Category Archives: Main Articles

MDE Hunting 101

People that start working with Defender for Endpoint (MDE) often ask the question “where should I start when I see an alert in MDE?”. There is lot of valuable information available in the portal to help judge if an alert is a real incident or a false positive. Additionally, you can query the raw telemetry via KQL. But there is still lot of room for interpretation. So, what should you do to get started? And what is even more important: how do I keep the overview?

Read more

Azure Sentinel Internals: Incidents

In my experience, people – due to a lack of knowledge or plain laziness (and I am one of them) sometimes mix-up terms like Events, Alerts, Alarms and Incidents in their conversations. In addition, different tools have different terms for the objects they are displaying in their GUIs. With this article, we will go through all those entities in Sentinel and take a deep dive into their correlations.

Read more
« Older Entries