/images/avatar.png

Work and live with IT

Use Unified Sign-In logs in Advanced Hunting

One thing that always makes analyzing Sign-In logs for Azure AD users a bit complicated is the different types of Sign-In logs available. For user accounts “Interactive user sign-ins” as well as “Non-interactive user sign-ins” are where to look. And don’t get me wrong, I love that we have the non-interactive logs available. They are super important and the separation is correct. But when working with those logs in the Azure portal is get’s complicated fast.

Windows Hello for Business Cloud Trust and KDC proxy

Windows Hello for Business cloud trust is the latest addition to deployment methods that can be used for Windows Hello for Business. Windows Hello for Business cloud trust Windows Hello for Business is Microsofts passwordless logon solution that uses an asymmetric key pair for authentication instead of using username and password. The private key is securely stored in the Trusted Platform Module (TPM), preventing the private key from getting leaked. All the technical complexity of the logon process is completely transparent to the user, she only has to unlock the credentials stored in the TPM using either a PIN or some kind biometrics.

The Hitchhiker's Guide to Microsoft Defender for Endpoint exclusions

Since Microsoft Defender for Endpoint is a suite of products, rather than just one single piece of software, there are various places where you can create exclusions for different features. Also, there are integrations in other products, that result in possible side effects when enabling certain settings. Most of these products have separate documentations, there is no single documentation page that contains all the information about exclusions available in Microsoft Defender for Endpoint.

Vortrag @ Cloud Workplace Meetup

Am Donnerstag, den 12. Mai, werde ich bei der Cloud Workplace Meetup sprechen. Das Thema meines Vortrags ist “Use external threat intelligence in Microsoft Defender for Endpoint”. Ausblick Mit Microsoft Defender Tamper Protection bietet Microsoft einen essentiellen Baustein für die Absicherung der Antivirenlösung auf Endpoints, Server wir Clients zugleich. Die Funktion verhindert die Abschaltung der Schutzkomponenten und erschwert es Angreifern Ihren Payload unbemerkt zu starten. In dieser Session erörtert Fabian Bader welche Bereiche der Antiviren Software durch diesen Schutz abgedeckt sind und zeigt auf welche Konfigurationsänderungen weiterhin möglich sind.

Vortrag @ Microsoft Cloud Security User Group

Am Donnerstag, den 28. April, werde ich bei der Microsoft Cloud Security User Group sprechen. Das Thema meines Vortrags ist “Use external threat intelligence in Microsoft Defender for Endpoint”. Ausblick Extend alarming and protection capabilities of Microsoft Defender for Endpoint using external data sources. In this showcase Fabian Bader will demonstrate how easy you can tap into open source threat intelligence using the Feodo Tracker project and use it to protect your endpoints.

Why using a FIDO2 security key is important

Microsoft offers a great variety of options to use as your primary authentication method, when signing-in with your Azure AD identity using a browser. Username and Password Phonenumber and SMS Username and Passwordless phone sign-in Certificate-based authentication Windows Hello for Business FIDO2 security keys Using conditional access you can further protect the accounts, enforcing the need for a second factor, device compliance, location based restrictions and many more configuration options.