Incident Response in Microsoft Sentinel: A Practical SOC Analyst’s Workflow
A structured, repeatable incident response workflow for Microsoft Sentinel — from triage and investigation through containment, documentation, and closure.
Many SOC teams struggle with alert overload and high false-positive rates, not because tools like Microsoft Sentinel are insufficient, but because of poor detection strategy. Effective detection engineering focuses on enabling rules that suit the specific environment, understanding the underlying log data, deploying detections deliberately, and regularly reviewing their effectiveness to build trust in the alerts that reach analysts.
This guide presents a framework to optimize Microsoft Sentinel costs while maintaining security. Key cost drivers include unclassified log ingestion and inefficient KQL execution. By classifying logs, implementing Data Collection Rules, and separating retention tiers, organizations can minimize expenses and ensure compliance without compromising detection capabilities.
Microsoft Sentinel offers three storage options: Analytics Tier, Sentinel Data Lake, and Data Archive, each serving distinct purposes. Proper storage tiering is crucial to avoid high costs and inefficiencies. Understanding each tier’s intended use—detection, investigation, or compliance—is vital for effective security operations and maintaining a scalable system.
In a Security Operations Center (SOC), timely and accurate data is crucial for identifying and responding to threats. Delays in receiving security logs can lead to gaps in monitoring and create blind spots that adversaries may exploit. Ensuring that logs are being ingested at the expected frequency is critical for maintaining a proactive defense posture…
In today’s cybersecurity landscape, managing a high volume of security alerts can be overwhelming for security operations teams. This is especially true for organizations using Microsoft Defender for XDR (Extended Detection and Response) integrated with Microsoft Sentinel. While these tools provide robust threat detection and response capabilities, the sheer number of incidents generated can lead…
🚨 Just published a new blog post on mastering KQL in Microsoft Sentinel! 🚨
In this post, I dive into a must-have query that provides detailed insights into your SOC operations, including total incidents, new, active, and closed incidents, as well as incident duration. Whether you’re looking to optimize your incident response or improve reporting, this query is a game-changer for every SOC team.
In this blog, we’ll address a common issue causing drops in log ingestion from Linux machines to Microsoft Sentinel: the /var/log directory filling up. Learn how to automate log maintenance with cron jobs to keep your logs flowing smoothly and ensure uninterrupted monitoring and analysis with Microsoft Sentinel.
Ever noticed a difference between incident counts in the Microsoft Sentinel Incident portal and the SecurityIncident table? This blog explains why the SecurityIncident table shows higher counts due to ungrouped alerts, while the Incident portal consolidates them. Understanding the query behind this helps you better interpret your security data.
Automate Azure Sentinel incident closure with PowerShell. Effortlessly close multiple incidents at once, saving time for critical security tasks.