One of my favourite sayings is ‘don’t let perfect be the enemy of good’. I think in cyber security we can all be guilty of striving for perfection, whether that is your MFA deployment, reducing local admin privilege or whatever your project may be. The reality is, in most larger organizations you will always have…
If you follow my Twitter or GitHub account, you know that I recently completed a #365daysofKQL challenge, where I shared a hunting query each day for a year. To round out that challenge, I wanted to share what I have learnt over the year. Like any activity, the more you practice, the better you become…
If you have spent any time in Azure Active Directory, chances are you have stumbled across Azure AD Conditional Access. It is at the very center of Microsoft Zero Trust. At its most basic, it evaluates every sign-in to your Azure AD tenant. It takes the different signals that form that sign-in. The…
If you are looking at using Microsoft Sentinel, then Active Directory is likely high on your list of sources to onboard. If you already use it, you probably spend a fair bit of time digging through Active Directory logs. Despite Microsoft’s push to Azure Active Directory, on-premises Active Directory is still heavily used. You…
Honeypots have been around for a long time in InfoSec. The idea is that you set up some kind of infrastructure, maybe a file server or virtual machine. It isn’t a ‘real’ server; it is designed just to be hidden, and should anyone find it, you will be alerted. The idea is to catch…
This article is presented as part of the #AzureSpringClean event. The idea of #AzureSpringClean is to promote well-managed Azure environments. This article will focus on Azure Active Directory and how we can leverage KQL to keep things neat and tidy. Much like on-premises Active Directory, Azure Active Directory has a tendency to grow…
The InfoSec community is amazing at providing insight into ransomware and malware attacks. There are so many fantastic contributors who share indicators of compromise (IOCs) and all kinds of other data. Community members and vendors publish detailed articles on various attacks that have occurred. Usually these reports contain two different things. Indicators of compromise (IOCs)…
Defenders are often looking for a single event within their logs: evidence of malware, a user clicking on a phishing link, whatever it may be. Sometimes though you may be looking for a series of events, or perhaps trends in your data. Maybe a quick increase in a certain type of activity. Or several…
For people that use a lot of cloud workloads, you would know it can be hard to track cost. Billing in the cloud can be volatile if you don’t keep on top of it. Bill shock is a real thing. While large cloud providers can provide granular billing information, it can still be difficult to…
Defenders spend a lot of time worrying about the security of the user identities they manage: trying to stop phishing attempts or deploying MFA. You want to restrict privilege, have good passphrase policies and deploy passwordless solutions. If you use Azure AD, there is another type of identity that is important to keep an eye…