Check out my blog post "Mastering (Orphan) API Connections in Microsoft Sentinel Playbooks" in which I demonstrate how to manage the API connections of your Microsoft Sentinel Playbooks and identify orphaned ones.
blog.ambrozzo.ch/posts/master...
#microsoftsentinel #LogicApps #IaC
29.12.2025 08:37
Disabling a user account during a security incident removes them from all Microsoft Teams. Private channel membership is not automatically restored. This #KQL query lists all private channels the user was removed from.
github.com/lorisAmbrozz...
07.11.2025 10:06
While diving into Defender XDR Attack Disruption with x.com/nicolonsky, I noticed that the Enterprise App Microsoft Defender for Identity (formerly Radius Aad Syncer) is responsible for the response actions in Entra ID. The #KQL query lists these actions.
github.com/lorisAmbrozz...
17.04.2025 10:53
That's a simple one, but it could be quite useful, also in combination with other #detections. For a few days now, it has been possible to use #KQL to detect when a global admin elevates access to manage all subscriptions and management groups.
github.com/lorisAmbrozz...
07.02.2025 06:45
I was wondering the same thing this morning. In one customer environment it is also available, and in another tenant there is still no MDCA available. Let's hope it comes soon.
11.12.2024 19:09