Jan 9, 2024
Microsoft Sentinel Data Segregation Options
So, you want to segregate your data in Sentinel? Well, you came to the right place! In this blog we are going to review four different ways that you can segregate data in Microsoft Sentinel. Keep in mind that there are pros and cons to every segregation option and that the best choice for your […]
Jan 4, 2024
Complex Sentinel Deployments Using ARC and AMA Over Private Links and Private Endpoints
Large organizations sometimes opt for an architectural choice to use private links and private endpoints in the context of ingesting data from on-premise servers into Microsoft Sentinel. The typical reasons for this choice include: alignment with existing Azure architecture where solutions connecting the datacenter to the cloud, such as ExpressRoute or Azure VPN gateways, are already adopted […]
Oct 2, 2023
Log Splitting with Data Collection Rules
In a recent article, Microsoft discussed log splitting in Data Collection Rules (DCRs), also known as Multi-Destination Data Collection Rules. Microsoft mentioned a few uses for this capability. I’ve worked with numerous clients in the past who had certain needs that log splitting would have made much simpler to fulfill. In this blog post, I’ll […]
Sep 18, 2023
From Noise to Action: Analyzing Activity Alerts and Preventing Genuine Threats with Defender for Cloud Apps
If you have worked in a SOC, you know that during an analysis, correlating sessions to identify malicious activity or compromise is necessary, yet hard or impossible to perform based on the available logs from activity-based alerts in Defender for Cloud Apps. In this blog post, we will go over the following topics: What are the […]
Aug 31, 2023
Maximizing the Value of Azure Automation for SOCs
A BlueVoyant Custom Levenshtein Detection. What Does This Detection Mitigate? This use case has been designed to capture email spoofing attempts from an external attacker where the attacker impersonates an internal user or trusted supplier. As domain verification is not built into the Simple Mail Transfer Protocol (SMTP), attackers can counterfeit email addresses with the […]
Jul 25, 2023
Microsoft Sentinel Design - Updated One-Page Diagram
Microsoft Sentinel has introduced a significant number of new features and improvements to existing ones since our last diagram update. Some notable ones are increased incident management options, the addition of a large number of solutions including data connectors, detection rules and workbooks, content management options such as Workspace Manager, centralized data collection rules via the Azure […]
Aug 25, 2021
Microsoft 365 Defender, Azure Defender, Azure Sentinel One-Page Diagram
In the past we have published individual diagrams for a number of Microsoft cloud security solutions, but in the end we always intended to have the larger picture that can provide analysts with a visual understanding of what type of data is exchanged between various Microsoft security controls and how that data is used to […]
Jul 13, 2021
Mapping of On-Premises Security Controls Versus Services Offered by Major Cloud Providers
We are happy to publish the fifth version of a diagram that started in March 2017, with just AWS and Azure versus On-Premises. The diagram began as an effort to make a translation between the typical on-premises security controls, whose function everybody more or less knows, and the various services advertised by major […]
Aug 3, 2020
Azure AD Identity Protection Design
Azure AD Identity Protection Design by Adrian Grigorof, CISSP, CISM, CRISC, CCSK, Marius Mocanu, CISSP, CISM, CEH, SCF, Dorian Birsan. Last update: August 3rd, 2020. Azure AD Identity Protection (AAIP) is another piece of the Microsoft M365 security stack puzzle, extending the detection of threats related to identities. It provides the ability to enforce policies, […]
May 24, 2020
Microsoft Defender Advanced Threat Protection (ATP) Design
Defender ATP is one of the stars of Microsoft’s security stack, with a meteoric rise in Gartner’s Magic Quadrant for endpoint protection. With 6 layers of protection geared towards specific requirements of the modern EDR, it takes advantage of the complementary Microsoft security services, such as Microsoft Cloud App Security, Azure ATP, Azure Information Protection, […]
May 10, 2020
Azure Sentinel Incidents & KPI Dashboards
Since its release in preview mode in February 2019, Azure Sentinel has provided the Incidents blade in its portal as a platform to monitor and manage the situation when the configured use cases (alerts) are triggered. As the product evolved in leaps and bounds, the Incidents feature has become more mature and now, combined with […]
May 10, 2020
Azure Advanced Threat Protection (ATP) Design
Azure Advanced Threat Protection (ATP) is probably a bit misunderstood as its main purpose is to identify threats in the traditional on-premises Active Directory with the help of multiple sources of information from other security controls that have visibility into various streams of data. It combines information collected from critical Windows event logs, network traffic […]