Skip to main content
Ejecuta cualquier Skill en Manus
con un clic
Repositorio de GitHub

microsoft-security-skills

microsoft-security-skills contiene 88 skills recopiladas de vinayaklatthe, con cobertura ocupacional por repositorio y páginas de detalle dentro del sitio.

skills recopiladas
88
Stars
158
actualizado
2026-06-18
Forks
34
Cobertura ocupacional
5 categorías ocupacionales · 100% clasificado
explorador de repositorios

Skills en este repositorio

agent-identity-governance
Analistas de seguridad de la información

Guidance for governing the identities of AI agents and non-human identities (NHIs) — Microsoft 365 Copilot Studio agents, Microsoft Foundry agents, custom AI agents, and traditional service principals/managed identities — through their full lifecycle. Covers ownership and tagging, scoped permissions and consent (delegated vs application; Sites.Selected; mailbox-scoped Graph), credential hygiene (federated credentials, certificates, no secrets), Conditional Access for workloads, agent-level access reviews via Entra ID Governance, lifecycle workflows for agent decommissioning, audit (agent prompts, agent actions, agent identity sign-ins), incident response when an agent is compromised, and integration with Purview AI Hub for usage signals. WHEN: AI agent identity governance, non-human identity governance, NHI lifecycle, Copilot Studio agent identity, Foundry agent governance, agent service principal, scoped Graph permissions agent, agent access review, decommission AI agent, agent credential rotation, compromis

2026-06-18
azure-ai-content-safety
Analistas de seguridad de la información

Guidance for Azure AI Content Safety — programmatic content moderation for text, images, multimodal, and generative AI guardrails. Covers Content Safety categories (hate, violence, sexual, self-harm) with severity levels, Prompt Shields for jailbreak and indirect prompt injection detection, groundedness detection (hallucination check vs grounding sources), protected material detection (text and code), custom categories, blocklists, Content Safety Studio for tuning, integration with Azure OpenAI as input/output filters (built-in plus custom), latency/cost trade-offs, agent guardrails, and deployment patterns (sidecar in app, integrated with Azure OpenAI). WHEN: Azure AI Content Safety, prompt shields, jailbreak detection, indirect prompt injection, groundedness check, protected material detection, content moderation, generative AI guardrails, harmful content categories, custom blocklist AI, agent guardrail. DO NOT USE for AI workload threat detection / SOC alerts (use defender-for-cloud-ai), end-user AI usage

2026-06-18
azure-bastion-jit
Analistas de seguridad de la información

Guidance for secure remote VM management in Azure using Azure Bastion combined with Defender for Cloud just-in-time (JIT) VM access. Covers Bastion SKU selection (Developer / Basic / Standard / Premium), IP-based and shareable-link connections, native client (RDP/SSH from local machine via az CLI), session recording (Premium), private-only deployment, JIT request workflow and policy, RBAC for connect operations, integration with Conditional Access (via Bastion + Entra login on the VM), Azure Policy enforcement to require Bastion + JIT and prohibit public IP on VMs, and migration off VPN/jump-box patterns. WHEN: Azure Bastion design, Bastion SKU comparison, JIT VM access, just-in-time access Azure, Bastion shareable link, native client Bastion, session recording Bastion, eliminate public IP on VMs, replace jump host with Bastion, secure RDP SSH Azure, Bastion Premium recording. DO NOT USE for hybrid/SD-WAN VPN design, GSA Private Access (use entra-global-secure-access), or cluster-only K8s access.

2026-06-18
azure-confidential-computing
Analistas de seguridad de la información

Guidance for Azure Confidential Computing — protecting data in use through hardware-based Trusted Execution Environments (TEEs). Covers Confidential VMs (AMD SEV-SNP, Intel TDX), Confidential containers on AKS (Kata + AMD SEV-SNP), confidential GPU VMs (NVIDIA H100 with TDX), Azure Key Vault Managed HSM and Premium with secure-key-release for confidential workloads, attestation (Microsoft Azure Attestation service), confidential ledger, scenarios (multi-party data sharing, regulated workload isolation, AI training on sensitive data), key-release policies tying secrets to attested TEE state, and decision criteria vs CMK/Customer Key. WHEN: Azure Confidential Computing, AMD SEV-SNP, Intel TDX, confidential VM, confidential AKS container, confidential GPU H100, Azure Attestation, secure key release, multi-party computation, confidential AI, encrypted memory Azure, hardware enclave Azure. DO NOT USE for general data-at-rest CMK (use azure-key-vault), application encryption SDK only, or non-Azure TEE design.

2026-06-18
azure-ddos-protection
Analistas de seguridad de la información

Guidance for Azure DDoS Protection — Network Protection (per-VNet) and IP Protection (per public IP) tiers built on the same always-on Microsoft platform. Covers tier selection vs free Basic infrastructure protection, scope (VNet vs single IP), traffic profiling and mitigation policy auto-tuning, attack analytics and metrics, attack alerts to Sentinel, DDoS Rapid Response engagement, integration with Azure WAF and Front Door, cost-protection guarantee, mitigation reports for compliance, and per-region capacity planning. WHEN: Azure DDoS Protection, DDoS Network Protection, DDoS IP Protection, layer 3/4 DDoS, attack analytics Azure, DDoS rapid response, cost protection DDoS, DDoS metrics, mitigation report, simulate DDoS Azure. DO NOT USE for layer 7 / app-layer attack mitigation alone (use azure-waf), Azure Firewall design (use azure-firewall), or hybrid network DDoS via on-prem appliances.

2026-06-18
azure-monitor-security
Analistas de seguridad de la información

Guidance for the security-side use of Azure Monitor and Log Analytics — designing the workspace strategy that feeds Microsoft Sentinel and Defender for Cloud, choosing analytics vs basic vs auxiliary log tiers, retention and archive, table-level transformations to drop noise pre-ingestion, Data Collection Rules (DCRs) and Azure Monitor Agent (AMA), workspace topology (single vs regional vs sovereign), commitment tiers and cost control, customer-managed keys for the workspace, RBAC including table-level RBAC, integration with Sentinel (workspace requirements), and decommissioning legacy MMA. WHEN: Log Analytics workspace design, Azure Monitor security data, Sentinel workspace, log tier basic auxiliary, AMA Azure Monitor Agent, DCR data collection rule, drop columns ingestion transform, log retention archive, workspace CMK, table-level RBAC, log ingestion cost control. DO NOT USE for Sentinel detection authoring (use sentinel-detection-engineering), App Insights instrumentation (use appinsights-instrumentation)

2026-06-18
azure-waf
Analistas de seguridad de la información

Guidance for Azure Web Application Firewall — deployed on Azure Front Door (global, edge-tier) or Azure Application Gateway (regional, integrated with backend pools). Covers WAF policy design with managed rule sets (Microsoft Default Rule Set, Bot Manager, OWASP CRS), custom rules (rate limit, geo-block, IP allow/deny), exclusion design (the long-tail tuning task that decides whether WAF stays in Prevention), JSON challenge / CAPTCHA, log analytics integration, false-positive triage workflow, integration with Defender for Cloud and Sentinel, regional vs global trade-off, and migration from third-party WAF. WHEN: Azure WAF, Front Door WAF, Application Gateway WAF, OWASP CRS Azure, bot manager Azure, WAF custom rules, WAF rate limiting, WAF false positives, WAF exclusions, WAF prevention vs detection, JSON challenge WAF, geo-block WAF. DO NOT USE for L3/L4 DDoS (use azure-ddos-protection), Azure Firewall design (use azure-firewall), or non-HTTP workloads.

2026-06-18
compliance-manager
Oficiales de cumplimiento

Guidance for Microsoft Purview Compliance Manager — continuous compliance posture across Microsoft and non-Microsoft assets, mapped to 360+ regulatory templates (ISO 27001/27018/27701, SOC 2, NIST 800-53/171/CSF, PCI DSS, HIPAA, GDPR, FedRAMP, IRAP, Essential Eight, DORA, EU AI Act, etc.). Covers compliance score, improvement actions (Microsoft-managed vs customer-managed), evidence collection, assessment authoring (custom templates from CSV), multi-assessment grouping, automated testing of technical controls via Microsoft 365 / Defender for Cloud / Entra, evidence repository, audit-ready reports, and continuous assessment vs point-in-time. WHEN: Compliance Manager, compliance score, regulatory assessment Purview, NIST 800-53 assessment, ISO 27001 evidence, FedRAMP assessment, custom compliance template, improvement action, technical control automation, audit evidence M365, DORA assessment, EU AI Act assessment. DO NOT USE for Defender for Cloud regulatory dashboard (use defender-for-cloud-hardening), Records

2026-06-18
copilot-for-m365-readiness
Analistas de seguridad de la información

Guidance for safely deploying Microsoft 365 Copilot — end-to-end readiness covering oversharing remediation, SharePoint Advanced Management (SAM) restricted sites and content discovery, sensitivity label coverage, Purview DLP for Copilot, Restricted SharePoint Search (RSS) interim safeguard, site lifecycle and ownership, Copilot interaction auditing, Copilot in Defender XDR alerts, prompt-shield risks, licensing prerequisites, and a phased rollout that doesn't surface confidential data on day one. WHEN: M365 Copilot rollout, Copilot oversharing remediation, SAM, SharePoint Advanced Management, Restricted SharePoint Search, RSS Copilot, sensitivity labels Copilot, DLP for Copilot, Copilot audit, safe Copilot deployment, Copilot pilot, prevent Copilot data leakage. DO NOT USE for tenant-wide oversharing program design (use m365-oversharing), Purview DSPM for AI alone (use purview-dspm-ai), or Microsoft Foundry agent security (use microsoft-agent-365).

2026-06-18
defender-easm
Analistas de seguridad de la información

Guidance for Microsoft Defender External Attack Surface Management (Defender EASM) — discovers and inventories an organization's internet-facing assets (domains, hosts, IPs, SSL certs, ASNs, web pages, contacts) from the outside-in. Covers seed-based discovery, attack surface insights (CVEs, expiring certs, deprecated tech, unsanctioned cloud), labels and groups, integration with Defender for Cloud (CSPM), Defender XDR, and Sentinel, and pricing model (per asset). WHEN: Defender EASM, external attack surface management, internet-facing inventory, shadow IT discovery, expired SSL discovery, exposed RDP discovery, unknown subdomain, attack surface insights, seed-based discovery, outside-in scanning, third-party asset risk, M&A asset discovery. DO NOT USE for internal asset discovery (use defender-for-cloud-hardening / Defender XDR), endpoint vuln scan (use defender-for-endpoint MDVM), or Sentinel hunting alone.

2026-06-18
defender-for-business
Analistas de seguridad de la información

Guidance for Microsoft Defender for Business (MDB) — the SMB-segment endpoint security product (≤300 employees), bundled with Microsoft 365 Business Premium and available as a standalone SKU. Covers what's included vs MDE Plan 1/2 (next-gen AV, EDR with simplified configuration, ASR, automated investigation and response, vulnerability management, web content filtering, attack surface reduction, mobile threat defense add-on), wizard-driven onboarding, server add-on for SMB servers, the simplified portal experience vs full Defender XDR, transition path to MDE P2 / E5 as the org grows, and integration with Microsoft 365 Lighthouse for MSP delivery. WHEN: Defender for Business, MDB, SMB endpoint security, M365 Business Premium security, MDB server add-on, simplified EDR small business, MSP Defender for Business, M365 Lighthouse Defender, SMB upgrade to MDE Plan 2. DO NOT USE for enterprise EDR (use defender-for-endpoint), Defender XDR cross-product investigation (use defender-xdr), or Defender for Servers / Cloud

2026-06-18
defender-for-cloud-ai
Analistas de seguridad de la información

Guidance for Microsoft Defender for Cloud — AI workload protection (AI-SPM and runtime threat detection for generative AI). Covers AI Security Posture Management (discovery of Azure OpenAI / Azure AI Foundry / Amazon Bedrock / Google Vertex AI resources, identification of grounding data exposure, model deployment posture), runtime threat detection on Azure OpenAI (prompt injection / jailbreak attempts, sensitive data leakage in prompts/responses, wallet abuse, credential leakage), integration with Azure AI Content Safety Prompt Shields, attack path analysis for AI workloads, alert investigation in Defender XDR, and pairing with Purview DSPM for AI (user side) and Azure AI Content Safety (model side). WHEN: Defender for Cloud AI, AI-SPM, AI workload protection, Azure OpenAI threat detection, prompt injection alert, jailbreak alert Azure OpenAI, AI wallet abuse, AI workload posture, Amazon Bedrock posture, Vertex AI posture, generative AI security Azure. DO NOT USE for end-user AI usage governance (use purview-

2026-06-18
defender-for-containers
Analistas de seguridad de la información

Guidance for Microsoft Defender for Containers — Kubernetes and container security across AKS, Azure Arc-enabled Kubernetes, EKS, GKE, and OpenShift. Covers agentless discovery, agentless vulnerability assessment for images and running containers (powered by Microsoft Defender Vulnerability Management), runtime threat detection via the Defender sensor (eBPF on Linux), Kubernetes data plane hardening with Azure Policy / Gatekeeper, registry scanning for ACR / ECR / GAR, admission control, attack path analysis, and Sentinel integration. WHEN: Defender for Containers, AKS security, container runtime threat detection, Kubernetes admission control, image vulnerability scanning, ACR scan, EKS GKE security in Defender for Cloud, K8s posture, container attack path, Defender container sensor, Gatekeeper Azure Policy AKS, agentless container scan. DO NOT USE for VM/host hardening (use defender-for-servers), AKS networking design (use azure-network-security-design), or general AKS day-2 ops unrelated to security.

2026-06-18
defender-for-iot
Analistas de seguridad de la información

Guidance for Microsoft Defender for IoT — agentless OT/ICS network detection and response for industrial environments, plus enterprise IoT (EIoT) protection integrated with Defender XDR. Covers OT sensor deployment (physical/virtual, SPAN/TAP), Purdue model alignment, on-premises management console, cloud-managed sensors, EIoT (printers, cameras, VoIP) discovered through MDE, asset inventory, vulnerability data, threat intelligence, and integration with Sentinel and Defender XDR. WHEN: Defender for IoT, OT security, ICS security, SCADA monitoring, Purdue model network security, OT sensor deployment, SPAN port monitoring, enterprise IoT discovery, unmanaged device protection, factory floor security, NDR for OT, ICS threat detection, IoT asset inventory. DO NOT USE for IoT Hub data-plane security (Azure platform), Azure Sphere device hardening, or generic endpoint EDR (use defender-for-endpoint).

2026-06-18
defender-for-servers
Analistas de seguridad de la información

Guidance for Microsoft Defender for Servers (Plan 1 and Plan 2) — server-specific protection in Microsoft Defender for Cloud. Covers plan selection, agentless vs agent-based scanning, MDE for Servers integration, file integrity monitoring (FIM via MDE), just-in-time VM access, vulnerability assessment, adaptive application controls, network hardening, and free data ingestion to Sentinel/Log Analytics. Applies to Azure VMs, Azure Arc-enabled servers (on-prem, AWS EC2, GCP Compute), and Azure VMSS. WHEN: Defender for Servers, MDE for Servers, server EDR, FIM, file integrity monitoring, JIT VM access, just-in-time access, agentless scanning servers, vulnerability assessment for VMs, hybrid server protection, Arc-enabled servers security, AWS EC2 in Defender for Cloud, GCP Compute in Defender for Cloud, server hardening Azure, Plan 1 vs Plan 2 servers. DO NOT USE for endpoint client devices (use defender-for-endpoint), generic Azure resource posture (use defender-for-cloud-hardening), or container hosts (use defe

2026-06-18
defender-for-storage
Analistas de seguridad de la información

Guidance for Microsoft Defender for Storage — threat protection for Azure Storage accounts (Blob, Files, Data Lake Gen2). Covers the v2 (per-storage-account) plan, on-upload malware scanning powered by Defender Antivirus, sensitive data threat detection (integrated with Purview classification), activity-based threat detection, override per storage account, exclusion of high-volume accounts, Event Grid integration for scan results, and cost controls (per-GB scan cap). WHEN: Defender for Storage, Azure Storage malware scan, Blob malware scanning, sensitive data threat detection, on-upload scan, Defender for Storage v2, Storage account threat protection, scan results Event Grid, Purview classification storage, malicious blob upload, exfiltration alert storage, untrusted upload scan. DO NOT USE for SQL/Cosmos DB protection (use defender-for-cloud-hardening), VM disk malware (use defender-for-servers agentless scan), or M365 SharePoint/OneDrive (use defender-for-office-365).

2026-06-18
defender-tvm
Analistas de seguridad de la información

Guidance for Microsoft Defender Threat Intelligence (Defender TI) and Microsoft Defender Vulnerability Management (MDVM) — the threat-and-vulnerability layer of Defender XDR. Covers MDVM exposure score, CVE prioritization with threat insights and active campaigns, security baselines (CIS/STIG), browser-extension and certificate inventory, network share assessment, hardware/firmware inventory, security recommendations and remediation tasks (Intune integration), and Defender TI for adversary-tracked indicators, intel profiles, infrastructure pivoting, and MDTI APIs. WHEN: Defender Vulnerability Management, MDVM, MDVM add-on, exposure score, threat-aware vulnerability prioritization, CIS benchmark CVEs, security baselines assessment, browser extension inventory, firmware vuln, Microsoft Defender Threat Intelligence, MDTI, intel profiles, threat actor tracking, IOC pivoting, MDTI API, threat hunting with intel. DO NOT USE for endpoint EDR config (use defender-for-endpoint), Sentinel detections (use sentinel-detec

2026-06-18
entra-external-id
Analistas de seguridad de la información

Guidance for Microsoft Entra External ID — the unified customer identity and access management (CIAM) and external collaboration platform that replaces Azure AD B2C (for new tenants) and consolidates B2B guest scenarios. Covers external tenant creation, user flows (sign-up/sign-in, password reset), custom branding, identity providers (Google, Facebook, Apple, SAML/OIDC), email OTP and passkey support, custom attributes, custom authentication extensions (replaces B2C custom policies), API connectors, Conditional Access for external users, self-service sign-up in workforce tenants, B2B collaboration vs B2B direct connect, cross-tenant access settings, and migration considerations from Azure AD B2C. WHEN: Entra External ID, CIAM Microsoft, customer identity, replace Azure AD B2C, B2B guest user, B2B direct connect, cross-tenant access settings, external tenant, self-service sign-up, custom authentication extension, social identity provider, partner collaboration Entra, external user lifecycle, guest user expirat

2026-06-18
entra-global-secure-access
Analistas de seguridad de la información

Guidance for Microsoft Entra Global Secure Access (GSA) — Microsoft's Security Service Edge (SSE) combining Entra Internet Access (SWG/Secure Web Gateway) and Entra Private Access (ZTNA replacement for VPN). Covers client deployment (Windows, macOS, iOS, Android), traffic forwarding profiles (Microsoft, Internet, Private), Conditional Access for network traffic, source IP restoration, app discovery, Quick Access and per-app access for Private Access, connector deployment, branch site connectivity (IPSec), TLS inspection, and Universal CA integration. WHEN: Entra Global Secure Access, GSA, Microsoft SSE, Entra Internet Access, Entra Private Access, ZTNA Microsoft, replace VPN with ZTNA, secure web gateway Entra, Conditional Access on network, source IP restoration, Quick Access app, Private Access connector, branch IPSec to Microsoft, GSA client rollout. DO NOT USE for general Conditional Access policy design (use conditional-access-mfa), Azure VPN/ExpressRoute design, or third-party SSE (Zscaler/Netskope) con

2026-06-18
entra-verified-id
Analistas de seguridad de la información

Guidance for Microsoft Entra Verified ID — verifiable credentials issuance and verification platform based on open standards (W3C Verifiable Credentials, DIDs, OpenID4VC). Covers issuer setup (tenant configuration, DID registration, signing key in Key Vault), credential schema design, rules and display files, issuance flows (QR / deep link), verification flows, Face Check biometric matching, integration with Entra ID for workforce onboarding and access, integration with verification partners, and use cases (employee verification, remote onboarding, low-friction account recovery, vendor/contractor identity proofing). WHEN: Entra Verified ID, verifiable credentials, decentralized identity, DID issuance, issue credential Entra, verify credential, Face Check, remote onboarding identity proofing, account recovery with VC, contractor identity verification, vendor verification, workforce onboarding VC. DO NOT USE for B2C/CIAM (use entra-external-id), workforce identity admin (use entra-id), or PKI/certificate design

2026-06-18
entra-workload-identity
Analistas de seguridad de la información

Guidance for Microsoft Entra workload identities — managed identities, service principals, and workload identity federation. Covers system-assigned vs user-assigned managed identity, federated credentials (GitHub Actions, Azure DevOps, Kubernetes, other OIDC issuers) to eliminate secrets, Workload Identities Premium (Conditional Access for workloads, risk detection, lifecycle reviews), credential hygiene (no client secrets where federation works), least-privilege RBAC, and integration with Defender for Cloud / Microsoft Entra Permissions Management. WHEN: managed identity, system-assigned identity, user-assigned identity, service principal hardening, workload identity federation, GitHub OIDC to Azure, Azure DevOps OIDC, AKS workload identity, kill client secrets, federated credential, Workload Identities Premium, Conditional Access for workloads, non-human identity governance, NHI, app registration hardening. DO NOT USE for user/human identity (use entra-id), permissions discovery across clouds (use entra-per

2026-06-18
iac-security
Desarrolladores de software

Guidance for securing Infrastructure-as-Code (Bicep, ARM, Terraform, and ACI/Container) pipelines on Azure — shift-left scanning, policy-as-code, secret hygiene, identity for pipelines, drift detection, and supply chain. Covers Microsoft Defender for Cloud DevOps Security (GitHub / Azure DevOps connectors), Microsoft Security DevOps (MSDO) extension, Bicep linter and template specs, Terraform best practices on Azure (state management, backend hardening, provider versions), Azure Policy as deploy-time and CI-time gate, GitOps with Flux/ArgoCD on AKS, secret scanning and dependency review, signed commits / artifact signing, OIDC federation for pipeline identity (no client secrets), and integration with Defender for Cloud posture. WHEN: IaC security, Bicep security, Terraform Azure security, Defender for Cloud DevOps Security, MSDO, Microsoft Security DevOps, shift-left Azure, policy as code, OIDC GitHub Actions Azure, secrets in IaC, drift detection, signed Bicep, supply chain Azure. DO NOT USE for Kubernetes a

2026-06-18
macos-intune-baseline
Analistas de seguridad de la información

Guidance for hardening macOS endpoints managed by Microsoft Intune — automated device enrollment via Apple Business Manager (ABM), platform single sign-on (PSSO) with Entra ID, FileVault disk encryption escrow, security configuration profiles (Gatekeeper, XProtect, system extensions allowlist, firewall, login window, Privacy Preferences Policy Control / PPPC), Microsoft Defender for Endpoint on macOS, app management (VPP / managed apps / shell scripts via Intune), patching strategy (managed software updates / DDM), Conditional Access compliance signal, and cross-platform identity model. WHEN: Mac Intune baseline, macOS hardening Intune, FileVault escrow, ABM Apple Business Manager, Platform SSO macOS, PSSO Entra, MDE on Mac, Gatekeeper Intune, system extensions Intune, PPPC Intune, macOS compliance Conditional Access. DO NOT USE for general Intune device management end-to-end (use intune-device-mgmt), MDE config alone (use defender-for-endpoint), or iOS device management.

2026-06-18
passkeys-fido2
Analistas de seguridad de la información

Guidance for rolling out passkeys (device-bound and synced) and FIDO2 security keys in Microsoft Entra ID as the primary phishing-resistant authentication method. Covers passkey types (device-bound in Microsoft Authenticator, synced passkeys via platform providers, hardware security keys), Conditional Access authentication strength, registration campaigns, Temporary Access Pass (TAP) bootstrapping, lifecycle (lost device, attestation), Conditional Access requiring phishing-resistant MFA, decommissioning legacy methods (SMS, voice, weaker app push), and integration with Windows Hello for Business. WHEN: passkey rollout, FIDO2 keys, phishing-resistant MFA, Microsoft Authenticator passkey, device-bound passkey, synced passkey, Temporary Access Pass, TAP, Conditional Access authentication strength, kill SMS MFA, retire voice MFA, passwordless rollout, FIDO2 attestation, security key registration. DO NOT USE for general CA policy authoring (use conditional-access-mfa), Windows desktop sign-in design end-to-end (us

2026-06-18
purview-ai-hub
Analistas de seguridad de la información

Guidance for Microsoft Purview AI Hub (now part of Data Security Posture Management for AI) — discover, govern, and protect sensitive data flowing into AI applications (Microsoft 365 Copilot, Copilot Studio agents, ChatGPT, Gemini, third-party generative AI). Covers AI app discovery via Defender for Cloud Apps + endpoint signals, sensitive data risk surface, ready-to-use policies for Copilot oversharing and risky AI usage, DLP for generative AI endpoints (browser blocking), prompt/response auditing, integration with IRM (risky AI usage), Sentinel reporting, and difference vs Defender for Cloud AI workload protection. WHEN: Purview AI Hub, DSPM for AI, AI app discovery, ChatGPT data leakage, Gemini DLP, generative AI risk, prompt audit, Copilot Studio agent governance, sensitive data to AI, shadow AI, agent data risk. DO NOT USE for Defender for Cloud's AI workload protection (use defender-for-cloud-ai), Azure AI Content Safety (use azure-ai-content-safety), or Microsoft 365 Copilot rollout (use copilot-for-m3

2026-06-18
purview-customer-key
Analistas de seguridad de la información

Guidance for Microsoft Purview Customer Key and Double Key Encryption (DKE) — customer-controlled encryption for service-side data (Customer Key for Exchange/SharePoint/OneDrive/Teams/Purview) and client-side double encryption for highly sensitive documents (DKE via sensitivity labels and a customer-hosted key service). Covers Azure Key Vault setup (HSM-backed, recoverable, soft-delete, purge protection, redundant regions), data encryption policies (DEPs) for M365 services, key rotation and revocation, DKE service deployment (containerized key release service), DKE label authoring, end-user experience trade-offs (no eDiscovery into DKE content), and decision criteria vs Microsoft-managed encryption. WHEN: Customer Key M365, BYOK Exchange, DKE Microsoft, double key encryption, customer-managed keys SharePoint OneDrive Teams, key rotation Customer Key, HYOK alternative, sovereignty encryption, regulator-controlled encryption, sensitivity label DKE. DO NOT USE for Azure resource CMK (use azure-key-vault), genera

2026-06-18
purview-insider-risk-management
Analistas de seguridad de la información

Guidance for Microsoft Purview Insider Risk Management (IRM) — detect, investigate, and act on risky user activity (data theft by departing employees, intellectual property leaks, security policy violations) using signals from M365, Entra, Defender, Windows endpoints, HR systems, and Adaptive Protection. Covers policy templates (data theft by departing users, data leaks, security policy violations), HRIS connector setup, indicator selection, sequence detection, anomaly detection, alerts triage, case investigation with content explorer, integration with eDiscovery and Communication Compliance, Adaptive Protection's automatic DLP policy adjustment, privacy controls (pseudonymization), role separation, and tenant-allow-list. WHEN: insider risk management, IRM policy, data theft departing user, IP leak detection, HRIS connector Purview, Adaptive Protection, insider risk indicators, sequence detection Purview, IRM case investigation, IRM privacy controls, IRM pseudonymization, insider risk Sentinel. DO NOT USE for

2026-06-18
purview-records-management
Analistas de seguridad de la información

Guidance for Microsoft Purview Records Management — declaring, managing, and disposing records across SharePoint, OneDrive, Exchange, and Teams. Covers retention labels with record / regulatory record options, file plan import, event-based retention (employee leaves, contract expires), disposition review (single- and multi-stage), proof of deletion / records of disposition, retention label policies vs auto-apply policies (KQL/sensitive info types/trainable classifiers), label-aware DLP, integration with Information Governance vs Records Management licensing, and role separation between records managers and admins. WHEN: records management Purview, file plan, retention label record, regulatory record, event-based retention, disposition review, record declaration SharePoint, immutable records, audit-proof deletion, file plan import. DO NOT USE for non-records data lifecycle (use purview-data-lifecycle), DLP policies (use purview-dlp-policy), or eDiscovery (use purview-ediscovery).

2026-06-18
sentinel-detection-engineering
Analistas de seguridad de la información

Guidance for detection engineering in Microsoft Sentinel — building, testing, deploying, and maintaining analytics rules, hunting queries, and SOAR automation. Covers the Content Hub solution model, MITRE ATT&CK mapping, scheduled vs near-real-time (NRT) vs Fusion vs anomalies analytics, KQL detection patterns (joins, summarize, bin, materialize), entity mapping and incident enrichment, custom detections from Defender XDR vs Sentinel-only, automation rules, playbooks (Logic Apps), watchlists, threat intel matching, content as code with Azure DevOps / GitHub repositories integration, and detection lifecycle (validate → tune → version). WHEN: Sentinel analytics rule, KQL detection, MITRE mapping, Sentinel content hub, scheduled analytics, NRT rule, hunting query, Sentinel automation rule, Logic App playbook, custom detection, repositories Sentinel CI/CD, detection-as-code, watchlist, threat intel matching analytics, fusion alerts, anomalies, incident enrichment, entity mapping. DO NOT USE for Sentinel architect

2026-06-18
windows-11-security-baseline
Analistas de seguridad de la información

Guidance for the Windows 11 enterprise security baseline — Microsoft's recommended security settings deployed via Intune (Settings catalog / security baselines) or GPO. Covers core hardware-rooted controls (TPM 2.0, Secure Boot, virtualization-based security / VBS, Hypervisor-Protected Code Integrity / HVCI, Memory Integrity, Credential Guard, Local Security Authority protection), Windows LAPS (Microsoft's modern local admin password solution, replacement for legacy LAPS), Smart App Control, Personal Data Encryption (PDE), Windows Hello for Business deployment, controlled folder access, exploit protection, BitLocker baseline, app control with WDAC, removable storage controls, and integration with Intune compliance and Defender for Endpoint. WHEN: Windows 11 baseline, Windows security baseline, VBS HVCI Memory Integrity, Credential Guard, LSA protection, Windows LAPS, replace legacy LAPS, Smart App Control, WDAC, exploit protection, PDE Windows 11, Intune security baseline. DO NOT USE for endpoint EDR config (

2026-06-18
microsoft-agent-365
Analistas de seguridad de la información

Guidance for managing AI agents at enterprise scale with Microsoft Agent 365 - the control plane that lets admins observe, govern, and secure every agent (Microsoft, Copilot Studio, and third-party) from a single registry, using Microsoft Entra Agent ID for identity, Microsoft Purview for data security, and Microsoft Defender for runtime threat protection. WHEN: Microsoft Agent 365, Agent 365, manage agents at scale, agent control plane, agent registry, agent map, observe govern secure agents, Entra Agent ID, agent identity lifecycle, third-party agent governance, secure AI agents tenant-wide, agent sprawl, agent inventory. DO NOT USE for Purview-only data controls on a single agent (use purview-agent-365-security) or end-user Copilot oversharing (use purview-copilot-oversharing).

2026-06-12
m365-oversharing
Analistas de seguridad de la información

Guidance for remediating oversharing across Microsoft 365 (SharePoint, OneDrive, Teams, Exchange) using the Secure & Governed Data Foundation blueprint - a three-pillar program (remediate oversharing, set up guardrails, meet regulations) built on SharePoint Advanced Management data access governance, sensitivity and container labels, secure-by-default labelling, Restricted Access Control, and Microsoft Purview. WHEN: Microsoft 365 oversharing, M365 oversharing, secure and governed data foundation, oversharing blueprint, too many people have access to SharePoint, EEEU everyone except external users, tighten permissions, data access governance report, restricted content discovery, secure by default labels, prepare data foundation, reduce sharing link sprawl, governed data estate. DO NOT USE for Copilot-specific readiness framing only (use purview-copilot-oversharing) or building a broad DLP program (use purview-dlp-policy).

2026-06-12
api-security-design
Analistas de seguridad de la información

Guidance for designing secure APIs on Azure - authentication, authorization, gateway controls, input validation, rate limiting, secret management, and runtime threat detection - aligned to OWASP API Security Top 10 and Azure API Management. WHEN: API security design, secure API, OWASP API Top 10, API authentication, API gateway security, rate limiting, validate JWT, protect backend API, API Management security policies, secure API architecture, BOLA, BFLA. DO NOT USE for general application security or web app design (use security-architecture / threat-modelling) or for API runtime detection only (use defender-for-apis).

2026-06-11
azure-role-selector
Analistas de seguridad de la información

Guidance for selecting the right Azure RBAC role with least privilege - mapping required actions to built-in roles, deciding when a custom role is needed, scoping assignments correctly, and choosing between control-plane and data-plane roles. Covers scope levels (management group → resource), groups vs direct assignment, and PIM for privileged roles. WHEN: which Azure role, least privilege role, Azure RBAC role selection, built-in vs custom role, scope role assignment, role for managed identity, data plane role, assign minimal permissions, RBAC design, control plane vs data plane, Storage Blob Data Reader vs Reader. DO NOT USE for Entra ID directory roles (use entra-id) or for Microsoft 365 admin roles (use m365-govern-manage).

2026-06-11
cloud-app-security-posture
Analistas de seguridad de la información

Guidance for cloud and SaaS security posture management - combining Defender for Cloud CSPM (IaaS/PaaS) and Defender for Cloud Apps SSPM (SaaS) to assess and harden posture across cloud and SaaS apps. Covers Secure Score, MCSB, attack-path analysis, SSPM recommendations, and governance. WHEN: cloud security posture, SaaS security posture management, SSPM, CSPM, secure cloud apps, posture recommendations, harden SaaS configuration, app security posture, multicloud and SaaS hardening, harden Microsoft 365 SaaS settings, find misconfigured Salesforce or ServiceNow settings, SaaS app misconfiguration. DO NOT USE for IaaS/PaaS workload threat protection plans (use defender-for-cloud-hardening) or for SaaS threat detection only (use defender-for-cloud-apps).

2026-06-11
compromise-recovery
Analistas de seguridad de la información

Guidance for responding to and recovering from a significant identity/tenant compromise - regaining administrative control, evicting the adversary in a single coordinated action, and hardening to prevent reentry. Covers trusted foundation (PAW), containment, eviction, identity recovery (krbtgt, federation), and post-eviction hardening. WHEN: compromise recovery, incident response, regain control after breach, evict attacker, tenant compromise, rebuild trust, ransomware recovery, post-breach hardening, kick out adversary, emergency response, attacker is in our tenant right now, ransomware hit our organisation, regain admin access after a breach, adversary has domain admin or Global Admin. DO NOT USE for routine SOC investigation (use defender-xdr / sentinel) or for preventive hardening with no active compromise (use security-architecture / entra-id).

2026-06-11
security-architecture
Analistas de seguridad de la información

Guidance for designing security architecture using Zero Trust, the Microsoft Cybersecurity Reference Architectures (MCRA), Cloud Adoption Framework Secure methodology, and Well-Architected Security pillar. Covers the six Zero Trust pillars, defense-in-depth, and reference architecture alignment. WHEN: security architecture, Zero Trust design, MCRA, defense in depth, security reference architecture, CAF secure methodology, Well-Architected security pillar, end-to-end security design, security strategy, target state. DO NOT USE for tactical product configuration (use the product-specific skill) or for SOC tooling design (use sentinel / unified-secops-platform).

2026-06-11
security-copilot
Analistas de seguridad de la información

Guidance for Microsoft Security Copilot - the generative-AI security platform that helps analysts investigate, hunt, summarise, and respond using natural language, plugins, promptbooks, and embedded experiences. Covers SCU provisioning, plugins, promptbooks, governance, and the standalone vs embedded experience choice. WHEN: Microsoft Security Copilot, AI for SOC, security copilot units SCU, promptbooks, Copilot plugins, natural language investigation, summarise incident with AI, Copilot for Security setup, how do I use AI in my SOC, explain a KQL query with AI, summarise an alert for a stakeholder. DO NOT USE when the goal is configuring autonomous triage or remediation agents (use security-copilot-agents).

2026-06-11
threat-modelling
Analistas de seguridad de la información

Guidance for threat modelling using STRIDE and the Microsoft Security Development Lifecycle (SDL). Covers data-flow diagrams, trust boundaries, the STRIDE categories, mitigation mapping, and tooling (Microsoft Threat Modeling Tool). WHEN: threat modeling, STRIDE, data flow diagram, trust boundary, identify threats, SDL threat modeling, security design review, threat model a system, mitigation mapping, Microsoft Threat Modeling Tool, secure design review, design-time security. DO NOT USE for org-wide security architecture (use security-architecture) or for runtime detection (use sentinel / defender-xdr).

2026-06-11
unified-secops-platform
Analistas de seguridad de la información

Guidance for the Microsoft unified security operations platform that brings Microsoft Sentinel, Microsoft Defender XDR, Security Copilot, Threat Intelligence, and Microsoft Security Exposure Management together in the Microsoft Defender portal. Covers prerequisites, onboarding Sentinel, unified incident queue, advanced hunting across SIEM+XDR, and RBAC. WHEN: unified SecOps, onboard Sentinel to Defender portal, single SOC pane of glass, unified incident queue, connect Sentinel workspace to Defender XDR, exposure management, unified portal, merge Sentinel and Defender XDR, reduce context-switching for analysts, single pane of glass, move off the Azure Sentinel portal. DO NOT USE for Sentinel-only workspace design (use sentinel) or Defender XDR-only incident investigation (use defender-xdr).

2026-06-11
Mostrando las 40 principales de 88 skills recopiladas en este repositorio.