Uros Babic
Lead Product Engineer - Microsoft Security DevOps at Global CoE SoftwareOne team, Microsoft Security MVP, MCT
Belgrade, Serbia
I am a Lead Product Engineer - Microsoft Security DevOps at Global CoE SoftwareOne team, driving innovation in MXDR for Microsoft Sentinel and accelerating Managed SOC capabilities across EMEA. My focus areas include security automation, incident response, threat hunting, SOC-as-Code engineering, and Unified SecOps development at scale. With over 20 years of experience in cybersecurity, I specialize in designing and implementing Azure-based security infrastructure, CI/CD pipelines, and multi-tenant deployment architectures using GitHub Actions, ARM templates, Bicep, and PowerShell. I actively contribute to product and service design, ensuring strategic alignment and operational excellence in Managed SOC environments. Recognized as a Microsoft Security MVP (SIEM & XDR, Cloud Security) and Microsoft Certified Trainer, I share knowledge through blogs, meetups, and conferences, with a passion for leveraging Microsoft Defender, Sentinel, and AI-driven security automation to strengthen organizational resilience in today’s evolving threat landscape.
Area of Expertise
Automating Microsoft Sentinel Deployment with GitHub Actions: A Practical Deep Dive
In this session, I take you through a practical deep dive into automating Microsoft Sentinel deployment using GitHub Actions. The focus is entirely on real implementation: building Infrastructure‑as‑Code templates, creating secure CI/CD pipelines, and automating deployment of Sentinel content such as analytics rules, playbooks, workbooks, and hunting queries.
I will demonstrate a production‑ready workflow where a single GitHub commit triggers a full Sentinel deployment. You will also see how this automation integrates with Microsoft Defender XDR to streamline detection, investigation, and response across the entire security operations environment.
This practical session is a hands‑on blueprint for building an automated, consistent, and scalable SOC deployment pipeline.
Automating Microsoft Sentinel Deployment with GitHub Actions: A Complete DevSecOps Blueprint
Learn how to fully automate Microsoft Sentinel deployment using GitHub Actions. Includes a live practical demo showing end‑to‑end automation, secure pipelines, and IaC-driven Sentinel deployment in real time.
Automating Microsoft Sentinel: A Practical DevSecOps Pipeline with GitHub Actions
Modern SOC teams operate under constant pressure to deliver secure, consistent, and production‑ready deployments at scale. Manual Sentinel setup no longer meets these expectations — automation does.
In this session, we’ll show how to build a fully automated, enterprise‑grade Microsoft Sentinel deployment pipeline using GitHub Actions and Infrastructure‑as‑Code.
Through a live, practical demo, you’ll see how Bicep modules, secured workflows, PR‑driven governance, and automated rollout of analytics rules, playbooks, workbooks, and automation rules come together into a unified DevSecOps model.
The entire workflow is based on proven MDR production patterns — giving you a reusable blueprint for your own SOC or MSSP automation journey.
Unlocking Microsoft Security Copilot Agents: Practical Use Cases for Modern SOC Automation
In this session, I explore the power of Microsoft Security Copilot’s agentic AI model and demonstrate how Security Copilot agents transform modern SOC operations through automation, context‑aware reasoning, and workflow optimization. I explain what Security Copilot agents are, their core features, and the key terminology behind Microsoft’s agentic ecosystem—including skills, adapters, memory, grounding, and orchestrators—so attendees understand how they interact with platforms like Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Entra. I then walk through practical examples such as the Conditional Access Optimization Agent, which analyzes and improves Conditional Access policies; the Phishing Triage Agent, which automates the investigation of suspicious emails and accelerates analyst decision‑making; and the Threat Intelligence Briefing Agent, which synthesizes threat intelligence feeds and organizational exposure into actionable reporting. I conclude by clarifying how Security Copilot capabilities are included within the Microsoft 365 E5 subscription and what organizations gain by leveraging these agents in real-world SOC workflows. Attendees will leave with practical knowledge of how I use Security Copilot agents to reduce operational overhead, build AI agents, improve detection quality, and enhance overall security posture.
Introducing Defender for Cloud in XDR: Unified Multi-Cloud Security
Microsoft Defender for Cloud now integrates seamlessly into the Defender XDR portal, delivering unified security insights across your multi-cloud and multi-pipeline environments. This session will cover the latest CNAPP capabilities, including integrated cloud alerts, advanced correlation, and automated response workflows. Through practical demos, we’ll show how these new features empower SOC teams to detect, investigate, and disrupt threats across Azure and hybrid workloads—all from a single pane of glass.
Deep Dive into Microsoft Sentinel Data Lake in Unified SecOps
Explore the power of Microsoft Sentinel Data Lake within the Unified SecOps platform. This session covers architecture and data tiering strategies, showcases live KQL queries over the Data Lake, and demonstrates how notebook jobs and AI integration enhance threat detection and investigation. Learn practical approaches to cost optimization and long-term data retention to maximize security insights at scale.
Agentic AI in Action: Security Copilot Agents for Autonomous SecOps
Discover how Agentic AI is revolutionizing cybersecurity operations through Microsoft Security Copilot. This session dives deep into the architecture and capabilities of Security Copilot agents—modular, intelligent assistants that autonomously triage alerts, investigate incidents, and optimize security posture across Microsoft Defender XDR, Sentinel, Entra ID, Intune, and Purview.
We’ll explore real-world use cases, including phishing triage, identity protection, vulnerability remediation, conditional access optimization and threat intelligence briefings.
Entra ID Delegation
This Entra ID session will focus on providing a hands-on experience with practical examples to illustrate the current state and proposed new initiatives regarding Entra ID Delegation. We will delve into topics such as the Division Centric model, the current permission model in Entra ID, Administrative Units, and Restricted Management Administrative Units within Microsoft Entra ID. Throughout the session, we aim to offer valuable suggestions and highlight Microsoft's best practices.
Microsoft Sentinel in Unified Security Operations: Real-World SOC Scenarios
In today’s complex threat landscape, SOCs must evolve to be more agile, intelligent, and unified. This session explores how Microsoft Sentinel empowers modern SOCs by delivering a cloud-native, scalable, and AI-driven SIEM and SOAR solution.
Through real-world scenarios, I’ll demonstrate how Sentinel integrates across your security ecosystem to detect, investigate, and respond to threats more effectively. You will also get practical insights into how organizations are leveraging Microsoft Sentinel to unify data, automate response, and enhance visibility across hybrid and multi-cloud environments.
Unified Network Security at Scale: Azure Firewall + Firewall Manager in Action
In a world where cloud environments are growing rapidly and becoming increasingly complex, maintaining consistent and scalable network security is a top priority. This keynote dives into how Azure Firewall and Azure Firewall Manager work together to deliver centralized, cloud-native network protection across distributed environments.
Whether you're managing a hybrid network or a multi-cloud architecture, this session will equip you with the tools and strategies to simplify operations, strengthen your security posture, and scale with confidence.
Securing SaaS: Real-case scenario with Microsoft Defender for Cloud Apps
In today’s cloud-first world, organizations rely heavily on SaaS applications to drive productivity, collaboration, and innovation. But with this shift comes a new set of security challenges—data sprawl, shadow IT, and evolving threat vectors that traditional tools can’t fully address.
In this session, I’ll demonstrate how Microsoft Defender for Cloud Apps empowers security teams to gain deep visibility, enforce granular controls, and detect threats across their cloud ecosystem. Through real-world scenarios and practical insights, we’ll demonstrate how to build a proactive, intelligent, and scalable cloud security strategy that aligns with Zero Trust principles.
Power of attack simulations in Microsoft Unified Security Operations
During a hands-on lab, we simulated an attack on an isolated AD DS domain controller and Windows device using a Fileless PowerShell script with process injection and SMB recon. My goal was to investigate, remediate, and resolve the incident effectively with threat hunting activity. I utilized Unified Security Operations with Microsoft Sentinel, Defender XDR and Security Copilot for comprehensive security measures and automatic attack disruption.
Microsoft Security Exposure Management
I will give a practical demonstration of Microsoft Security Exposure Management, a product feature in the Defender XDR suite: a comprehensive security solution offering a unified perspective on your company's assets and workloads. With Security Exposure Management we can enrich asset details with crucial security insights, empowering proactive management of attack surfaces, safeguarding vital assets, and addressing exposure risks effectively.
From Zero to Hero with Azure Web Application Firewall
Web Application Firewall provides centralized protection of your web applications from common exploits and vulnerabilities. Web applications are increasingly targeted by malicious attacks that exploit commonly known vulnerabilities. I will practically demonstrate WAF deployment scenarios with Azure Application Gateway, Azure Front Door, and Azure Content Delivery Network (CDN) service.
Data Security Posture Management for AI
Data Security Posture Management (DSPM) for AI is a proactive approach to securing AI systems in Microsoft Purview by continuously assessing risks (including those from Microsoft Security 365 Copilot), mitigating vulnerabilities, and protecting AI models, data, and infrastructure with DLP policies and data assessment. The focus is on practical use cases.
Key aspects of DSPM include:
- Data Discovery: Identifying where sensitive data is stored across various cloud services and environments.
- Data Classification: Categorizing data based on sensitivity to prioritize security measures.
- Risk Assessment: Evaluating the security posture of data stores and applications to identify vulnerabilities.
- Policy Enforcement: Implementing and enforcing security policies to protect sensitive data.
Incident Detection and Response in Microsoft Unified Security Operations
Microsoft’s Unified Security Operations platform integrates several powerful tools to enhance incident detection and response. This platform combines Microsoft Sentinel and Microsoft Defender XDR with Security Copilot to provide a comprehensive security solution.
Azure DDoS Protection simulation training
It’s a good practice to test your assumptions about how your services respond to an attack by conducting periodic simulations:
- Validate how Azure DDoS Protection helps protect your Azure resources from DDoS attacks.
- Optimize your incident response process while under DDoS attack.
- Document DDoS compliance.
- Train your network security teams.
Azure Network Security
Azure offers a comprehensive suite of network security services to protect your applications and cloud workloads from cyberattacks.
Agenda:
- Hub and Spoke topology with Azure
- Network Security Groups (NSG)
- Application Security Groups
- Service Endpoints
- Private Endpoints
- Azure Application Gateway
- Web Application Firewall
- Azure Front Door
- ExpressRoute
- Azure Firewall
- Azure DDoS protection
Unifying XDR, SIEM and Security Copilot in Security Operations
In the rapidly evolving world of cybersecurity, the role of artificial intelligence (AI) is becoming increasingly important. With the sheer volume and complexity of threats, a holistic approach to cybersecurity is necessary, and AI is proving to be a crucial element in detecting and fighting against advanced attacks.
Microsoft Defender XDR, Microsoft Sentinel, and Microsoft Security Copilot are now available as a unified experience: all your alerts, incidents, playbooks, and policies in one place, with more AI, more automation, and an unparalleled view of emerging threats enriching it all. One dashboard to manage defenses. A single portal for threat investigation, detection, and response. A single command center built on a common data model to help you manage your SOC and work faster. One place to investigate all incidents, making incident triage more straightforward, investigation more seamless, and insights more holistic. One place to search and hunt for threats across all data, simplified with help from Security Copilot, which translates natural language to KQL and generates the queries for you.
During this session, Microsoft Security MVP and MCT Uros Babic will be speaking about the future of cybersecurity incident response with AI. Real-world incident investigations with Microsoft Defender XDR, Sentinel, and Security Copilot will be presented.
Driving Microsoft’s transformation with Data and AI
1. Get started with Azure AI Services
2. Azure AI services
   - Azure Machine Learning
   - Cognitive Services
   - Azure OpenAI Services
3. Microsoft Copilot
4. AI for Security
5. AI Shared responsibility model
6. Accelerate cloud-native app innovation with Azure and AI
Manage Identity and Access in Microsoft Entra ID
Entra ID is the core of any secure solution you will build on Azure. You need to verify who is accessing your systems, know what they have access to, and monitor how they are using your solutions.
How to Forensically Investigate Security Incidents in Microsoft Azure
When a security incident is detected on the Azure cloud platform, forensic investigators must examine the log data collected from various sources. If a VM is found to be affected, it is important to take a snapshot of the OS disk of the VM for further investigation. This session discusses the forensic acquisition methodology for an Azure VM and walks through an assumed scenario to divide the whole process into multiple steps.
Active Directory Incident Response and Remediation in Microsoft Azure
Azure AD incident response explores how Azure AD investigates, manages, and responds to cybersecurity incidents. It involves the skills, knowledge, and experience with best practices needed to protect Azure Active Directory in day-to-day IR operations, covers remediation techniques, and describes the Azure AD incident response life cycle, process, and tools.
Attack Simulation & Automated Defense with Microsoft XDR, Sentinel, and Copilot
A hands-on session showcasing a real-world Red vs Blue attack simulation using Microsoft Defender XDR, Microsoft Sentinel, and Copilot in Unified SecOps. We’ll walk through the entire lifecycle of an attack—from initial compromise to detection, lateral movement, investigation, and automated disruption. Learn how integrated Microsoft SecOps tools empower security teams to respond faster, hunt threats effectively, and leverage AI-driven insights for advanced defense strategies. This session will demonstrate practical techniques, threat hunting queries, and Copilot-assisted workflows that can transform your security operations.
Automating Microsoft Sentinel: A Practical DevSecOps Pipeline
Modern SOC teams operate under constant pressure to deliver secure, consistent, and production‑ready deployments at scale. Manual Sentinel setup no longer meets these expectations — automation does.
In this session, we’ll show how to build a fully automated, enterprise‑grade Microsoft Sentinel deployment pipeline using GitHub Actions and Infrastructure‑as‑Code.
Through a live, practical demo, you’ll see how Bicep modules, secured workflows, PR‑driven governance, and automated rollout of analytics rules, playbooks, workbooks, and automation rules come together into a unified DevSecOps model.
The entire workflow is based on proven MDR production patterns — giving you a reusable blueprint for your own SOC or MSSP automation journey.
Global Azure & AI Community Day User group Sessionize Event Upcoming
Azure Spring Clean 2026 Sessionize Event
Azure Cloud Native User group Sessionize Event
Festive Tech Calendar 2025 Sessionize Event
Azure User Group Sweden User group Sessionize Event
Cyber Back to School 2025 Sessionize Event
Azure Back to School 2025 Sessionize Event
Azure Spring Clean 2025 Sessionize Event
"12 Reasons Why" with Tech Experts Sessionize Event
Festive Tech Calendar 2024 Sessionize Event
Cyber Back to School Sessionize Event
Azure Back to School 2024 Sessionize Event
Gimme-Cloud-Talks-Global-Azure-2024 Sessionize Event
Festive Tech Calendar 2023 Sessionize Event
Microsoft Azure Serbia Meetup Group User group Sessionize Event
Azure Back to School 2023 Sessionize Event
Gimme-Cloud-Talks-Global-Azure-2023 Sessionize Event