Thomas Naunheim
@naunheim.cloud
#Microsoft MVP | #CloudSecurity Architect ☁️ | #Entra #AzureAD 🔑 + #AzureSecurity 🛡️ | #CommunityRocks | #Schaengel
1️⃣ 🤔 Comparison Deep Dive
What are the differences between GraphApiAuditEvents (XDR) and MicrosoftGraphActivityLogs (Diagnostic Logs in hashtag#MicrosoftSentinel)? I’ve built a comparison table outlining the differences in column availability and detail levels.
What are the differences between GraphApiAuditEvents (XDR) and MicrosoftGraphActivityLogs (Diagnostic Logs in hashtag#MicrosoftSentinel)? I’ve built a comparison table outlining the differences in column availability and detail levels.
July 30, 2025 at 6:47 AM
1️⃣ 🤔 Comparison Deep Dive
What are the differences between GraphApiAuditEvents (XDR) and MicrosoftGraphActivityLogs (Diagnostic Logs in hashtag#MicrosoftSentinel)? I’ve built a comparison table outlining the differences in column availability and detail levels.
What are the differences between GraphApiAuditEvents (XDR) and MicrosoftGraphActivityLogs (Diagnostic Logs in hashtag#MicrosoftSentinel)? I’ve built a comparison table outlining the differences in column availability and detail levels.
🚀🔎 Track Sensitive Graph API Calls with my new #KQL Function for #MicrosoftDefenderXDR
Microsoft has released the new advanced hunting table "GraphAPIAuditEvents" which offers great opportunities to investigate activities based on #MicrosoftGraph API calls.
Microsoft has released the new advanced hunting table "GraphAPIAuditEvents" which offers great opportunities to investigate activities based on #MicrosoftGraph API calls.
July 17, 2025 at 6:43 AM
🚀🔎 Track Sensitive Graph API Calls with my new #KQL Function for #MicrosoftDefenderXDR
Microsoft has released the new advanced hunting table "GraphAPIAuditEvents" which offers great opportunities to investigate activities based on #MicrosoftGraph API calls.
Microsoft has released the new advanced hunting table "GraphAPIAuditEvents" which offers great opportunities to investigate activities based on #MicrosoftGraph API calls.
I have integrated the classification model of #EntraOps to identify sensitive roles in #MicrosoftEntra, #MicrosoftGraph, and #AzureRBAC. This function offers a holistic view and report on SPs including details such as ownership and assigned Azure Roles (enriched by CSPM data). (2/2)
April 9, 2025 at 11:51 AM
I have integrated the classification model of #EntraOps to identify sensitive roles in #MicrosoftEntra, #MicrosoftGraph, and #AzureRBAC. This function offers a holistic view and report on SPs including details such as ownership and assigned Azure Roles (enriched by CSPM data). (2/2)
I've published a #KQL function ("WorkloadIdentityInfoXDR") for #MicrosoftDefender to enhance details of #MicrosoftEntra #WorkloadID from various sources, incl. the new table "OAuthAppInfo" but also IdentityInfo table and #ExposureManagement. (1/2)
🔗 github.com/Cloud-Archit...
🔗 github.com/Cloud-Archit...
April 9, 2025 at 11:51 AM
I've published a #KQL function ("WorkloadIdentityInfoXDR") for #MicrosoftDefender to enhance details of #MicrosoftEntra #WorkloadID from various sources, incl. the new table "OAuthAppInfo" but also IdentityInfo table and #ExposureManagement. (1/2)
🔗 github.com/Cloud-Archit...
🔗 github.com/Cloud-Archit...
Cloud #IdentitySummit 2025 is back!
Save the date and join this community event with #IdentitySecurity, #MicrosoftEntra, and #CloudIdentity deep dive sessions in Dortmund, Germany.
Call for Papers is open now:
sessionize.com/cloud-identi...
Stay tuned for more details:
www.identitysummit.cloud
Save the date and join this community event with #IdentitySecurity, #MicrosoftEntra, and #CloudIdentity deep dive sessions in Dortmund, Germany.
Call for Papers is open now:
sessionize.com/cloud-identi...
Stay tuned for more details:
www.identitysummit.cloud
April 8, 2025 at 5:23 AM
Cloud #IdentitySummit 2025 is back!
Save the date and join this community event with #IdentitySecurity, #MicrosoftEntra, and #CloudIdentity deep dive sessions in Dortmund, Germany.
Call for Papers is open now:
sessionize.com/cloud-identi...
Stay tuned for more details:
www.identitysummit.cloud
Save the date and join this community event with #IdentitySecurity, #MicrosoftEntra, and #CloudIdentity deep dive sessions in Dortmund, Germany.
Call for Papers is open now:
sessionize.com/cloud-identi...
Stay tuned for more details:
www.identitysummit.cloud
IdentityInfo table in #MicrosoftDefender has been expanded to include eligible roles from #MicrosoftEntra. I’ve developed a #KQL function to get a summarized overview of all directory role assignments, enriched with details from my #EntraOps classification:
github.com/Cloud-Archit...
github.com/Cloud-Archit...
March 17, 2025 at 6:12 AM
IdentityInfo table in #MicrosoftDefender has been expanded to include eligible roles from #MicrosoftEntra. I’ve developed a #KQL function to get a summarized overview of all directory role assignments, enriched with details from my #EntraOps classification:
github.com/Cloud-Archit...
github.com/Cloud-Archit...
I had the great pleasure of speaking about #MicrosoftEntra Token Hunting 🍪🔎 at #YellowHat 🚧👷♂️. You can find the slides from my session here:
📄 github.com/Cloud-Archit...
All #KQL sample queries are available in my repo:
👨💻 github.com/Cloud-Archit...
📄 github.com/Cloud-Archit...
All #KQL sample queries are available in my repo:
👨💻 github.com/Cloud-Archit...
March 8, 2025 at 9:31 AM
I had the great pleasure of speaking about #MicrosoftEntra Token Hunting 🍪🔎 at #YellowHat 🚧👷♂️. You can find the slides from my session here:
📄 github.com/Cloud-Archit...
All #KQL sample queries are available in my repo:
👨💻 github.com/Cloud-Archit...
📄 github.com/Cloud-Archit...
All #KQL sample queries are available in my repo:
👨💻 github.com/Cloud-Archit...
I have the great pleasure of joining a shared session with @samilamppu.bsky.social at the M365 Security & Compliance User Group tonight. Last preparations are now in full swing... You can find more details about the meetup and register for this free online event here:
www.meetup.com/m365sandcug/...
www.meetup.com/m365sandcug/...
February 26, 2025 at 12:51 PM
I have the great pleasure of joining a shared session with @samilamppu.bsky.social at the M365 Security & Compliance User Group tonight. Last preparations are now in full swing... You can find more details about the meetup and register for this free online event here:
www.meetup.com/m365sandcug/...
www.meetup.com/m365sandcug/...
Enhancements in #MicrosoftEntra (diagnostic) logs: Several interesting sign-in properties (including Session ID, status for Token Protection, or GSA traffic) have been added to the sign-in logs and available in #MicrosoftSentinel. (1/3)
February 11, 2025 at 5:31 PM
Enhancements in #MicrosoftEntra (diagnostic) logs: Several interesting sign-in properties (including Session ID, status for Token Protection, or GSA traffic) have been added to the sign-in logs and available in #MicrosoftSentinel. (1/3)
Final touches and rehearsal for my #TECTalk on #TokenSecurity in #MicrosoftEntra tonight. I'll be discussing attack scenarios on various token types and how TPM, Token Protection, CAE & Global Secure Access can help prevent token theft. Register for the free webinar:
www.quest.com/event/the-ex...
www.quest.com/event/the-ex...
January 23, 2025 at 8:23 AM
Final touches and rehearsal for my #TECTalk on #TokenSecurity in #MicrosoftEntra tonight. I'll be discussing attack scenarios on various token types and how TPM, Token Protection, CAE & Global Secure Access can help prevent token theft. Register for the free webinar:
www.quest.com/event/the-ex...
www.quest.com/event/the-ex...
Am 11.04.2025 findet die #ExpertsLiveDE in Leipzig statt, mit vielen spannenden Vorträgen zu Cloud, Workplace, AI und Security. Ich freue mich sehr, dieses Jahr dabei sein zu dürfen und über #TokenTheft in #MicrosoftEntra sprechen zu dürfen. Weitere Infos sowie Tickets: www.expertslive.de
December 17, 2024 at 6:07 AM
Am 11.04.2025 findet die #ExpertsLiveDE in Leipzig statt, mit vielen spannenden Vorträgen zu Cloud, Workplace, AI und Security. Ich freue mich sehr, dieses Jahr dabei sein zu dürfen und über #TokenTheft in #MicrosoftEntra sprechen zu dürfen. Weitere Infos sowie Tickets: www.expertslive.de
Do you like to learn more about tokens and ways to protect them in #MicrosoftEntra? Join my #TECTalk on January 23rd to explore the various kind of token artifacts, post authentication attacks and mitigations to prevent #TokenTheft. Register for free at www.quest.com/event/the-ex...
November 27, 2024 at 6:55 PM
Do you like to learn more about tokens and ways to protect them in #MicrosoftEntra? Join my #TECTalk on January 23rd to explore the various kind of token artifacts, post authentication attacks and mitigations to prevent #TokenTheft. Register for free at www.quest.com/event/the-ex...
New Release: #EntraOps 0.3.3! 🚀 This update includes bug fixes and enhancements to #MicrosoftSentinel workbooks and nested #MicrosoftEntra PIM for Groups. Get the latest version from the GitHub repository: github.com/Cloud-Archit...
November 27, 2024 at 6:06 AM
New Release: #EntraOps 0.3.3! 🚀 This update includes bug fixes and enhancements to #MicrosoftSentinel workbooks and nested #MicrosoftEntra PIM for Groups. Get the latest version from the GitHub repository: github.com/Cloud-Archit...
Next week, I have the great pleasure to speak together with @gregorreimling.bsky.social at APE XXL in Apenheul, NL. We'll be sharing best practices in various design areas of #Azure #EnterpriseScale. Get your tickets for a day full of #Azure breakout sessions and workshops: xxl.azure-ape.nl
November 25, 2024 at 12:52 PM
Next week, I have the great pleasure to speak together with @gregorreimling.bsky.social at APE XXL in Apenheul, NL. We'll be sharing best practices in various design areas of #Azure #EnterpriseScale. Get your tickets for a day full of #Azure breakout sessions and workshops: xxl.azure-ape.nl
November 23, 2024 at 1:41 AM
Day two of #MSIgnite: Delving into the latest announcements and features for #MicrosoftEntra has been a focus today for me, and I’ve enjoyed the following sessions.
November 20, 2024 at 11:57 PM
Day two of #MSIgnite: Delving into the latest announcements and features for #MicrosoftEntra has been a focus today for me, and I’ve enjoyed the following sessions.
First day at my very first #MSIgnite: Excited to dive into the latest announcements, connect with experts from around the globe, catch up with my fellow MVPs. It was great to start the day with my colleagues and meet Raymond and Sander. Feel free to say hi 👋 and have a chat if you are around.
November 20, 2024 at 12:00 AM
First day at my very first #MSIgnite: Excited to dive into the latest announcements, connect with experts from around the globe, catch up with my fellow MVPs. It was great to start the day with my colleagues and meet Raymond and Sander. Feel free to say hi 👋 and have a chat if you are around.
I had the great pleasure to speak and attend #HIPConf in New Orleans! I’ve seen many fantastic sessions and very interesting discussions. I had a great time and opportunity to meet @drazuread.bsky.social, Eric Woodruff, Karl Fosaaen and many other identity experts from the community.
November 16, 2024 at 12:50 PM
I had the great pleasure to speak and attend #HIPConf in New Orleans! I’ve seen many fantastic sessions and very interesting discussions. I had a great time and opportunity to meet @drazuread.bsky.social, Eric Woodruff, Karl Fosaaen and many other identity experts from the community.
Kicking off day 2 at #HIPConf with a deep-dive session on token-based authentication and attacks by @drazuread.bsky.social.
November 14, 2024 at 4:53 PM
Kicking off day 2 at #HIPConf with a deep-dive session on token-based authentication and attacks by @drazuread.bsky.social.