How to Generate Azure Sentinel Incidents for Testing

Do you want to generate an Incident in Azure Sentinel for testing/demoing? Here are a couple of easy ways to do it. These are a few of the methods I use (and have customers use) after building a customer lab. Additionally, I may update this post from time to time to include more methods and I'm only going to …

Creating Cloud Shell Storage Resources in a Different Azure Region

I had a situation recently where I needed to test to determine if a specific cmdlet for the Azure Sentinel PowerShell module would run in a specific Azure region. Cloud Shell instances require storage to function. When you initiate a Cloud Shell instance and accept the defaults, it generates a random set of storage account …

The Holy Grail of Azure Sentinel Data Connections: The Azure Service Diagnostic Setting

The Azure Sentinel product group continues to crank out new Data Connector after new Data Connector. There is a significant goal to provide as many customer-requested Data Connectors as possible and I hope you've seen the mighty effort in place toward this goal. There are new Data Connectors available constantly. The Data Connector is intended …

Microsoft Intune and Log Analytics Integration

The ability to leverage your data for rich analytics, alerting and automated response is a powerful capability and useful in many environments. Intune data is no different. Use the integration between Intune data and Log Analytics in Azure to develop rich queries to pinpoint the exact data of interest, build alerting around relevant findings and …

Flowing gMSA accounts into MIM Portal

The purpose of this document is to guide someone through adding Group Managed Service Accounts (gMSA) into the MIM Portal. At my customer, we have started utilizing gMSAs more and more as opposed to regular service accounts. With increased usage this means that gMSAs are showing up as members of various Security Groups. Anyone who …

An Azure Sentinel GitHub Reorg and a Playbook to Auto-close MCAS Alerts

I hear from customers quite a bit that it's hard to identify what's new for Azure Sentinel -- both in new console features and in additional GitHub repository collateral. Personally, I use the RSS feed to monitor what's new. And, you can too. Load the following up in your favorite RSS reader... Azure Sentinel GitHub …

Tuning the MCAS Analytics Rule for Azure Sentinel: System Alerts and Feature Deprecation

I noted recently how powerful and valuable Microsoft Cloud App Security (MCAS) is, but also how noisy it can make the Azure Sentinel console unless the MCAS policies are tuned correctly. See: Tuning the Noise Out of MCAS for Azure Sentinel. That post struck a chord with a number of people. So, I thought I'd …

Tuning the Noise Out of MCAS for Azure Sentinel

It's funny, the first question out of my mouth when a customer asks for help tuning the noise for Azure Sentinel is: "Is your noisiest connection MCAS, by any chance?" 95% of the responses are a resounding: "Yes." Most customers think that it's Azure Sentinel's problem, but it's not. It's actually a tuning issue for …