Hybrid Brothers - Microsoft Security Blog on Hybrid Brothers

MC2MC Live: License to Secure

Thu, 19 Mar 2026 00:00:00 +0000

After the great feedback from YellowHat, I decided to give my ‘From a cloud-only Entra account to Domain Admin’ session on our own MC2MC Live event. The crowd was great and asked very interesting questions. I had lots of fun giving a session to my own Belgian community.

Find the slide deck here

MC2MC Live

Purple Teaming

Microsoft Security

Remediating Agent Identities for Identity Admins and SOCs

Mon, 16 Feb 2026 00:00:00 +0000

Introduction

With Microsoft launching Agent ID at the end of 2025, a new kind of identities were born in Entra ID. These identities are specially built for dynamic requirements of AI Agents, and is therefore a completely new concept to understand for Identity Administrators. But more importantly, how is your organization going to respond if one of these new identities are compromised? We will go over it in this blogpost, focussing specifically on how to remediate the identities linked to the agent.

Getting a first grip on Copilot Studio agents as an administrator

Wed, 28 Jan 2026 00:00:00 +0000

Introduction

With the rise of AI Agents in organizations, I see at many customers AI Identities rapidly being created in Entra ID. One of the first questions most admins almost immediately have is, how can we know who created the AI Agent Identities, and how can we know where the related Agent lives? In this blogpost I will talk you through the steps on how to answer these basic but important governance questions.

Yellowhat

Tue, 13 Jan 2026 00:00:00 +0000

Yellowhat has always been on my bucket list, and what an event is was! Speaking for 200+ on-site and 2000+ livestream attendees was really amazing! Below you can find the slide-deck with all the references to the detection use cases mentioned during the talk at the end of the slide deck.

Find the slide deck here

Yellowhat

Purple Teaming

Microsoft Security

Entra ID Synced Passkeys and security considerations

Tue, 18 Nov 2025 00:00:00 +0000

Introduction

At Ignite 2025, Microsoft announced Entra ID would be supporting Synced Passkeys for multiple credential providers.

This means users can now create phishing resistant credentials, and sync those credentials across devices. This new authentication method has a lot of advantages, but also raises a couple of questions. Let’s go over them together.

Synced passkeys

The benefits

Stronger security

Obviously, passkeys provide phishing resistant authentication meaning users are protected against attacks such as access token stealing. This method introduces better security than basic MFA methods, and ensures attackers are only able to compromise the login when the system where the passkeys is stored is compromised.

Defender XDR VS Microsoft Sentinel table changes

Sat, 11 Oct 2025 08:00:00 +0000

Introduction

When connecting Microsoft Sentinel to Defender XDR, there are a couple of changes happening in tables which you should be aware of. Even though they are documented in the Microsoft Learn, I it is not always clear what the exact impact is. Let’s go over it together.

IdentityInfo table

In the transition guidance from Microsoft Sentinel to the Defender Portal, there is a subtile mention that the IdentityInfo table schema changes when connecting Sentinel to Defender XDR when you have enabled UEBA in Microsoft Sentinel. It mentions that ‘Some fields that existed when used in the Azure portal are either renamed in the Defender portal, or aren’t supported at all’, and proceeds to urge you to check your queries and update them as needed. But what are the exact changes?

Important changes to HybridBrothers.com

Wed, 01 Oct 2025 00:00:00 +0000

What is changing

As a valued member of our community, we would like to inform you that we are migrating our HybridBrothers.com blogging website to a new framework. More specifically, we are moving away from our current Ghost framework to Hugo. While the Ghost blogging platform works great, we decided to move away from it due to the hosting complexity it introduces.

In the new framework, a couple of features will unfortunately not exist anymore. These features are:

Transition from Microsoft Sentinel to Defender XDR - Practical challenges

Fri, 04 Jul 2025 00:00:00 +0000

Introduction

Microsoft announced on the 1st of July 2025 that the Microsoft Sentinel Azure Portal UI will be deprecated at the 1st of July 2026, and all requests will be redirected to the Security Portal instead. This means that all Microsoft Sentinel customers have 1 year time to transition to the Defender portal and change their processes.

Even though the technical switch is very easy to do, I had a lot of challenges to be able to switch to the Defender Portal during the last year. A lot of issues and bugs are already solved by now, but there are still some caveats and nuanced that you need to take into account when switching. In the first part you can read the challenges I personally struggled with, and in the second part you can find other challenges and nuances documented in the Learn pages.

Microsoft 365 Security & Compliance User Group

Wed, 30 Apr 2025 00:00:00 +0000

Together with Thijs, I gave our updated session on how we architect a SOC on top of Microsoft Defender XDR and Microsoft Sentinel. Since there were a lot of changes during the last couple of months in the Microsoft XDR and SIEM stack, we had a lot of new stuff to talk about!

The session covered the latest developments in Microsoft’s security stack and how organizations can leverage these changes to improve their security posture.

Detecting non-privileged Windows Hello abuse

Sat, 26 Apr 2025 00:00:00 +0000

Introduction

I recently followed a live session of Dirk-Jan Mollema and Ceri Coburn on how Windows Hello for Business can be abused as a non-privileged user. I was very intrigued by the concept of the attack they demonstrated, which is why a spend a couple of days thinking of ways how we can counter this attack with detective controls as blue teamers.

Before diving into the controls, let’s first do a recap on what the attack scenario is all about. Interesting to note is that I flagged each detection rule and hunting query I created with the below banner throughout this blogpost:

MDE Device Discovery - Improving the monitored network page

Wed, 19 Mar 2025 00:00:00 +0000

Introduction

This blogpost is probably the first of a series that I will create in the coming months on Device Discovery. I regularly see organizations buy a specific tool to create an asset inventory list of what lives in their networks, while this is something we can actually do with Microsoft Defender for Endpoint (with some nuances). By using the tools we already have, we can save costs, and make sure that everything is as much centralized as possible in the Defender XDR asset inventory. But to be completely honest, the Microsoft tooling that provide these insights can use some improvements here and there. Because of this, I wanted to talk in this blogpost what I think could be done better, and how you can actually get these insights via some KQL queries.

Correlating Defender for Endpoint and Global Secure Access Logs

Sun, 16 Feb 2025 00:00:00 +0000

Introduction

If you are working with Microsoft security solutions, you might have heard of the new kid on the block called Microsoft Global Secure Access. Being a blue teamer myself, I asked myself how we can use this new Secure Service Edge solution - and specifically the Internet Access logs - to make our detections better.

During my research I found that these logs are especially interesting when we correlate them with the EDR solution of Microsoft called Microsoft Defender for Endpoint. If you want to learn how you can do this, make sure to keep reading.

MC2MC Connect

Thu, 06 Feb 2025 00:00:00 +0000

Speaking at my very own event, that was something else! I brought my session about how Microsoft Defender for Endpoint and Global Secure Access to a fully packed room, and it was amazing!

Speaking to a packed room at MC2MC Connect

Discussing Microsoft Defender for Endpoint integration

Q&A session with the audience

Workplace Ninja Connect Netherland

Wed, 05 Feb 2025 00:00:00 +0000

I was honored to bring my session on how Microsoft Defender for Endpoint and Global Secure Access can be used together to have better network detection strategies at Workplace Ninja Connect in the Netherlands!

Demonstrating integration between Defender for Endpoint and Global Secure Access

Full room

Selfie with the banner

Privacy Policy

Sat, 18 Jan 2025 00:00:00 +0000

Privacy Policy

How to contact us

Should you have any questions about this privacy policy, the data we hold on your, or you would like to exercise one of your data protection rights, please do not hesitate to contact us at info@hybridbrothers.com

Background

Hybrid Brothers is committed to user privacy.

The policy on protection of individuals with regard to the processing of personal data by Hybrid Brothers is based on the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

Parsing CEF messages without Azure Monitor Agent

Mon, 13 Jan 2025 00:00:00 +0000

Introduction

During my time as SOC Engineer, I do a lot of third-party data source ingestion projects for clients into their Microsoft Sentinel instances. Most of these data sources are network security solutions like firewalls and proxy solutions.

When you want to ingest this data into Microsoft Sentinel, you have a couple of scenario’s and architectures you can build to accomplish this. The architecture you will find the most on the internet is by using the Azure Monitoring Agent. Even though the features in the AMA agents are getting better, I still prefer to use Logstash during my ingestion projects instead. In my opinion, Logstash is more flexible and provides more capabilities than the AMA agent currently does.

MC2MC Live - Forward to the Past

Thu, 19 Dec 2024 00:00:00 +0000

At MC2MC Live: Forward to the past I was able to give a session on how to manage Azure Bicep templates at scale and automatically. Very happy to have given this session to such a big audience in West Flanders!

Presenting Bicep template management strategies

Demonstrating automated deployment workflows

Big room

The session focused on practical approaches to managing infrastructure as code at enterprise scale, including automated testing and deployment pipelines.

Device isolation and containment strategies

Mon, 09 Dec 2024 00:00:00 +0000

Introduction

As a Security Operation Center, you want to be able to contain devices and users on a network as a response to an adversary event. However, depending on the security stack you are using, containing a device can be done using multiple ways. Each way of performing a containment action can bring benefits from another, and sometimes it is hard to understand which option is the best one to use.

Entra ID Private Access with private integrated storage accounts

Mon, 04 Nov 2024 00:00:00 +0000

Introduction

In the past couple of weeks, I worked on a project where I needed to provide access to a securely private integrated Azure Storage Account via the Entra ID Private access profile. During this project I encountered a very interesting bug, that made me better understand the insights of how Global Secure Access works.

The setup

The requirement for this setup is that access to the Storage Account was provided by using the Azure Storage Explorer application. Via this applications we needed to tunnel the data through Entra ID Private Access, and allowed it to access the private integrated Storage Account.

Cyber back to school: Microsoft Token Theft Unveiled

Fri, 25 Oct 2024 00:00:00 +0000

Introduction

I am thrilled to participate in the Cyber Back to School initiative hosted during cyber awareness month! This session is all about Primary Refresh Token VS Access Token stealing in Microsoft Entra ID, and will show the practical countermeasures for each of them. I preferred to write a blog post for this instead of a PowerPoint deck since there are a lot of technical details and references I want to cover.

Client Credentials - Client Certificate

Mon, 21 Oct 2024 00:00:00 +0000

Introduction

The process is quite similar to the client secret flow described here, so be sure to take a look! The challenge here lies in generating a JWT (JSON Web Token) based on a certificate. I will provide a detailed explanation of how the JWT is generated and exchanged for an access token below.

Flow Details

For more information about this flow be sure to check the previous article. However in short:

Client Credentials - Client Secret

Mon, 14 Oct 2024 00:00:00 +0000

Introduction

The next authentication flow in my series will be the Client Credentials Flow. Be sure to check out the first one here! We will first take a look at the client secret model. I will skip the basics in this article as this has been explained in my other article.

Flow Details

Above you can see this flow provided by the OAuth docs. It’s a lot simpler then the Authorization Code Flow, however this is inherent because it is a non-interactive sign-in flow meaning mostly used by daemons, services, etc… There’s only one step and it’s the exchange of your client secret or a JWT (JSON Web Token) for an access token.

Bicep: Dynamic naming technique

Thu, 03 Oct 2024 00:00:00 +0000

Introduction

When designing IaC modules finding the correct syntax to deploy a certain resource type is often not the hardest thing to do. What I found in 4 years of writing Bicep code, is that defining a dynamic way to name your resources which is also easy to use, seems to pose quite the challenge. This article won’t define the best way to get this but a way that seems to work for me and the customers I have worked with in the past.

Cyber Back to School

Tue, 01 Oct 2024 00:00:00 +0000

I spoke together with my colleague Thijs Lecomte at Cyber back to School, where we recorded our session on how to architect a SOC on top of Microsoft Sentinel and Microsoft Defender XDR. You can find the video here.

Azug @ Noest

Thu, 26 Sep 2024 00:00:00 +0000

At a recent community event, I presented a deep dive into various authentication flows in Entra Id, showcasing how to retrieve an ARC server from a resource group. During the session, I reverse-engineered four main flows, with one having 4 sub-flows:

Authorization Code Flow: Designed for user authentication
Client Credentials Flow: Explored with certificate, secret, and federated credentials for service-to-service authentication.
Device Code Flow: Highlighted for user interaction on devices with limited input capabilities.
Managed Identity Flow: Demonstrated seamless authentication for services running on Azure without needing credentials. In this case I used an ARC-enrolled server.

You can download the session slides here.

Analyzing MDE Network Inspections

Fri, 26 Jul 2024 00:00:00 +0000

Microsoft Defender for Endpoint and Network Monitoring

In November 2022, Microsoft announced they integrated the Zeek open-source network traffic analyzer in Microsoft Defender for Endpoint. This analyzer helps Defender for Endpoint in analyzing suspicious network traffic and detect network related attacks. In April 2023 they extended the support with Zeek by including a couple of network signatures in Advanced Hunting. By doing this Microsoft allows security professionals to create threat-hunting and custom detection rules on top of the data Zeek is gathering.

T1556.009 - Detect and prevent suspicious conditional access policy modifications

Wed, 26 Jun 2024 00:00:00 +0000

Introduction

In April 2024, MITRE came with their new V15 version of ATT&CK. In this version a new sub-technique was introduced called ‘T1556.009 - Modify Authentication Process: Conditional Access Policies’. This was, in my opinion, a great addition to the framework, since it is an important technique which can be abused by adversaries. By changing a Conditional Access policy (later referred to as ‘CA policy’), an adversary can establish Credential Access, Defense Evasion, and Persistence in Entra ID. Since it is such a vital component, I thought it was time to do a bit of a deep dive into how we can detect and mitigate suspicious CA policy changes.

Authorization Code Flow

Sat, 22 Jun 2024 00:00:00 +0000

Introduction

In the past, I was always curious about the workings of Connect-AzAccount, the authentication command from the Az.Accounts PowerShell module. This led me to delve into debugging, and the subsequent article is a product of that exploration. It’s intriguing that both Az CLI and Az PowerShell are operational across all tenants, even the newly created ones. I aimed to emulate this functionality in PowerShell and utilize it in my scripts. For instance, this could be beneficial when executing commands across various tenants, a task that the Az modules are not adept at handling.

Experts Live Netherlands

Tue, 04 Jun 2024 00:00:00 +0000

I spoke together with my colleague Thijs Lecomte at Experts Live, where we talked about how we architecture a Security Operations Center on top of Defender XDR and Microsoft Sentinel. It was an amazing experience, and I definitely recommend going to the conference! If you missed the session, you can find the slide deck below.

Selfie with Thijs and Louis

Badge and t-shirt

Thijs and I giving our session

You can download the session slides here.

Resolving MDI NNR issues

Sat, 27 Apr 2024 00:00:00 +0000

Introduction

Defender for Identity is a very important sensor to detect threats in an Active Directory environment. Therefore, it is important to make sure the sensors are performing well, and no health issues are being reported. When a sensor is in an unhealthy state, detections can be missed, or False Positives can lead to alert fatigue on the SOC.

In this blogpost, I wanted to talk about one of the important features of Defender for Identity, which in practice has a lot of dependencies for it to work properly. We will go over these dependencies, how you can spot unhealthy scenarios, and how you can identify possible pain points.

Get control over corporate networks with device discovery

Sun, 14 Apr 2024 00:00:00 +0000

Introduction

During the last few years, I worked with a couple of customers who struggle with getting control over their corporate networks. Even though we all know corporate networks should be managed well with all the correct security controls like segmentation, Network Access Control implementations, and zero-trust designs, a lot of organizations keep struggling with knowing what devices are present on legacy network segments.

There are a couple of great network scanning and documentation solutions out there that can help organizations in getting insights into their networks. Although these dedicated network scanning solutions have many more features than what we are going to discuss in this post, I hope to inspire people you do not always need an expensive fancy network scanning solution to know what exists on your network. In this post I want to show you how we can get better network insights with just a couple of MDE onboarded devices with Device Discovery enabled, a sentinel workbook, and a list of your network segments described in a watchlist. Using this, I am confident you will have better insights into your network compared to what Device Discovery provides out of the box.

Using WDAC to ingest missing MDE events and detect token stealing

Fri, 01 Mar 2024 00:00:00 +0000

Introduction

In a previous blog post I talked about how adversaries can exploit SSO capabilities of Hybrid or fully Entra ID joined devices. I mentioned the different ways we can steal tokens from the devices, either by using BrowserCore.exe or MicrosoftAccountTokenProvider.dll.

Here I concluded that exploiting BrowserCore.exe to steal the PRT token can be detected via two different ways, but that we lack data in the DeviceImageLoad event of MDE to detect exploitation of MicrosoftAccountTokenProvider.dll because of the heavy filtering of these events. In this blog post I want to talk about how WDAC policies can actually help us solve this problem.

AitM detection with Sentinel via custom CSS

Thu, 01 Feb 2024 00:00:00 +0000

Introduction

You are probably wondering, what has CSS to do with detecting AitM sites. In this blog post, we will go over how we can use a custom CSS template in Microsoft Entra ID Company Branding, to trigger a logic that detects when a user visited a Microsoft login page via an AitM site. The idea of this detection was not initially my idea, so the credit for it goes to the projects I will refer to throughout the blog. I re-used the logic of these projects to build a Logic App that creates Microsoft Sentinel incidents when a suspected AitM connection is detected.

From hybrid / fully joined devices to Entra ID

Thu, 21 Dec 2023 00:00:00 +0000

Introduction

Adversaries are more and more interested in the data and infrastructure that lives in Cloud environments like Azure and Microsoft 365 solutions. Since Microsoft EntraID is the most common central IDP solution for these environments, it is important to identify the possible paths attackers can use to move from a device to possible crown jewels that live in these Cloud solutions.

In this blog post, I wanted to talk about how adversaries can use Entra ID Joined or Hybrid Joined devices to move laterally to the cloud, using EntraID SSO features, and how they can get a foothold on these devices. This blog post is based on a Red-Teaming scenario I encountered in a real-life, and is written from a Blue-Teaming perspective.

Belgium Microsoft Cloud & Security Community

Thu, 30 Nov 2023 00:00:00 +0000

“If you know the enemy and know yourself, you do not need to fear the result of a hundred battles.” ~ Sun Tzu ⚔

I spoke at the Belgian Microsoft Cloud & Security Community on the 30th of November, hosted at The Collective Consulting. I talked about how we can leverage various MITRE toolsets in combination with the Microsoft Security stack, so we can arm us with vital knowledge about ourselves and our enemies.

Microsoft Sentinel User Forum

Thu, 26 Oct 2023 00:00:00 +0000

Together with my colleague Louis Mastelinck, we talked on the Microsoft Sentinel user forum about Microsoft Sentinel data ingestion and avoiding alert fatigue. If you missed out on the session, you can find the slide deck below.

You can download the session slides here.

Using Managed Identities in Logic App HTTP triggers

Thu, 03 Aug 2023 00:00:00 +0000

Warning

We ‘archived’ this blogpost during a migration from the old HybridBrothers website framework to the new one, since it is more than 2 years old and might not contain the latest information. This means we did not migrate this blogpost to the new site, but you can still find a PDF version of this blogpost below.

MC2MC

Thu, 22 Jun 2023 00:00:00 +0000

My first public speaking experience! I spoke together with my colleague Sander Bougrine on MC2MC, where we deep dived into how to integrate 3th part data connectors with Microsoft Sentinel.

You can download the session slides here.

Demystifying Data Collection Rules and Transformations

Sun, 21 May 2023 00:00:00 +0000

Warning

Mapping MDE and Windows Security Events overlap

Sat, 25 Mar 2023 00:00:00 +0000

Warning

Deploy sentinel analytic rules with bicep and PowerShell

Thu, 09 Feb 2023 00:00:00 +0000

Warning

Ghost blogging on Azure Container Apps

Sun, 29 Jan 2023 00:00:00 +0000

Introduction

Hosting a blog these days can easily be done without having to cost anything. There are a lot of solutions in the likes of Medium, Weebly, Wix,… But for the more technology-minded people like us, who want to go the extra mile, we didn’t go for the easiest solution. We chose to run our blog on Azure Container Apps using the Ghost blogging platform.

In this post, I’ll go deeper into how the site is hosted as well as how the deployment is done at this moment, which is not yet automated.

Operationalizing MITRE ATT&CK to support Microsoft Sentinel deployments and detections

Tue, 22 Nov 2022 00:00:00 +0000

Warning