Clean up comments with a text editor and HTML tags. Microsoft Sentinel allows analysts to add comments to incidents, but unfortunately in preview state we still don’t have the ability to format the text in the comment boxes. When an analyst leaves a comment, the words chop in half as soon as they reach the […]
How do I Format Microsoft Sentinel Comments? Read More »
Get creative to get past MCAS table restrictions. Microsoft Cloud App Security (MCAS) is Microsoft’s Cloud Access Security Broker (CASB) service. MCAS provides centralized management of cloud apps and generates alerts based on cloud app activity, but it has one serious limitation—as of the writing of this blog—in the “Activity Log”. The Activity Log is
Querying an “Unqueryable” Table Read More »
Learn the 5 functions that make up 90% of KQL queries. Kusto Query Language (KQL) is the querying language that Microsoft uses on all their cloud platforms. It may seem like an intimidating challenge to learn a whole new query language to work with Microsoft, but most of the queries become straightforward after learning the
Become Proficient with KQL in 10 Minutes Read More »
Make use of a score for each area of cloud security. Microsoft has multiple teams working on different aspects of cybersecurity for their cloud services. This has resulted in 6 different secure scores, which’ll likely leave many cybersecurity analysts wondering what each of them does. In this blog, we will go over a summary of
Why Do I Have So Many Secure Scores? Read More »
Use cloud EDR to investigate cloud resources. Microsoft Defender for Cloud is a cloud EDR tool built into Microsoft Security Center that can monitor an expanding list of cloud platforms. The following example image shows which platforms Microsoft Defender for Cloud can protect, they all operate differently, but they can all be investigated with the
Investigate Cloud Activity in Microsoft Defender for Cloud Read More »
Know the differences to optimize investigations. Microsoft recently began reorganizing their Microsoft Defender 365 security platform to make it easier to use for cybersecurity analysts. With the recent additions to the Microsoft 365 Security menu, there are now four different menus that analysts can go to for investigations involving Defender for Office 365. In this
Why Do I Have four Defender O365 Investigation Menus? Read More »
Keeping test incidents from being actual incidents. Cybersecurity testing is important for ensuring that the security controls that your organization is implementing are working. Cloud cybersecurity testing takes on the same level of importance, but in the cloud your security testing faces some unique challenges because of the constraints placed by the cloud services providers
Microsoft Sentinel Security Testing Ground Rules Read More »
Boost productivity by automating routine tasks. One of the ways that Azure Sentinel is attempting to differentiate itself from the competition is by integrating the automation tools available in Azure. A Security Operations Center (SOC) can use a combination of Azure Logic Apps, Azure Runbooks, and Azure DevOps to automate many of the incident management
Essential Azure Sentinel Automations Read More »
When Existing Data isn’t Enough, Look for Metadata. Microsoft Sentinel has a constantly expanding list of advanced hunting queries that Microsoft has gathered from around the community to help with finding useful information when investigating cybersecurity incidents. As of the last count, there are 200+ queries available out-of-the-box in Microsoft Sentinel. It is worthwhile
Advanced Threat Hunting in Microsoft Sentinel. Read More »
Use a focused methodology to resolve multi-stage incidents quickly and effectively Microsoft Defender for Endpoints (MDE) uses AI and analytics to correlate alerts to create an incident, and it is not shy about showing all the alerts that could potentially be involved with the incident. If a security analyst expands a multistage incident, they may
Investigating with Microsoft Defender for Endpoints (MDE) Read More »