Jerrad Dahlager, CISSP, CCSP
Cloud Security Architect · Adjunct Instructor

From Authorization to Action: Operationalizing CISA's Microsoft Cloud Logs Playbook in Sentinel

CISA originally released the Microsoft Expanded Cloud Logs Implementation Playbook on January 15, 2025. The CISA resource page shown below also has a May 1, 2026 revision date, and the May 2026 DOCX I reviewed is marked as version 1.1 with general …

Copy Fail in the Cloud: A Defender, Sentinel, and AKS Response Guide for CVE-2026-31431

A Linux local privilege escalation bug is easy to dismiss if you only think in traditional server terms. An attacker already needs local access, so how bad can it be? In cloud environments, that assumption breaks fast. A compromised container, a …

Agent 365 Launch Playbook: I Tested the Defender Response for AI Agent Attacks

Microsoft announced that Agent 365 would become generally available on May 1, 2026. Most launch-week posts explain what it is. I wanted to answer a different question: What does an AI agent attack look like in a real Microsoft defender stack as Agent …

Scan Every Blob, Trace Every Read: Defender for Storage + Sentinel

Storage is where malware waits. A blob uploaded to ingest/ by a pipeline step, a partner’s SFTP connector, or a misconfigured Logic App sits quietly until something downstream opens it — a Data Factory copy, a Function app, a Synapse notebook, a …

Investigate Hidden Privilege Paths with Microsoft Sentinel Data Federation and Custom Graphs

After a compromised service principal incident, the first triage question is always the same: “What else can this identity reach?” The answer usually lives outside Sentinel, buried in entitlement exports, RBAC snapshots, or asset inventories that …

Building Custom Sentinel Connectors in One Click with CCF Push

Getting custom data into Microsoft Sentinel has traditionally required a lot of moving parts. You need a Data Collection Endpoint, a Data Collection Rule, an Entra app registration with a client secret, RBAC role assignments, a custom table …

AKS Runtime Security: Binary Drift, Anti-Malware & Gated Deployment with Defender for Cloud

In December, I published a post on securing the container supply chain — SBOM generation, image signing, and build provenance with GitHub Actions. That covered build-time security: making sure the image you ship is the image you built. But what …

The February 2026 Microsoft Sentinel Drop: UEBA Essentials, Copilot Connector, and 9 New GA Connectors

February 2026 brought one of the more substantial Sentinel drops in recent memory. UEBA Essentials hit v3.0.6 with a refined workbook and more than 30 hunting queries (including multi-cloud detections shipped in earlier releases), the M365 Copilot …

Sentinel MCP Server: Securing Your SOC's New AI Attack Surface

In September 2025, Microsoft announced the Sentinel MCP Server, a Model Context Protocol implementation that lets MCP-compatible AI assistants query your Sentinel data using natural language. Microsoft highlights GitHub Copilot, Copilot Studio, and …

Terraform 1.11 Write-Only Arguments: Keep Supported Secrets Out of State

If you’ve worked with Terraform and secrets, you’ve probably wondered: “Wait, is my password actually in that state file?” The answer has historically been: yes. The sensitive = true flag does a great job hiding values from CLI output, but the state …