When I initially started this blog, I wasn’t always 100% sure what I wanted to talk about. I was younger in my career, going through a lot of change in my personal life with career shifts and moving my family across the country, and generally interested in everything under the sun when it came to the Microsoft cloud ecosystem. At the time I put a lot of focus on Microsoft Sentinel and Microsoft XDR as those were the tools I was embedded in every day. I was a Solutions Engineer at a small MSP as well as one of our Security SMEs, supporting a highly regulated industry for a niche community (CMMC is a trigger word for me now). I was in a pivotal point of my career where I wanted to spend some time specializing, but wasn’t sure where I really wanted my focus to go.

Last year I shifted to a consultant role at a reputable firm and have spent some time re-exposing myself to all the possibilities in the Microsoft cloud ecosystem. With the latest changes in Identity Security and the mass exposure to Agentic AI solutions, Identity has become a topic I just can’t ignore. Zero trust adoption remains a critical pillar of adoption for any organization serious about transitioning to the cloud. Agents and workload identities continue to expand the attack surface of who (or what we need to protect). Architecting robust identity solutions will, in my opinion, be what fundamentally makes or breaks the security postures of all businesses as we enter into this new AI-driven landscape.

Enter, Atomic Entra

Atomic Entra is simply my way of saying that I want to share as much of what I know, and what I’m learning, in the Microsoft Identity ecosystem. With the fast evolution of Entra as the center of Microsoft’s identity universe, and the vast number of organizations reducing their reliance on the legacy architecture that is Active Directory, I have become increasingly fascinated and busy with the Identity problems of today. “Atomic” is, simply put, my way of saying that I want to keep it focused and try and make it simple for as many people as I can. Whether it’s a video on TikTok, a LinkedIn post, or this newsletter, I want to distill as much as I can into a format that allows anyone learning Entra or trying to improve their environment can take action on what I can share.

This doesn’t come without trepidation. I suffer from what I, kindly, refer to as “Shiny Object Syndrome.” For years I’ve hopped from cool thing to cool thing, never quite being able to answer the question of “What do I want to do when I grow up.” It wasn’t until I started giving myself the ability to focus my efforts on a single topic, and diving deeply into the weeds on certain problems, that I started to discover that answer. That commitment now, however, does give me pause as I also have to be able to admit that I didn’t have that drive and focus previously, and this could come off as “yet another pivot” or shiny object. I didn’t give myself the chance to dive deeply into any one thing. A large part of that, if I were to self-diagnose myself, was due to imposter syndrome and never quite believe that I had anything worth sharing. I aim to overcome this hurdle for myself, and finally give myself the space to share with whoever is willing to listen.

What’s Next?

I intend to, as I learn more and work to solve more Identity problems, share as much as I can with as wide of an audience as I can. Between my TikTok account, LinkedIn, and this newsletter, my goal is simple:

Share knowledge about Microsoft Entra and work to solve the big identity problems.

I hope you’ll join me, and find something useful along the way.

Thanks for being here, and I look forward to sharing more soon!

What’s Microsoft Sentinel?

As organizations the world over continue to increase their adoption of cloud services, it only makes sense that security event management would require a cloud native solution as well. While AWS has tools like CloudTrail, and GCP has Chronicle, Microsoft has brought their own solution to the table. Microsoft Sentinel is a cloud native Security Information and Event Management (SIEM) platform that can ingest log data from Microsoft 365, Azure Services, Cloud Service Providers like AWS and GCP, and on-premises severs to help organizations detect and respond to potential threats in your environment.

Sentinel is packed to the brim with features like threat intelligence feeds, investigation graphs, MITRE ATT&CK coverage, automation rules, prebuilt and custom analytics, workbooks for visualization and notebooks for analysis, and the list goes on. Being cloud native also means Sentinel is scalable, removing the requirement to scale the service yourself and letting Microsoft do the heavy lifting as your SOC and telemetry expand. There are even AI and machine learning features baked in to enrich alert data and aid in event correlation.

All that to say, Microsoft Sentinel is great on paper, and certainly an enticing option if you’re considering leaving your current SIEM for a more cloud-centric approach. But why might you actually consider using it? When does it make sense? Let’s talk about it.

When and Why to use Microsoft Sentinel?

Organizations looking to either implement a SIEM for the first time or move away from their existing SIEM to something new can feel inundated by the number of choices that exist. A simple google search for “SIEM tools” would give you:

• Microsoft Sentinel (duh)

• Splunk

• Exabeam

• CrowdStrike Next-Gen SIEM

• Elastic SIEM

• Google Chronicle

• AWS CloudTrail and Guard Duty (I guess these together are kind of a SIEM solution? I can’t be sure…)

• And on, and on, and on….

This list is only a fraction of the available offerings on the market today and if you were left to figure out which one you needed, you’d be reviewing offerings and doing demos for weeks. There also isn’t a one size fits all solution as every organization has different and unique requirements that will weigh heavily on their final decision. To help you determine if Microsoft Sentinel is a good choice for your organization, I’ve come up with a few criteria that might put Sentinel at the top of the list:

1. Your Organization heavily uses Microsoft 365 and Azure.

This one might seem obvious to most, and that’s probably a good thing. It goes without saying that if you’ve already heavily invested in M365 for collaboration, and are building your applications in Azure, that having Sentinel as your SIEM only makes sense. With all the first-party Data Connectors Microsoft has created for ingesting log data from Microsoft services, integration with Microsoft XDR, and Microsoft Automation, Sentinel is a great choice for organizations that are already deeply invested in Microsoft’s cloud.

2. You want your Cloud Provider to automatically scale your SIEM

While this feature may not be unique to Sentinel itself, it’s still a point in its favor. SIEM solutions that are running in on-premises environments will be entirely managed by the IT team, needing to eventually build multiple servers and manage vast amounts of storage. Solutions that are running in virtualized cloud solutions like AWS EC2 or Azure VMs still have similar issues, even if the virtual infrastructure is handled for you. Log Analytics Workspace, the underlying log management solution that Sentinel sits on top of, is a Platform-as-a-Service offering that removes the need for organizations to manage the infrastructure and scaling and instead lets your focus on collecting the log data your need and building alerts in Sentinel to identify threats. Don’t get me wrong, there’s still a cloud consumption cost associated with using Log Analytics and Sentinel, but the convenience of having a scalable SIEM that grows as you can make that tradeoff worthwhile.

3. You want a thriving marketplace of third-party connectors

Chances are, if your organization is a large one, Microsoft first-party connectors aren’t the only ones you need. Maybe you have on-premises firewalls to monitor. A Secure Web Gateway solution. Maybe you even want to monitor your other Cloud Service Provider accounts. Sentinel has you covered. With hundreds of connectors and various solutions supporting them, Sentinel can ingest information from a huge variety of sources, alert on activity, visualize the data with workbooks, and more. Can’t find a connector that suites your needs? Reach for Microsoft’s Codeless Connector Framework (CCF) and build the connector you need.

Microsoft Sentinel has a bright future

Microsoft Sentinel has grown a lot over the years. I was first introduced to it in 2021 while still Active Duty in the Navy. We were migrating to the Navy away from our legacy on-premises infrastructure and into the cloud, desperately seeking a way to improve collaboration during the pandemic. With a large-scale migration like that comes a need to monitor for potential threats. When I got my hands on Sentinel back then, I got a glimpse into the promise that Microsoft was trying to make. Observe activity across all your environments, in near real time, and hunt threats in a solution that will grow with you. Now in 2025, Microsoft Sentinel continues to aid organizations in that same goal, with better tools and integrations, with advanced AI and machine learning, and so much more on the way.

Thanks for tuning in! If this helped you out, let me know! In Part 2, we will be covering the different considerations organizations should make when deploying Sentinel for the first time. Hope to see you there!

In the last few years the term “Zero Trust” has been used to both define a new security strategy, and as a buzzword to sell more security products. Depending on which one you were marketed, your understanding and trust (see what I did there?) of the phrase could vary wildly. Our goal in today’s short article is simple:

1. Define what Zero Trust means and discuss it’s purpose

2. Discuss how Microsoft Sentinel can support a Zero Trust strategy for an organization.

What is Zero Trust?

Zero Trust, by definition, is not a product or a service. It’s a strategic security approach to designing and implementing a core set of principles in your environment. Those principles are:

1. Verify Explicitly: Just because I say who I say I am, or tell you I should be here, doesn’t make it true. Check my creds, cross-check your list, and verify it’s true.

2. Use least privileged access: No, you don’t need Global Administrator to reset a password. You get Password Administrator. Use the role that gives you the bare minimum required to do your job, and use Privileged Identity Management (PIM) for Just-in-Time (JIT) access

3. Assume breach: Just because the alarm bells aren’t ringing and you’ve got a fancy new AI-empowered firewall doesn’t mean there isn’t someone snooping around. Use encryption, verify everything, don’t put all your eggs (or in this case, data or network segments) in one basket to be stolen all at once.

This is why the tagline behind Zero Trust is “Never trust, always verify.”

Where did it come from?

The term “Zero Trust” was originally coined in 1994 by Stephen Paul Marsh in a doctoral these on computer security. Since that point the term morphed and evolved throughout the different eras of IT until 2018 when research conducted by the National Institute of Standards and Technology (NIST) and the National Cybersecurity Center of Excellence (NCCoE) led to the publication of the NIST SP 800-207, Zero Trust Architecture.

The publication defines Zero Trust as a collection of concepts that reduce uncertainty by enforcing per-request access decision in IT systems and networks that were already viewed as potentially compromised. This led to the concept of Zero Trust Architecture, which is a cybersecurity plan that include all three of the following elements:

• Enhanced identity governance and policy-based access controls.

• Micro-segmentation

• User overlay networks or software-defined perimeters

Okay, but how does Sentinel play a part in Zero Trust?

Sentinel is Microsoft’s cloud native security information and event management (SIEM) and security orchestration, automation, and response (SOAR) product that allows organizations to receive and view security events and respond to those events in a variety of automated ways. As both a SIEM and a SOAR tool, Sentinel can support a Zero Trust Architecture in a variety of ways, but here’s a few that I find to be most significant:

1. “Assume Breach”: With a core tenant of ZT being the assumption that any organization’s IT could already be breached, Sentinel provides the tooling to continuously monitor your environment for malicious activity. With its plethora of 1st and 3rd party solutions and connectors, Sentinel can aggregate a huge amount of log data into meaningful alerts and incidents, giving SOC Analysts an opportunity to find threats in near real-time.

2. Automation: The threat landscape for most organizations is only getting larger. From Internet of Things (IoT) to Bring-your-own-Device (BYOD), and an increasing number of 3rd party SaaS solutions for everything from Collaboration to Sales and Engineering to Marketing, the number of attack vectors a SOC Analyst has to be aware of quickly becomes daunting. With built-in automation in the form of Playbooks and Automation Rules, Sentinel gives Analysts and Hunters the power to handle known threats automatically, freeing them up to look for more obscure threats around critical systems.

3. Integrated Zero Trust Solutions: A little on the nose, but did you know that Sentinel has a native Zero Trust offering? The Zero Trust (TIC 3.0) solution provided by Microsoft helps organizations respond to Zero Trust principles and the Trusted Internet Connections (TIC) 3.0 initiative. While Zero Trust and TIC 3.0 aren’t the same, they share a lot of common themes. This solution helps teams from all parts of the organization gain visibility into how their architecture aligns with these two frameworks and provides recommendations for improving your alignment with Zero Trust and TIC 3.0. Make sure you check out the prerequisites so you get the most out of this solution!

Summary

Zero Trust is a valuable framework for securing organizations against threats by adhering to the three core principles of:

• Verify Explicitly

• Use Least Privileged Access

• Assume Breach.

By integrating Microsoft Sentinel into your Zero Trust architecture, organizations can improve their security posture through advanced threat detection, automated response, and comprehensive visibility. Sentinel’s capabilities align seamlessly with Zero Trust principles, providing a robust framework to protect against evolving cyber threats and ensuring a resilient security environment.

Thanks for reading!

For those interested, I’ve put together a short survey so I can get an idea of what content my readers would like to see. If you have a few minutes to spare, I’d really love to hear from you!

What is Sentinel’s User and Entity Behavior Analytics

User and Entity Behavior Analytics (UEBA) allows Sentinel to collect logs and alerts from different data sources and build baseline profiles for entities within an organization. Entities can be IP addresses, host devices, users, and applications. Sentinel will analyze this data over time and leverage machine learning capabilities to identify anomalous activity. With all this data, Sentinel can help determine if an entity has been compromised and the blast radius of the compromise and its potential impact. This gives analysts easy prioritization when conducting an investigation or responding to an incident.

How does UEBA Work?

Let’s break down how the UEBA works from front to back.

1. Data Collection: Microsoft Sentinel collects data from various sources, including logs, events, and threat intelligence feeds. UEBA can also collect from Third-party systems and clouds such as on-premises firewalls, AWS, GCP, or Intrusion Detection Systems.

2. Data Processing: The collected data is processed and normalized to extract relevant entities (e.g., users, devices) and events (e.g., logins, file access). Event correlation and aggregation starts happening at this stage.

3. Behavioral Profiling and Anomaly Detection: The UEBA engine creates behavioral profiles for each user and entity, capturing their normal behavior patterns. Sentinel leverages machine learning algorithms help identify these patterns against threat intelligence sources and the entity profile, looking for anomalies amongst entity-related data such as location and time period.

4. Risk Scoring: The UEBA engine assigns a risk score to each user and entity based on their behavior, taking into account factors like anomaly detection, threat intelligence, and user attributes. Risk scoring is continuously updated as new data is ingested and processed.

5. Alerting and Investigation: When a user or entity exceeds a predefined risk threshold, Microsoft Sentinel generates an alert, allowing security analysts to investigate and respond to potential security threats.

How do I turn it on and use it?

Activating the UEBA features is really straight forward.

First, some prerequisites:

1. A Sentinel Workspace 😎

2. Global Admin or Security Admin Entra ID Roles

3. Microsoft Sentinel Contributor or Log Analytics Contributor Azure roles

Second, how to turn it on:

1. Login to the Azure Portal

2. In the search bar at the top, Search for and click on Sentinel, then select your workspace.

3. From the Sentinel main page, select “Settings” in the Configuration section on the left-hand flyout.

   1. 

4. Inside the “Settings” window, select the “Settings” tab and click “Set UEBA” under “Entity Behavior Analytics”

   1. 

5. In the “Entity behavior configuration” menu, flip the “Turn on UEBA feature” to “On”

   1. 

6. Make sure you select the directory service you want to sync entities from. I use Microsoft Entra ID for my tenant.

7. Next, select the data sources you want to enable behavior analytics with. Right now, I just have Audit and Sign-in logs while I continue to configure other features in this Tenant.

Done! UEBA is active and ready to start building those entity profiles!

Checking out your UEBA Data

Once UEBA is active, you might want to visualize your data and alerts. Right now, there are two main ways that I do that.

Entity Behavior Dashboard: The “Entity Behavior” menu in the Threat Management section of Sentinel is a built-in dashboard that will give you a way to search for entities and provides a breakdown of alerts by entity type. The best part of the is dashboard is that it can be extended with “Enrichment Widgets”, which provides access to supported third-party APIs that can enrich entity data in your environment. Currently available out of the box is VirusTotal, Recorded Future, Anomali, and AbuseIPDB.

UEBA Workbook from the Content Hub: Within the content hub inside Sentinel, you can install the “User and Entity Behavior Analytics” workbook. This provides a template Workbook that can help you visualize your UEBA data using KQL queries in a single page. The benefit with the workbook is that, because each section is backed by code, you can modify the Workbook to better display the data that is important to you!

Summary

In short, User and Entity Behavior Analytics (UEBA) compiles data from multiple sources to create baseline profiles for entities in your organization. Entities can include IP address, host devices, users, and applications. These profiles are created by combining entity related behavior with machine learning models to create a baseline, allow sentinel to allocate a risk score to behaviors that don’t meet the baseline. This provides SOC Analysts and Threat Hunters with an advanced toolset to monitor entities against their baselines and catch potentially malicious activity before an incident takes place!

Resources

Advanced threat detection with User and Entity Behavior Analytics (UEBA) in Microsoft Sentinel | Microsoft Learn

Enable entity behavior analytics to detect advanced threats | Microsoft Learn

New updated version of the User and Entitity Behavior Analytics workbook (microsoft.com)

What is Microsoft Graph Security API?

The Microsoft Graph Security API is a pivotal element in Microsoft’s security architecture. It provides a unified interface and schema to integrate with security solutions from Microsoft and ecosystem partners. This empowers organizations to streamline security operations and better defend against increasing cyber threats. The API consolidates and correlates security alerts from multiple sources, automates security tasks, and provides visibility into security data to enable proactive risk management.

How do you access the Microsoft Graph Security API?

Connecting to the Microsoft Graph Security API requires a few steps:

1. Register Your Application: Begin by registering your application with the Microsoft identity platform to obtain an Application ID

2. Configure Permissions: Assign the necessary permissions to your application in the Azure portal. This typically involves selecting the appropriate API permissions for Microsoft Graph

3. Grant Admin Consent: An administrator must grant consent for the permissions requested by your application. This step is crucial for the application to access the Microsoft Graph Security API

4. Obtain an Access Token: Use OAuth 2.0 to acquire an access token from the Microsoft identity platform. This token will be used to authenticate API calls

5. Make API Calls: With the access token, your application can make authenticated calls to the Microsoft Graph Security API and access the required security data

For more specific details on how to connect, check out this document from Microsoft.

How can we leverage PowerShell with the Microsoft Graph Security API?

PowerShell, as a first-class citizen of the Microsoft ecosystem, is a fantastic tool to leverage the Microsoft Graph Security API. PowerShell is usually pre-installed on all Windows workstations without the need for additional configuration, and has the capability to make HTTP requests against REST endpoints like the Graph API without needing any additional modules!

Check out this example of connecting to the Graph Security API and querying the endpoint to get a list of alerts:

# Authenticate and connect to the Microsoft Graph Security API
$tenantId = "<Your-Tenant-ID>"
$appId = "<Your-App-ID>"
$appSecret = "<Your-App-Secret>"
$resource = "https://graph.microsoft.com"
$tokenEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/token"
$body = "resource=$resource&client_id=$appId&client_secret=$appSecret&grant_type=client_credentials"
$oauth = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body -ContentType "application/x-www-form-urlencoded"

# Set the header with the access token
$headers = @{'Authorization' = "Bearer $($oauth.access_token)"}

# Query the Microsoft Graph Security API for alerts
$alertsUrl = "https://graph.microsoft.com/v1.0/security/alerts"
$alerts = Invoke-RestMethod -Uri $alertsUrl -Headers $headers -Method Get

# Output the list of alerts
$alerts.value

Note: Be sure to customize the above script template with your tenant’s specific information.

The Point

PowerShell, having been around for nearly 2 decades, can look like an outdated tool at first glance. But don’t be fooled! With the updates that have been brought to PowerShell in recent years, the introduction of Graph API, and its tight integration with Azure and M365, PowerShell for Security in a Microsoft environment is still an excellent choice for automation, data enrichment, and administration across the board. If you want to learn more, check out some of the links in the resources section to get started with PowerShell, Microsoft Graph API, and Microsoft Graph Security API.

Resources

• Microsoft Graph overview - Microsoft Graph | Microsoft Learn

• Use the Microsoft Graph security API - Microsoft Graph v1.0 | Microsoft Learn

• Get started with Windows PowerShell - Training | Microsoft Learn

• Automate administrative tasks by using PowerShell - Training | Microsoft Learn

Subscribe now