This article focuses on collecting Teams activity logs in Azure Sentinel.

Microsoft Teams is the hub for teamwork that combines chat, video meetings, calling and files into a single, integrated app. For a detailed description of product features and implementation guidance, see the Microsoft Teams service description.

Azure Sentinel is a SIEM (Security Information Event Management) and SOAR (Security Orchestration Automated Response) system in Azure. Documentation is available here.

[Image: Teams core capabilities]

Microsoft has released the Office 365 log connector's extension for Microsoft Teams. It is currently in public preview, so it is already available to all customers.

Before the Office 365 connector's extension, many organizations used a custom connector based on a Sentinel Playbook, leveraging the Office 365 Management API and PowerShell code. …


How to get statistics and KPIs about the DNS service, leveraging Pi-Hole running on a Raspberry Pi.

In my previous article I described how to onboard a Raspberry Pi on Azure Sentinel. Basically, I decided to enable cloud data logging from the Raspberry Pi with reference to two main security-related use cases. The services my device is running are:

  1. Pi-Hole to block network ad-serving domains (great article here)
  2. OpenVPN terminator.

Pi-hole definition from Wikipedia: Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole (and optionally a DHCP server), intended for use on a private network. …


Cloud data logging with Raspberry PI

The Raspberry Pi is a low-cost, credit-card-sized computer developed by the Raspberry Pi Foundation. Several generations of Raspberry Pis have been released. All models feature a Broadcom chip with an integrated ARM-compatible CPU. The Raspberry Pi Foundation provides Raspbian, a Debian-based Linux distribution. Other operating systems are available as well (Ubuntu, Windows 10 IoT Core, FreeBSD, Arch Linux, CentOS, etc.).


Several accessories are available to extend the Raspberry Pi's capabilities and allow tens or hundreds of use cases to be implemented. Among the most important areas, I cannot fail to mention the following use cases:

  • Use in…


How to automate threat hunting based on Threat Intelligence feeds using Azure Sentinel and MDATP

This article is the 4th in my Microsoft security integrations series. It started with a post about Microsoft Intelligence Security Graph and Security API, then I posted an article about Microsoft Defender ATP and MineMeld integration, closing with an article about Azure Sentinel and MineMeld integration.

Now I’d like to share how to consume your threat intelligence feeds to automatically start threat hunting processes in Microsoft Defender ATP.

Building blocks:

  1. Onboard Azure Sentinel (reference here)
  2. Have the Microsoft Defender ATP service up and running
  3. Integrate your Threat Intelligence provider app in Azure Sentinel (an example here)
  4. Configure a Security Playbook using Azure Logic Apps

Scenario…


How to correlate Threat Intelligence provided by external parties with internal information collected by a SIEM — Azure Sentinel

This article is the 3rd in my Microsoft security integrations series. It started with a post about Microsoft Intelligence Security Graph and Security API, then I posted an article about Microsoft Defender ATP and MineMeld integration.

Now I’d like to share how to bring your threat intelligence feeds into Azure Sentinel.

The most important use case is enriching the data streamed into Azure Sentinel with the threat intelligence feeds that you use across your organization. This lets you check and prioritize your alerts, correlating them with threat intelligence information that you own, manage and trust.

For example, if you get an alert about a specific IP address, domain, URL or file, your threat intelligence provider will be able to tell you whether that IP address, domain or URL was found to be malicious and/or linked to a known threat campaign. …


This article is the 2nd in my Microsoft security integrations series. It started with a post about Microsoft Intelligence Security Graph and Security API. As I mentioned in the last article, I will focus on real security integration use cases. It's really important to build a fully integrated security ecosystem. Many organizations have invested (or are planning to invest) in Threat Intelligence Platforms. Several cybersecurity vendors have their own Threat Intelligence services powering their products. As reported in my last article, Microsoft provides intelligence through its Intelligence Security Graph.

The main topic of this article is how to integrate Microsoft Defender Advanced Threat Protection with a third-party Threat Intelligence Platform (TIP). The TIP I chose for this article is MineMeld, and I decided to share how to send IoCs from the Italian CERT PA to Microsoft Defender ATP. …


This article is the first in my Microsoft security integrations series. I'd like to share insights about how to leverage existing integrations to build a fully integrated IT security ecosystem.

Most organizations have dozens of security solutions deployed in their environments and deal with noisy security alerts, often with little or no context information.

I should like to start with a quote: “Defenders think in lists. Attackers think in graphs. As long as this is true, attackers win.” — John Lambert

Microsoft has built its graph — the Intelligence Security Graph — which combines massive amounts of security signals and threat intelligence feeds from Microsoft products and partners. …

Antonio Formato
