Blog

Querying an “Unqueryable” Table

Get creative to get past MCAS table restrictions. Microsoft Cloud App Security (MCAS) is Microsoft’s Cloud Access Security Broker (CASB) service. MCAS provides centralized management of cloud apps and generates alerts based on cloud app activity, but it has one serious limitation—as of the writing of this blog—in the “Activity Log”. The Activity Log is […]


Become Proficient with KQL in 10 Minutes

Learn the 5 functions that make up 90% of KQL queries. Kusto Query Language (KQL) is the querying language that Microsoft uses on all their cloud platforms. It may seem like an intimidating challenge to learn a whole new query language to work with Microsoft, but most of the queries become straightforward after learning the […]


Why Do I Have So Many Secure Scores?

Make use of a score for each area of cloud security. Microsoft has multiple teams working on different aspects of cybersecurity for their cloud services. This has resulted in 6 different secure scores, which’ll likely leave many cybersecurity analysts wondering what each of them does. In this blog, we will go over a summary of […]


Investigate Cloud Activity in Microsoft Defender for Cloud

Use cloud EDR to investigate cloud resources. Microsoft Defender for Cloud is a cloud EDR tool built into Microsoft Security Center that can monitor an expanding list of cloud platforms. The following example image shows which platforms Microsoft Defender for Cloud can protect; they all operate differently, but they can all be investigated with the […]


Microsoft Sentinel Workbooks that All SOCs Should Have.

Get more value out of your data for free with Workbooks. Microsoft Sentinel Workbooks allow security analysts and admins to view data about security in their environment using graphical displays. This is a powerful tool because any data that can be queried can now also be displayed in an easy-to-understand graphical format. Charts like the […]


Why Do I Have four Defender O365 Investigation Menus?

Know the differences to optimize investigations. Microsoft recently began reorganizing their Microsoft Defender 365 security platform to make it easier to use for cybersecurity analysts. With the recent additions to the Microsoft 365 Security menu, there are now four different menus that analysts can go to for investigations involving Defender for Office 365. In this […]


Microsoft Sentinel Security Testing Ground Rules

Keeping test incidents from being actual incidents. Cybersecurity testing is important for ensuring that the security controls that your organization is implementing are working. Cloud cybersecurity testing takes on the same level of importance, but in the cloud your security testing faces some unique challenges because of the constraints placed by the cloud services providers […]


Why Isn’t My Microsoft Sentinel CI/CD Pipeline Working?

Using DevOps to automate management of Microsoft Sentinel features. The “Deploying and Managing Microsoft Sentinel as Code” Tech Community article is a popular blog that describes how to use Microsoft DevOps to create a CI/CD pipeline for Microsoft Sentinel features. The tool described in the article is very powerful, but it is also so complex […]


Essential Azure Sentinel Automations

Boost productivity by automating routine tasks. One of the ways that Azure Sentinel is attempting to differentiate itself from the competition is by integrating the automation tools available in Azure. A Security Operations Center (SOC) can use a combination of Azure Logic Apps, Azure Runbooks, and Azure DevOps to automate many of the incident management […]
