Since Microsoft Defender for Endpoint is a suite of products, rather than just one single piece of software, there are various places where you can create exclusions for different features. Also, there are integrations in other products, that result in possible side effects when enabling certain settings. Most of these products have separate documentations, there is no single documentation page that contains all the information about exclusions available in Microsoft Defender for Endpoint.

Creating and maintaining a secure environment is hard. And with every technology or product added to your environment it gets more complicated. Microsoft Azure as a cloud environment is no exception to this rule and with the many services and features that get added every year it just gets more complicated even if you did not change a thing. Because keeping your IT assets secure is important as you move to the cloud, it is important to know which bad practices to avoid and which attack scenarios are out there.

While working on another blog post I looked at different lateral movement paths an attacker can use, when she has compromised the Azure AD Connect server. Since this is the gateway to the cloud environment there already is quite some research available. When reading the existent posts about this topic, the main lateral movement path mentioned is a password reset to take over a privileged account synced to the cloud. But with a restrictive Conditional Access policy in place that requires MFA or even FIDO2 for administrative users, this is not enough for an account takeover.

If you have worked with Microsoft Sentinel you will, at one point, stumbled over two different file formats for Analytics Rules: YAML and ARM. The YAML format is mostly used to distribute Analytics Rules between people. All Analytics Rules you will find in the official Sentinel GitHub repo and others out there are offered in this format. The ARM format is what you need to deploy the Analytics Rules when using a pipeline or even if you want to import them using the UI in Microsoft Sentinel.

Business email compromise and phishing are just two of the threats sent to hundreds and thousands of email inboxes around the world every day. As defenders, we use various tools and methods to limit the delivery of these emails to the intended target. In most cases, the attackers start by registering a domain that closely resembles the target company’s own domain name, or simply include the company name in the domain (e.

Integrate MDI health alerts in Microsoft Sentinel or how to turn every e-mail notification in a custom alert in Sentinel and customize alert details for your benefit.

Over the weekend I finished a really fun project I had in mind for a couple of weeks. My newest website: AnalyticsRules.Exchange In this post I will explain the reason why I created this new website, as well on how I did it. At the moment I will not publish the code, not because I don’t want to share it, but because it’s super ugly and not something I want to be a source for other people to start with.

Am Mittwoch, den 26. Oktober, spreche ich beim Microsoft 365 Security & Compliance User Group. Das Thema meines Vortrags ist “Why using a FIDO2 security key is important”. Abstract Learn why classic MFA based authentication is still at risk of being phished using AiTM techniques and how FIDO2 security keys can mitigate such attacks. You can also use Azure AD conditional access to add an additional layer of security. Agenda Uhrzeit (BST) 18:15-19:00 Terry Hugill - Installing, Configuring, and Using AIP Scanner 19:15-20:00 Fabian Bader MVP - Why using a FIDO2 security key is important Mehr Informationen zur “Microsoft 365 Security & Compliance User Group” findet ihr hier.