Using Defender for Endpoint Live response API with Sentinel Playbooks/ Automation
Live response is a function from Defender for Endpoint and is available for Windows 10 and Server 1803/1903. Live response gives security operations teams instantaneous access to a device using a remote shell connection. With live response it is possible to do an…
Using the Azure Sentinel Windows Security Events Connector for getting custom events
Microsoft announced on 14th June 2021 a new version of the Windows Security Events data connector. The new feature reached currently the public preview release. In comparison with the current public Security Events connector some new improvements are added for the new Security…
PrintNightmare – Use Microsoft Defender/ Sentinel toolings to get insights
Technical details and a proof-of-concept (PoC) exploit have been accidentally leaked for a currently unpatched vulnerability in Windows that makes remote code execution possible. The issue affects Windows Print Spooler. The researchers named it PrintNightmare. Currently, the latest June 2021 security patches do not…
Monitor RDP Brute Force Attack with Azure Sentinel & Azure Security Center
Since the last years, there is a large increase in cybercriminals attempting to run attacks by exploiting the login credentials. With the current work-from-home scenario, more attacks are visible against the RDP protocol. At the moment one of the most common attacks against…
Review service principals with Azure AD Access Reviews and monitor with Azure Sentinel
A new feature in public preview is the Azure AD access review functionality. With the new AzureAD access reviews function it is possible to review service principals in the Azure environment. With the more growing trend of cloud services and application service principals…
Monitor Azure AD break-glass accounts with Azure Sentinel
Conditional Access configuration for AzureAD accounts is important. With Conditional Access you can protect easy accounts, block outdated protocols and create more security cases to protect corporate data. An important part of Conditional Access is the usage of break-glass accounts. In this blog…
Integrate Azure Sentinel with Microsoft Teams for seamlessly collaboration
Working from home became the new normal in most of the work environments. With the increase of working from home also the security impact changed. During security incidents, most of the collaboration will be done with chat, email, or video, there is no…
Use Microsoft technology for the detection and prevention of the SolarWinds chain attack
SolarWinds has revealed how monitoring products it released earlier this year may have been tampered with in a supply chain attack. In this blog post an overview of detection methods and IOC available for the detection and prevention of the SolarWinds attack. In…
Collect Microsoft Teams activity in Azure Sentinel and start hunting
Azure Sentinel is a cloud-native security information and event manager platform. (SIEM). Sentinel uses AI to analyze large volumes of data. Azure Sentinel is developed based on existing Azure services. Log Analytics and Logic apps are part of the foundation. What is Azure…
Inzicht in Brute-force & Password spray attack via Azure Sentinel
Azure Sentinel is een cloud-native Security Information Event Management-oplossing, ook wel bekend als een SIEM-oplossing. Azure Sentinel is cloud-native ontwikkeld op het schaalbare Azure platform en maakt gebruik van meerdere bestaande Azure services. In dit blog een toelichting over de detectie van Brute-force…