- Mar 4, 2026
Getting domain controller security events into Microsoft Sentinel has more failure modes than it should. Four layers must all work correctly (audit policy, Azure Arc, AMA, and the Data Collection Rule), and a misconfiguration at any one of them drops events silently, with no error and no alert. This post covers the full configuration chain, the gotchas that burn people in production (Event ID 5136 disappearing on Minimal, raw operation codes that break KQL filters, fields that look like columns but aren't), and the verification steps to confirm the pipeline is actually working end to end.
Tags: microsoft-sentinel, azure-monitor-agent, domain-controller, active-directory, log-ingestion, ama, azure-arc, windows-event-forwarding, kql, audit-policy, dcr
- Feb 27, 2026
A new Codeless Connector Framework kind just landed for Azure Blob Storage, and it's architecturally different from anything CCF has done before.
Tags: microsoft-sentinel, ccf, codeless-connector, azure-storage, blob-storage, event-grid, data-connectors, log-ingestion
- Feb 26, 2026
A playbook of patterns for building reliable LLM workflows, covering meta-prompting, state externalisation, and adversarial validation. Derived from analysing the GSD framework.
Tags: llm, agentic-ai, claude-code, prompt-engineering, meta-prompting, context-engineering
- Feb 17, 2026
A practical walkthrough for connecting Google Workspace activity logs to Microsoft Sentinel, including the undocumented gotchas that'll save you from a frustrating afternoon.
Tags: microsoft-sentinel, google-workspace, data-connector, oauth, codeless-connector-framework, log-ingestion
- Jan 29, 2026
Practical lessons learned from programmatically invoking Claude Code on Windows, including the gotchas around tool permissions and system prompts that took some time to figure out.
Tags: claude-code, anthropic, windows, cli, python, automation, llm
- Jan 28, 2026
Microsoft's new Unified Tenant Configuration Management (UTCM) looks promising for drift monitoring, but doesn't fit the bill for point-in-time security assessments.
Tags: utcm, microsoft-365, graph-api, security-assessment, scubagear, microsoft365dsc
- Jan 16, 2026
How security professionals can leverage Claude Code's extensibility framework to enforce deterministic security checks on AI-generated code, treating AI coding assistants like any other developer on the team.
Tags: claude-code, anthropic, secure-coding, sast, semgrep, bandit, devsecops, llm
- Nov 6, 2025
A technique for fingerprinting which third-party email services organisations have authorised through their Proofpoint Hosted SPF implementation.
Tags: proofpoint, spf, reconnaissance, email-security, dns, osint
- Oct 9, 2025
A comprehensive guide to Microsoft Sentinel Data Lake as at October 2025.
Tags: microsoft-sentinel, data-lake, security-operations, azure-security, siem
- Aug 27, 2025
A cautionary tale about vibe coding utilities that combine synchronous and asynchronous code.
Tags: duckdb, mcp, async, debugging, race-conditions, claude-code