Earlier this week, I had a conversation about Sentinel MCP where I gave a quick gut reaction. I said Sentinel MCP, or more broadly this type of model, might be on its way out. The thinking felt reasonable at the time. With how easy it is to vibe code API integrations now, why introduce another… Read More »
There is a subtle shift happening in how we design incident response systems. For years, most solutions followed a deterministic (explicit, rule-based, structured) model. An alert fires, a playbook runs, actions execute in a defined order, and results are returned. When something breaks, we trace the path, fix the logic, and run it again. That… Read More »
I want to take a few minutes to explore the perceived risk of public cloud endpoints, and why that risk is often misunderstood. If something has a public endpoint, it is easy to assume it is exposed. In reality, that is only part of the story. The Door in the City Imagine you have something… Read More »
I am excited to announce the public release of KQL Event Viewer. This is easily the most complete and useful project I have built to date. KQL Event Viewer is a Windows Event Viewer-style experience for KQL data. Instead of starting with a query, you start with the data. Tables are organized, pre-filtered, and easy… Read More »
This week marked the end of an era. I am in the process of transitioning to a new role, and I will share more about that soon. As part of that transition, I delivered what will likely be my final class in this program, a three-day remote cybersecurity session. Keeping an audience engaged for three… Read More »
I have been working with Microsoft Sentinel since before it reached general availability in September 2019, supporting customers, delivering training, and developing real-world deployment guidance. Over that time, I have worked with dozens of organizations across both commercial and government environments, ranging from small universities to large global enterprises. I share that context only to… Read More »
A practical alternative and complement to Security Copilot I wrote about Alternatives to Microsoft Security Copilot last year and why many organizations are still looking for practical ways to bring AI into their SOC. That conversation has continued to come up in customer engagements. Some teams do not have access yet. Others are constrained by… Read More »
In the last article, I introduced Azure AI Foundry as a way to stand up a private AI service for SOC use cases. The key idea is that the model itself is not the solution. The value comes from how you shape requests using system prompts and structured input. One deployment can support many different… Read More »
Over the past few months, I have shared a set of workbooks focused on closing visibility gaps across identity and endpoint security data. These were built from real-world scenarios where the signals existed, but the connections between them were not always obvious. Today I am releasing major updates to both, expanding their scope and making… Read More »
I keep seeing the same pattern, and it is getting frustrating. Microsoft is calling custom chatbots “agents,” and now everyone is building them. The problem is most of these so-called agents are not agents at all. They are just slightly modified chat prompts wrapped in a UI. I said this before, but it is worth… Read More »
Azure Workbooks are surprisingly capable and frustrating. In many ways, they are far more powerful than they appear at first glance. The UI does not always make it obvious where things live or how features connect, so it takes some effort to learn which buttons to push and in what order. Like many things in… Read More »
I was working with a customer recently who was trying to track down changes across several subscriptions. Nothing unusual there, except we quickly realized something was missing. A number of subscriptions were not sending Azure Activity Logs to Microsoft Sentinel at all. No errors, no alerts, just silent gaps. It stood out because this is… Read More »
I was introduced to the Copilot Earth project late last year, and that got me thinking about how a similar concept could be applied to security. The idea of visualizing activity at a global level, enriched and interactive, felt like something that should exist for a SOC. From there, one idea led to another. I… Read More »
I put together a small project called Global Threat Atlas. It started out simple, and 500+ commits later it turned into something production-ready. It can be deployed today in Azure commercial subscriptions. This is built with an operations center in mind. It works well as a glanceable wallboard, but you can also interact with it… Read More »
My oldest child is a game design major. The program is very anti-AI. That reaction is understandable when you are trying to learn the fundamentals of a craft. Nobody wants shortcuts replacing real skill while they are still trying to master the basics. One thing that surprised me is how many students in the program… Read More »
I write a lot of prompts. Easily dozens a day at this point. Between experimenting with ideas, vied coding , vibe learning, asking questions, and drafting content, a good part of my day involves typing into some kind of LLM prompt. The odd part is that I have never been a great typist, despite thousands… Read More »
I was reminded of something recently that I have been aware of for a long time. The first time it was explained clearly to me was many years ago during a presentation on profit strategies for video game arcades. The core idea is simple. People behave differently when they feel like they are spending money.… Read More »
I see a growing amount of chatter about “securing AI,” but that phrase is so broad that it almost loses meaning. Securing what exactly? Most of these conversations are really about large language models (LLMs). And even then, the security discussion is very different depending on whether you are talking about public LLMs, enterprise LLMs,… Read More »
I recently worked with a customer who had done the right thing from a security perspective. They followed the best practice of separating standard user accounts from privileged admin accounts. Day-to-day work was done with a normal account, and elevated tasks required a separate admin identity. What they chose not to do was record the… Read More »
I recently built an Azure Monitor workbook to help customers who are struggling to verify that all Azure virtual machines are fully onboarded to Microsoft Defender for Endpoint (MDE). Repo: AndrewBlumhardt/workbooks In theory, this should be straightforward. When Defender for Servers is enabled as part of Microsoft Defender for Cloud, Azure VMs are automatically onboarded… Read More »