Microsoft warned about OAuth redirect abuse on March 2, 2026. This isn't credential theft or classic token theft by itself. It weaponizes Entra ID error handling.

An attacker registers an OAuth app with a malicious redirect URI, sends a crafted login.microsoftonline.com link designed to fail, and Entra ID's 302 redirect lands the victim on a phishing page or malware dropper. The sign-in fails and the attacker still wins.

I built a detection and hardening kit you can deploy to an existing Sentinel workspace:

• 4 analytics rules: consent after risky sign-in, suspicious redirect URIs, OAuth error clustering, bulk consent

• 5 hunting queries: permissions baseline, non-corporate IP auth, high-privilege apps, URI inventory, token replay

• 1 workbook: OAuth Security Dashboard

• Entra hardening: verified-publisher consent restriction, MFA policy for risky OAuth sign-ins

• OAuth app audit: flags suspicious redirect URIs and overprivileged permissions across app registrations

Blog post: https://nineliveszerotrust.com/blog/oauth-redirect-abuse-sentinel/

Companion lab on GitHub: https://github.com/j-dahl7/oauth-redirect-abuse-sentinel

#MicrosoftSentinel #EntraID #DetectionEngineering #OAuth #IdentitySecurity #BlueTeam

Detecting OAuth Redirect Abuse with Microsoft Sentinel and Entra ID

Microsoft warned about OAuth redirect abuse enabling phishing and malware delivery. Build Sentinel analytics rules, hunting queries, a security workbook, and Entra ID hardening policies to detect and prevent this technique in your tenant.
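Two of the detection ideas the post lists (suspicious redirect URIs and OAuth error clustering) worked through as an added Python example over constructed records. This is not code from the post or the linked GitHub kit; the app IDs, host allowlist, users and result codes are made-up sample values standing in for the corresponding Sentinel SigninLogs and app registration fields.

```python
from collections import defaultdict
from urllib.parse import urlparse

# Constructed stand-ins for the fields a Sentinel SigninLogs row carries.
# ResultType "0" means success; any other value is a failure code (values made up here).
SAMPLE_SIGNINS = [
    {"AppId": "app-1111", "ResultType": "0",     "User": "amy@contoso.example"},
    {"AppId": "app-1111", "ResultType": "50126", "User": "bob@contoso.example"},
    {"AppId": "app-9999", "ResultType": "50011", "User": "amy@contoso.example"},
    {"AppId": "app-9999", "ResultType": "50011", "User": "bob@contoso.example"},
    {"AppId": "app-9999", "ResultType": "50011", "User": "cat@contoso.example"},
    {"AppId": "app-9999", "ResultType": "50011", "User": "cat@contoso.example"},  # same user again
    {"AppId": "app-9999", "ResultType": "65001", "User": "dan@contoso.example"},
]
KNOWN_APP_IDS = {"app-1111"}  # assumed allowlist of apps the tenant has reviewed

def cluster_oauth_errors(rows, known_apps, min_users=3):
    """Group failed sign-ins by (AppId, ResultType) for apps outside the allowlist and
    return the clusters where at least min_users distinct users hit the same failure.
    Many users failing the same way against an unvetted app is the 'link designed to fail' signal."""
    users_by_cluster = defaultdict(set)
    for row in rows:
        if row["ResultType"] == "0" or row["AppId"] in known_apps:
            continue
        users_by_cluster[(row["AppId"], row["ResultType"])].add(row["User"])
    return {key: len(users) for key, users in users_by_cluster.items() if len(users) >= min_users}

# Constructed app registrations, shaped like a Graph export (names and URIs made up).
SAMPLE_APPS = [
    {"displayName": "HR Portal", "redirectUris": ["https://hr.contoso.example/auth"]},
    {"displayName": "Legacy Tool", "redirectUris": ["http://legacy.contoso.example/cb",
                                                    "https://*.contoso.example/cb"]},
    {"displayName": "Vendor Sync", "redirectUris": ["https://files.example.net/dl"]},
]
ALLOWED_HOSTS = {"hr.contoso.example", "legacy.contoso.example"}  # assumed corporate hosts

def suspicious_redirect_uris(apps, allowed_hosts):
    """Flag redirect URIs that are not HTTPS, contain a wildcard, or point at a host
    outside the approved set. Returns (app name, uri, [reasons]) tuples in input order."""
    findings = []
    for app in apps:
        for uri in app["redirectUris"]:
            parsed = urlparse(uri)
            reasons = []
            if parsed.scheme != "https":
                reasons.append("non-https")
            if "*" in uri:
                reasons.append("wildcard")
            elif parsed.hostname and parsed.hostname not in allowed_hosts:
                reasons.append("host-not-approved")
            if reasons:
                findings.append((app["displayName"], uri, reasons))
    return findings
```

Run against a real tenant, the allowlists would come from the app inventory the post's audit produces rather than from literals.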

🚨 Turn threat intelligence into action in @microsoft Sentinel

With the CrowdSec Sentinel Playbook, enrich your alerts using CrowdSec’s CTI and automatically detect malicious IPs involved in auth or security events.

Learn more 👉 https://doc.crowdsec.net/u/cti_api/api_integration/integration_ms_sentinel/

#MicrosoftSentinel #SecurityAutomation #CTI #cybersecurity

Microsoft Sentinel | CrowdSec

CrowdSec Sentinel Playbook allows you to enrich your Microsoft Sentinel security monitoring with CrowdSec's CTI intelligence. This integration enables you to detect and create alerts when authentication or other security events involve malicious or suspicious IP addresses.

Happy New Year! 🎉

Microsoft's Sentinel MCP Server went GA on November 18, 2025.

MCP (Model Context Protocol), an open standard from Anthropic, enables AI agents to query your Sentinel data lake using natural language. The AI generates KQL for you behind the scenes. The CSA tracked more than 16,000 MCP servers within 8 months of release. Adoption is outpacing security guidance.

The attack surface is real. Sentinel logs contain attacker-influenced fields like email subjects, command lines, and user agents. When AI processes this data, prompt injection becomes possible. The Supabase MCP incident demonstrated this exact pattern.

It's Microsoft-hosted, but you own the risk. You configure identity, client environment, and monitoring. Data returned is scoped to the caller's permissions.

Full walkthrough (setup, vectors, hardening):

https://nineliveszerotrust.com/blog/sentinel-mcp-server-security/

#MicrosoftSentinel #AISecurity #MCP #ZeroTrust #InfoSec #CyberSecurity #PromptInjection

New blog post live for my Sentinel Saturday series!
Read the blog 👉 https://marshsecurity.org/sentinel-saturday-using-tasks-with-automation/

In this post, I explore the power of using Microsoft Sentinel Tasks as part of your automation workflows.

Most teams aren’t getting the full #value out of Tasks in Microsoft Sentinel. Are you? When you combine Sentinel Tasks with automation, they become a game-changer.

- Auto-create tasks when automation fails (so nothing slips through the cracks)
- Auto-complete tasks when automation succeeds
- Use tasks to verify automation outcomes
- Build engineering feedback loops and automation #QA

Read the blog 👉 https://marshsecurity.org/sentinel-saturday-using-tasks-with-automation/

#MicrosoftSentinel #SentinelAutomation #CyberSecurity #SOCAutomation
#CloudSecurity #AzureSecurity #SIEM #SecOps #Automation #InfoSec
#CyberSecurityCommunity #BlueTeam #ThreatDetection #SecurityEngineering #SecurityOperations

Take control of your security data like never before! With our expert guide, you’ll learn how to integrate Microsoft Sentinel for a seamless, scalable security data lake. Harness the full power of cloud analytics to stay ahead of evolving threats—one simple step at a time.

Read more 👉 https://lttr.ai/AlLt0

#SecurityDataLake #AzureDataExplorer #MicrosoftSentinel

Step-by-Step Guide to Creating a Security Data Lake Using Microsoft Sentinel

You can make a Security Data Lake with Microsoft Sentinel and Azure Data Explorer.

M365 Show - Microsoft 365 Digital Workplace Daily

🚨 GreyNoise for Microsoft Sentinel is here!
Filter out internet background noise automatically. Focus on real threats.
#MicrosoftSentinel #AppAssure

🔗 https://techcommunity.microsoft.com/blog/MicrosoftSentinelBlog/ignite-2025-new-microsoft-sentinel-connectors-announcement/4454613

🕵️‍♂️ KQL is both a science and an art.

If you’ve ever felt your Sentinel queries were running slow or costing more than they should, you’re not alone.
This week’s #SentinelSaturdays covers how to write leaner, faster, more efficient KQL queries with practical examples you can use today.

🔗 Read the full walkthrough here: https://marshsecurity.org/sentinel-skills-saturday-edition-one/

Share your comments 👇
What’s YOUR top KQL tip or favourite optimisation trick?

Let’s build a thread of practical advice for the hunting community.
#MicrosoftSentinel #KQL #ThreatHunting #SecurityOperations

Step-by-Step Guide to Creating a Security Data Lake Using Microsoft Sentinel
https://lttr.ai/Ajglf

#SecurityDataLake #AzureDataExplorer #MicrosoftSentinel

Step-by-Step Guide to Creating a Security Data Lake Using Microsoft Sentinel

You can make a Security Data Lake with Microsoft Sentinel and Azure Data Explorer.

M365 Show - Microsoft 365 Digital Workplace Daily

🚀 @microsoft Sentinel Graph (Public Preview) is here.
🔹 Connects endpoints, cloud, SaaS, and threat intel into one graph
🔹 Visualizes attack blast radius for faster mitigation
🔹 Enables proactive threat hunting & insider risk analysis
Attackers think in graphs. Now defenders can too.
💬 Will graph-powered AI become the new SOC standard?
👉 Follow @technadu for cybersecurity + AI defense insights.

#MicrosoftSentinel #CyberSecurity #AI #SOC #ThreatHunting #CloudSecurity #DataProtection

Step-by-Step Guide to Creating a Security Data Lake Using Microsoft Sentinel.

Read more 👉 https://lttr.ai/Ai6es

#SecurityDataLake #AzureDataExplorer #MicrosoftSentinel

Step-by-Step Guide to Creating a Security Data Lake Using Microsoft Sentinel

You can make a Security Data Lake with Microsoft Sentinel and Azure Data Explorer.

M365 Show - Microsoft 365 Digital Workplace Daily