How to Configure Splunk to pull Windows Defender ATP alerts

Posted onLeave a comment

Windows Defender ATP provides SIEM integration, allowing you to pull alerts from Windows Defender ATP Security Center into Splunk. The SIEM integration uses the Windows Defender ATP Alerts Rest API. Since I have an actual customer demand for such an integration, I thought it’s about time to get a feel for how this works. Prerequisites An active Windows Defender ATP subscription with portal admin access Windows Defender ATP SIEM integration enabled within the portal. A Read More …

Configuring Windows Defender Credential Guard with ConfigMgr

Posted onLeave a comment

I’m currently engaged in multiple customer projects where Windows 10 is already in production, but unfortunately without Windows Credential Guard enabled. For those who think “Credential ….what?” Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. More details can be found here. Some of you might think, why wasn’t Read More …

How to customize Windows Defender ATP Alert Email Notifications

Posted onLeave a comment

During a recent customer engagement, I was asked whether the it would be possible to add additional information to the Alert email that is send out by Windows Defender ATP when a new alert occurs. @RagoReady from Microsoft gave me a good hint to look into Microsoft Flow and the Windows Defender ATP connector. When you enable Alert Notifications within the Windows Defender ATP portal, subscribed users get an alert email that looks as shown Read More …

Check Windows Defender ATP Client Status with PowerShell

Posted onLeave a comment

Here’s a little utility to check the status of Windows Defender ATP on a local or remote client. I basically took some code from the WDATP connectivity verification tool, removed the network connectivity testing part (I might add that later as well) and transformed the code so it can be used to check whether the client is properly onboarded and if all required services are running.

Retrieving Azure MFA registration status with PowerShell

Posted onLeave a comment

I’m in the process of supporting one of our clients to enable Azure Multifactor Authentication for all their users because at a later stage we want to introduce Conditional Access. In a larger environment it’s probably a good idea to start informing users about MFA, why and how it works. Then ask users to start registering themselves. In our case we’re using the Converged registration for self-service password reset and Azure Multi-Factor Authentication which is Read More …

Windows 7 Hybrid Join and MFA ramblings

Posted onLeave a comment

Today I ran into an issue where Windows 7 would not hybrid join as expected. Before going into the details, for those who might not be aware like Windows 10 and Server 2016, you can also hybrid join down-level devices. The functionality is of course not built into Windows so you need to install the “Microsoft Workplace Join for non-Windows 10 computers” software. One reason why you want to hybrid join Windows 7 devices is Read More …

How to enable DKIM in Office 365

Posted onLeave a comment

Just in case you are not familiar with what DKIM is all about but still interested, I suggest you first read Use DKIM to validate outbound email sent from your custom domain in Office 365 If you’re looking for detailed instructions how to enable DKIM in Office 365 continue reading. Prerequisites Windows PowerShell PowerShell Script Validate-DkimConfig.ps1 download from here Access to Exchange Online through PowerShell Access to DNS Connect to Exchange Online First we connect Read More …

How to manage LAPS DebugLogging with PowerShell

Posted onLeave a comment

If you need to troubleshoot the Local Administrator Password Solution LAPS you can configure how much information is written into the Windows Event log. Logging options are set through the following REG_DWORD values described below under: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{D76B9641-3288-4f75-942D-087DE603E3EA}\ExtensionDebugLevel Value Meaning 0 Silent mode; log errors only When no error occurs, no information is logged about CSE activity This is a default value 1 Log Errors and warnings 2 Verbose mode, log everything Becasue navigating manually Read More …

How to monitor your Azure AD emergency account with Cloud App Security

Posted onLeave a comment

As a best practice you should have at least one or two emergency accounts in your Azure Active Directory. You would use these accounts in the event where due to a configuration mistake you inadvertently locked yourself out of the Azure Active Directory or when for some reason you can’t use MFA that should be enabled on all administrative accounts. For more guidance about creating emergency accounts I suggest you read Manage emergency access accounts Read More …

Stay in Control of AzureAD Enterprise Application registrations with Cloud App Security

Posted onLeave a comment

Azure Active Directory provides a simple process that provides users with a single sign-on (SSO) experience for accessing cloud-based applications using their AzureAD identity. This is a great capability as it removes the need for users to manage multiple identities while enterprises keep visibility and if needed control over which applications are used by their employees. By default, all users within Azure Active Directory have the rights to register an application and users can allow Read More …