The past month was an amazing month for Azure Sentinel. A large number of new connectors have been released. Along with these new connectors, an update to the Azure Active Directory connector has been released. The connector now includes new categories of sign-in logs and a brand new log containing provisioning activities.

The Azure Sentinel connector for the Azure Active Directory has been expanded with new options for sign-ins and the provisioning logs.

Before this update, only active user sign-ins were logged in Azure Sentinel. This means that you could not build detections on sign-ins that were executed non-interactively or on logins that were executed by applications using a service principal. …


Security is quite a complex and important topic. The complexity is in the technology and organisation of security. Security is complex as it requires your organisation to have a skilled set of people, decent processes and good technology in place. The importance of cyber security has its origin in the increasing number of cyber security attacks that are executed and the increasing number of vulnerabilities that are found.

The following graph shows the number of CVEs per day that have been reported to the NVD (https://nvd.nist.gov/). The graph is generated by using the following Jupyter runbook: https://github.com/jgamblin/CVEStats

CVEs per day that have been reported to the NVD (National Vulnerability Database of the U.S.)

As the above…


This week I had the great opportunity to work with the REST API of Azure Sentinel. For the SOAR platform my team and I are creating, we had to implement the Azure Sentinel API so we could get data out of Azure Sentinel and update data that resides in Azure Sentinel.

In the first place, this didn’t look challenging as Microsoft has decent documentation related to this API. …


I recently had the opportunity to implement Dapr in one of the applications that is part of a security platform my team is developing. In this story I will explain what Dapr is, what you could use it for, and what my findings are so far.

More and more developers build cloud native applications that consist of microservices. Building your (enterprise) application out of multiple microservices brings a lot of benefits:

  • The codebase of a single microservice is smaller than a whole monolithic application. …


In a lot of cases Azure Sentinel and Azure Monitor are reporting IP addresses in a separate column. This makes it quite easy to work with them. You can easily use them in a summarize statement or use them in a join.

These kinds of operations get a lot more complex when the IP address is used in a string with other text around it. A common example where you can find this is the SSH log:

It is possible to extract the IP…


According to Gartner, 75% of all organisations will run containerised applications in 2022. At the moment Kubernetes is the most popular container orchestrator available. Azure Kubernetes Service (AKS) is Microsoft's “cloud implementation” of Kubernetes.

As Kubernetes is quite a complex orchestrator, security isn’t simple either. In this story I will give some insight into how you can deploy Azure Kubernetes with security in mind. In this story I will mainly be focussing on the Azure part of AKS. In upcoming stories I will get into detail on security of the cluster itself.

Azure Kubernetes Service is represented as…


If you are working in the security business, you probably know solving alerts “in the wild” isn’t the best thing to do. You should follow a decent Incident Management process. In the more professional companies an Incident Management System is deployed that supports this process. These kinds of systems will track the incident in the process of solving and will make the life of the SOC engineers easier.

Connecting all security services to an incident management system can be a tough job. You need to have a good understanding of the software development world (so you can implement the API using…


When building a SOC, dashboards are an important component. Aside from the regular dashboard features in Azure you can use Grafana as a tool to build your dashboards. According to the website of Grafana, Grafana is the open source analytics and monitoring solution for every database. Grafana doesn’t provide an out-of-the-box Azure Sentinel connector; but as all Sentinel data is stored in Log Analytics, we could use the Azure Monitor data resource in Grafana to query Sentinel data. Grafana has a couple of features that I personally love:

  • You can create dashboards for users without having them access the data (they…


In the past year I built several SOCs for my customers and the organisation I work for. A question I get asked quite often is: “What data is in which Sentinel table?” and “Where can I find X or Y data?”

In this post I will try to go over the most important tables and explain what data is in there.

  • SigninLogs — This table contains all the sign-in logs of the Azure Active Directory. Here you will find which users have tried to log in using the Azure Active Directory, from which IP and with what device. …


With the digital transformation that is happening, more and more data is transferred to Microsoft Azure. A big part of that data is stored in SQL databases. It is only logical to use Microsoft's PaaS service for that kind of data: Azure SQL Databases.

In this post I will explain how you can protect your Azure SQL databases with Azure Sentinel so you will be able to detect security related incidents in your databases.

Azure SQL Databases is able to log to Azure Log Analytics. As Azure Log Analytics is the main driver of Azure Sentinel, we can use that…

Jeroen Niesen
