MTG-2026-04-13 — Security Team Onsite
Onsite security team meeting covering five active workstreams. Microsoft engineers present for Defender and Sentinel sessions.
Attendees
-
Sarah Clizer — Deputy CISO
-
Evan Rosado — ISE Engineer III
-
Microsoft Engineers
-
Team members
Abnormal Security
|
ESA → Abnormal Migration — Active Risk Window
During any email security migration there is a gap window where neither system has full visibility. Confirm overlap period and compensating controls before cutover is finalized. |
- Migration Status
-
Current state of ESA → Abnormal Security migration. Confirm timeline and phases.
- Quarantine Alignment
-
Review quarantine behavior in Microsoft Defender portal. Confirm Abnormal and Defender are not creating duplicate or conflicting quarantine actions.
- Mail Flow Validation
-
Confirm no gaps between ESA cutover and Abnormal enforcement. Validate MX records, connectors, and routing rules are correct.
- Rollback Plan
-
What is the rollback procedure if Abnormal misses a threat category ESA was catching? Who owns the decision to roll back?
-
ESA → Abnormal migration status and timeline
-
Quarantine review — Microsoft Defender portal alignment
-
Mail flow validation — no gaps between ESA cutover and Abnormal enforcement
-
Rollback plan confirmed and documented
-
Abnormal detection coverage vs ESA — what categories are covered, what is not
-
Microsoft Defender
|
Microsoft Engineers Present
Prepare specific technical questions in advance. Do not leave this session without confirmed answers on connector config and licensing. |
|
Defender Docs — Local Git Repository
Microsoft publishes all Defender documentation as a public GitHub repo.
Cloned to |
- Telemetry Gap Assessment
-
What is Defender feeding into Sentinel today vs. what is missing. Identify blind spots before Sentinel goes live.
- MDE Onboarding Status
-
Which endpoints are enrolled in Microsoft Defender for Endpoint. Which are not — and why. Prioritize unmanaged endpoints.
- Defender for Identity
-
Are we covering Active Directory lateral movement scenarios. Kerberoasting, pass-the-hash, DCSync detection coverage.
Defender Docs — Linux Toolchain
# Repository location
cd ~/atelier/_bibliotheca/defender-docs
# Keep current
git pull
# Total page count
find defender-office-365 -name "*.md" | wc -l (1)
# Explore structure
ls defender-office-365/ (2)
find defender-office-365 -name "*.md" | sort | head -20 (3)| 1 | Total documentation pages in the Defender for Office 365 module |
| 2 | Top-level directory contents |
| 3 | First 20 pages — get bearings on taxonomy |
Email Policy — Search Patterns
cd ~/atelier/_bibliotheca/defender-docs
# PRESET SECURITY POLICIES
rg "preset" defender-office-365 --type md -l (1)
rg "Standard\|Strict" defender-office-365 --type md -l (2)
rg "preset" defender-office-365 --type md -C 2 (3)
# ANTI-SPAM
rg "anti-spam\|antispam" defender-office-365 --type md -l -i (4)
rg "spam confidence\|SCL" defender-office-365 --type md -i (5)
rg "bulk complaint\|BCL" defender-office-365 --type md -i (6)
rg "quarantine\|junk" defender-office-365 --type md -l -i (7)| 1 | All files mentioning preset security policies |
| 2 | Files comparing Standard vs Strict policy tiers |
| 3 | Preset references with 2 lines of surrounding context |
| 4 | All anti-spam policy pages |
| 5 | Spam Confidence Level references — key tuning metric |
| 6 | Bulk Complaint Level references — bulk mail threshold |
| 7 | Quarantine and junk mail policy pages |
# ANTI-PHISHING
rg "anti-phish\|antiphish" defender-office-365 --type md -l -i (1)
rg "spoof\|spoofing" defender-office-365 --type md -l -i (2)
rg "impersonation" defender-office-365 --type md -l -i (3)
rg "DKIM\|DMARC\|SPF" defender-office-365 --type md -l (4)
# ANTI-MALWARE
rg "anti-malware\|antimalware" defender-office-365 --type md -l -i (5)
rg "safe attachments\|safe links" defender-office-365 --type md -l -i (6)
rg "zero-hour auto purge\|ZAP" defender-office-365 --type md -i (7)| 1 | Anti-phishing policy pages |
| 2 | Spoof intelligence and anti-spoofing controls |
| 3 | User and domain impersonation protection |
| 4 | Email authentication — DKIM, DMARC, SPF pages |
| 5 | Anti-malware policy pages |
| 6 | Safe Attachments and Safe Links policy pages |
| 7 | Zero-Hour Auto Purge — retroactive threat removal |
# QUARANTINE POLICIES
rg "quarantine policy\|quarantine tag" \
defender-office-365 --type md -l -i (1)
rg "end-user spam\|end user notification" \
defender-office-365 --type md -i -l (2)
rg "release\|report message" \
defender-office-365 --type md -i -l (3)
# EXCHANGE ONLINE PROTECTION
rg "EOP\|Exchange Online Protection" \
defender-office-365 --type md -l (4)
find . -name "*eop*" -o -name "*exchange-online-protection*" | sort (5)
# MAIL FLOW
rg "mail flow\|mailflow" defender-office-365 --type md -l -i (6)
rg "connector\|transport rule" defender-office-365 --type md -l -i (7)
rg "MX record" defender-office-365 --type md -i (8)| 1 | Quarantine policy and tag configuration pages |
| 2 | End-user quarantine notification settings |
| 3 | Message release and reporting workflow |
| 4 | Exchange Online Protection coverage pages |
| 5 | EOP-specific files by filename |
| 6 | Mail flow configuration pages |
| 7 | Connector and transport rule pages |
| 8 | MX record configuration references |
Extract Policy Settings — awk
# The two most important files — read these first
less defender-office-365/recommended-settings-for-eop-and-office365.md (1)
less defender-office-365/preset-security-policies.md (2)
# Extract recommended settings section
awk '/^## Recommended/,/^## /' \
defender-office-365/recommended-settings-for-eop-and-office365.md (3)
# Extract prerequisites
awk '/^## Prereq/,/^## /' \
defender-office-365/preset-security-policies.md (4)
# Extract frontmatter — title, description, date
awk 'NR==1,/^---$/' \
defender-office-365/preset-security-policies.md (5)
# Extract all policy comparison tables
grep -n "^|" \
defender-office-365/recommended-settings-for-eop-and-office365.md \
| head -30 (6)
# Extract full table block
awk '/^\|.*\|/{found=1} found{print} /^$/{found=0}' \
defender-office-365/recommended-settings-for-eop-and-office365.md \
| head -50 (7)| 1 | Recommended settings — authoritative Microsoft policy values bible |
| 2 | Preset policies — Standard vs Strict full comparison |
| 3 | Pull recommended settings section to next heading |
| 4 | Pull prerequisites section |
| 5 | YAML frontmatter — title, description, last updated date |
| 6 | Line numbers of all table rows — find policy comparison tables fast |
| 7 | Extract first 50 rows of policy comparison tables |
Track Microsoft Changes
# Files updated in last 30 days
git log --since="30 days ago" --name-only --pretty=format: \
| grep "defender-office-365.*\.md$" | sort -u (1)
# What changed in a specific file
git log --follow -p \
defender-office-365/preset-security-policies.md | head -50 (2)
# All email policy pages with titles
find defender-office-365 -name "*.md" \
| xargs grep -l "policy\|policies" \
| xargs awk '/^title:/{print FILENAME": "$2}' \
| sort (3)
# Most referenced policy terms — understand the vocabulary
rg "policy" defender-office-365 --type md -oh -i \
| sort | uniq -c | sort -rn | head -20 (4)| 1 | All Defender for Office 365 docs updated in last 30 days |
| 2 | Full diff history for preset security policies page |
| 3 | All policy pages with their titles extracted from frontmatter |
| 4 | Top 20 most referenced policy terms — learn the vocabulary fast |
Convert to AsciiDoc for Codex
# Requires pandoc
pandoc \
defender-office-365/preset-security-policies.md \
-f markdown -t asciidoc \
-o ~/atelier/_bibliotheca/domus-captures/docs/modules/ROOT/pages/codex/security/defender-preset-policies.adoc
pandoc \
defender-office-365/recommended-settings-for-eop-and-office365.md \
-f markdown -t asciidoc \
-o ~/atelier/_bibliotheca/domus-captures/docs/modules/ROOT/pages/codex/security/defender-recommended-settings.adoc-
What is the recommended Defender → Sentinel connector config for a healthcare environment?
-
Are we on the correct licensing SKU — MDE P1 vs P2?
-
Defender for Identity — what AD attack scenarios are covered out of the box?
-
What telemetry is not forwarded to Sentinel by default that we should enable?
-
HIPAA/healthcare-specific analytic rules — what does Microsoft recommend?
-
Preset security policies — Standard vs Strict for a healthcare org?
-
What is the recommended quarantine policy for end-user notifications?
-
Safe Attachments — what is the recommended action for detected malware in healthcare?
-
Safe Links — time-of-click protection scope — internal email covered?
-
Clone confirmed —
~/atelier/_bibliotheca/defender-docs -
Read
recommended-settings-for-eop-and-office365.md— policy values bible -
Read
preset-security-policies.md— Standard vs Strict comparison -
Extract KQL queries from advanced hunting docs into
codex/security/kql -
Review preset security policies — Standard vs Strict for CHLA
-
Confirm MDE onboarding status — enrolled vs not enrolled
-
Confirm Defender for Identity — AD lateral movement coverage
-
Confirm licensing SKU — MDE P1 vs P2
-
Connector config validated for healthcare environment
-
Telemetry gap confirmed — what Defender sends to Sentinel today
Microsoft Sentinel
|
Cost Projections Pending
Do not commit to ingestion volume or cost estimates in this meeting. Sentinel workspace tier must be confirmed in Azure Portal before any numbers are presented to leadership. Financial projections are currently excluded from all migration reports pending confirmation. |
- KQL Query Library
-
Current status of KQL detection rules. What is built, what is missing, what maps to existing QRadar offense rules.
- Detection Coverage Gap
-
Which QRadar offense rules have no Sentinel equivalent yet. These are the highest-risk items for the migration.
- Workspace Configuration
-
Confirm workspace tier — PAYG vs commitment. Required before any cost projection can be produced.
-
What analytic rules does Microsoft recommend for healthcare/HIPAA environments?
-
Which Sentinel data connectors cover our log source types — Cisco, CrowdStrike, Windows?
-
What is the recommended retention configuration for a healthcare org?
-
How does Sentinel handle high-volume sources — is there a cost cap or throttle?
-
What is the ingestion latency from connector to queryable data?
// Authentication failures by protocol
// Adapt from QRadar MSCHAPv2 migration data
SecurityEvent
| where EventID == 4625
| summarize FailureCount = count() by Account, LogonType, IpAddress
| sort by FailureCount desc-
KQL query library — current coverage status
-
Detection gap analysis vs QRadar offense rules
-
Workspace tier confirmed in Azure Portal
-
Sentinel connector mapping — LogSourceType → Sentinel connector
-
Retention configuration for HIPAA compliance confirmed
KQL Queries — Extraction Patterns
cd ~/atelier/_bibliotheca/defender-docs
# Find all files containing KQL blocks
find . -name "*.md" \
-exec grep -l '```kql\|```kusto' {} \; | sort (1)
# Count KQL examples per file — ranked
grep -rc '```kql\|```kusto' . \
--include="*.md" | grep -v ":0" | sort -t: -k2 -rn (2)
# Extract all KQL blocks from entire repo
find . -name "*.md" \
| xargs awk '/```kql|```kusto/{found=1; print "# FILE: "FILENAME}
found{print}
/```$/{found=0}' 2>/dev/null (3)
# Extract KQL from specific high-value files
awk '/```kql|```kusto/,/```/' \
defender-xdr/advanced-hunting-overview.md (4)
awk '/```kql|```kusto/,/```/' \
defender-xdr/advanced-hunting-query-language.md (5)
# Save all KQL to a single reference file
find . -name "*.md" \
| xargs awk '/```kql|```kusto/{found=1; print "\n-- SOURCE: "FILENAME}
found && !/```/{print}
/```$/{found=0}' \
> /tmp/all_kql_queries.txt
wc -l /tmp/all_kql_queries.txt (6)| 1 | All files containing KQL code blocks across the entire repo |
| 2 | Files ranked by number of KQL examples — start with the richest |
| 3 | Every KQL block with its source file — full extraction |
| 4 | Advanced hunting overview — broad KQL patterns |
| 5 | Advanced hunting query language reference |
| 6 | Preview extracted queries — check quality before using |
# KQL by security domain
rg '```kql' defender-xdr --type md -l (1)
rg '```kql' defender-office-365 --type md -l (2)
rg '```kql' defender-endpoint --type md -l (3)
rg '```kql' defender-identity --type md -l (4)
# Specific detection patterns
rg "DeviceLogonEvents\|IdentityLogonEvents" \
. --type md -l (5)
rg "EmailEvents\|EmailAttachmentInfo" \
. --type md -l (6)
rg "DeviceProcessEvents\|DeviceNetworkEvents" \
. --type md -l (7)
rg "AlertEvidence\|AlertInfo" \
. --type md -l (8)
rg "IdentityDirectoryEvents\|IdentityQueryEvents" \
. --type md -l (9)| 1 | KQL in Defender XDR — cross-domain hunting |
| 2 | KQL in Defender for Office 365 — email threats |
| 3 | KQL in Defender for Endpoint — device telemetry |
| 4 | KQL in Defender for Identity — AD attack detection |
| 5 | Logon event tables — authentication hunting |
| 6 | Email event tables — phishing and malware hunting |
| 7 | Process and network event tables — endpoint hunting |
| 8 | Alert tables — incident investigation |
| 9 | Identity directory tables — AD lateral movement hunting |
# Extract specific table schemas — understand what fields are available
rg "DeviceLogonEvents" . --type md -A 5 | head -50 (1)
rg "EmailEvents" . --type md -A 5 | head -50 (2)
# Find join examples — cross-table hunting
rg "join\|union" . --type md -i \
| grep -i "kql\|kusto\|hunting" | head -20 (3)
# Healthcare-relevant hunting queries
rg "lateral movement\|pass.the.hash\|kerberoast" \
. --type md -i -l (4)
rg "privilege escalation\|credential" \
. --type md -i -l (5)
rg "ransomware\|exfiltration\|C2\|command and control" \
. --type md -i -l (6)| 1 | DeviceLogonEvents schema and usage examples |
| 2 | EmailEvents schema and usage examples |
| 3 | Cross-table join patterns — advanced hunting |
| 4 | Lateral movement detection queries — AD attack paths |
| 5 | Privilege escalation and credential theft queries |
| 6 | Ransomware, exfiltration, C2 detection queries
|
PowerShell — Extract and Reference
cd ~/atelier/_bibliotheca/defender-docs
# Find all PowerShell blocks
find . -name "*.md" \
-exec grep -l '```powershell\|```ps1' {} \; | sort (1)
# Count PowerShell examples per file
grep -rc '```powershell\|```ps1' . \
--include="*.md" | grep -v ":0" | sort -t: -k2 -rn (2)
# Extract all PowerShell blocks with source file
find . -name "*.md" \
| xargs awk '/```powershell|```ps1/{found=1; print "\n# FILE: "FILENAME}
found && !/```/{print}
/```$/{found=0}' \
> /tmp/all_powershell.txt
wc -l /tmp/all_powershell.txt (3)| 1 | All files containing PowerShell blocks |
| 2 | Files ranked by PowerShell example count |
| 3 | Preview — verify extraction quality |
# PowerShell by domain
rg '```powershell' defender-office-365 --type md -l (1)
rg '```powershell' defender-endpoint --type md -l (2)
rg '```powershell' defender-identity --type md -l (3)
# Specific cmdlet families
rg "Get-AntiPhish\|Set-AntiPhish\|New-AntiPhish" \
. --type md -l (4)
rg "Get-HostedContentFilterPolicy\|Set-HostedContentFilter" \
. --type md -l (5)
rg "Get-SafeAttachmentPolicy\|Set-SafeAttachment" \
. --type md -l (6)
rg "Get-SafeLinksPolicy\|Set-SafeLinks" \
. --type md -l (7)
rg "Get-QuarantinePolicy\|Set-QuarantinePolicy" \
. --type md -l (8)
rg "Get-MalwareFilterPolicy\|Set-MalwareFilter" \
. --type md -l (9)
rg "Get-TransportRule\|New-TransportRule\|Set-TransportRule" \
. --type md -l (10)| 1 | Office 365 PowerShell management commands |
| 2 | Endpoint PowerShell management commands |
| 3 | Identity PowerShell management commands |
| 4 | Anti-phishing policy cmdlets |
| 5 | Anti-spam / hosted content filter cmdlets |
| 6 | Safe Attachments policy cmdlets |
| 7 | Safe Links policy cmdlets |
| 8 | Quarantine policy cmdlets |
| 9 | Anti-malware filter cmdlets |
| 10 | Transport rule / mail flow cmdlets |
# Extract PowerShell for specific policy areas
awk '/```powershell/,/```/' \
defender-office-365/anti-spam-policies-configure.md (1)
awk '/```powershell/,/```/' \
defender-office-365/anti-phishing-policies-eop-configure.md (2)
awk '/```powershell/,/```/' \
defender-office-365/safe-attachments-policies-configure.md (3)
awk '/```powershell/,/```/' \
defender-office-365/quarantine-policies.md (4)
# Find all Connect cmdlet patterns
rg "Connect-ExchangeOnline\|Connect-MgGraph\|Connect-MsolService" \
. --type md -l (5)
# Find all Export/Import patterns — useful for migration
rg "Export-\|Import-" . --type md -i \
| grep -i "policy\|rule\|config" | head -20 (6)| 1 | Anti-spam policy PowerShell commands |
| 2 | Anti-phishing policy PowerShell commands |
| 3 | Safe Attachments PowerShell commands |
| 4 | Quarantine policy PowerShell commands |
| 5 | Connection cmdlets — auth patterns for each service |
| 6 | Export/Import cmdlets — policy migration and backup
|
Microsoft Defender & Sentinel API Docs
cd ~/atelier/_bibliotheca/defender-docs
# Find all API reference files
find . -name "*.md" \
-exec grep -l "api\|REST\|endpoint" {} \; \
| grep -i "api\|rest" | sort (1)
# API-specific directories
find . -type d -name "*api*" | sort (2)
ls defender-xdr/ | grep -i api (3)
# API endpoint patterns
rg "https://api\.security\.microsoft\.com" \
. --type md -l (4)
rg "https://graph\.microsoft\.com" \
. --type md -l (5)
rg "https://management\.azure\.com" \
. --type md -l (6)| 1 | All files referencing API or REST concepts |
| 2 | API-specific directories in the repo |
| 3 | API files in Defender XDR module |
| 4 | Microsoft Security API endpoints |
| 5 | Microsoft Graph API endpoints — identity and email |
| 6 | Azure Management API endpoints — Sentinel workspace |
# Authentication patterns
rg "Bearer\|access_token\|oauth\|client_id\|tenant_id" \
. --type md -i -l (1)
rg "client_credentials\|authorization_code" \
. --type md -i -l (2)
# Defender XDR API — incidents, alerts, hunting
rg "/api/incidents" . --type md -l (3)
rg "/api/alerts" . --type md -l (4)
rg "runHuntingQuery\|advancedHunting" . --type md -l (5)
# Sentinel / Log Analytics API
rg "workspaces.*query\|loganalytics" \
. --type md -i -l (6)
rg "analyticsRules\|dataConnectors\|incidents\|watchlists" \
. --type md | grep "management\.azure\|sentinel" -i \
| head -20 (7)| 1 | All files covering API authentication |
| 2 | OAuth flow types — client credentials for automation |
| 3 | Incidents API — list, get, update incidents |
| 4 | Alerts API — list, get, update alerts |
| 5 | Advanced hunting API — run KQL via API |
| 6 | Log Analytics query API references |
| 7 | Sentinel resource types via ARM API |
# Extract all API code examples — curl patterns
find . -name "*.md" \
| xargs awk '/```bash|```http|```curl/{found=1;
print "\n# FILE: "FILENAME}
found && /curl/{print}
/```$/{found=0}' \
> /tmp/all_api_curl.txt
wc -l /tmp/all_api_curl.txt (1)
# Extract Python API examples
find . -name "*.md" \
| xargs awk '/```python/{found=1; print "\n# FILE: "FILENAME}
found{print}
/```$/{found=0}' \
| grep -A 20 "requests\|msal\|azure" \
> /tmp/all_api_python.txt
wc -l /tmp/all_api_python.txt (2)| 1 | All curl-based API calls extracted from docs — preview first 50 |
| 2 | All Python API examples — requests, MSAL, azure-sdk patterns
|
Monad Pipeline — Syslog Level Strategy
|
Syslog Levels RFC 5424
This strategy applies across all log sources feeding into Sentinel via Monad. Establish this as a pipeline standard before any connector goes live. |
- Forwarding Policy
-
Levels 0-5 → forward always, no filtering
Level 6 (info) → selective by source — see approved list below
Level 7 (debug) → drop at pipeline, never forward to Sentinel
| Level | Keyword | Forward? | Rationale |
|---|---|---|---|
0 — Emergency |
|
Always |
System unusable — never drop |
1 — Alert |
|
Always |
Immediate action required |
2 — Critical |
|
Always |
Critical conditions |
3 — Error |
|
Always |
Error conditions |
4 — Warning |
|
Always |
Warning conditions |
5 — Notice |
|
Always |
Significant normal conditions |
6 — Informational |
|
Selective |
High-value sources only — see below |
7 — Debug |
|
Never |
Too noisy — local troubleshooting only |
-
ISE — auth pass/fail events
-
FTD/FMC — connection events
-
WLC 9800 — association and authentication events
-
CrowdStrike — detection context
-
VyOS — firewall allow (selective)
-
AD/DNS/DHCP — correlation data
-
Epic — access events
-
Vault — secret access and policy changes
-
SNMP polling
-
UPS/PDU informational
-
Backup job success notifications
-
Print servers
-
Load balancer health checks
-
DHCP renewals (unless forensics required)
|
Debug Level — No Exceptions
Never forward level 7 to Monad or Sentinel in steady state. For incident response or active troubleshooting, use a time-bound Monad rule scoped to a single source with auto-expiry. |
- Monad Filter Rule Pattern
-
IF severity <= 5 → FORWARD IF severity == 6 AND source IN [approved_list] → FORWARD IF severity == 6 AND source NOT IN [approved_list] → DROP IF severity == 7 → DROP
-
Define approved level 6 source list in Monad pipeline config
-
Confirm drop rules for noisy level 6 sources
-
Document time-bound debug escalation procedure for incident response
-
Add syslog level filter as standard to all Monad pipeline definitions
-
Firewall / DMZ Architecture
|
Critical Security Concern
Relying on a load balancer reverse proxy as the sole Layer 7 control for DMZ services is insufficient if WAF is not enabled and properly configured. This must be assessed and remediated before any new services are exposed in the DMZ. |
- DMZ Inventory
-
Full inventory of devices, services, and exposed ports in the DMZ. This does not currently exist in a complete form — it must be produced.
- Load Balancer WAF Status
-
Does the load balancer have a WAF capability? If yes — is it enabled, what profile, what ruleset? If no — what is the compensating control for Layer 7 attacks against DMZ services?
- DMZ Segmentation
-
Are DMZ services segmented from each other or is the DMZ flat? A compromised DMZ host should not have lateral movement capability to other DMZ hosts or inside zone resources.
- Egress Filtering
-
Can DMZ hosts initiate outbound connections freely? Unrestricted egress from DMZ is a C2 beaconing risk.
- Rule Audit
-
DMZ ↔ LB ↔ Inside Zone rules must be audited for least-privilege. Any rule broader than necessary is an attack surface.
-
Produce full DMZ device and service inventory
-
Document all firewall rules — DMZ ↔ LB ↔ Inside Zone
-
Confirm WAF status on load balancer — enabled, profile, ruleset
-
Assess DMZ segmentation — east-west traffic between DMZ hosts
-
Confirm egress filtering — no unrestricted outbound from DMZ
-
Identify services relying solely on LB reverse proxy for security
-
Document compensating controls for any gap found
-
Full DMZ inventory — devices, services, exposed ports
-
Firewall rule audit — DMZ ↔ LB ↔ Inside Zone least-privilege
-
WAF status confirmed — enabled/disabled, profile, ruleset
-
DMZ segmentation assessed — flat vs segmented
-
Egress filtering validated — no unrestricted outbound from DMZ
-
Compensating controls documented for identified gaps
Action Items
| # | Action | Owner | Due |
|---|---|---|---|
1 |
Confirm ESA → Abnormal cutover timeline and document rollback plan |
Evan Rosado |
TBD |
2 |
Validate mail flow — no gaps between ESA and Abnormal |
Evan Rosado |
TBD |
3 |
Confirm MDE onboarding status — enrolled vs not enrolled |
Evan Rosado |
TBD |
4 |
Confirm Sentinel workspace tier in Azure Portal |
Victor / CloudOps |
TBD |
5 |
Produce full DMZ inventory |
Evan Rosado |
TBD |
6 |
Audit DMZ ↔ LB ↔ Inside Zone firewall rules |
Evan Rosado |
TBD |
7 |
Confirm WAF status on load balancer |
Evan Rosado |
TBD |
8 |
Map QRadar LogSourceType to Sentinel connectors |
Evan Rosado |
TBD |
9 |
Open ticket to extend QRadar Ariel retention |
Evan Rosado |
TBD |
10 |
Read recommended-settings-for-eop-and-office365.md |
Evan Rosado |
Today |
11 |
Extract KQL queries from defender-docs into codex/security/kql |
Evan Rosado |
TBD |
12 |
Define approved syslog level 6 source list for Monad |
Evan Rosado |
TBD |
Live Notes
- Security portal
- Datalake regions
-
us-west2
us-west3