Robbe Van den Daele
@robbevddaele.bsky.social
SSCP | MC2MC | Security Consultant & SOC Engineer
March 27, 2025 at 4:25 PM
Do not forget to tag the Exchange Trusted Subsystem, Exchange Windows Permissions, and Organization Management groups as sensitive in #MDI if you have on-premises Exchange without the split permissions model. These groups are not tagged as sensitive by default by MDI.
March 9, 2025 at 1:15 PM
Detections to find ADWS requests from unexpected binaries on the source devices already exist. But if an unknown device found a way to connect to ADWS, these cannot be used. Rather than flagging all ADWS requests, you can flag them from unknown source devices:

#DefenderXDR #KQL
March 6, 2025 at 5:20 AM
Did you know that the logs of #Microsoft #Entra GSA contain data that helps a lot in detection engineering and incident investigations when combined with MDE? Read my latest blog on how you can correlate logs of these two solutions, and what the benefits are.

hybridbrothers.com/correlating-...
Correlating Defender for Endpoint and Global Secure Access Logs
Introduction If you are working with Microsoft security solutions, you might have heard of the new kid on the block called Microsoft Global Secure Access. Being a blue teamer myself, I asked myself...
February 16, 2025 at 12:53 PM
Reposted by Robbe Van den Daele
@robbevddaele.bsky.social talks about how to combine Defender for Endpoint and Global Secure Access together #wpninjasnl #wpninjaconnect
February 5, 2025 at 11:36 AM
Interested in how I parse #CEF syslog messages from network security appliances to the CommonSecurityLog table in #MicrosoftSentinel without using AMA? Read my latest blog post at:

hybridbrothers.com/parsing-cef-...

#Microsoft #MicrosoftSecurity
Parsing CEF messages without Azure Monitor Agent
Introduction During my time as SOC Engineer, I do a lot of third-party data source ingestion projects for clients into their Microsoft Sentinel instances. Most of these data sources are network sec...
January 13, 2025 at 11:47 AM
In my latest blog post, I wanted to talk about the nuances most organizations overlook with #defenderforendpoint device isolation and containment, and how these capabilities can co-exist next to containment actions via networking equipment.

hybridbrothers.com/device-isola...

#Microsoft
Device isolation and containment strategies
Introduction As a Security Operation Center, you want to be able to contain devices and users on a network as a response to an adversary event. However, depending on the security stack you are usin...
December 9, 2024 at 10:09 PM
Reposted by Robbe Van den Daele
WP Connect Speaker announcement:

Our next speaker is @robbevddaele.bsky.social. He is talking about how to use Defender for Endpoint and Global Secure Access better together.

More information about the event check: https://buff.ly/4fHGe78

#WPNinjasNL #WPNinjaNLConnect #WPNinjaConnect
December 5, 2024 at 1:00 PM
Reposted by Robbe Van den Daele
📅 We are pleased to share the agenda for MC2MC Connect, taking place on February 6 in Antwerp.

You can view the full agenda here: connect.mc2mc.be/agenda/

We hope to see you there! 🚀

#MC2MC #ConnectMC2MC #Connect #Collaborate #Create
December 3, 2024 at 1:14 PM
OnePlus OxygenOS 14.1 seems to support third-party passkey providers again, allowing us to use passkeys in #Microsoft #EntraID again. 👀
December 1, 2024 at 10:50 AM