Sami Lamppu
@samilamppu.bsky.social
Pinned
Celebrating 4 years of the "#MicrosoftEntra Attack & Defense Playbook" 🔐 ☁️ community project! Last week, we (@naunheim.cloud & I) were in Chicago, and we took the opportunity to record a video about this project's journey.

#MVPBuzz #TechCommunity

youtu.be/fBD1ftf0PbA?...
Microsoft Entra ID Attack & Defense Playbook with Sami Lamppu
YouTube video by Thomas Naunheim
Reposted by Sami Lamppu
Had the great privilege and a lot of fun joining 🎙️#EntraChat together with my friend and MVP fellow @samilamppu.bsky.social!

🙏 Big thanks to @merill.net for having us - it was a pleasure to be part of the podcast. I hope everyone listening enjoyed it as much as we did recording it!
November 2, 2025 at 10:15 AM
Great chat with Merill Fernando on Entra Chat! We (Thomas Naunheim & I) shared some favorite findings and stories from the past years working with Entra ID Attack & Defense Playbook. Link to the full episode below👇
November 1, 2025 at 3:07 PM
Reposted by Sami Lamppu
Thomas Naunheim and Sami Lamppu quietly built one of the most useful open projects for Entra ID defenders.

The Entra ID Attack & Defense Playbook

It’s free, community-driven, and packed with real detection logic and KQL queries.

🧵👇
November 1, 2025 at 11:14 AM
Whoop, whoop! 🎉 I've earned my 5th consecutive MVP award! Now is a great time to start my vacation and think about security and AI stuff again in August!
July 11, 2025 at 5:08 AM
New in #DefenderXDR advanced hunting: Automatic Attack Disruption events are now in the DisruptionAndResponseEvents table! 🛡️

- Includes both block and policy-application events from disruption policies, plus auto-response actions across related workloads
- Boosts visibility into complex attacks
July 4, 2025 at 2:21 PM
Spent the week test-driving the Microsoft Learn Docs MCP server with Claude Desktop. Fast, precise document look-ups make it easy to ground answers in official Microsoft content.

Links:
- github.com/microsoftdoc...
- techcommunity.microsoft.com/blog/azurede...
Building an MCP Server for Microsoft Learn | Microsoft Community Hub
So why Microsoft Learn? Well, it's a treasure trove of knowledge for developers and IT pros. Secondly, because it has search page with many filters, it lends...
June 26, 2025 at 11:30 AM
I tried the #Lokka MCP server made by @merill.net. Lokka bridges Claude to Entra/Azure via Microsoft Graph.

I exported Entra security settings through APIs, parsed CA policies, and drafted a report with Claude Desktop. Early days, but it looks promising! #CloudSec #MCP

lokka.dev/docs/intro/
June 24, 2025 at 9:57 AM
Storm-2372 conducts a device code phishing campaign.

Update on Feb 14, 2025: 'Within the past 24 hours, MS has observed Storm-2372 shifting to using the specific client ID for MS AuthBroker in the device code sign-in flow.' Read the full story below 👇

www.microsoft.com/en-us/securi...
Storm-2372 conducts device code phishing campaign | Microsoft Security Blog
Microsoft Threat Intelligence Center discovered an active and successful device code phishing campaign by a threat actor we track as Storm-2372. Our ongoing investigation indicates that this campaign ...
February 17, 2025 at 7:07 AM
Reposted by Sami Lamppu
EntraOps repository:
github.com/Cloud-Archit...

Learn more about XSPM and Graph:
Deep Dive blog post on XSPM by @samilamppu.bsky.social
samilamppu.com/2024/04/25/m...

Blog posts by @fabian.bader.cloud
cloudbrothers.info/en/workshop-...
cloudbrothers.info/en/find-late...

Kusto Graph rocks! (3/3)
January 29, 2025 at 6:47 AM
Sentinel Content Hub leverages AI technology in the new search capability. Check out below how it works.

techcommunity.microsoft.com/blog/microso...
What’s new: Find the Sentinel content you need using AI search | Microsoft Community Hub
Overview Getting value from Microsoft Sentinel and the Microsoft Unified Security Operations Platform requires deploying the right solutions. Microsoft and...
February 3, 2025 at 2:14 PM
This blog post summarizes the three takeaways from the Microsoft AI Red Team white paper 'Lessons from red teaming 100 generative AI products':

www.microsoft.com/en-us/securi...
3 takeaways from red teaming 100 generative AI products | Microsoft Security Blog
The growing sophistication of AI systems and Microsoft’s increasing investment in AI have made red teaming more important than ever. Learn more.
January 18, 2025 at 9:03 AM
Reposted by Sami Lamppu
#MicrosoftEntra Attack & Defense Playbook Update:
@samilamppu.bsky.social and I have updated some content:

🔃 #EntraConnect: New capabilities by MDI sensor & XSPM
🎯 #AiTM: Attack scenarios on MDA sessions
🛡️ #MITRE: Updated TTP coverage & map

Check out the latest version:
github.com/Cloud-Archit...
GitHub - Cloud-Architekt/AzureAD-Attack-Defense: This publication is a collection of various common attack scenarios on Microsoft Entra ID (formerly known as Azure Active Directory) and how they can b...
January 9, 2025 at 8:00 AM
Together with @naunheim.cloud we did the following updates on Entra ID Attack & Defense Playbook:

Entra Connect: Added MDI enhancements and XSPM queries
AiTM: MDA section with Edge In-browser
MITRE: Updated heat map & TTPs

Check out the latest version 👉 github.com/Cloud-Archit...
GitHub - Cloud-Architekt/AzureAD-Attack-Defense: This publication is a collection of various common attack scenarios on Microsoft Entra ID (formerly known as Azure Active Directory) and how they can b...
January 9, 2025 at 8:14 AM
Leveraging ASIM-based KQL plugins in Microsoft Security Copilot for investigation scenarios

techcommunity.microsoft.com/blog/securit...
Leveraging ASIM-based KQL plugins in Microsoft Security Copilot for investigation scenarios | Microsoft Community Hub
Microsoft Security Copilot enhances the capabilities of Microsoft Sentinel by providing an AI-driven assistant that can help interpret complex hunting query...
December 20, 2024 at 6:27 AM
Looking for how to audit Security Copilot activities? This great Tech Community blog post explains how.

Monitor user activities & system events with Security Copilot and Sentinel 👇

techcommunity.microsoft.com/blog/securit...
Monitor User Activities and System Events with Security Copilot and Microsoft Sentinel | Microsoft Community Hub
We do recommend you read through our Privacy and data security document to understand more about what data we are capturing. Privacy and data security as...
December 17, 2024 at 5:36 AM
Unified SOC Operations Platform latest enhancement: Use Sentinel Workbooks directly from the Defender XDR portal
techcommunity.microsoft.com/blog/microso...
What's New: View Microsoft Sentinel Workbooks Directly from Unified SOC Operations Platform | Microsoft Community Hub
Key benefits: Unified viewing experience: Microsoft Sentinel workbook templates and saved workbooks can now be accessed directly within the...
December 15, 2024 at 5:57 AM
#MSUGFI aka 'Microsoft Security User Group Finland' meets next on Wednesday, 15.1.2024 at 17:00, hosted by Arrow ECS.

There are still a few seats available; if the event interests you, grab your ticket via the link below 👇

www.meetup.com/microsoft-se...
MSUG #5: Arrow ECS, Wed, Jan 15, 2025, 5:00 PM | Meetup
Microsoft Security User Group Finland's January event is held at [Arrow ECS](https://www.arrow.com/globalecs/fi/). Come and join in, listen, reflect...
December 11, 2024 at 10:15 AM