2025 Microsoft Defender Optimization & Configuration Cheat Sheet
With just 2 remaining months in 2025, it is a good idea to check the Microsoft Defender environment and check of new features are correctly configured. In recent months, Microsoft has released numerous new features and security solutions to protect…
AiTM/ MFA phishing attacks in combination with “new” Microsoft protections (2025 edition)
Adversary-in-the-middle phishing attacks are still more common in use, in the last year and the start of 2025 there is still a more visible increase in AiTM/ MFA phishing. Since the removal of basic authentication from Exchange Online more and…
How to store Defender XDR data for years in Sentinel data lake without expensive ingestion cost
In recent years, an increasing number of customers have requested options to extend retention in Microsoft Defender XDR beyond the default 30 days at a low cost, all with the requirement of having the KQL experience available. Blog information: Feature is…
Microsoft Sentinel data lake: How to use/enable and set-up the unified data lake
Microsoft released the new Microsoft Sentinel data lake in public preview this month. With the data lake feature, it is possible to scale and store data more easily for less cost. The new Microsoft Sentinel data lake is a new…
Configure automatic Attack Disruption in Microsoft Defender XDR
Microsoft Defender XDR includes a powerful response capability with the name Attack Disruption. As part of the Defender XDR solution attack disruption capabilities can protect the environment against sophisticated, high-impact attacks. Attack Disruption works automatically; however, it still needs manual…
How to protect against Device Code Flow abuse (Storm-2372 attacks) and block the authentication flow
Since August 2024 there has been a sophisticated phishing campaign actively leveraging the device code authorization flow. Currently, there is a wide range of attacks targeting a wide range of sectors including government/ IT services and critical industries. The attack…
How to check for OAuth apps with specific Graph permissions assigned
OAuth apps are still an important target for attackers to misuse in organizations. Since the MFA baseline is improved with number matching and additional controls attackers are finding new ways to gain access to environments/ and collect data. One of…
How to check and block “malicious” browser extensions with Microsoft Defender and Intune?
In the past years, malicious browser extensions have been on the rise and are more popular to be used as part of cyberattacks. With the use of malicious extensions, it is possible to gain data/ cookies or gain initial access…
How to use Microsoft Security Exposure Management (XSPM)
Microsoft Security Exposure Management is a new product/feature in the Defender XDR suite. This blog will explain more about it and the difference between Vulnerability Management/ Secure Score and XSPM since there is still a difference between the Microsoft Security…
How to check for a healthy Defender for Endpoint environment?
When using Defender for Endpoint it is important to make sure the agent are healthy. I performed many reviews/ configurations in the past years and onboarded around a million devices to Defender for Endpoint for small and larger “enterprise” customers….
