Microsoft Defender XDR on Anything About IT

Modern Security for Legacy Systems

Sun, 30 Nov 2025 12:43:15 +0000

Despite rapid OS refresh cycles, many organizations continue to run older systems such as Windows 7 or Windows Server 2008 R2. In many cases, critical line-of-business applications only run on older frameworks, specialized production machines rely on vendor-locked drivers, or long hardware replacement cycles make immediate upgrades unrealistic. Some companies also operate regulated or validated environments where any OS change requires extensive re-certification.

Until now, these legacy endpoints posed a persistent security risk because unsupported or limited protection allowed attackers to exploit vulnerabilities with little resistance.

Monitoring Windows built-in local security Groups with Microsoft Defender XDR or Sentinel

Sun, 04 Feb 2024 21:50:36 +0000

Windows Built-in local security groups

Windows has several built-in local security groups that are designed to manage permissions and access rights on a computer. These groups are predefined by Windows, and each group has specific rights and permissions. The exact groups available can vary depending on the version of Windows you’re using or the features that are enabled, but here’s a general overview of the most commonly found built-in local security groups in Windows systems:

Defender for Endpoint – unified solution for Windows Server 2012 R2 and 2016 (Part2)

Mon, 06 Dec 2021 20:28:53 +0000

Hello everyone,

In my previous post (Part1) I provided an overview of the new Microsoft Defender for endpoint unified solution for Windows Server 2012-R2 and 2016 and how to deploy the solution manually to a new provisioned server. In this blog post I would like to walk you through the process of migrating a Windows 2016 server to the new unified solution using Microsoft Endpoint Configuration Manager.

For this we will be using the upgrade script that Microsoft provides. But let’s go through this step by step.

How to remediate Defender for Endpoint onboarding with ConfigMgr

Thu, 25 Feb 2021 18:57:49 +0000

During the past 5 years I have onboarded a couple of thousand devices into Microsoft Defender for Endpoint and can say that, provided that you done your homework with regards to network connectivity, onboarding devices into Defender for Endpoint usually just works. But as always in IT, there are exceptions.

Should you ever run into an issue with onboarding devices, I recommend checking the guidance provided here: Troubleshoot Microsoft Defender for Endpoint onboarding issues. Now if you have just a couple of devices to manage you will most likely spot any missing device within the Defender for Endpoint management portal, but what if you have several hundred or even thousands of devices? How would you find out that that particular device Computer0073 in Building D1 on the 6th floor is not correctly onboarded?

Generating Advanced hunting queries with PowerShell

Fri, 10 Jul 2020 23:21:46 +0000

I was recently writing some advanced hunting queries for Microsoft Defender ATP to search for the execution of specific PowerShell commands. If you are just looking for one specific command, you can run query as sown below

// Find all machines running a given Powersehll cmdlet.
let powershellCommandName = "Invoke-RickAscii"; 
DeviceEvents 
| where ActionType == "PowerShellCommand" 
| where AdditionalFields contains powershellCommandName

But if you are looking for several functions, then there is going to be a lot of manual editing, and so the idea was born to use PowerShell to help me generate an advanced hunting query. The below function can do the following:

Defender ATP Advanced hunting with TI from URLhaus

Sun, 21 Jun 2020 14:57:47 +0000

Hello everyone, in today’s article we are going to take look at how we can use Threat Intelligence (TI) data from URLhaus with Microsoft Defender ATP advanced hunting.

URLhaus

URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution. https://urlhaus.abuse.ch/ The project provides several ways to find and retrieve information about malware URLs.

You can browse the URL database interactively through https://urlhaus.abuse.ch/browse/

Managing Time Zone and Date formats in Microsoft Defender Security Center

Tue, 09 Jun 2020 15:49:25 +0000

When you receive security alerts or are investigating security related events , the aspect of time is important element. By default, date and time is displayed in Coordinated Universal Time (UTC) within the Microsoft Defender security center portal.

In todays’ blog post, I want to provide you with some insights and tips how to manage Timezone and the date time format within the Microsoft Defender security center.

Time zones

You can use the Time zone menu to change the time to your local time.

Advance your Microsoft Defender ATP hunting skills using the Atomic execution framework

Fri, 05 Jun 2020 12:38:56 +0000

Hello everyone, during the past months I took a closer look at MITRE ATT&CK to advance my hunting skills using Microsoft Defender Advanced Threat Protection. For those not familiar with MITRE ATT&CK, in short, it is a knowledge base knowledge base of adversary tactics and techniques based on real-world observations.

To familiarize myself with MITRE ATT&CK, I first started reading through all the tactics and techniques, to be honest while reading, I often couldn’t resists to get my hands on the keyboard and try things out, but I kept discipline and completed studying all the content first.

Meet the new Microsoft Defender ATP evaluation lab

Sun, 24 May 2020 14:23:52 +0000

This week Hadar Feldmann, senior program manager and security researcher at Microsoft announced the public preview of the new Microsoft Defender ATP evaluation lab that now includes two attack simulation solutions from AttackIQ and SafeBreach. The term ’evaluation’ might indicate that the lab is only intended for new customers hat are in the process of evaluating Microsoft Defender ATP, but that’s not the case, personally I think that it is also a perfect playground for existing customers to advance their investigation and hunting skills using Microsoft Defender ATP.

Exploring Microsoft Cloud App Security with PowerShell – Part1

Sun, 05 May 2019 13:45:37 +0000

Last Friday I was given the opportunity to present at the Configuration Manager Community Event (CMCE1905) in Bern, Switzerland. Although Microsoft Cloud App Security is not really related to ConfigMgr, many of the attendees are dealing with managing classic and modern workplaces and security is almost on everyone’s list of interest. During my session “Unleash the power of Microsoft Cloud App Security” I also demonstrated how one can explore information within Microsoft Cloud App Security through PowerShell. So, for all those interested how to do that, here we go.