Exploring artifacts of a desired state to build health checks with limited access
A short look how we can use existing access to tools like Microsoft Sentinel to build desired state configuration checks.
Read more →
security automation blog
newest posts
Shipping OpenTelemetry logs from coding agents to Microsoft Sentinel
A small, single-tenant OTel collector in Azure Container Apps that forwards telemetry from VS Code Copilot and Claude Code into Application Insights and Log Analytics.
Read more →
Plan types now show up in the Usage table
The Usage table now exposes plan information, making it much easier to break down Microsoft Sentinel ingestion by Analytics, Basic, and Auxiliary with native KQL.
Read more →
AADGraphActivityLogs is now available
Quick notes on the new AADGraphActivityLogs table, sample data generation with AADInternals and ROADtools, and some starter queries.
Read more →
Tools and repositories
log-horizon
Microsoft Sentinel SIEM log source analyzer. Classifies tables, scores cost-vs-detection value, and generates recommendations.
PowerShell
27
MicrosoftSentinel-Scripts
Repository for publishing scripts related to Microsoft Sentinel.
PowerShell
8
misp2sentinelone
Proof of concept PowerShell functions for sending TI from MISP to SentinelOne.
PowerShell
7
DarkLighthouse
Simple tool to detect Azure Lighthouse delegations and automate persistence setup.
PowerShell
6
rustymisp2sentinel
Rust tool for sending threat intelligence from MISP to Microsoft Sentinel.
Rust
2
pwshmisp
Module for interacting with a MISP server using PowerShell.
PowerShell
misp-filter-builder
Web app for building MISP warninglist filters quickly and safely.
TypeScript
pwshuploadindicatorsapi
PowerShell module for sending indicators of compromise to the Upload Indicators API (Microsoft Sentinel).
PowerShell
MicrosoftSentinel-Templates
Collection of ARM and other templates for Microsoft Sentinel.
JSON