Creating a codeless data connector for Microsoft Sentinel

Microsoft recently introduced the Codeless Connector Platform – a new preview feature for Microsoft Sentinel that enables partners, developers and power users to create custom connectors that ingest data from third-party REST APIs without writing a single line of code. In this post we’ll explore the process of using the platform to ingest Atlassian Jira audit logs into Microsoft Sentinel…

Infrastructure as Code in practice: Building a Blue Team lab with Bicep

Experienced cyber security professionals often recommend that students looking to break into the industry invest in a home lab, and I wholeheartedly agree. However, if you’re anything like me you’ll tend to spin up new lab environments only to rip them down and recreate them a few days later, which can quickly become onerous. You know the saying – if you do it more than once, automate it – and what better way to do that than with Infrastructure as Code?

Just-in-time conditional access with Azure AD Privileged Identity Management

Microsoft curate a list of common conditional access policies that align with their best-practice recommendations for securing Azure Active Directory, including requiring multi-factor authentication for all users and blocking legacy authentication protocols, just to name a few. These policies are great, but in practice they can be difficult to implement…

Automating vulnerability reports with Microsoft Defender – Part 2

In Part 1 of this series we brainstormed an idea for an app that would generate automated vulnerability reports using the Microsoft Defender for Endpoint API and email those recommendations directly to our end-users. We created the app registration in Azure AD, granted it the appropriate permissions to query the various Microsoft APIs, and finally scoped those application permissions so that our app could only send mail on behalf of a specific shared mailbox. With all of that supporting infrastructure sorted, we can finally get started writing the script…
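The mailbox scoping step mentioned above is the least-privilege control that keeps an app holding the application-level Mail.Send permission from sending as any mailbox in the tenant. The snippet below is an added example, not the script from either part of the series, showing how that restriction is expressed with an Exchange Online application access policy and then verified. The application (client) ID and the mailbox addresses are placeholders.

```powershell
# Added example (not the post's own code): restrict an app registration that holds
# the Mail.Send application permission to a single shared mailbox, then verify it.
# The app ID and mailbox addresses below are placeholders you must replace.
$AppId         = '00000000-0000-0000-0000-000000000000'  # assumption: client ID of the app registration
$SharedMailbox = 'vuln-reports@contoso.com'              # assumption: the only mailbox the app may send from
$OtherMailbox  = 'someone.else@contoso.com'              # assumption: any mailbox that should be denied

# Requires the ExchangeOnlineManagement module and an Exchange administrator role.
Connect-ExchangeOnline

# RestrictAccess limits the app to the mailboxes in PolicyScopeGroupId (a mailbox or
# mail-enabled group); requests against every other mailbox are rejected.
New-ApplicationAccessPolicy -AccessRight RestrictAccess `
    -AppId $AppId `
    -PolicyScopeGroupId $SharedMailbox `
    -Description 'Vulnerability report app: send mail only as the shared mailbox'

# Policies can take up to 30 minutes to take effect, so re-run this check after
# creating the policy. AccessCheckResult should be Granted for the shared mailbox
# and Denied for everything else.
foreach ($mailbox in @($SharedMailbox, $OtherMailbox)) {
    $result = Test-ApplicationAccessPolicy -Identity $mailbox -AppId $AppId
    "{0,-35} {1}" -f $mailbox, $result.AccessCheckResult
}
```

If the second check still reports Granted, the policy has not propagated yet or the scope object does not resolve to the mailbox you intended; `Get-ApplicationAccessPolicy` lists the policies currently in force for the tenant.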

Automating vulnerability reports with Microsoft Defender – Part 1

Microsoft Defender for Endpoint has built-in functionality that allows you to configure email notifications to alert your security team when vulnerable software is detected on your users’ devices. You can scope these rules by vulnerability severity and by the groups a device belongs to, and even have them notify you when a public exploit is released following the initial disclosure. This is great, but there are cases where you may need more control over the reporting process…