<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"><channel><title>Marcel Graewer - Blog</title><description>Cybersecurity deep-dives: Microsoft Sentinel, detection engineering, LLM hardening and security tooling.</description><link>https://graewer.com/</link><language>en</language><item><title>RoguePlanet: The Fourth Defender Zero-Day, and Why the Patch Is Not the End of It</title><link>https://graewer.com/blog/rogueplanet-defender-lpe/</link><guid isPermaLink="true">https://graewer.com/blog/rogueplanet-defender-lpe/</guid><description>CVE-2026-50656 is patched, but the fix ships as an engine update, not a Patch Tuesday KB. What RoguePlanet does, how it rhymes with BlueHammer, and the retrospective hunt and patch validation blue teams still owe themselves.</description><pubDate>Sun, 12 Jul 2026 00:00:00 GMT</pubDate><category>windows</category><category>defender</category><category>vulnerability</category><category>detection-engineering</category><category>sentinel</category><category>lpe</category><category>kql</category></item><item><title>The Classic-Agent Blind Spot: Detecting Non-Human Identities in Microsoft Sentinel</title><link>https://graewer.com/blog/classic-ai-agents-sentinel-detection/</link><guid isPermaLink="true">https://graewer.com/blog/classic-ai-agents-sentinel-detection/</guid><description>Microsoft Entra Agent ID secures the agents you build tomorrow. The service principals and managed identities you already run - the classic agents - are a different story. Two KQL detections, the diagnostic switch nobody flips, and what to do this week.</description><pubDate>Wed, 17 Jun 2026 00:00:00 GMT</pubDate><category>microsoft-sentinel</category><category>entra-id</category><category>non-human-identities</category><category>ai-agents</category><category>detection-engineering</category><category>kql</category><category>service-principals</category></item><item><title>Wiring Microsoft Security Exposure Management Into Sentinel - Triage with Asset Criticality and Attack-Path Context</title><link>https://graewer.com/blog/sentinel-msem-incident-enrichment/</link><guid isPermaLink="true">https://graewer.com/blog/sentinel-msem-incident-enrichment/</guid><description>MSEM gives Sentinel something it never had: asset criticality and attack-path context per entity. Architecture, KQL patterns for incident enrichment, and the entity-matching pitfalls that quietly break them.</description><pubDate>Thu, 23 Apr 2026 00:00:00 GMT</pubDate><category>microsoft-sentinel</category><category>msem</category><category>defender-xdr</category><category>exposure-management</category><category>kql</category><category>detection-engineering</category></item><item><title>BlueHammer: A Defender&apos;s Perspective on the Unpatched Windows LPE</title><link>https://graewer.com/blog/bluehammer-windows-lpe/</link><guid isPermaLink="true">https://graewer.com/blog/bluehammer-windows-lpe/</guid><description>What we know about the BlueHammer zero-day, where the public exploit chain is fragile, and what blue teams can actually do today.</description><pubDate>Tue, 07 Apr 2026 00:00:00 GMT</pubDate><category>windows</category><category>defender</category><category>vulnerability</category><category>detection-engineering</category><category>sentinel</category><category>lpe</category></item><item><title>From Azure Sentinel Log Analytics Workspace to Data Lake - Why Now Is the Right Time</title><link>https://graewer.com/blog/sentinel-data-lake-migration/</link><guid isPermaLink="true">https://graewer.com/blog/sentinel-data-lake-migration/</guid><description>The Sentinel Data Lake Tier changes the cost equation for high-volume security logging. Architecture, migration playbook, KQL examples, and the pitfalls nobody warns you about.</description><pubDate>Sat, 04 Apr 2026 00:00:00 GMT</pubDate><category>microsoft-sentinel</category><category>azure</category><category>siem</category><category>data-lake</category><category>kql</category><category>cost-optimization</category></item><item><title>LLM Hardening in Practice - What Actually Secures Agent Deployments</title><link>https://graewer.com/blog/llm-hardening/</link><guid isPermaLink="true">https://graewer.com/blog/llm-hardening/</guid><description>A technical deep-dive into securing LLM-based agent deployments against prompt injection, data exfiltration, and tool abuse. Based on real-world hardening of OpenClaw-based systems.</description><pubDate>Mon, 23 Feb 2026 00:00:00 GMT</pubDate><category>llm-security</category><category>prompt-injection</category><category>hardening</category><category>openclaw</category><category>owasp</category></item><item><title>Building Heimdall - A Threat Intelligence MCP Server From Scratch</title><link>https://graewer.com/blog/building-heimdall/</link><guid isPermaLink="true">https://graewer.com/blog/building-heimdall/</guid><description>How I built a FastMCP-based threat intelligence toolset that integrates VirusTotal, AbuseIPDB, Shodan, and MITRE ATT&amp;CK mapping. The messy reality of building security tools, including the bugs.</description><pubDate>Sat, 15 Mar 2025 00:00:00 GMT</pubDate><category>threat-intelligence</category><category>mcp</category><category>python</category><category>soc</category><category>tooling</category></item></channel></rss>