Work and live with IT

Other Entra ID / Azure AD SignIn errors

The challenge Most of us analyzing Azure AD SignIn logs have been there. You come across a failed sign-in, but the ResultDescription is not really helpful, but only shows “Other”. Other? But what other? When using the Entra ID portal UI most of those error codes will perfectly translate to a more helpful error message. What the sign-in logs cannot do, the portal UI is able to So how can you have the same experience when using KQL?

Sync Defender for Cloud Alerts with Sentinel Incidents

When working with Defender for Cloud and Microsoft Sentinel the two product greatly integrate into each other. If integration is enabled each Defender for Cloud alert will generate an Sentinel incidents which contains the entities, description, the title and more information of the DfC alert. Also there is a direct link to the alert and if bi-directional alert synchronization is enabled it keeps the alerts, you guessed it, in sync.

Going passwordless with Window Hello for Business and SCRIL

…or SCRIL in a hybrid environment. What could possibly go wrong? Way before the term “passwordless” was used by Microsoft to promote the use of alternative authentication methods besides a password there already was a way to go passwordless. In Active Directory there is a feature called SCRIL to achieve exactly this. SCRIL which is short for “Smart card is required for interactive logon” is an effective way to prevent any interactive sign-in to a domain joined machine using a password for the user that holds this attribute.

Sentinel Pester Framework

When you work with one or multiple Microsoft Sentinel workspaces you may find it necessary to not only deploy Analytics rules and other configuration artifacts using a version controlled source control (CI/CD) to limit human error and enforce consistency. But you might also want to independently verify your deployment on a regular basis. I certainly did and set out to write a test driven solution. Since I love to use PowerShell and there is already a superb test framework, the tool to use for the task at hand was an easy choice: Pester.

From on-prem to Global Admin without password reset

While working on another blog post I looked at different lateral movement paths an attacker can use, when she has compromised the Entra ID (Azure AD) Connect server. Since this is the gateway to the cloud environment there already is quite some research available. When reading the existent posts about this topic, the main lateral movement path mentioned is a password reset to take over a privileged account synced to the cloud.

Convert Sentinel Analytics Rules with PowerShell

If you have worked with Microsoft Sentinel you will, at one point, stumbled over two different file formats for Analytics Rules: YAML and ARM. The YAML format is mostly used to distribute Analytics Rules between people. All Analytics Rules you will find in the official Sentinel GitHub repo and others out there are offered in this format. The ARM format is what you need to deploy the Analytics Rules when using a pipeline or even if you want to import them using the UI in Microsoft Sentinel.