Monitoring Service principal sign-ins with AzureAD and Azure Sentinel

Here is a conversation between Jeffrey (Developer) and Marc (IT Admin) working for ECorp Ltd. Looks familiar? Take a look in your Azure Active directory, how many applications do you have there? In an ideal world you maintain an inventory of all these applications somewhere in your asset management database so that you know who is the owner of the Application and what it is used for and what API permissions are granted. As for Read More …

How to create your Defender ATP Admin Audit Log Dashboard

Hello everyone, In today’s blogpost I will walk you through the process of creating an admin audit log dashboard for Defender Advanced Threat Protection. During my past customer engagements, I was often asked if there is a way to show device actions taken by Defender ATP admins. The answer is yes, this is possible. First the information is available through the Defender ATP API, second the information is also stored within the Windows event log Read More …

Microsoft Defender ATP Advanced Hunting – Who’s logging on with local admin rights?

Note: I have updated the kql queries below, but the screenshots itself still refer to the previous (old) schema names If you’re among those administrators that use Microsoft Defender Advanced Threat Protection, here’s a handy tip how to find out who’s logging on with local administrators’ rights. But first when would you want to run this? Well here are some scenarios I can think of: You want to find users that have local administrator rights Read More …

OMS Security and Audit Baseline Assessment

The Microsoft Operations and Management Suite, Security and Audit Solution includes a Baseline Assessment component. The Baseline configuration definition includes a set of Registry, audit policy and security policy settings rules that are recommended to configure to achieve a secure operating environment. Within the Console we get an overview of “Rules” that have failed, because the servers don’t have the recommended configuration applied. While looking at this, I wondered where I can find the complete Read More …

OMS Log Analytics HTTP Data Collector API – Work notes

I believe that the Microsoft Operations Management Suite is yet another example of how cool Cloud based solutions can be. Instead of first having to spin up an entire backend infrastructure before you can actually start collecting data, with the Microsoft Operations Management Suite you can directly start focusing on the task of collecting and visualizing your data. This blog post is basically a summary of my notes and scripts that I created while exploring Read More …