Blog

Microsoft Sentinel Security Testing Ground Rules

Keeping test incidents from becoming actual incidents. Cybersecurity testing is important for verifying that the security controls your organization implements actually work. Cloud cybersecurity testing is just as important, but in the cloud your security testing faces some unique challenges because of the constraints placed by the cloud service providers […]

Why Isn’t My Microsoft Sentinel CI/CD Pipeline Working?

Using DevOps to automate management of Microsoft Sentinel features. The “Deploying and Managing Microsoft Sentinel as Code” Tech Community article is a popular blog post that describes how to use Azure DevOps to build a CI/CD pipeline for Microsoft Sentinel features. The tool described in the article is very powerful, but it is also so complex […]

Essential Azure Sentinel Automations

Boost productivity by automating routine tasks. One of the ways that Azure Sentinel is attempting to differentiate itself from the competition is by integrating the automation tools available in Azure. A Security Operations Center (SOC) can use a combination of Azure Logic Apps, Azure Automation runbooks, and Azure DevOps to automate many of the incident management […]

Why Aren’t My Microsoft Sentinel Playbooks Working?

Solutions to some common Playbook pitfalls. Some of the error messages that appear in Playbooks are either very cryptic or simply unexplained, because many of the Microsoft Sentinel Logic App components are still in preview. Security analysts who are deploying Microsoft Sentinel Playbooks for the first time may see esoteric error messages like the example below and get […]

Advanced Threat Hunting in Microsoft Sentinel

When Existing Data Isn’t Enough, Look for Metadata. Microsoft Sentinel has a constantly expanding list of advanced hunting queries that Microsoft has gathered from the community to help find useful information when investigating cybersecurity incidents. At last count, there were 200+ queries available out of the box in Microsoft Sentinel. It is worthwhile […]

Investigating with Microsoft Defender for Endpoint (MDE)

Use a focused methodology to resolve multi-stage incidents quickly and effectively. Microsoft Defender for Endpoint (MDE) uses AI and analytics to correlate alerts into an incident, and it is not shy about showing every alert that could potentially be involved with that incident. If a security analyst expands a multi-stage incident, they may […]

Using Microsoft MCAS Effectively

How to Investigate Cloud Incidents in Microsoft MCAS. Microsoft Cloud App Security (MCAS) is a Cloud Access Security Broker (CASB) service that provides visibility into, and control over, security activity in cloud applications. When security analysts see cybersecurity alerts from MCAS, it can often be confusing to investigate them because of the user interface (UI) design. Instead of seeing traditional […]

Are You Challenged with the Microsoft Sentinel Investigation Graph?

Use a focused methodology to avoid getting lost. Microsoft Sentinel’s investigation graph uses nodes to represent security data, and each node can be expanded to view all of its related entities. If a security analyst expands the investigation graph just once for each node, the graph looks like the example image below. Therein lies […]

Accelerating Zero Trust Security (ZTS) Part 2

How to prioritize your zero trust security (ZTS) initiatives. In part 1 of this blog post on zero trust security (ZTS), we discussed the trends that are accelerating digitization and why CIOs and CISOs need to adapt their cybersecurity posture as a result. We’d submit to you that Zero Trust Security is arguably the most important development […]