Common mistakes during Microsoft Defender for Endpoint deployments
Microsoft Defender for Endpoint (MDE) is part of Microsoft 365 Defender and can be deployed via multiple configurations. During my experience with the product, I deployed, reviewed and evaluated many Defender for Endpoint instances and configured new instances for many customers around the…
How to use Automatic Attack Disruption in Microsoft 365 Defender (BEC, AiTM & HumOR)
Last year Microsoft announced a new feature called Automatic attack disruption, which uses correlated insights from the Microsoft 365 ecosystem and powerful AI models to stop sophisticated attack techniques while the attack is in progress. Automatic attack disruption supports adversary-in-the-middle (AiTM) attacks…
How to troubleshoot Live Response in Defender for Endpoint
Live Response is a powerful feature of the Microsoft 365 Defender portal. With the use of Live Response, Security Operations teams can establish a remote session to collect files or forensic evidence and run scripts remotely. With the use of Live…
Onboard and configure Defender for Endpoint for non-persistent VDI environments
Microsoft supports multiple onboarding methods for Defender for Endpoint. Non-persistent VDIs are always a challenge, since they work differently from typical endpoints. For Defender for Endpoint, there is a challenge during the onboarding and configuration of Defender…
Block apps (discovered / shadow IT) with Defender for Cloud Apps and Defender for Endpoint
With the use of Defender for Cloud Apps in combination with Defender for Endpoint it is possible to block unsanctioned apps; the block is based on discovered applications. Blog information: Blog published: July 26, 2023; Blog latest updated: July 26, 2023. One…
Manage Defender for Endpoint for Windows, macOS, and Linux via Security settings management
Recently Microsoft announced a couple of new improvements related to the new security settings management for Windows, macOS, and Linux as part of Defender for Endpoint. In past years, there was always a bit of a gap between the usage of Defender…
AiTM / MFA phishing attacks in combination with "new" Microsoft protections (2023 edition)
Adversary-in-the-middle phishing attacks are still common and increasingly used. Since the removal of basic authentication from Exchange Online, more and more attackers are using modern techniques like adversary-in-the-middle phishing, cookie theft, and other attacks. Last year I blogged about several modern…
Onboard Defender for Endpoint without Azure Arc via Direct onboarding
Previously, onboarding hybrid servers to Defender for Servers with MDE required Azure Arc as a prerequisite for the deployment. The standalone plan was removed from the licensing options some time ago (for CSP customers without an EA agreement). Azure Arc gives a benefit…
Block gTLD (.zip) / FQDN domains with Windows Firewall and Defender for Endpoint
Recently there was some news about new gTLD domains. Google Registry launched eight new top-level domains: .dad, .phd, .prof, .esq, .foo, .zip, .mov, and .nexus. From a security point of view, .zip and .mov can be dangerous (of course, more TLDs are known to be abused by malicious actors). Malicious actors can put an…
Block C2 communication with Defender for Endpoint
Human-operated ransomware (HumOR) is growing and needs different layers of protection. Microsoft released some new features to protect against C2 communication. Attackers rely heavily on C2 communications for multiple stages, and blocking these direct connections can disrupt or mitigate attacks in the earlier…