Automated incident triage with Security Copilot and Microsoft Sentinel/ Defender XDR
With the use of Security Copilot, it is possible to enrich and triage alerts automatically using GenAI data. Microsoft recently developed new SOC automation playbooks to accelerate AI-automated triage based on Security Copilot and Microsoft Sentinel. Since the launch of…
AI workload threat protection in Microsoft Defender for Cloud
Recently, Microsoft announced a new protection plan for AI workloads as part of the Microsoft Defender for Cloud suite. AI security is becoming more important as AI continues to rise, with more products and companies leveraging its capabilities.” This version…
Configure automatic Attack Disruption in Microsoft Defender XDR
Microsoft Defender XDR includes a powerful response capability with the name Attack Disruption. As part of the Defender XDR solution attack disruption capabilities can protect the environment against sophisticated, high-impact attacks. Attack Disruption works automatically; however, it still needs manual…
How to protect against Device Code Flow abuse (Storm-2372 attacks) and block the authentication flow
Since August 2024 there has been a sophisticated phishing campaign actively leveraging the device code authorization flow. Currently, there is a wide range of attacks targeting a wide range of sectors including government/ IT services and critical industries. The attack…
Common mistakes during Microsoft Defender for Endpoint deployments
Microsoft Defender for Endpoint (MDE) is part of Microsoft Defender XDR and can be deployed via multiple configurations. During my experience with the product, I deployed/ reviewed and evaluated many Defender for Endpoint instances and configured new instances for many…
How to check for OAuth apps with specific Graph permissions assigned
OAuth apps are still an important target for attackers to misuse in organizations. Since the MFA baseline is improved with number matching and additional controls attackers are finding new ways to gain access to environments/ and collect data. One of…
AiTM/ MFA phishing attacks in combination with “new” Microsoft protections (2025 edition)
Adversary-in-the-middle phishing attacks are still more common in use, in the last year and the start of 2025 there is still a more visible increase in AiTM/ MFA phishing. Since the removal of basic authentication from Exchange Online more and…
How to check and block “malicious” browser extensions with Microsoft Defender and Intune?
In the past years, malicious browser extensions have been on the rise and are more popular to be used as part of cyberattacks. With the use of malicious extensions, it is possible to gain data/ cookies or gain initial access…
How to use Microsoft Security Exposure Management (XSPM)
Microsoft Security Exposure Management is a new product/feature in the Defender XDR suite. This blog will explain more about it and the difference between Vulnerability Management/ Secure Score and XSPM since there is still a difference between the Microsoft Security…
Configure File Integrity Monitoring (FIM) using Defender for Endpoint
Previously the File Integrity Monitoring (FIM) feature in Defender for Server P2 was based on the MMA and/or Azure Monitor Agent. Since the MMA agent is almost retired/ EOL, Microsoft decided to switch to a new technique and release the…
