Detect and block Credential Dumps with Defender for Endpoint & Attack Surface Reduction
Credential dumping or password dump is a technique used by cybercriminals to gain access to a network. They will enter the workstation through phishing and controls through the typical way the admin uses and monitors the network to find more exposed credentials (Lateral…
MFA prompt spamming/ MFA fatigue – What can you do to prevent/ detect attacks?
MFA prompt spamming/ MFA fatigue is a quite new term and seeing more after the LAPSUS$ attack. Currently there are many MFA options including SMS, One Time Passwords (OTP), and push notifications from the Microsoft Authenticator app. And while the intent of these…
Use Microsoft Defender for Identity Response Actions for on-premises AD accounts
Microsoft announced recently the public availability of the native response actions in Defender for Identity. Security teams can now directly impact the on-premises AD account from one single experience part of the Defender security portal. In this blog post, the new long-awaited response…
What happens without RDP protection after 24+ hours in Microsoft Sentinel & Microsoft security products
For many years, abuse of Remote Desktop Protection (RDP) has been the most common root cause of all ransomware events. At the moment one of the most common attacks against VMs in Azure/ AWS or other clouds is based on the RDP brute-force…
Protecting Microsoft Teams with Microsoft Sentinel
Microsoft Teams and other online collaboration tools increases massively in the last 2-3 years. Working from home became the new normal in most of the work environments and securing IT cloud environments changes. Recent changes in Microsoft Teams bring more options for attackers…
Collect Security Events in Microsoft Sentinel with the new AMA agent and DCR
The Microsoft Sentinel Data Connector that utilizes the modern agent (AMA) for collecting Windows Security Events is for a couple of months general available. The Log Analytics/MMA agent will be retired in 2024, which seems like a long way off. Preparing to use…
Protect against AzureAD OAuth Consent phishing attempts (Illicit consent attack)
In the last couple of months, there is a large increase visible in consent phishing emails (illicit consent attacks). Microsoft threat analysts are tracking a continued increase in consent phishing attempts/mails. This blog described some of the Microsoft prevention/detection capabilities against OAuth Consent…
Monitor Microsoft Sentinel Data Connectors using Health Monitoring and Logic App
Microsoft announced a new public preview which contains the new Microsoft Sentinel Health Monitoring feature. Microsoft Sentinel now provides the SentinelHealth data table to help monitor the connector health and provides some insights which are interesting for further monitoring. Important: Feature currently in public preview….
Tag domain controllers automatically in Defender for Endpoint using KQL, Logic App, and API
The use of device tags within Microsoft Defender for Endpoint (MDE) is important for environments. Device tags can be used to give more control over how you manage your devices and scope devices for different groups. When onboarded many devices without any good…
Onboard Microsoft Defender for Endpoint using Azure Arc for non-Azure devices
Microsoft Defender for Endpoint deployment is possible based on multiple deployment mechanisms. Microsoft Defender for Cloud (previous Azure Defender) is available in Azure, with Microsoft Defender for Cloud it is possible to manage devices in Azure. By using Azure Arc, it is possible…
