Since Microsoft Defender for Endpoint is a suite of products, rather than just one single piece of software, there are various places where you can create exclusions for different features. Also, there are integrations in other products, that result in possible side effects when enabling certain settings. Most of these products have separate documentations, there is no single documentation page that contains all the information about exclusions available in Microsoft Defender for Endpoint.

Creating and maintaining a secure environment is hard. And with every technology or product added to your environment it gets more complicated. Microsoft Azure as a cloud environment is no exception to this rule and with the many services and features that get added every year it just gets more complicated even if you did not change a thing. Because keeping your IT assets secure is important as you move to the cloud, it is important to know which bad practices to avoid and which attack scenarios are out there.

Graph databases offer great insights into existing data, that relational databases cannot or can only solve with more resources. Tools that leverage this ability to find lateral movement paths (edges) between user, computers and other entities (nodes) like Bloodhound offer an amazing data source for red teams and blue teams alike. But still the use in the defender world is yet limited. This might be because blue teams don’t like to use red teamers toolkit (really?

Microsoft Defender for Cloud Apps is one of the many puzzle pieces of the Microsoft XDR solution that helps you to secure your corporate environment. While Defender for Endpoint and Defender for Office 365 may be the more prominent names in this puzzle, Defender for Cloud Apps has a few aces up it’s sleeve that help you to protect access to corporate data on a complete other level. Many of you might already know the cloud discovery capabilities, which help you to get a deep insight into your companies usage of Software as a Service solutions.

With the release of the public preview for Passkey in Entra ID, I think, the broad adoption of passwordless and phishing resistant authentication adoption in the enterprise is coming close. Of course we had phishing resistant, passwordless methods available before. FIDO2 security keys are already a supported way to sign-in to Entra ID. But realistically this was always just for the technical savvy, the admins and power users and there were still limitations on mobile platforms.

Device Code Flow is a great feature. You are signed in on a machine that does not have any UI but need to connect to an Azure or Microsoft 365 resource? No problem, device code flow to the rescue. All major PowerShell cmdlets, the az tools and many other tools support this authentication flow. What makes it so flexible and great? You can go to https://microsoft.com/devicelogin enter a generated code that is displayed on another device and sign-in using your normal user and bam, you are in.

Since a few weeks I recognized an uptick in Entra ID Protection alerts regarding “Anonymous IP address” detections. Normally this is a high-fidelity indicator that someone is using a Tor browser or some other method to cover their tracks. While this behavior is totally fine in a private setting, in enterprise IT the use of such anonymizers is not considered baseline behavior. While analyzing the related alerts for common patterns I stumbled upon the IP address information.

A few months ago in November 2023 PowerShell 7.2 was made “General Available” in Azure Automation. One important feature was yet missing from the documentation: deployment using Bicep or ARM templates. As confirmed by Microsoft, the API was already supporting this behind the scenes. Yes, both Bicep and ARM template support is available. After I checked with a few people to no avail, Jan-Henrik finally gave my the right hint.