Archives
- January 2021 (1)
- August 2020 (1)
- July 2020 (3)
- June 2020 (1)
- March 2020 (5)
- February 2020 (3)
- January 2020 (18)
- December 2019 (22)
- November 2019 (3)
- October 2019 (1)
- July 2019 (1)
- April 2019 (2)
- January 2019 (2)
- October 2018 (2)
- September 2018 (1)
- August 2018 (4)
- July 2018 (4)
- February 2018 (6)
- January 2018 (3)
- November 2017 (1)
- August 2017 (3)
- May 2017 (4)
- April 2017 (4)
- December 2016 (1)
Categories
- Application Security (1)
- Azure Security Center (10)
- Governance & Compliance (10)
- Host Protection (3)
- Identity & Access Control (7)
- Monitoring & Detection (16)
- Network Security (2)
- Secure Development (8)
- Security Automation (32)
- Security Operation (14)
- Service Overview (1)
Tag Archives: azure sentinel
Get Alert Relation from an Incident using Azure Sentinel Incident Relation API
I have had a few questions recently asking whether we can get the associated alert for an incident. The idea is to know which alert caused an incident so the SecOps team can better investigate the issue. In this article, let's …
Posted in Security Automation
Tagged azure sentinel, azure sentinel api, azure sentinel incident
Transform Azure Sentinel incident to Log Analytics Workspace with Logic App
As a SOC analyst or manager working on Azure Sentinel, you would like to have a view of how productive your team is (response time, resolution …). Being familiar with Log Analytics queries, you might wish to do …
Posted in Security Automation
Tagged azure logic app, azure sentinel, azure sentinel incident
Authenticate with Log Analytics workspace interactively in Azure Sentinel notebooks
One of the common steps before a SecOps analyst starts investigating and writing hunting queries is to authenticate with the Log Analytics workspace where security data and event logs are stored, using kqlmagic. The most common way is to let Azure …
Get started with Azure Sentinel Notebooks
Hunting in Azure by using Kusto Query Language to write queries against a Log Analytics workspace may not be enough for you. Given an example like this article, you would want to extract all attacker IP addresses and use VirusTotal to verify …
An analysis of Suspicious Authentication activity from Azure Security Center
Some readers, after following this article to simulate alerts generated from Azure Security Center, approached me asking about one of the alerts they had seen, named Suspicious authentication activity. They don't know whether their testing virtual machines in …
Posted in Monitoring & Detection
Tagged azure security analysis, azure security center, azure sentinel
Create a fully customized Azure Sentinel incident
There are several ways to create an incident in Azure Sentinel. Simulating an alert from Azure Security Center and feeding it in to become an Azure Sentinel incident is one of them. Another way is to create a simple scheduled analytics …
Delete an Azure Sentinel incident (from ASC)
Is it possible to remove an Azure Sentinel incident? The answer is yes. However, this is not going to be a recommendation for security operations. Let's see how to make that happen.
Azure Sentinel ARM Template
I got a question from some readers asking whether there is a way to deploy Azure Sentinel through an Azure ARM template and what the common use cases for deploying such a template are. In this article, let's explore the …
Extract all Azure Sentinel incidents
I was asked by a few readers, after they read this article, whether there was a way to extract all incidents in Azure Sentinel so they could produce a report and send it to their managers. In this article, let's see …
Posted in Security Automation
Tagged azure sentinel, azure sentinel api, azure sentinel incident
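The teaser above is about pulling every incident out of a workspace for a report. The list API returns incidents a page at a time, and a script that reads only the first response silently under-reports. The following is an added example, not code from the post or from Microsoft: it builds the incidents list URL, follows `nextLink` until the pages are exhausted (with a guard against a repeated link), and counts incidents by severity and status. The ARM path, the `api-version` value, the `value`/`nextLink` response shape and the bearer-token retrieval are assumptions; the sample pages and `fake_fetch` are constructed so the example runs offline.

```python
"""Page through the Azure Sentinel incidents list API and summarise the result.

Added illustration only; not the blog post's own code. Assumptions (not taken
from the page): the Microsoft.SecurityInsights list endpoint below, a GA
api-version string, the standard ARM {"value": [...], "nextLink": "..."} page
shape, and a bearer token obtained elsewhere (e.g. az account get-access-token).
"""
import json
from collections import Counter
from typing import Callable, Dict, Iterator, List, Optional
from urllib.parse import urlencode
from urllib.request import Request, urlopen

ARM = "https://management.azure.com"
API_VERSION = "2020-01-01"  # assumption: a GA api-version of Microsoft.SecurityInsights


def incidents_url(subscription_id: str, resource_group: str, workspace: str) -> str:
    """Build the list URL for all incidents in one Log Analytics workspace."""
    path = (
        f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
        f"/providers/Microsoft.OperationalInsights/workspaces/{workspace}"
        f"/providers/Microsoft.SecurityInsights/incidents"
    )
    return f"{ARM}{path}?{urlencode({'api-version': API_VERSION})}"


def http_get_json(url: str, token: str) -> Dict:
    """Real fetcher: GET the URL with a bearer token and parse the JSON body."""
    req = Request(url, headers={"Authorization": f"Bearer {token}"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def iter_incidents(
    first_url: str,
    token: str,
    fetch: Callable[[str, str], Dict] = http_get_json,
) -> Iterator[Dict]:
    """Yield every incident, following nextLink until the server stops returning one.

    A page is refused if its nextLink has already been visited, so a misbehaving
    server (or a stale link) cannot turn the loop into an infinite one.
    """
    url: Optional[str] = first_url
    seen = set()
    while url and url not in seen:
        seen.add(url)
        page = fetch(url, token)
        for incident in page.get("value", []):
            yield incident
        url = page.get("nextLink")


def summarise(incidents: List[Dict]) -> Dict:
    """Count incidents by severity and by status for a management report."""
    props = [i.get("properties", {}) for i in incidents]
    return {
        "count": len(props),
        "by_severity": dict(Counter(p.get("severity", "Unknown") for p in props)),
        "by_status": dict(Counter(p.get("status", "Unknown") for p in props)),
    }


# Constructed sample pages standing in for the REST API so the example runs offline.
SAMPLE_PAGES = {
    "page1": {
        "value": [
            {"name": "inc-1", "properties": {"severity": "High", "status": "New"}},
            {"name": "inc-2", "properties": {"severity": "Medium", "status": "Active"}},
        ],
        "nextLink": "page2",
    },
    "page2": {
        "value": [
            {"name": "inc-3", "properties": {"severity": "High", "status": "Closed"}},
        ]
    },
    # A page whose nextLink points back at itself: the visited-set guard stops here.
    "loop": {
        "value": [{"name": "inc-9", "properties": {"severity": "Low", "status": "New"}}],
        "nextLink": "loop",
    },
}


def fake_fetch(url: str, token: str) -> Dict:
    """Offline stand-in for http_get_json over the constructed pages."""
    return SAMPLE_PAGES[url]


def demo() -> Dict:
    """Walk the constructed two-page listing and return the report summary."""
    incidents = list(iter_incidents("page1", "dummy-token", fetch=fake_fetch))
    return summarise(incidents)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

To run it against a real workspace, replace `fake_fetch` with the default `http_get_json`, pass `incidents_url(...)` as the first URL and a token with read access to the workspace; the paging and counting logic is unchanged.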
Get all comments in an Azure Sentinel incident programmatically
For any kind of report you may want to get all comments in an Azure Sentinel incident in order to archive them as a forensic or incident artifact in an incident case before it is closed. Even comments in Azure Sentinel are …