureSpringClean is to promote well managed Azure environments. This article will focus on Azure Active Directory and how we can leverage KQL to keep things neat and tidy. Much like on premise Active Directory, Azure Active Directory has a tendency to grow…
Detecting malware kill chains with Defender and Microsoft Sentinel
The InfoSec community is amazing at providing insight into ransomware and malware attacks. There are so many fantastic contributors who share indicators of compromise (IOCs) and all kinds of other data. Community members and vendors publish detailed articles on various attacks that have occurred. Usually these reports contain two different things. Indicators of compromise (IOCs)…
Too much noise in your data? Summarize it!
Defenders are often looking for a single event within their logs. Evidence of malware or a user clicking on a phishing link? Whatever it may be. Sometimes though you may be looking for a series of events, or perhaps trends in your data. Maybe a quick increase in a certain type of activity. Or several…
KQLCeption – use KQL to investigate Microsoft Sentinel
For people that use a lot of cloud workloads you would know it can be hard to track cost. Billing in the cloud can be volatile if you don’t keep on top of it. Bill shock is a real thing. While large cloud providers can provide granular billing information. It can still be difficult to…
Detecting privilege escalation with Azure AD service principals in Microsoft Sentinel
Defenders spend a lot of time worrying about the security of the user identities they manage. Trying to stop phishing attempts or deploying MFA. You want to restrict privilege, have good passphrase policies and deploy passwordless solutions. If you use Azure AD, there is another type of identity that is important to keep an eye…
Microsoft Sentinel and the power of functions
Functions in Microsoft Sentinel are an overlooked and underappreciated feature in my experience, there is no specific Sentinel guidance provided by Microsoft on how to use them, however they are covered more broadly under the Azure Monitor section of the Microsoft docs site. In general terms though, they allow us to save queries to our…
Using Logic Apps and Microsoft Sentinel to alert on expiring Azure AD Secrets
Azure AD app registrations are at the heart of the Microsoft Identity Platform, and Microsoft recommend you rotate secrets on them often. However, there is currently no native way to alert on secrets that are due to expire. An expired secret means the application will no longer authenticate, so you may have systems that fail…