Sentinel
Lessons from the field. Always landing on my feet.
Block Device Code Phishing in Entra Without Breaking Legit Workflows
Device code phishing is nasty because the user does not hand over a password. They hand over a session. The lure sends the victim to a legitimate Microsoft device sign-in page. The victim enters a short code. Entra ID issues tokens to the attackerβs β¦
Agent 365 Launch Playbook: I Tested the Defender Response for AI Agent Attacks
Microsoft announced that Agent 365 would become generally available on May 1, 2026. Most launch-week posts explain what it is. I wanted to answer a different question: What does an AI agent attack look like in a real Microsoft defender stack as Agent β¦
Scan Every Blob, Trace Every Read: Defender for Storage + Sentinel
Storage is where malware waits. A blob uploaded to ingest/ by a pipeline step, a partnerβs SFTP connector, or a misconfigured Logic App sits quietly until something downstream opens it β a Data Factory copy, a Function app, a Synapse notebook, a β¦
Detecting Infostealer Session Hijacking with Microsoft Sentinel
Nearly 70% of incidents in the Americas now begin with stolen or misused accounts. Infostealers are the engine behind that number β families like Lumma, RedLine, and Vidar export browser cookies and session tokens directly from the victimβs machine, β¦
Investigate Hidden Privilege Paths with Microsoft Sentinel Data Federation and Custom Graphs
After a compromised service principal incident, the first triage question is always the same: βWhat else can this identity reach?β The answer usually lives outside Sentinel, buried in entitlement exports, RBAC snapshots, or asset inventories that β¦
Building Custom Sentinel Connectors in One Click with CCF Push
Getting custom data into Microsoft Sentinel has traditionally required a lot of moving parts. You need a Data Collection Endpoint, a Data Collection Rule, an Entra app registration with a client secret, RBAC role assignments, a custom table β¦
AKS Runtime Security: Binary Drift, Anti-Malware & Gated Deployment with Defender for Cloud
In December, I published a post on securing the container supply chain β SBOM generation, image signing, and build provenance with GitHub Actions. That covered build-time security: making sure the image you ship is the image you built. But what β¦
Detecting OAuth Redirect Abuse with Microsoft Sentinel and Entra ID
On March 2, 2026, Microsoft published an advisory on OAuth redirection abuse enabling phishing and malware delivery. Microsoft described phishing-led campaigns where attackers register OAuth apps with attacker-controlled redirect URIs, then send β¦