Loris Ambrozzo

Check out my first blog post about "Insight on Azure Instance Metadata Service from an attacker and defender perspective"🛡️⚔️! lorisambrozzo.medium.com/insight-into-t… #MicrosoftAzure #IMDS #MicrosoftSentinel #MicrosoftDefenderXDR

Intune 2603 finally fixes RBAC scope tag pain with Scoped Permissions. I took a deep dive into how it works & which real‑world problems it solves 👇 @verboonjanic/a-deep-dive-into-the-new-intune-scoped-rbac-permissions-3ffb6a9cee74" target="_blank" rel="nofollow noopener">medium.com/@verboonjanic/…

Check out my blog post "Mastering (Orphan) API Connections in Microsoft Sentinel Playbooks" in which I demonstrate how to manage the API connections of your Microsoft Sentinel Playbooks and identify orphaned ones. blog.ambrozzo.ch/posts/masterin… #microsoftsentinel #LogicApps #IaC

Disabling a user account during a security incident removes them from all Microsoft Teams. Private channel membership is not automatically restored. This #KQL query lists all private channels the user was removed from. github.com/lorisAmbrozzo/…

I just published Automatically grant Display over other apps permissions on Zebra devices using Microsoft Intune medium.com/p/automaticall… #Intune #AndroidEnterprise

While diving into Defender XDR Attack Disruption with @nicolonsky, I noticed that the Enterprise App Microsoft Defender for Identity (formerly Radius Aad Syncer) is responsible for the response actions in Entra ID. The #KQL query lists these actions. github.com/lorisAmbrozzo/…

The minimum Sense Agent version required for the #Defender XDR Attack Disruption Contain User action to work is v10.8470. Use the following KQL query to identify endpoints with outdated sense versions: github.com/nicolonsky/ITD…

My little side project is slowly but surely coming together... stay tuned for more :) #Intune #IntuneSuite #EAM #Enterpriseapplicationmanegement

That's a simple one but could be quite useful also in combination with other #detections.💥Since a few days, it's possible to use #KQL to detect when a global admin elevates access to manage all subscriptions and management groups. github.com/lorisAmbrozzo/…

Get all Azure DevOps Security Code & Infrastructure as code recommendations with #KQL github.com/alexverboon/Hu… #AzureDevOpsSecurity #CodeAnalysis

#KQL query to identify logon events with the default local administrator on devices to see e.g. if the default local admin can be easily disabled and migrated to a LAPS managed local user account. github.com/lorisAmbrozzo/…

Pop quiz, which requirement providers can enforce MFA within Entra ID? #Azure Portal with 'request' & 'App requires MFA' will be next I guess (: #check-the-current-mfa-requirement-provider-for-portals" target="_blank" rel="nofollow noopener">github.com/nicolonsky/ITD…

Mitigations for CVE-2024-38124 - Implement monitoring for any suspicious renaming activities of computers within the network. #KQL when you use #MDE or #MDI github.com/alexverboon/Hu… #MicrosoftDefenderXDR #Detection

@FlorianSLZ @IntuneSuppTeam Yeah, it doesn't work for me either.

Anyone else unable to connect to #MSIntune? @IntuneSuppTeam

Over the past days, I've had several requests from customers to review and block the access from #Tor exit nodes to all portals. This #KQL Query retrieves all exit nodes from the official Tor project and correlates the IP address with the Sign In logs. github.com/lorisAmbrozzo/…

You are not affected by the current #CrowdStrike outage? Great, so you got time. You use #MDE? Then better have a look at the gradual rollout process for Microsoft Defender to avoid this in the future in your environment. cloudbrothers.info/en/gradual-rol…

➡️Learn how you can find lateral movement paths using #KQL Graph semantics in my latest blog post. Find an attack path to Domain Admin natively within #XDR by creating you own nodes and edges and the graph-match operator. #Security #MDE #Sentinel cloudbrothers.info/en/find-latera…

@_dirkjan Was a very cool & interesting session! Thanks for sharing💪🏻!

The recordings of @a41con are available! If you're interested in credential phishing, device code phishing, applying that to phish for PRTs and Windows Hello keys... Give it a watch! 😁 youtu.be/tNh_sYkmurI

@ChrisParadox1 Totally agree!

@LorisAmbrozzo @fabian_bader An unpatched device since 2021 doesn’t deserve to sign in…

#KQL Query to list devices which are still using the #KDFv1 algorithm to store the Primary Refresh Token which was addressed in CVE-2021-33781. Unpatched devices using the KDFv1 algorithm will no longer be able to sign in to Entra ID. github.com/lorisAmbrozzo/…

@nicolonsky Thanks for sharing and the inspiration! 💪

Happy to see another colleague sharing #KQL queries with the community 🎉