Security Automation Blog

Practical Microsoft Sentinel, Defender XDR, and MISP guides focused on detection engineering, log strategy, and automation.

Browse field-tested walkthroughs on security monitoring architecture, cost optimization, threat intelligence pipelines, and practical detection engineering.

Browse all posts in chronological order

Latest Posts

The three most recent posts from the site.

Exploring artifacts of a desired state to build health checks with limited access

Learn an artifact-based architecture pattern for verifying Microsoft Sentinel UEBA state with limited RBAC access. Use existing SPN permissions (Log Analytics Contributor + Sentinel Contributor) to validate desired state without adding new privileges.

OpenTelemetry from coding agents to Azure Monitor

How OpenTelemetry works end-to-end, and one concrete way to ship logs from coding agents (VS Code Copilot, Claude Code) into Application Insights / Log Analytics via a collector in Azure Container Apps.

Microsoft Sentinel Usage Table Plan Field: KQL Queries for Cost Analysis

Use the Plan field in the Usage table to break down Microsoft Sentinel ingestion by Analytics, Basic, and Auxiliary with practical KQL queries.

Curated Topic Clusters

Start here if you want a focused reading path by topic.

Sentinel Cost and Data Strategy

Cost control, retention choices, and data-tier planning for real-world Sentinel operations.

Detection Engineering and XDR Operations

Detection design, custom rule operations, and Defender XDR execution patterns.

MISP and Threat Intelligence Pipelines

Threat intel ingestion, pipeline hardening, and MISP-to-Sentinel implementation patterns.

All Posts

Everything on the blog, with tag filtering if you want to narrow it down.

Graph API Microsoft Sentinel Data and logging Detection Engineering

Exploring artifacts of a desired state to build health checks with limited access

A short look how we can use existing access to tools like Microsoft Sentinel to build desired state configuration checks.

Jun 10, 2026 Read more →

OpenTelemetry Azure Monitor Application Insights Microsoft Sentinel

Shipping OpenTelemetry logs from coding agents to Microsoft Sentinel

A small, single-tenant OTel collector in Azure Container Apps that forwards telemetry from VS Code Copilot and Claude Code into Application Insights and Log Analytics.

Jun 2, 2026 Read more →

Microsoft Sentinel Data and logging Log Analytics

Plan types now show up in the Usage table

The Usage table now exposes plan information, making it much easier to break down Microsoft Sentinel ingestion by Analytics, Basic, and Auxiliary with native KQL.

May 15, 2026 Read more →

Entra ID Microsoft Sentinel Data and logging Detection Engineering

AADGraphActivityLogs is now available

Quick notes on the new AADGraphActivityLogs table, sample data generation with AADInternals and ROADtools, and some starter queries.

May 5, 2026 Read more →

Presentation Skills Conference Speaking Public Speaking

A Guide to Presenting Stuff, sort of

A semi-practical guide to how presenting better helps you learn, whether you're on stage, in a meeting, or just trying to explain a technical idea clearly.

Apr 30, 2026 Read more →

Microsoft Sentinel PowerShell Data and logging Cost Optimization

How to use Log Horizon to improve Microsoft Sentinel posture

A tutorial to using the Log Horizon tool to get an overview of your Microsoft Sentinel deployment, including logs, detection and Defender XDR integration.

Apr 16, 2026 Read more →

Microsoft Sentinel PowerShell Data and logging Cost Optimization

Update: Log Horizon

Log Horizon 0.5.0 adds self-contained HTML export, deeper transform analysis, stronger hardening, and improved CI-friendly reporting for Microsoft Sentinel.

Apr 9, 2026 Read more →

Microsoft Sentinel Data and logging Detection Engineering Cost Optimization

Building a practical log baseline

How to classify security logs into primary and secondary data, use Sentinel tiers pragmatically, and keep cost aligned with detection value.

Apr 6, 2026 Read more →

Microsoft Sentinel PowerShell Data and logging Cost Optimization

Tool Release: Log Horizon

A PowerShell module that connects to your Sentinel workspace and tells you if your logs are earning their keep.

Apr 1, 2026 Read more →

Microsoft Sentinel Data and logging MCP Detection Engineering

Upcoming Microsoft Sentinel features

Diving into some of the recent RSAC announcements

Mar 30, 2026 Read more →

Entra ID Privileged Access PIM Conditional Access

Privileged Access 101 in Entra ID

My potentially 'realistic-ish' take on privileged access in Entra ID, Azure and Microsoft 365. Not perfect, not nothing, maybe just good enough to actually work.

Mar 29, 2026 Read more →

Microsoft Defender XDR Graph API Custom Detection Rules PowerShell

Defender XDR - Custom Detection Rules PowerShell Module

A simple PowerShell module for managing custom detection rules via the Graph API, with SPN support

Feb 17, 2026 Read more →

Analytic Rules Microsoft Sentinel Powershell

Tool Release: rustymisp2sentinel

From idea to execution, the story of how I'm still trying to learn rust.

Jan 24, 2026 Read more →

Detection Engineering Security Monitoring

Make some noise - a note on detections

Most detection engineers already know this, but based on experience many companies will fail to consider noise in their detection strategy.

Jan 22, 2026 Read more →

Security Monitoring EDR Powershell Defender for Endpoint

Testing the SinkVPN-concept to silence EDRs

Can we silence Defender for Endpoint using a rogue VPN-server?

Jan 18, 2026 Read more →

MISP Microsoft Sentinel Threat Intelligence

Tool Release: misp-filter-builder

A little weekend project to help build filters for MISP and misp2sentinel

Jan 12, 2026 Read more →

Cyber Security C2

Could you build a simple C2-framework using World of Warcraft?

Yes. Sort of, at least. Join me to explore how we can potentially use WoW and it's ecosystem as a C2

Jan 10, 2026 Read more →

Analytic Rules Microsoft Sentinel Powershell

Disable correlation for Analytic Rules in Microsoft Sentinel

Simple script that automates the job of excluding analytic rules from correlation in Defender XDR.

Jan 7, 2026 Read more →

Cyber Security Security Monitoring Microsoft Sentinel Microsoft Defender XDR

Migrating Microsoft Sentinel to Microsoft Defender XDR

An in-depth look at why this change is happening and some things to expect from the migration.

Jan 4, 2026 Read more →

Cyber Security PowerShell Azure Azure Lighthouse

Tool Release: DarkLighthouse

DarkLighthouse is a PowerShell module for discovering Azure Lighthouse delegations. Great for security assessments and understanding your multi-tenant attack surface.

Jan 1, 2026 Read more →

SIEM XDR Custom Detection Rules Analytic Rules

This can't possibly work - building a detection engineering assistant

My entry for this years Festive Tech Calendar 2025 is a little detection engineering assistant

Dec 21, 2025 Read more →

Lab Defender for IoT Microsoft Sentinel IoT

Lab - Defender for IoT configuration

My first project on the new lab - setting up Defender for IoT on my IoT network to capture some traffic and see how it works.

Dec 4, 2025 Read more →

Lab Hyper-V

Lab - Setting up Hyper-V host

Getting started on my local lab. This post is mainly me troubleshooting Intel I225/226 network adapters.

Nov 30, 2025 Read more →

Microsoft Defender XDR Advanced Hunting Detection Engineering Data and logging

Defender for Endpoint - Custom Data Collection Rules

Expand the logging capability of the DFE agent using custom rules

Nov 22, 2025 Read more →

Microsoft Defender XDR Advanced Hunting Custom Detection Rules Analytic Rules

Practical Detection Engineering

A look at detection engineering from inception to completion

Nov 11, 2025 Read more →

Microsoft Defender XDR Advanced Hunting

Microsoft Defender XDR - Take action on advanced hunting results

The level below automation and above manual actions per asset

Aug 22, 2025 Read more →

Microsoft Sentinel Microsoft Defender XDR Graph API Azure Lighthouse

Microsoft Sentinel Data Lake - FAQ

Answering some common questions people might have

Jul 29, 2025 Read more →

Microsoft Sentinel Microsoft Defender XDR Graph API Azure Lighthouse

How to not mess up your Microsoft Sentinel deployment

Looking beyond just the technical details

Jul 20, 2025 Read more →

Microsoft Defender XDR Graph API Custom Detection Rules

Defender XDR - Custom Detection Rules Push/Pull via API

A little primer to pushing and pulling new content via the graph beta API

Jun 1, 2025 Read more →

Cyber Security Entra ID Maester Azure

Azure Spring Clean - Maestering Azure Tenant Security

A look into how we can utilize Maester to secure our Azure Tenant with a sprinkle of AI on top

Feb 28, 2025 Read more →

Cyber Security Microsoft Sentinel Azure Log Analytics

Workspace Transformation Rules in Practice

This post will show you two very useful workspace transformation rules that you can use to save money on your data ingestion in Microsoft Sentinel.

Feb 24, 2025 Read more →

Cyber Security Security Monitoring Threat Intelligence MISP

Expanding on Cyber Threat Intelligence for Security Monitoring

Three levels of detection engineering using Threat Intelligence as our guiding light

Jan 26, 2025 Read more →

Cyber Security Security Monitoring Threat Intelligence MISP

On the use of Threat Intelligence in Detection

If applied correctly, Threat Intelligence can be a useful tool in your belt. Mostly, however, it might be barking up the wrong tree depending on your maturity level. Let's explore that!

Jan 12, 2025 Read more →

Cyber Security PowerShell Threat Intelligence MISP

Tool Release: pwshuploadindicatorsapi

This module is a wrapper for the Microsoft Sentinel related Upload Indicators API, allowing you to upload indicators of compromise (IOC) to a Microsoft Sentinel instance.

Dec 27, 2024 Read more →

Cyber Security PowerShell Threat Intelligence MISP

Tool Release: pwshmisp

In an attempt to make using MISP easier, I have created a PowerShell module to interact with MISP. The release of this module is the first step towards creating a powershell integration function for pushing data from MISP to Microsoft Sentinel.

Dec 23, 2024 Read more →

Cyber Security Entra ID Security Monitoring Azure

Test Yourself Part 1: Identity

Some tips, tricks and tools to help you get started testing your own infrastructure. This is the part 1 where we'll look into identity and how you can test it.

Oct 26, 2024 Read more →

Microsoft Sentinel Entra ID Hardening Data and logging

Hardening Entra ID

This is an update to a previous article I wrote on hardening Azure Active Directory. The idea of this update is to provide a table of default settings that I would change in any Entra ID-tenant I manage.

Oct 18, 2024 Read more →

Security Monitoring Data and logging SIEM Use Cases

Security Monitoring - Threat Modeling and Data Sources

One of the most misunderstood aspects of security monitoring is determining what data sources to use for what purpose. In this post, we will go through the process of determining what data sources to use for what purpose, where to prioritize developing use cases and how to plan for the future.

Aug 25, 2024 Read more →

Cyber Security Security Architecture Antipatterns Security Monitoring

Security Monitoring Antipatterns

A little bit of a deconstruction of some antipatterns in Security Operations

Aug 19, 2024 Read more →

Nice to know Entra ID Azure Logic App

Adding Graph API permissions to Managed Identities

Making a little note of this in Graph API so it's easy to find for using it

Aug 16, 2024 Read more →

Cyber Security Security Monitoring Microsoft Sentinel Microsoft Security

5 Years On - The Microsoft Sentinel Experience

Around 5 years ago, Microsoft announced the general availability of Azure Sentinel. This post aims to assess how far we along we have come - the good, the bad and the ugly.

Jul 9, 2024 Read more →

Cyber Security Entra ID Security Monitoring Azure

Test Yourself: The Prelude

Some tips, tricks and tools to help you get started testing your own infrastructure. This is the start, where I'll just lay out some basic principles of security that we need to keep in mind moving forward.

Jun 21, 2024 Read more →

Entra ID Azure Managed Identity Identity and Access Management

Authenticate to Azure DevOps using Managed Identity and REST API

How to add a managed identity to Azure DevOps and get access tokens for Azure Devops

Apr 17, 2024 Read more →

Nice to know Entra ID Azure Azure DevOps

Download Azure DevOps Repositories using a Managed Identity and REST API

Everything you need to know to download Azure DevOps repositories using a Managed Identity and REST API

Apr 17, 2024 Read more →

Cyber Security Entra ID Security Monitoring Azure

Tools You Should Know: ScubaGear

Developed by CISA, ScubaGear is an assessment tool that verifies a Microsoft 365 (M365) tenant’s configuration conforms to the policies described in the Secure Cloud Business Applications (SCuBA) Security Configuration Baseline documents.

Mar 9, 2024 Read more →

Microsoft Sentinel Automation SOAR Security Monitoring

Automating Security Monitoring - Part 2: Automation

A look at automating alerts and incident-handling.

Feb 3, 2024 Read more →

Microsoft Sentinel Automation SOAR Security Monitoring

Automating Security Monitoring - Part 1: Data

A look at how to get started automating security monitoring (or just stuff in general).

Jan 31, 2024 Read more →

PowerShell Cyber Security MISP

Christmas Wrappers - Part 2

How to create a wrapper script in Powershell

Jan 15, 2024 Read more →

PowerShell Cyber Security MISP

Christmas Wrappers - Part 1

How to create a wrapper script in Powershell

Dec 18, 2023 Read more →

Cyber Security Security Monitoring SIEM Use Cases

Security Monitoring - Developing Use Cases

Some thoughts on developing use cases and the importance of detection engineering

Sep 17, 2023 Read more →

MISP Threat Intelligence Microsoft Sentinel IOC

Figuring out MISP2Sentinel Event Filters

How they work, how to use them and some (hopefully not horrible) examples.

Sep 2, 2023 Read more →

Cloud Security Microsoft Sentinel Data and logging Azure Functions

Use Update Indicators API to push Threat Intelligence from MISP to Microsoft Sentinel

A quick intro on how to set up MISP, Azure Functions and Sentinel to push threat intelligence from MISP to Sentinel

Aug 3, 2023 Read more →

Cloud Security Microsoft Sentinel Data and logging Azure Functions

Pushing Threat Intelligence from MISP to Microsoft Sentinel

A quick intro on how to set up MISP, Azure Functions and Sentinel to push threat intelligence from MISP to Sentinel

Jun 4, 2023 Read more →

Cloud Security Microsoft Sentinel Data and logging Azure Functions

Increasing the default timeout of Azure Functions

Azure Functions are used for most data connectors, but some of them have a very low default timeout.

Jun 2, 2023 Read more →

Cloud Security Azure IAM

Removing orphaned Azure resource assigments

Simple fix for removing any "identity not found" on resources in Microsoft Azure.

May 15, 2023 Read more →

Cloud Security Microsoft Sentinel Workspace Manager MSSP

Microsoft Sentinel Workspace Manager

Short introduction to the new preview, what it does and what I think of it currently.

Apr 24, 2023 Read more →

Cloud Security Microsoft Sentinel Data and logging

Field notes on security strategy

Some thoughts and notes around implementing security features and what it is that we keep doing the wrong way.

Mar 4, 2023 Read more →

Azure Azure Lighthouse ARM Templates Managed Services

Azure Lighthouse access design considerations

Considerations when creating an Azure Lighthouse managed service design.

Jan 10, 2023 Read more →

Cloud Security Microsoft Sentinel Data and logging

Cost estimation in Microsoft Sentinel

How to estimate Microsoft Sentinel cost with the Sentinel Cost Estimator, real ingestion data, and practical tiering decisions.

Jan 2, 2023 Read more →

Cloud Security Azure DevOps PowerShell Microsoft Sentinel

I want you to steal my job

I'm a Security Engineer (whatever that means) and maybe you want to be to? Hopefully this helps a little towards that.

Dec 2, 2022 Read more →

Cloud Security Azure Lighthouse Privileged Identity Management Privileged Access Groups

Design an MSSP access strategy for Microsoft Sentinel

Some thoughts and considerations when designing an Azure Lighthouse access strategy

Nov 8, 2022 Read more →

Cloud Security Azure DevOps Webhook triggers Pipelines

Simple security in Azure DevOps pipelines

Quick introduction to starting pipelines with webhook triggers and (hopefully) making them secure-ish

Oct 28, 2022 Read more →

Cloud Security Microsoft Sentinel Playbooks

IP Allowlisting in Microsoft Sentinel Playbooks

Quick introduction to IP allowlisting in Microsoft Sentinel and some thoughts around how to (not) implement it.

Oct 26, 2022 Read more →

Cloud Security Defender for Cloud Defender for DevOps Azure DevOps

Enable Defender for DevOps in Azure DevOps pipelines

Quick introduction to Defender for DevOps and how to enable it in an Azure DevOps pipeline.

Oct 13, 2022 Read more →

Microsoft Sentinel Active Directory Azure Monitor Agent Azure Arc

Creating smart Data Collection Rules by parsing EventIDs from Analytic Rules

Data Collection Rules allows us to create custom filters based on XPath-queries. If we do this based on active Analytic Rules, we can create DCRs that only ingest the data we actually have detection for.

Oct 4, 2022 Read more →

Azure Azure Lighthouse ARM Templates Managed Services

Azure Lighthouse 101

What is Azure Lighthouse, what does it do and how does it do it?

Sep 21, 2022 Read more →

Microsoft Sentinel Azure DevOps Analytic Rules PowerShell

Templating Microsoft Sentinel Analytic Rules using Powershell and CI/CD pipelines

Using the Microsoft Sentinel API and Powershell we can download all the components we want and template them for deployment - this allows you to create Analytic Rules in the Azure Portal and deploy them to multiple customers using CI/CD pipelines.

Sep 15, 2022 Read more →

Microsoft Sentinel ARM Templates Azure Functions Data and logging

Adding a Key Vault to your Microsoft Sentinel Data Connector ARM-template

A subset of Data Connector for Sentinel come in the form of Azure Functions deployed using an ARM-template. Most if not all of these functions avoid actually implementing a Key Vault to secure your variables, so here's the snippets to implement it yourself.

Sep 12, 2022 Read more →

Microsoft Sentinel Azure Active Directory Hardening Data and logging

Hardening Azure Active Directory

Going over some attack paths for Azure Active Directory (that I know of) and how to harden your environment to avoid exploitation (or just minimize the risk slightly). The focus for this post is app registrations and basic enumeration.

Sep 11, 2022 Read more →

Microsoft Sentinel Azure Lighthouse LAQueryLogs AzureActivity

Auditing Microsoft Sentinel queries in an Azure Lighthouse-environment

Quick introduction to auditing Microsoft Sentinel queries in a cross-tenant scenario - and some things to be aware of.

Aug 25, 2022 Read more →

Azure REST API Microsoft Sentinel Azure Lighthouse ARM Templates

Assign roles to managed identities in Microsoft Sentinel playbooks using Azure Lighthouse

Grant access via Azure Lighthouse using User Access Administrator delegation, ARM-templates, pipelines and powershell.

Jul 6, 2022 Read more →

Azure REST API Microsoft Sentinel Azure Lighthouse ARM Templates

Create Managed Identity and assign roles using Azure Lighthouse

Create Managed Identites and grant access via Azure Lighthouse using User Access Administrator delegation.

Jun 7, 2022 Read more →

Azure REST API Microsoft Sentinel SecurityInsights Automation Rules

Deploying Automation Rules via API

Automate more of your Azure Sentinel deployment by combining the Az Powershell-module and the 2019-01-01-preview API to deploy Automation Rules from JSON-templates.

Aug 23, 2021 Read more →

Hacking HackTheBox