Subscribe

Microsoft Defender XDR & Sentinel

Analyzing MDE Network Inspections

Analyzing MDE Network Inspections

Microsoft Defender for Endpoint and Network Monitoring In November 2022, Microsoft announced they integrated the Zeek open-source network traffic analyzer in Microsoft Defender for Endpoint. This analyzer helps Defender for Endpoint in analyzing suspicious network traffic and detect network related attacks. In April 2023 they extended the support with Zeek

Defender for Identity NNR and health monitoring

Defender for Identity NNR and health monitoring

Introduction Defender for Identity is a very important sensor to detect threats in an Active Directory environment. Therefore, it is important to make sure the sensors are performing well, and no health issues are being reported. When a sensor is in an unhealthy state, detections can be missed, or False

Get control over corporate networks with device discovery

Get control over corporate networks with device discovery

Introduction During the last few years, I worked with a couple of customers who struggle with getting control over their corporate networks. Even though we all know corporate networks should be managed well with all the correct security controls like segmentation, Network Access Control implementations, and zero-trust designs, a lot

AitM detection with Sentinel via custom CSS

AitM detection with Sentinel via custom CSS

Introduction You are probably wondering, what has CSS to do with detecting AitM sites. In this blog post, we will go over how we can use a custom CSS template in Microsoft Entra ID Company Branding, to trigger a logic that detects when a user visited a Microsoft login page

Demystifying Data Collection Rules and Transformations

Demystifying Data Collection Rules and Transformations

Introduction Data Collection Rules in Azure can be very confusing once you really start using all of their potential. During my experience using them in complex setups, I identified a couple of pitfalls I would like to tackle for you. These pitfalls include the complex structures and types of DCRs,

Mapping MDE and Windows Security Events overlap

Mapping MDE and Windows Security Events overlap

Introduction In my last blog post, I talked about using MITRE ATT&CK to support Microsoft Sentinel use cases. Today, I will be showing you how we can compare data coverage of data sources in Sentinel with MITRE ATT&CK and OSSEM. In this post you will find

Deploy sentinel analytic rules with bicep and PowerShell

Deploy sentinel analytic rules with bicep and PowerShell

Introduction Managing a Microsoft Sentinel environment can get very complex, especially when you are responsible for managing multiple environments as MSSPs do. This is why Infrastructure as Code becomes very important. It makes sure that your environments are consistent, easy to roll out, and modular since you can standardize certain

Operationalizing MITRE ATT&CK to support Microsoft Sentinel deployments and detections

Operationalizing MITRE ATT&CK to support Microsoft Sentinel deployments and detections

Introduction Managing a SIEM can be a challenging task to do. When you insert too many log sources in your SIEM without enough filtering and finetuning, your SIEM can get very noisy in no time. An in-depth post about how to manage a SIEM will be available on this site

Microsoft Entra ID

Entra ID Private Access with private integrated storage accounts

Entra ID Private Access with private integrated storage accounts

Introduction In the past couple of weeks, I worked on a project where I needed to provide access to a securely private integrated Azure Storage Account via the Entra ID Private access profile. During this project I encountered a very interesting bug, that made me better understand the insights of

Cyber back to school: Microsoft Token Theft Unveiled

Cyber back to school: Microsoft Token Theft Unveiled

Introduction I am thrilled to participate in the Cyber Back to School initiative hosted during cyber awareness month! This session is all about Primary Refresh Token VS Access Token stealing in Microsoft Entra ID, and will show the practical countermeasures for each of them. I preferred to write a blog

Client Credentials - Client Certificate

Client Credentials - Client Certificate

Introduction The process is quite similar to the client secret flow described here, so be sure to take a look! The challenge here lies in generating a JWT (JSON Web Token) based on a certificate. I will provide a detailed explanation of how the JWT is generated and exchanged for

Client Credentials - Client Secret

Client Credentials - Client Secret

Introduction The next authentication flow in my series will be the Client Credentials Flow. Be sure to check out the first one here! We will first take a look at the client secret model. I will skip the basics in this article as this has been explained in my other

T1556.009 - Detect and prevent suspicious conditional access policy modifications

T1556.009 - Detect and prevent suspicious conditional access policy modifications

Introduction In April 2024, MITRE came with their new V15 version of ATT&CK. In this version a new sub-technique was introduced called 'T1556.009 - Modify Authentication Process: Conditional Access Policies'. This was, in my opinion, a great addition to the framework, since it is an

Authorization Code Flow

Authorization Code Flow

Introduction In the past, I was always curious about the workings of Connect-AzAccount, the authentication command from the Az.Accounts PowerShell module. This led me to delve into debugging, and the subsequent article is a product of that exploration. It's intriguing that both Az CLI and Az PowerShell

Using WDAC to ingest missing MDE events and detect token stealing

Using WDAC to ingest missing MDE events and detect token stealing

Introduction In a previous blog post I talked about how adversaries can exploit SSO capabilities of Hybrid or fully Entra ID joined devices. I mentioned the different ways we can steal tokens from the devices, either by using BrowserCore.exe or MicrosoftAccountTokenProvider.dll. Here I concluded that exploiting BrowserCore.exe

From hybrid / fully joined devices to Entra ID

From hybrid / fully joined devices to Entra ID

Introduction Adversaries are more and more interested in the data and infrastructure that lives in Cloud environments like Azure and Microsoft 365 solutions. Since Microsoft EntraID is the most common central IDP solution for these environments, it is important to identify the possible paths attackers can use to move from

Using Managed Identities in Logic App HTTP triggers

Using Managed Identities in Logic App HTTP triggers

Introduction During the past few months, I have been assessing the security configurations of applications created in Azure. During these assessments, I found that people like to use Logic Apps and HTTP triggers to create simple APIs or integration flows. Often these HTTP triggers are being called by other Azure

Infrastructure as Code

Bicep: Dynamic naming technique

Bicep: Dynamic naming technique

Introduction When designing IaC modules finding the correct syntax to deploy a certain resource type is often not the hardest thing to do. What I found in 3 years of writing Bicep code, is that defining a dynamic way to name your resources which is also easy to use, seems

Ghost blogging on Azure Container Apps

Ghost blogging on Azure Container Apps

Introduction Hosting a blog these days can easily be done without having to cost anything. There are a lot of solutions in the likes of Medium, Weebly, Wix,... But for the more technology-minded people like us, who want to go the extra mile, we didn't go for the

Powershell & CICD