Exporting Events from Disconnected Systems to Ingest into Azure Sentinel

I had the occasion recently to work with a customer that had domain controllers that were disconnected from the Internet, but still wanted to ingest the server event logs into Azure Sentinel. Sifting through research I found there's a myriad of ways to do it (including standing up a Log Analytics gateway) but one of … Continue reading Exporting Events from Disconnected Systems to Ingest into Azure Sentinel →

Azure Sentinel Tip for Table Details and Descriptions

I wrote a recent article that talks about tips for doing Data Sampling for Azure Sentinel. Data Sampling is a method that allows the Sentinel Analyst to figure out where and what data exists in the Log Analytics workspace to help hone KQL queries to produce good data results. Read that here if you missed … Continue reading Azure Sentinel Tip for Table Details and Descriptions →

Understanding Microsoft Security Baselines and Applying Them – Part 2

Importing the Security Baselines into AD easily The easiest method of importing all the settings into AD is a script that is included with the baselines, its stored beneath the Scripts folder named "Baseline-ADImport.ps1". Baseline-ADImport.ps1 Imported GPO's in AD In the image above you can see everything that is imported with the Security Baseline for … Continue reading Understanding Microsoft Security Baselines and Applying Them – Part 2 →

Tips for KQL Data Sampling as part of Azure Sentinel Investigations

When you're working against the data ingested in your Azure Sentinel Log Analytics workspace, you sometimes don't know right away exactly where the data exists or even what data is available. For example, what if you simply want to figure out if 'zoom.exe' exists in your data store? A lot of times someone has already … Continue reading Tips for KQL Data Sampling as part of Azure Sentinel Investigations →

Tip: Keeping Track of Azure Sentinel GitHub Updates

One of the suggested recommendations in the continuing Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel series is to keep track of updates for a variety of the Azure Sentinel components. Our GitHub repository is a valuable resource for new and updated KQL queries, Workbooks, etc. It is updated constantly by our Sentinel teams, … Continue reading Tip: Keeping Track of Azure Sentinel GitHub Updates →

Field Notes: Azure MFA and SSPR combined registration now Generally Available

As organizations are asking employees to work from home to slow the spread of COVID-19, it’s even more important that users are registered for MFA and SSPR. We want to make it easier for remote workers to keep their accounts secure.

Deploy Azure Advanced Threat Protection (ATP)

In this post I will take you through the steps to deploy Azure ATP in your on-premise Active Directory to detect and investigate threats in your environment.

Azure Sentinel Daily Task: Hunting Queries and Bookmarks

This is part of a continuing series in relation to the Suggested Daily, Weekly, and Monthly Tasks for Azure Sentinel, which outlines tasks for security analysts. In this article, I'll talk about investigating incidents as part of a daily regimen for an Azure Sentinel analyst. There's deeper discussions and training that's required to get a … Continue reading Azure Sentinel Daily Task: Hunting Queries and Bookmarks →

WFH: Implement a no-data-on-the-cloud VPN solution Azure

In this blog we will discuss how, even if your company has a no-data-in-the-cloud policy, we can utilize azure to (very) quickly implement a scalable and cost efficient VPN solution to thousands of employees if needed.

What’s in that Event Log? Discovering possible Event ID’s

Learn how to use PowerShell to dump a full list of possible EventID's from many Windows logs