AC&AI domain is the largest technology domain within the Microsoft Consulting Services Organization. We aim to deliver world-class solutions with our team of expert Consultants, Project Managers and Architects across Data & AI, Apps, Security and Azure Infrastructure
With the recent (and awesome, btw) release of the SOC Process Framework Workbook from my good friend Rin Ure, some of you may be wondering how to accomplish replacing the [CUSTOMER] value with your own SOC's team or org name - and doing it quickly. So, for our example of how to replace code in … Continue reading How to Quickly Replace Code in an Azure Sentinel Workbook
There's been discussion recently over the classifications available when you close an Incident in Azure Sentinel. Specifically, those questions are around what each classification means and how applying the correct classification will make the system more intelligent. Incident Classifications Importance of Classifications Before digging into the definitions and recommendations for each classification, its important to … Continue reading How and Why to Use the Closed Classification Properly for Azure Sentinel Incidents
Recently, I joked about the potential for an analyst assistant for Azure Sentinel. The blog post "Is it Time for an Analyst Assistant for Azure Sentinel?" garnered a fair bit of attention. In fact, I was interested to find from that there's already some efforts internally to build an assistant-type security knowledge AI for something … Continue reading Interim Analyst Assistant for Azure Sentinel
This will be a series of articles on how to investigate MCAS alerts. In this first article I will start to cover the basics for activity and anomaly alerts. As we already know, in todays Microsoft Cloud App Security, we can encounter different alerts every day. How do we know where to start the investigation? … Continue reading Field notes: Working with MCAS Alerts
Just a quick clarification of something that I think needs some explanation because this does come up from time-to-time and yes, it can be confusing. On our Azure Sentinel pricing page, in the FAQ, there's this section titled: "What data can be ingested at no cost with Azure Sentinel?" I'm sure you've seen this before. … Continue reading Alerts Versus Logs for the Azure Sentinel “Free” Connectors
From time-to-time, customers ask about an MVP - or Minimum Viable Product - when discussing standing up Azure Sentinel. An MVP would be the base configuration (with all connectors, analytics rules, workbooks, etc.) for the environment. Unfortunately, this is a gray area, and it concludes with the most famous Microsoft response to ever be issued: … Continue reading How to Identify Log Sources Required to Expose Specific Activity in Azure Sentinel
Just a fun little blog post. Nothing serious here, just wanted to bring some joy into your life. I posted earlier about our new Incident Response Playbooks. These are awesome. And, if more of these are made available consistently, SOCs will have a great resource with which to build policies, procedures, and workflows specific to … Continue reading Is it Time for an Analyst Assistant for Azure Sentinel?
A new section has been developed and released in our Security Best Practices section of the docs platform. With hope that this will be built out further and we'll see additional guidance released, the Incident Response Playbooks section contains the following to start: PhishingPassword sprayApp consent grant Bookmark this page and watch for updates. These … Continue reading Incident Response Playbooks are the Guidance You Need
The SC-200 exam is for the Microsoft Security Operations Analyst and contains questions and content about Azure Defender and Azure Sentinel. Its not a tough exam, by any means - particularly if you have worked with Defender and Sentinel for any length of time. Here's the skills that are measured with their approximate percentages of … Continue reading How to Get Prepped to Take the SC-200 Exam
This has been one of the most popularly requested asks for Azure Sentinel customers for the last many months: How can I tell the feature differences between the government cloud and the commercial cloud for Azure Sentinel? Well, you no longer have to guess - or as I've done - maintained separate gov't and commercial … Continue reading How to Know the Azure Sentinel Feature Differences Between Government and Commercial Clouds