Blogs
Enhancing Azure Policies …
Azure Policies are an excellent tool for standardizing and scaling your environment within Azure. They can be used to configure log collection from Azure resources to Microsoft Sentinel. While you can manually set up log collection if your Azure environment is small, a growing cloud presence will …
Advanced DCR Scenarios - …
DCRs and their ingestion-time transformations have been around for quite a while. They are commonly used in modern Sentinel deployments, but I’ve utilized several specific configurations that are particularly useful during SIEM onboarding, migration, and troubleshooting scenarios. The primary …
Sentinel Phantom Fields: …
Read the blog post on BlueVoyant’s site: Sentinel Phantom Fields: Understanding and Managing Inaccessible Data. Microsoft transitioned to DCR-based log ingestion and manual schema management for tables some time ago. Lots of organizations are adopting this modern approach over the …
Saving cost through …
When selecting a new security technology, cost is a crucial factor. No matter how effective a tool may be, it becomes irrelevant if it’s unaffordable for you. As a result, it is critical to have someone who is experienced with the solution to prevent overpayment and maximize your …
Defender for Cloud …
A slightly different version of this article appeared on BlueVoyant’s website. Click on this link to read it there: https://www.managedsentinel.com/defender-for-cloud-and-defender-xdr-connectors-in-sentinel/ Alternatively, you may read it on my blog by scrolling down. Defender for Cloud and Defender …
The cost of a watchlist
A Sentinel watchlist is a collection of entities that can be used to correlate your logs with a rarely changing data set. Although watchlists can be updated via the Azure Portal GUI or even its API, they are typically left in Sentinel unmaintained and untouched for extended periods. I …
Log splitting with Data …
The initial release of this article appeared on BlueVoyant’s website. Click on this link to read it there, along with some lovely diagrams: https://www.managedsentinel.com/log-splitting-with-data-collection-rules/ Alternatively, you may read it on my blog by scrolling down. In a recent article, …
Ingestion delay variance …
I’m pretty sure you’ve already dealt with the ingestion delay issue if you use a SIEM with scheduled rules. There are numerous articles on the internet that explain how to handle ingestion latency without missing any events and without having your rules double-process a log. While these …
How to stop cross-tenant …
You may want to forward Azure resource logs to a different tenant from time to time. Fortunately, using the Diagnostic settings option in Azure to forward (at least some of the) logs to another tenant is quite simple. I needed to test out some of the interesting scenarios because I couldn’t …