cloud
Patching the Sentinel MCP …
MCP servers are now the default way to connect AI to real systems, tools and data. In SOC scenarios, they are used to pull logs, run hunts, and automate response steps. It feels clean and simple: you ask the model, it calls the tool, you get what you were looking for. Reality is messier. MCP servers …
Patching the Sentinel MCP …
MCP servers have become a go-to for AI-driven access to services and capabilities. In cyber security, tools, agents and people use them daily to fetch logs, hunt threats, or automate responses - straightforward in theory. In practice, though, they often ship without enterprise safeguards. …
Logs to ADX from all your …
In a previous post, I explored how Azure Monitor Agent (AMA) could turn Event Hubs into a reliable, scalable backbone for your logging infrastructure, effortlessly pulling logs from Azure VMs and routing them to Event Hubs or Storage Accounts. But here comes the bad news: Microsoft just announced …
Practical Notebook Use …
Jupyter Notebooks are remarkably versatile tools, even within Microsoft Sentinel’s data lake where current capabilities are limited. While Microsoft frequently highlights historical threat intelligence correlation and long-term threat hunting as use cases, notebooks unlock far more practical …
Modern Data Architecture …
When discussing Microsoft Sentinel data lake, the narrative centers on immediate value: cheaper ingestion, long-term storage, and historical correlation. These benefits are real, but they leave out some of the less obvious capabilities. Sentinel data lake with KQL Jobs and Notebooks transforms how SIEM …
Sentinel Data Lake - …
Microsoft has just introduced Sentinel Data Lake (SDL) in public preview, and there’s already a flurry of excitement in the cybersecurity world. Most community blog posts so far focus on how to turn it on and when you might want to use it, but very few delve into how it will change your …
DCRs #3 - Event Hubs as a …
Managing logs in a SIEM environment can be challenging, especially when aiming to design a solution that is extensible, highly available, future-proof, and reasonably priced. In this third installment of the ‘Powerful Capabilities of Data Collection Rules’ series, I show how the …
DCRs #2 - …
In the last post, we looked at the ‘Direct’ DCR that simplifies API-based data ingestion. Today, we’re looking at the AgentDirectToStore Data Collection Rule type, which gives you more options for where to send your data. The ‘AgentDirectToStore’ DCR lets the Azure …
Powerful Capabilities of …
DCRs are the modern backbone of data ingestion for Azure Sentinel, replacing legacy methods with a scalable, flexible, and consistent approach that uses a common data ingestion pipeline for all data sources. DCRs enable advanced filtering, transformation, and routing of data before it even hits your …
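To make the "filter, transform and route before ingestion" idea concrete, here is an added example of a Data Collection Rule definition (ARM resource JSON) with a KQL transformation in its data flow. It is not taken from the series above; the rule name, resource IDs, table name and KQL are assumptions for illustration. The transform drops low-value informational events, normalises a column name, and adds a derived field, so that the workspace only stores what the detection logic actually needs.

```json
{
  "type": "Microsoft.Insights/dataCollectionRules",
  "apiVersion": "2022-06-01",
  "name": "dcr-example-filtered-ingest",
  "location": "westeurope",
  "properties": {
    "dataCollectionEndpointId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers/Microsoft.Insights/dataCollectionEndpoints/dce-example",
    "streamDeclarations": {
      "Custom-AppAudit_CL": {
        "columns": [
          { "name": "TimeGenerated", "type": "datetime" },
          { "name": "Severity", "type": "string" },
          { "name": "user_name", "type": "string" },
          { "name": "SourceIp", "type": "string" },
          { "name": "Message", "type": "string" }
        ]
      }
    },
    "destinations": {
      "logAnalytics": [
        {
          "workspaceResourceId": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-logs/providers/Microsoft.OperationalInsights/workspaces/law-sentinel",
          "name": "sentinelWorkspace"
        }
      ]
    },
    "dataFlows": [
      {
        "streams": [ "Custom-AppAudit_CL" ],
        "destinations": [ "sentinelWorkspace" ],
        "transformKql": "source | where Severity !in ('Debug', 'Informational') | extend UserName = user_name | extend IsPrivateSource = ipv4_is_private(SourceIp) | project TimeGenerated, Severity, UserName, SourceIp, IsPrivateSource, Message",
        "outputStream": "Custom-AppAudit_CL"
      }
    ]
  }
}
```

Two practical checks before deploying a rule like this: the `transformKql` string only ever sees the `source` table and a restricted KQL subset (no joins across tables, no external data), and every column emitted by `project` must exist in the destination table schema (here `UserName` and `IsPrivateSource` would need to be added to the custom table first), otherwise the rows are silently dropped at ingestion rather than failing loudly.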