Category Archives: Security Automation

Transform Azure Sentinel incident to Log Analytics Workspace with Logic App

As a SOC Analyst or Manager who are working on Azure Sentinel you would like to have a view of how productive your team is (response time, resolution..). As being familiar with Log Analytics query, you might wish to do … Continue reading

Posted in Security Automation | Tagged , , | 1 Comment

Be careful when you have escape char in Key Vault secret value

I recently had some works that required to use Azure Key Vault. Specifically a secret that stored a service principal’s password that contained some special characters (escape ones). This article just shows you my finding and how to fix it … Continue reading

Posted in Security Automation | Tagged | Leave a comment

Quick look at new Azure Sentinel Incident API

I got some questions from people who worked with Microsoft product team about the new incident API they were introduced. I took a glance at it and thought I would need to write something about it, especially wrote a new … Continue reading

Posted in Security Automation | Tagged , | 5 Comments

Quick notes in deploying Guest Configuration Extension on Azure VM

Azure Policy Guest Configuration allows you to audit configuration inside host. It sounds very much similar to Azure Automation Account Desired State Configuration (DSC). In fact the concept is similar to DSC but Azure Policy uses a dedicated agent called … Continue reading

Posted in Security Automation | Tagged , | Leave a comment

Enable Microsoft Defender ATP integration in Azure Security Center programmatically

If you have worked with Azure Security Center and Microsoft Defender ATP (Advanced Threat Protection) you may know a setting in Azure Security Center called Threat Detection where you can allow Microsoft Cloud App Security (MCAS) or Microsoft Defender ATP … Continue reading

Posted in Azure Security Center, Security Automation | Tagged , | Leave a comment

Get all comments in an Azure Sentinel incident programmatically

For any kind of report you may want to get all comments in an Azure Sentinel in order to archive as an forensic or incident artifact in an incident case before it is closed. Even comments in Azure Sentinel is … Continue reading

Posted in Security Automation | Tagged , , | Leave a comment

Update Azure Sentinel incident programmatically

There has to be a case that you want to update Azure Sentinel incidents namely label or assignment. For example you would like all brute-force attack related incidents to have label brute-force and to assign to a specific person/team that … Continue reading

Posted in Security Automation | Tagged , | 7 Comments

Parse ExtendedProperty in Azure Sentinel alert for Logic App use

I got a few questions from readers about processing data in ExtendedProperties in alert data. They didn’t want to send a full JSON format. Instead they wanted to extract piece of information from helpful field like ExtendedProperties to compose a … Continue reading

Posted in Security Automation | Tagged , | 3 Comments

Notify Azure Sentinel alert to your email automatically

Currently there is not any built-in functionality that notifies you via email if there is an incident that is generated in Azure Sentinel. Checking Azure Sentinel every time wouldn’t be an idea while working with email is simply a habit. … Continue reading

Posted in Security Automation | Tagged , , | 6 Comments

Guidance for CVE Crypto and RDG vulnerability patching on Azure VM

There are a lot of buzz these days around the most recent Microsoft Tuesday Patch January 2020.  There are critical vulnerabilities found in the core Windows crypto functionality as well as Remote Desktop Gateway (RDG).  While the crypto related vulnerability … Continue reading

Posted in Security Automation | Tagged , , | 11 Comments