
Robbe Van den Daele

@robbevddaele

SSCP | MC2MC | Security Consultant & SOC Engineer

23 Followers · 17 Following · 9 Posts · Joined 24.11.2024

Latest posts by Robbe Van den Daele @robbevddaele

Detect suspicious FOCI token logins:

github.com/HybridBrothe...

#MicrosoftSecurity #EntraID #Token #KQL #MicrosoftSentinel

27.03.2025 16:25 👍 1 🔁 0 💬 0 📌 0

Do not forget to tag the Exchange Trusted Subsystem, Exchange Windows Permissions, and Organization Management groups as sensitive in #MDI if you have on-premises Exchange without the split permissions model. These groups are not tagged as sensitive by default by MDI.

09.03.2025 13:15 👍 0 🔁 0 💬 0 📌 0

Link card: Kusto Insights - February Update. Welcome to a new Monthly Update.

Another great newsletter of Kusto Insights curated by @ugurkoc.de and @bertjancyber.bsky.social!

Awesome highlighted #KQL query by @robbevddaele.bsky.social.

🔗 kustoinsights.substack.com/p/kusto-insi...

#MicrosoftSecurity #MicrosoftDefender #MicrosoftSentinel #KustoQuery

07.03.2025 20:17 👍 4 🔁 1 💬 0 📌 0

github.com/HybridBrothe...

06.03.2025 05:20 👍 0 🔁 0 💬 0 📌 0

Detections to find ADWS requests from unexpected binaries on the source devices already exist. But if an unknown device found a way to connect to ADWS, these cannot be used. Rather than flagging all ADWS requests, you can flag them from unknown source devices:

#DefenderXDR #KQL

06.03.2025 05:20 👍 0 🔁 0 💬 1 📌 0

Link card: Correlating Defender for Endpoint and Global Secure Access Logs. Introduction: If you are working with Microsoft security solutions, you might have heard of the new kid on the block called Microsoft Global Secure Access. Being a blue teamer myself, I asked myself...
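One way to implement the idea in the post above, written here as an added example rather than the author's query (the linked GitHub query is truncated on this page): in Defender XDR advanced hunting, take inbound connections accepted by the ADWS service process on domain controllers and keep only those whose source IP has never appeared in the network adapter inventory of an onboarded device. The table and column names are the standard Defender XDR schema (DeviceNetworkInfo, DeviceNetworkEvents); the default ADWS port 9389, the process name filter, and the 30-day "known device" window are assumptions you should tune to your tenant.

```kql
// Added example, not the author's query.
// Assumptions: ADWS listens on its default TCP port 9389, and any device seen by
// Defender for Endpoint in the last 30 days counts as a "known" source.
let lookback = 30d;
// Every IP address that an onboarded device has reported on one of its adapters.
let KnownSourceIPs =
    DeviceNetworkInfo
    | where Timestamp > ago(lookback)
    | mv-expand IPAddresses
    | extend IP = tostring(IPAddresses.IPAddress)
    | where isnotempty(IP)
    | summarize by IP;
// Inbound ADWS connections on the DCs whose source is not an inventoried device.
DeviceNetworkEvents
| where Timestamp > ago(1d)
| where ActionType == "InboundConnectionAccepted"
| where LocalPort == 9389
// ADWS is hosted by this service process on domain controllers.
| where InitiatingProcessFileName =~ "Microsoft.ActiveDirectory.WebServices.exe"
// Keep only sources MDE has never seen as a device of its own.
| where RemoteIP !in (KnownSourceIPs)
| summarize Connections = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp)
    by DeviceName, RemoteIP, RemoteIPType
| order by Connections desc
```

Expect the first run to surface legitimate but un-onboarded systems (management servers, appliances, jump hosts); add those as an allow-list or onboard them, after which the remaining hits are the interesting ones. Because the query relies on DeviceNetworkInfo, it only works when the domain controllers themselves are onboarded to Defender for Endpoint.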

Did you know that the logs of #Microsoft #Entra GSA contain data that helps a lot in detection engineering and incident investigations when combined with MDE? Read my latest blog on how you can correlate logs of these two solutions, and what the benefits are.

hybridbrothers.com/correlating-...

16.02.2025 12:53 👍 1 🔁 0 💬 0 📌 0

@robbevddaele.bsky.social talks about how to combine Defender for Endpoint and Global Secure Access together #wpninjasnl #wpninjaconnect

05.02.2025 11:36 👍 2 🔁 1 💬 0 📌 0

Link card: Parsing CEF messages without Azure Monitor Agent. Introduction: During my time as SOC Engineer, I do a lot of third-party data source ingestion projects for clients into their Microsoft Sentinel instances. Most of these data sources are network sec...

Interested in how I parse #CEF syslog messages from network security appliances to the CommonSecurityLog table in #MicrosoftSentinel without using AMA? Read my latest blog post at:

hybridbrothers.com/parsing-cef-...

#Microsoft #MicrosoftSecurity

13.01.2025 11:46 👍 0 🔁 0 💬 0 📌 0

Link card: Device isolation and containment strategies. Introduction: As a Security Operations Center, you want to be able to contain devices and users on a network as a response to an adversary event. However, depending on the security stack you are usin...

In my latest blog post, I wanted to talk about the nuances most organizations overlook with #defenderforendpoint device isolation and containment, and how these capabilities can co-exist next to containment actions via networking equipment.

hybridbrothers.com/device-isola...

#Microsoft

09.12.2024 22:09 👍 0 🔁 0 💬 0 📌 0

WP Connect Speaker announcement:

Our next speaker is @robbevddaele.bsky.social. He is talking about how to use Defender for Endpoint and Global Secure Access better together.

For more information about the event, check: https://buff.ly/4fHGe78

#WPNinjasNL #WPNinjaNLConnect #WPNinjaConnect

05.12.2024 13:00 👍 3 🔁 2 💬 0 📌 0

📅 We are pleased to share the agenda for MC2MC Connect, taking place on February 6 in Antwerp.

You can view the full agenda here: connect.mc2mc.be/agenda/

We hope to see you there! 🚀

#MC2MC #ConnectMC2MC #Connect #Collaborate #Create

03.12.2024 13:14 👍 8 🔁 6 💬 0 📌 0

[Post images: OxygenOS 14.1 and OxygenOS 14.0 screenshots]

OnePlus OxygenOS 14.1 seems to support third-party passkey providers again, allowing us to use passkeys in #Microsoft #EntraID again. 👀

01.12.2024 10:50 👍 2 🔁 0 💬 0 📌 0

On OnePlus phones they supported third-party passkey providers, but suddenly stopped supporting it around May this year. On OxygenOS 14.1 they now do support it again!

01.12.2024 10:31 👍 1 🔁 0 💬 0 📌 0