Loris Ambrozzo
lorisambrozzo.bsky.social
Security Consultant @baseVISION
Interested in anything related to cloud security and identity topics
Disabling a user account during a security incident removes them from all Microsoft Teams. Private channel membership is not automatically restored. This #KQL query lists all private channels the user was removed from.

github.com/lorisAmbrozz...
November 7, 2025 at 10:06 AM
While diving into Defender XDR Attack Disruption with x.com/nicolonsky, I noticed that the Enterprise App Microsoft Defender for Identity (formerly Radius Aad Syncer) is responsible for the response actions in Entra ID. The #KQL query lists these actions.

github.com/lorisAmbrozz...
April 17, 2025 at 10:53 AM
That's a simple one, but it could also be quite useful in combination with other #detections. 💥 For a few days now, it's been possible to use #KQL to detect when a global admin elevates access to manage all subscriptions and management groups.

github.com/lorisAmbrozz...
February 7, 2025 at 6:45 AM