Blog

Kubernetes for Security Admins and Analysts

Implement Kubernetes security in Microsoft Sentinel using a mix of old and new methods. Azure Kubernetes Service (AKS) and Azure Container Registry have been some of the fastest growing cloud services in Microsoft Azure. This is because of how scalable and flexible Kubernetes is for software developers. With a sizable amount of Kubernetes entering the IT environment, […]


Squeeze More Data Out of Your Analytic Rules

Enrich investigations with the new Alert Enrichment. The Microsoft Sentinel team has recently released “Alert Enrichment”, which replaces the older approach of mapping entities with KQL “extend” statements in the rule query. This is good news for analysts because they can now customize the nodes in their Microsoft Sentinel investigation graphs without having to write KQL statements that sometimes […]


Use JSON to Improve Microsoft Sentinel Operations

Be more efficient and unlock new tools with JSON. When working on security in Microsoft Sentinel it is important to understand how the components of the platform work. JSON is one of the major components of Microsoft Sentinel because it uses key-value pairs to describe how some of the most important features are supposed to […]


How do I Format Microsoft Sentinel Comments?

Clean up comments with a text editor and HTML tags. Microsoft Sentinel allows analysts to add comments to incidents, but while the feature is in preview there is still no way to format the text in the comment boxes. When an analyst leaves a comment, words are chopped in half as soon as they reach the […]


Querying an “Unqueryable” Table

Get creative to get past MCAS table restrictions. Microsoft Cloud App Security (MCAS) is Microsoft’s Cloud Access Security Broker (CASB) service. MCAS provides centralized management of cloud apps and generates alerts based on cloud app activity, but, as of the writing of this blog, it has one serious limitation in the “Activity Log”. The Activity Log is […]


Become Proficient with KQL in 10 Minutes

Learn the 5 functions that make up 90% of KQL queries. Kusto Query Language (KQL) is the query language behind Microsoft Sentinel, Azure Monitor Log Analytics, and Microsoft 365 Defender advanced hunting. Learning a whole new query language to work with Microsoft may seem like an intimidating challenge, but most queries become straightforward after learning the […]

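The three posts above (Alert Enrichment, JSON, and the KQL basics) all come together in a single artifact: the JSON definition of a scheduled analytics rule. The following is an added example written for this page, not code from the original posts. It assumes a hypothetical deployment where the Log Analytics workspace name is passed as the “workspace” parameter and “<rule-guid>” is replaced with a freshly generated GUID; the query runs against the Azure AD SigninLogs table and uses the where, summarize, extend and project operators (the teaser does not say which five functions the post itself picks). The “entityMappings” and “customDetails” blocks are the Alert Enrichment settings; before they existed, the same result needed an extra “| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress” line at the end of the query.

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String",
      "metadata": {
        "description": "Assumed input: name of the Log Analytics workspace that hosts Microsoft Sentinel"
      }
    }
  },
  "resources": [
    {
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "apiVersion": "2022-11-01",
      "name": "[concat(parameters('workspace'), '/Microsoft.SecurityInsights/', '<rule-guid>')]",
      "kind": "Scheduled",
      "properties": {
        "displayName": "Password spray: repeated failed sign-ins for one account",
        "description": "Illustrative rule added for this page (not from the original blog). Flags accounts with 10 or more failed sign-ins from a single IP in the last hour.",
        "severity": "Medium",
        "enabled": true,
        "query": "SigninLogs\n| where TimeGenerated > ago(1h)\n| where ResultType != \"0\"\n| summarize FailedAttempts = count(), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated) by UserPrincipalName, IPAddress\n| where FailedAttempts >= 10\n| extend AccountName = tostring(split(UserPrincipalName, \"@\")[0])\n| project StartTime, EndTime, UserPrincipalName, AccountName, IPAddress, FailedAttempts",
        "queryFrequency": "PT1H",
        "queryPeriod": "PT1H",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT5H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "UserPrincipalName"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPAddress"
              }
            ]
          }
        ],
        "customDetails": {
          "FailedAttempts": "FailedAttempts"
        },
        "alertDetailsOverride": {
          "alertDisplayNameFormat": "{{FailedAttempts}} failed sign-ins for {{UserPrincipalName}} from {{IPAddress}}"
        }
      }
    }
  ]
}
```

Save this as rule.json and deploy it with `az deployment group create --resource-group <rg> --template-file rule.json --parameters workspace=<workspace-name>`. Every field the portal shows on the rule wizard (schedule, threshold, suppression, entity mapping, custom details, dynamic alert title) is just one of these key-value pairs, which is why keeping rules as JSON in source control makes them reviewable and reproducible.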

Why Do I Have So Many Secure Scores?

Make use of a score for each area of cloud security. Microsoft has multiple teams working on different aspects of cybersecurity for their cloud services. This has resulted in 6 different secure scores, which will likely leave many cybersecurity analysts wondering what each of them does. In this blog, we will go over a summary of […]


Investigate Cloud Activity in Microsoft Defender for Cloud

Use cloud EDR to investigate cloud resources. Microsoft Defender for Cloud (formerly Azure Security Center) is a cloud security posture management and workload protection tool that can be used much like an EDR for cloud resources, and it monitors an expanding list of cloud platforms. The following example image shows which platforms Microsoft Defender for Cloud can protect; they all operate differently, but they can all be investigated with the […]


Microsoft Sentinel Workbooks that All SOCs Should Have

Get more value out of your data for free with Workbooks. Microsoft Sentinel Workbooks allow security analysts and admins to view data about security in their environment using graphical displays. This is a powerful tool because any data that can be queried can now also be displayed in an easy-to-understand graphical format. Charts like the […]
