security automation blog

infernux.no

Creating smart Data Collection Rules by parsing EventIDs from Analytic Rules

Data Collection Rules allow us to create custom filters based on XPath queries. If we build these filters from the active Analytic Rules, we can create DCRs that only ingest the data we actually have detections for.

Posted on October 4, 2022

Tags: Microsoft Sentinel, Active Directory, Azure Monitor Agent, Azure Arc, Data Collection Rules, Windows Security Events

Azure Lighthouse 101

What is Azure Lighthouse, what does it do and how does it do it?

Posted on September 21, 2022

Tags: Azure, Azure Lighthouse, ARM Template, Managed Services

Templating Microsoft Sentinel Analytic Rules using PowerShell and CI/CD pipelines

Using the Microsoft Sentinel API and PowerShell, we can download all the components we want and template them for deployment. This lets you create Analytic Rules in the Azure Portal and deploy them to multiple customers using CI/CD pipelines.

Posted on September 15, 2022

Tags: Microsoft Sentinel, Azure DevOps, Analytic Rules, PowerShell, Microsoft Sentinel API, ARM-templates

Adding a Key Vault to your Microsoft Sentinel Data Connector ARM-template

A subset of Data Connectors for Sentinel come in the form of Azure Functions deployed using an ARM-template. Most, if not all, of these functions avoid actually implementing a Key Vault to secure your variables, so here are the snippets to implement it yourself.

Posted on September 12, 2022

Tags: Microsoft Sentinel, ARM-templates, Azure Functions, Data connectors, Key vault

Hardening Azure Active Directory

Going over some attack paths for Azure Active Directory (the ones I know of) and how to harden your environment to avoid exploitation (or at least reduce the risk somewhat). The focus for this post is app registrations and basic enumeration.

Posted on September 11, 2022

Tags: Microsoft Sentinel, Azure Active Directory, Hardening, Logging, App registration, Enterprise applications, Consent

infernuxmonster  •  2025  •  Infernux.no
