Demystifying Log Collection in Azure: Navigating Windows and Linux Server Logging for Microsoft Sentinel I'm crafting this blog post to shed light on the target tables in Log Analytics, specifically for non-Azure server logs. Just a heads-up: this article won't cover the setup process for log ingestion. However, I'll make sure to include pertinent links throughout. Many of
Identifying Security Weaknesses in Function Apps and Storage Accounts BLUF: If an adversary can List Keys on a storage account that contains an Azure Function, they can already modify the Azure Function, because the only principals who can List Keys are the owner of the Storage Account and any inherited owners. I recently had a customer ask to get a
Microsoft Sentinel Pricing and Monitoring When I meet with customers for the first time, the cost of Microsoft Sentinel is a common topic of discussion. I'm updating this blog to reflect recent pricing model changes and include additional pricing considerations. It's important to note that this isn't an analysis
Ensure Critical Log Collection in Microsoft Sentinel This solution was inspired by one of my customers. They wanted to know if they could use a Microsoft Sentinel Watchlist in combination with Usage logs to be alerted if they were no longer getting log data on one of their collections. For this example, I created a Watchlist that
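As an added example (not code from the original post), the check described above can be expressed as a single KQL query over the Usage table. It assumes a Watchlist with the alias 'CriticalLogSources' that has a column named 'DataType' listing the tables expected to receive data (for example SecurityEvent, Syslog, CommonSecurityLog); both the alias and the column name are assumptions for illustration. The query returns every expected table that has produced no Usage records in the lookback window, which is what an Analytic Rule would alert on.

```kusto
// Added example, not from the original post.
// Assumes a Watchlist aliased 'CriticalLogSources' with a 'DataType' column.
let lookback = 24h;
// Expected tables, taken from the Watchlist.
let expected = _GetWatchlist('CriticalLogSources')
    | project DataType = tostring(DataType);
// Tables that actually ingested data in the window, per the Usage table.
let observed = Usage
    | where TimeGenerated > ago(lookback)
    | summarize LastSeen = max(TimeGenerated), TotalMB = sum(Quantity) by DataType;
// leftanti keeps only expected tables with no matching Usage row:
// these are the collections that have gone silent.
expected
| join kind=leftanti observed on DataType
| extend Status = strcat("No ingestion in the last ", tostring(lookback))
| project DataType, Status
```

Run this as a scheduled Analytic Rule with a frequency that matches the lookback (for example every 24 hours over a 24-hour window) so that a table missing from Usage for a full period raises one incident rather than a stream of duplicates; tables that ingest infrequently by design need a longer lookback or their own Watchlist entry.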
Microsoft Sentinel Log4j Ubiquiti Analytic Rule I created a quick Analytic Rule for those using Ubiquiti logs with Microsoft Sentinel. First of all, I just took two existing rules and made a new one. To get the IOCs for Log4j published on the Sentinel GitHub page, I utilized the code from a recently published rule in
Microsoft Sentinel Azure AD Connector Log Breakdown I have been getting a lot of questions from customers about the configuration of the Azure AD Connector in Microsoft Sentinel. OK, I have not been asked, but just in case I am, I want to be sure I can explain the various logs ingested by Microsoft Sentinel. The Azure
Microsoft Sentinel Log Usage Recently I had a customer, well more than one, who wanted to understand the usage and cost of their ingestion of log data into Sentinel. First, the ingestion cost for Sentinel can be confusing because you also pay for ingestion into Log Analytics. I am hoping this will be made
Azure Sentinel GCIA and Sentinel Recently I completed my GCIA [https://www.giac.org/certification/certified-intrusion-analyst-gcia] (GIAC Certified Intrusion Analyst) certification, which focuses on hunting for adversaries. The course and exam focus on monitoring, network traffic analysis, and intrusion detection. The benefit of this course is two-fold. First, it directly engages a skill set I
Advanced Threat Protection by Microsoft I just wanted to throw together a quick post explaining the differences between the "Advanced Threat Protection" solutions from Microsoft. These different offerings sometimes confuse me, and I work for Microsoft. So let me start from the desktop and soar to the cloud. Keep in mind, all these
Azure Flow Log Aggregation (SOF-ELK) I recently completed the SANS FOR572 | Advanced Network Forensics: Threat Hunting, Analysis, and Incident Response course delivered by Phil Hagen [https://www.linkedin.com/in/philhagen/], and then tested and was certified in GIAC Network Forensic Analysis (GNFA). During my study time I wanted to dig deeper into the SOF-ELK distribution.
Automated Azure Cyber Lab I just wrapped up an Azure Government Hack-a-thon, where our team had to come up with a solution based on five different scenario choices. Now this is not a hack-a-thon from the perspective of penetration testing. It was a make-it-real type of training and challenge. We designed and built a
Red Team Rookie This year's Vigilant Guard for the State of Maryland had a cyber security component composed of joint Army and Air National Guard, civilian, government and Maryland Defense Force (MDDF) members. I had the pleasure of being the NCOIC of the Red Team in the cyber defense portion of
Locked Shields 2017 Recently I participated in Locked Shields, considered one of the biggest live-fire cyber defense exercises in the world. This was my second year being part of a blue team in such a fun and challenging event. Locked Shields is an annual exercise organized by the Tallinn-based NATO Cooperative Cyber Defence
Intro to Python I have been programming since I got my first Commodore VIC20 back in about 1984. Back then I would buy a Compute magazine and type in the programs, mostly games. Then I would debug or modify the code to see what would happen. Of course these were simple computer games. This is
"Hello World!" OK, I am finally getting around to managing a blog. I have done this in the past, a bit. Hopefully now I can get down to business. I now know what I want to be when I grow up. For years I have been focused on all sorts of areas