Archiving is a fairly new feature in Sentinel that was introduced to help you decrease the cost of your long-term data retention for events that are not used or only rarely used. Previously, you either retained your data outside of Sentinel or had to pay the costly retention fees, but now you can …

Near-Real-Time (NRT) rule is a pretty new addition to Microsoft Sentinel. There are already blog posts out there detailing the functionality of this rule type and explaining in which scenarios it can be useful. There is some information on Microsoft’s site though that left some people …

This post is to show you a practical implementation of a prototype honeytoken which is based on Remote Template Injection and Azure Function App. There are lots of honeytoken solutions on the market. You can find free options as well as expensive commercial services out there. A lot of them also …

When you deal with logs and events in an environment you have to ensure that your log sources and forwarders are up and running. Monitoring the health of these devices is crucial. You can have the best SOC team in the world and a ‘catch all attack’ detection rule collection, but without …

If you deploy Sentinel daily, you possibly have a step-by-step process you follow to maximize your efficiency. A process like this is needed to be effective and to be able the make your setup reliable and repeatable. Rule creation in Sentinel can be a part of the procedure and it often isn’t the …

When you handle logs in a SIEM, times are really important. It doesn’t matter whether you investigate alerts, or you create a detection, having the proper times and knowing the different time-related fields can be critical. One of these time fields is the ingestion time value which tells you …

The log retention period in any SIEM can have a big impact on your cost as well as your investigation and threat hunt capabilities. Defining a low period can be cheaper but it also limits your capabilities to find patterns in your network, to do proper incident response, and to carry out a threat …

A SIEM is the foundation of a modern, well-working SOC. This also means a significant part of the SOC budget can be the cost of the SIEM. Azure Sentinel offers you various payment options based on your usage. Choosing the proper one can make a big difference and can save you a lot of money compared …

A few months ago, Microsoft introduced a new functionality in the Sentinel Analytics Rules which can be used to dynamically define values in incidents. Instead of hardcoding values like the name of the incident or its description, one can specify the content based on the KQL-query used for alerting. …