Note This post is part of a series about Microsoft Threat Protection. You can find part 1 about unified hunting here: https://chrisonsecurity.net/2019/12/15/microsoft-threat-protection-unified-hunting/ In my last post about Microsoft Threat Protection (MTP) I talked about unified hunting where you can use data signals from Defender ATP, Office ATP, and (coming soon) MCAS / Azure ATP to…
Looking back at 2019
Hello everyone! While I usually only post about technological topics, I will also speak about some personal topics of the year (and decade) that is now almost finished. The blog But first lets have a look at what happened on my blog this year. Although I started it in November 2018, I only started writing…
Microsoft Threat Protection – unified hunting
Note This post is part of a series about Microsoft Threat Protection. You can find part 2 about unified incident management here: https://chrisonsecurity.net/2020/01/24/microsoft-threat-protection-unified-incidents/ When you work on security incidents, information is key. What is just as important: correlation. The value of data heavily increases if it can be associated with other signals. At Ignite 2018,…
MDATP + Azure Logic Apps: Default connectors vs. HTTP REST
Automating security rocks! In a previous post I showed how to get started with Microsoft Defender ATP and Microsoft Flow: https://chrisonsecurity.net/2019/10/22/automate-mdatp-response-with-microsoft-flow/ Now, lets get a bit more into detail about automating security workflows. Unlike last time, I will use Azure Logic Apps instead of Flow. Both technologies are quite similar, however, they differ in licensing…
Azure AD Security Defaults – one click and done?
Security in the Microsoft world has never been an on/off switch. Looking back at Windows and especially Active Directory there have always been multiple steps that had to be considered. With the cloud and Azure AD, some companies used the possibility not to start with the same mistakes that were made in the past. Unfortunately,…
Automate MDATP response with Microsoft Flow
I recently met with a customer to discuss their migration from Kaspersky to Microsoft Defender ATP. They also use macmon to query the AV’s database to detect alerts and move affected clients to an isolated VLAN. Although MDATP is capable of handling incidents itself, the customer wanted to retain the capability to auto-isolate machines. At…
Going passwordless with Azure Active Directory – part 2
The passwordless story is not over. A while back, I summarized the possibilites we have to reduce the usage of passwords with Azure AD. You can find this post here: https://chrisonsecurity.net/2019/07/28/going-passwordless-with-azure-active-directory/ This topic will become more and more important in the future, so I decided to to a follow up to cover some additional things….
Defending against obfuscated malicious content via e-mail
When it comes to cyber attacks, e-mails are still in most cases the initial point of compromise. Users are either lured to enter their credentials on a spoofed website or malware is attached in an obfuscated way. For example, by leveraging Office macros or making the user to “Enable content” which is disabled by default…
Microsoft Cloud App Security – 5 reasons to start using it
As a Cloud Access Security Broker (CASB), Microsoft Cloud App Security – or MCAS as I will call it in this post – is a central cloud security tool that let’s you gain visibility and control over your cloud services. It also offers a variety of ways to analyse cloud usage and potential threats like…
From the field: forced password reset in Azure AD Identity Protection
Azure AD Identity Protection is one of the most sophisticated features in Azure Active Directory (Premium P2). Based on Microsoft’s Intelligent Security Graph it detects users and sign-ins at risk and responds at a level you select. If you have the required licenses it should be part of every cloud security baseline. It features different…