Plan types now show up in the Usage table
The Usage table now exposes plan information, making it much easier to break down Microsoft Sentinel ingestion by Analytics, Basic, and Auxiliary w...
Deep dive into detection engineering best practices focusing on KQL performance, readability, and maintainability for Microsoft Sentinel and Defend...
Quick notes on the new AADGraphActivityLogs table, sample data generation with AADInternals and ROADtools, and some starter queries.
A tutorial on using the Log Horizon tool to get an overview of your Microsoft Sentinel deployment, including logs, detection and Defender XDR integ...
Log Horizon 0.5.0 adds self-contained HTML export, deeper transform analysis, stronger hardening, and improved CI-friendly reporting for Microsoft ...
Customers with Microsoft 365 E5 and E7 receive 400 Security Compute Units (SCUs) per month for every 1,000 paid user licenses, up to a maximum of 1...
How to classify security logs into primary and secondary data, use Sentinel tiers pragmatically, and keep cost aligned with detection value.
A PowerShell module that connects to your Sentinel workspace and tells you if your logs are earning their keep.
Microsoft summarized their RSAC 2026 Sentinel announcements and there’s a lot in there to digest. If you are a part of the Security Advisors Progra...
Intro During my latest engagements with different customers I frequently received the question why you still have to configure Azure permissions if...
In my previous blog I explain different security misconfigurations in Microsoft Copilot Studio agents including ⚠️ risk and ✅ mitigations. This blog co...
Agent Identity Security controls … From a Security perspective it is recommended to provide Security Controls for AI Agents as if they were humans ...
From idea to execution, the story of how I'm still trying to learn Rust.
For years, customers have asked for ways to extend data retention in Microsoft Defender XDR beyond the default limits to support advanced hunting a...
Learn how to monitor new actions in Microsoft Sentinel and Defender XDR with KQL, Logic Apps, and Graph API. Automate weekly reports and improve SO...
A little weekend project to help build filters for MISP and misp2sentinel
Simple script that automates the job of excluding analytic rules from correlation in Defender XDR.
Microsoft announced the public preview of Microsoft Sentinel Cost Management at Microsoft Ignite 2025. The new feature brings more in-depth cost vi...
An in-depth look at why this change is happening and some things to expect from the migration.
My first project on the new lab: setting up Defender for IoT on my IoT network to capture some traffic and see how it works.
Introduction When connecting Microsoft Sentinel to Defender XDR, there are a couple of changes happening in tables which you should be aware of. Ev...
Starting with version 2.4.129.0, Microsoft Entra Connect Sync introduces a new admin audit logging feature that is enabled by default. This capabil...
Copyright © 2025 Microsoft Security - All Rights Reserved.
This blog post is a sleeper. I documented it in 2023 and never came around to publishing it. The post was always too short in my opinion, too niche. B...
The new GraphApiAuditEvents table in Advanced Hunting has been in Public Preview since July this year. These valuable logs give new insights into ...
Microsoft Sentinel’s data lake story is quietly powerful: you get fast, 90-day Analytics (Shortterm) for hunting and detections, plus scalable, ...
In recent years, an increasing number of customers have requested options to extend retention in Microsoft Defender XDR beyond the default 30 days ...
Microsoft released the new Microsoft Sentinel data lake in public preview this month. With the data lake feature, it is possible to scale and store...
Answering some common questions people might have: the data lake is here, rejoice. It also brings up a bunch of questions, like do I still need Micros...
Looking beyond just the technical details: I recently did a presentation with the same title as this post and figured it would be a good idea to a...
Logic Apps allow organizations to easily automate processes; in the last blog, the APIs to run KQL were discussed. This blog builds upon the knowledg...
Introduction Microsoft announced on the 1st of July 2025 that the Microsoft Sentinel Azure Portal UI will be deprecated on the 1st of July 2026, an...
A little primer on pushing and pulling new content via the Graph beta API. Jumping straight into this one, custom detection rules are similar to a...
Together with Thijs, I gave our updated session on how we architect a SOC on top of Microsoft Defender XDR and Microsoft Sentinel. Since there were...
Hi there! Welcome (back) to my blog series about building a connector using Microsoft’s Sentinel Codeless Connector Platform (CCP). In the previous...
With the use of Security Copilot, it is possible to enrich and triage alerts automatically using GenAI data. Microsoft recently developed new SOC a...
Hey there, glad to see you’re still with me on this journey! If this is your starting point, you might want to consider reading the previous part...
Hey there, welcome back! In this blog series I’ll show you how you can make your own Sentinel Codeless Connector Platform (CCP) connector. If you h...
Hey there! In this blog series I’ll walk you through a step by step guide on how to build your own Codeless Connector Platform (CCP) da...
This post will show you two very useful workspace transformation rules that you can use to save money on your data ingestion in Microsoft Sentinel....
Sometimes I get the question, how can I keep up with all the new actions that are added to our security solutions? This question is very valid, as ...
Introduction During my time as SOC Engineer, I do a lot of third-party data source ingestion projects for clients into their Microsoft Sentinel ins...
What started as a single blog is now becoming a yearly trend. More and more KQL related repositories are created, not only with a focus on security...
This module is a wrapper for the Microsoft Sentinel related Upload Indicators API, allowing you to upload indicators of compromise (IOC) to a Micro...
In an attempt to make using MISP easier, I have created a PowerShell module to interact with MISP. The release of this module is the first step tow...
Over the past couple of weeks I’ve been working in close collaboration with the Netskope team to build and design a new Sentinel data connector for...
The unified audit log is a centralized repository for M365 user and admin activities. The activities originate from different applications, such as...
Introduction Microsoft Sentinel offers a lot of features, one being the ability to manage your analytic rules (detection rules) as infrastructure as...
I spoke together with my colleague Thijs Lecomte at Cyber back to School, where we recorded our session on how to architect a SOC on top of Microso...
Last Updated on January 21, 2025 by Michael Morten Sonne Introduction Microsoft Sentinel, a security information and event… The post Import an...
Today, we use logging for many purposes including security hunting with SIEM (Sentinel), troubleshooting, performance telemetry, compliance reporti...
Microsoft has announced a new Sentinel feature: Summary Rules. Those rules are aimed at aggregating large sets of data in the background for a smoo...
There are many different ways of getting your security data into Microsoft Sentinel: you can use agent based software, play around with Diagnostic ...
Disclaimer: there is no change for existing Microsoft Defender for IoT (Azure) deployments. OT (Operational Technology) is (often old) technology (ha...
Around 5 years ago, Microsoft announced the general availability of Azure Sentinel. This post aims to assess how far along we have come; the go...
I spoke together with my colleague Thijs Lecomte at Experts Live, where we talked about how we architect a Security Operations Center on top of ...
Introduction During the last few years, I worked with a couple of customers who struggle with getting control over their corporate networks. Even t...
Background Some of my customers do not have a 24×7 SOC but still want to utilize Microsoft Security Copilot during their ... Read more
Last Updated on April 4, 2024 by Michael Morten Sonne Introduction What is coming to the Microsoft Defender… The post Microsoft Defender XDR ...
Critical features will break or stop working if you delete too much in Legacy solutions like SecurityInsights, SQLAdvancedThreatProtection or SQLV...
Introduction You are probably wondering what CSS has to do with detecting AitM sites. In this blog post, we will go over how we can use a custom C...
In the recent parts of the blog post series, we have gone through the various capabilities to detect threats and fine-tune incident enrichment of W...
Collecting details of all workload identities in Microsoft Entra ID allows you to build correlation and provide enrichment data for Security Operation ...
Microsoft's security strategy is all about AI with Security Copilot leading the charge. Even in a world of AI tools, knowing how to use KQL and Sen...
Attack techniques have shown that service principals will be used for initial and persistent access to create a backdoor in Microsoft Entra ID. This...
Together with my colleague Louis Mastelinck, we talked on the Microsoft Sentinel user forum about Microsoft Sentinel data ingestion and avoiding al...
Introduction Hello there, welcome back to part 4 of my Sentinel & SOAR series! If you’re new to this series you might want to check out any earl...
My first public speaking experience! I spoke together with my colleague Sander Bougrine on MC2MC, where we deep dived into how to integrate 3rd par...
Microsoft Defender Threat Intelligence (MDTI), previously known as RiskIQ, brings the threat intelligence data together from multiple sources. With t...
Warning We ‘archived’ this blogpost during a migration from the old HybridBrothers website framework to the new one, since it is more t...
It is time for part 9 of the Microsoft Defender for Endpoint (MDE) series. Part 9 is focused on the automation part of Defender for Endpoint with t...
System Monitor (Sysmon) is one of the most common add-ons for Windows logging. With Sysmon, you can detect malicious activity by tracking code beha...
This blog is about keeping long-term Sentinel logs, giving you insight into the options today – with great opportunities to ... Read more
Do you want to automate alert rules, including creating new alert rules and updating existing ones – with checks every x ... Read more
This is a real-life example of how I helped reduce the log cost by 43% for LogAnalytics & Sentinel combined for ... Read more
One of the cool features in Azure LogAnalytics is the capability to do data transformation before the data enters your LogAnalytics ... Read more
Warning We ‘archived’ this blogpost during a migration from the old HybridBrothers website framework to the new one, since it is more t...
After the initial onboarding of Microsoft Sentinel, connectors can be used for ingesting data. Microsoft invested in pre-built connectors which can...
Automation is critical for modern SOC environments to handle the volume of upcoming threats and manage day-to-day tasks. Ideally most of the featur...
For many years, abuse of Remote Desktop Protection (RDP) has been the most common root cause of all ransomware events. At the moment one of the mos...
Microsoft Teams and other online collaboration tools have increased massively in the last 2-3 years. Working from home became the new normal in most of ...
The Microsoft Sentinel Data Connector that utilizes the modern agent (AMA) for collecting Windows Security Events has for a couple of months been general...
Microsoft announced a new public preview which contains the new Microsoft Sentinel Health Monitoring feature. Microsoft Sentinel now provides the...
Microsoft Sentinel has in recent months been improved with a huge amount of new interesting features. One of the announced features is the content hub....
Microsoft recently added a new function that gives the option to stream events from Azure AD Identity Protection into Microsoft Sentinel. In this ...
Cloud discovery is one of the most interesting functions available with the Cloud App Discovery product. With Cloud Discovery, organizations will g...
Lateral movement refers to the techniques that a cyber attacker uses, after gaining initial access, to move deeper into a network in search of sens...
Welcome to the fifth blog post in the series becoming a Kusto Knight. While the previous blog post was about time in Kusto, this blog post will be ...
A Password Spraying Attack is a type of brute force attack where a malicious actor attempts the same password on many accounts before moving on to ...
It has been busy times, and I have not written much lately. So, I have had some time to think about new detections. And while there are enough blog...
System Monitor (Sysmon) is one of the most common add-ons for Windows logging. With Sysmon, you can detect malicious activity by tracking code beha...
Live response is a function from Defender for Endpoint and is available for Windows 10 and Server 1803/1903. Live response gives security operation...
Microsoft announced on 14th June 2021 a new version of the Windows Security Events data connector. The new feature has currently reached public pre...
Technical details and a proof-of-concept (PoC) exploit have been accidentally leaked for a currently unpatched vulnerability in Windows that makes ...
In recent years, there has been a large increase in cybercriminals attempting to run attacks by exploiting login credentials. With the current w...
A new feature in public preview is the Azure AD access review functionality. With the new AzureAD access reviews function it is possible to review ...
Conditional Access configuration for AzureAD accounts is important. With Conditional Access you can easily protect accounts, block outdated protocols...
Working from home became the new normal in most of the work environments. With the increase of working from home, the security impact also changed. ...
SolarWinds has revealed how monitoring products it released earlier this year may have been tampered with in a supply chain attack. In this blog po...
Azure Sentinel is a cloud-native security information and event management (SIEM) platform. Sentinel uses AI to analyze large volumes of data. Azu...
Azure Sentinel is a cloud-native Security Information and Event Management solution, also known as a SIEM solution. Azure Sentinel is cloud-...
Azure Sentinel is one of the newest security products from Microsoft. But what exactly is the purpose of Azure Sentinel within the Microsoft environ...