Mark Sewell (@MarkSewe)
1.7K posts

I work as an InfoSec and Infrastructure specialist living in the U.K. In my spare time, I enjoy football and boxing! All views expressed here are my own.

UK · Joined May 2013
1.2K Following · 247 Followers
Boxing💪🏽 (@BowenBoxing):
David Haye on commentary, reminds me of the day he got destroyed…
Omri Segev Moyal (@GelosSnake):
In every incident I work, browser extensions are the last thing anyone checks. They're not in your EDR. Not in your SIEM. And they update themselves before anyone notices. @mthcht2 built the tool to fix this. 🧵
Mark Sewell (@MarkSewe):
@IAMERICAbooted Can you find a partner in crime, someone like-minded from a team that also likes to get stuff done? I’ve found that works. Also, raising issues to your CISOs or boss: if it’s a niche no one is owning, can you claim it and drive resolution?
EZ (@IAMERICAbooted):
I miss doing IR. I get invigorated during the hunt. I never get bored with looking at logs. My cloud skills are well suited in that space. My love will always be IAM, but finding another opportunity like my last job will be near impossible. I love my current job. My boss is amazing. My CISOs (yes, plural) are amazing. But I just feel underutilized and pigeon-holed into a small enclave, albeit a very important one. I don't want to leave my company or anything, I just want more diversity in my activities. How does one achieve that?
Mark Sewell (@MarkSewe):
@UK_Daniel_Card @akses_0x00 Turn off all the automated summaries in settings / Copilot. We had it summarising everything for all SOC analysts every time someone entered an incident. Thankfully they fixed it.
Mark Sewell (@MarkSewe):
@ainp0t @NathanMcNulty @IAMERICAbooted How are you monitoring this, via Entra IDP or XDR? I think they gave some options to suppress lower-fidelity detections within XDR, which could explain what you are seeing.
F T (@ainp0t):
@NathanMcNulty, @IAMERICAbooted or anyone. Does Entra ID Protection work properly in your environments? I have reviewed two environments where SecurityAlerts (IPC) events have dropped to 0 at the end of January and, looking at history, this is not normal.
Nathan McNulty (@NathanMcNulty):
If you aren't enforcing a browser extension allowlist, the time to change that was yesterday :( It's not that creating malicious extensions was hard before; the volume was lower. @byteben has an excellent guide to inventory and lock down extensions here: msendpointmgr.com/2025/10/04/tam…

Quoting David Ch (@chhddavid):
BREAKING: @claudeai just got a massive upgrade today and I'm so happy to be a part of it. From now on, Claude Opus 4.6 can build Chrome Extensions for every Chromium-based browser. We just launched Shipper, a tool that lets Claude: ✅ Build complete Chrome Extensions ✅ Recreate existing Extensions ✅ Ensure multi-browser compatibility ✅ Write privacy policies ✅ Autofill entire Chrome Web Store listings. Claude Opus 4.6 can do all the above in 1 simple prompt for as low as $0.11/extension... And it takes minutes, not hours! Open up Shipper and ask Claude to "create a free ad block extension" or "auto-invite 950 people weekly on linkedin". Since this is a very special launch, if you comment "shipper" you will get FREE credits :)
The United Stand (@UnitedStandMUFC):
🚨 Man Utd could be in BIG TROUBLE 🚨 What are your thoughts on this? 👇
Mark Sewell (@MarkSewe):
@_xDeJesus @NathanMcNulty @merill @fabian_bader Feels like a step in the right direction; sadly it's too broad and captures all app consent granted within the tenant. I struggled to see any identifier that highlighted the consent came from the implicit grant flow :-s
Terrance DeJesus (@_xDeJesus):
Just tested this with an emulated implicit grant flow. I could be wrong, but Entra ID sign-in logs didn't capture anything to distinguish that it was an implicit consent grant flow. Could be subjective to my testing tenant too. The relevant fields in sign-in logs all show none:
- authenticationProtocol: none
- clientCredentialType: none
- incomingTokenType: none

Audit logs seem to be a good start?

```kql
AuditLogs
| where OperationName == "Consent to application"
```

learn.microsoft.com/en-us/entra/id…
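Building on the audit-log approach in the post above, the following KQL query is an added example (not taken from the thread) that turns the bare "Consent to application" filter into an inventory of who consented to which application with which scopes. It assumes the Microsoft Sentinel AuditLogs table fed from Entra ID audit logs, and that each consent event carries the modifiedProperties entries ConsentAction.Permissions and ConsentContext.IsAdminConsent, as in the Entra audit schema; the Scope regex assumes the text format of that property and should be treated as an assumption. As the thread notes, nothing in these events identifies the OAuth flow (implicit or otherwise) that produced the consent, so this query inventories consents rather than flagging implicit grant.

```kql
// Added example, not code from the thread above.
// Assumes the Sentinel AuditLogs table populated from Entra ID audit logs.
// Property names (ConsentAction.Permissions, ConsentContext.IsAdminConsent)
// and the "Scope: ..." text layout are assumptions about the Entra audit schema.
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName == "Consent to application"
| where Result == "success"
// Who performed the consent and which app (service principal) received it
| extend Actor = tostring(InitiatedBy.user.userPrincipalName)
| extend AppDisplayName = tostring(TargetResources[0].displayName)
| extend AppObjectId = tostring(TargetResources[0].id)
// Each modified property is a {displayName, oldValue, newValue} record
| mv-expand Prop = TargetResources[0].modifiedProperties
| extend PropName = tostring(Prop.displayName), PropValue = tostring(Prop.newValue)
| where PropName in ("ConsentAction.Permissions", "ConsentContext.IsAdminConsent")
// Collapse the two properties back onto one row per consent event
| summarize
    Permissions    = take_anyif(PropValue, PropName == "ConsentAction.Permissions"),
    IsAdminConsent = take_anyif(PropValue, PropName == "ConsentContext.IsAdminConsent")
    by TimeGenerated, CorrelationId, Actor, AppDisplayName, AppObjectId
// Pull the space-separated scope list out of the permissions text
| extend Scopes = extract_all(@"Scope: ([^,\]]+)", Permissions)
| project TimeGenerated, Actor, AppDisplayName, AppObjectId, IsAdminConsent, Scopes
| order by TimeGenerated desc
```

Whether an app registration permits implicit grant at all is a property of the registration itself (the "Implicit grant and hybrid flows" settings on its Authentication blade), so the usual next step is to pair this consent inventory with a review of those settings on the apps it surfaces.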
Mark Sewell (@MarkSewe):
I'm trying to determine how widespread usage of the implicit grant flow is. Has anyone determined a good way to identify this from the Entra portal / KQL? @NathanMcNulty @merill @fabian_bader any ideas?
Vincent Teoh (@Vincent_Teoh):
Wow! Sony's restructuring its TV business by forming a joint venture company with TCL (TCL 51%; Sony 49%), which will then take over Sony's home entertainment business (including BRAVIA TV). I'm still wrapping my head around this deal, but what do you think of this seismic news?
Mark Sewell (@MarkSewe):
@Kostastsale Totally get it, my point was more that collecting data is great, but it’s only useful if insightful and usable. Ticking a collection box is one thing; it leading to a detection, a response action or supporting an investigation is somewhat different.
Kostas (@Kostastsale):
Thank you Mark. I get the point, but those examples are really symptoms of a larger issue. The underlying problem is that EDR comparisons today are inconsistent and ambiguous, which makes it hard to understand real differences between products. This service exists to remove that ambiguity by standardizing the feature set across vendors, applying the same definitions everywhere, and using a simple scoring model backed by written justification. The focus is on documenting how capabilities are exposed and under what conditions, not on walking through specific investigation scenarios. The end result is a vendor-neutral comparison that teams can actually use to compare products side by side and defend their decisions without relying on demos or marketing narratives. I think what you’re describing is better covered by MITRE ATT&CK and MITRE Engenuity Evaluations, which focus on attack flows and detection performance rather than feature-level comparison.
Kostas (@Kostastsale):
We’re expanding the EDR Comparison Project in a big way starting next week!

A new Advanced tier will expose our analysis, justification, and expert opinion for every feature across all EDR vendors. A new Enterprise tier will also introduce highly requested additions, including dedicated assistance with EDR selection and time allocated for focused research. We’re also integrating MITRE ATT&CK evaluation into our data, dashboards, and scoring engine for a more complete EDR comparison.

Pricing will change for new Basic and Advanced tiers. Early adopters are grandfathered into Basic and will get a limited-time, heavily discounted upgrade to Advanced.

This year, we’ve helped hundreds of people better understand how EDRs actually work through the EDR Telemetry Project and the EDR Comparison Service, and supported multiple enterprises in finding the right EDR for their needs. We’re here for the long run, with big plans for the new year and what’s ahead.

🔗 edr-comparison.com
Rudy Ooms (@Mister_MDM):
@itlararenJesper It is... and when the "fast lane" is there, things will become even better.
Rudy Ooms (@Mister_MDM):
The 8 Hour Intune Sync Myth: What Really Happens When You Change a Policy

Everyone believes Intune policies only sync every eight hours… what if I told you that isn’t true? The moment you change a policy, Intune contacts the Windows Notification Service to send a push that tells the device to check in. But as always, there’s a catch. A quiet throttle decides when the next push is allowed to proceed. Want to know more? Read the full story:

P.S: Big changes are coming!!! The new fast lane will make those pushes even quicker.

#Intune #MSIntune #Windows #Windows11 #WindowsAutopilot
patchmypc.com/blog/intune-po…
Mark Sewell (@MarkSewe):
@techspence Needs buy-in from the top down. Passwordless with Authenticator and WHfB is super simple and a rare win for both usability and security. Level set: it’s fewer passwords initially, with passwordless as the destination.
spencer (@techspence):
Help me out with this.. How easy is it currently to fully deploy passwordless authentication across an org? Bonus points for those who have done or are doing this currently.
Mark Sewell (@MarkSewe):
@IAMERICAbooted APT just goes to the file server and picks up someone’s password from the password.txt they shared on the drive to EVERYONE.
EZ (@IAMERICAbooted):
Responder :P MITM6 Overprivileged NAA accounts on every machine on the network managed by SCCM. Coerce machine authentications due to WebDAV and lack of SMB signing enforcement. Take control of a machine and dump SAM, SYSTEM, and SECURITY hives. Pass hashes to move laterally. Downgrade machine hashes to NetNTLMv1 or NetNTLMv1-SSP and generate the cleartext password. Credentials in local files, scripts, and software. Tokens!! 😈 Tickets!! Authentication Cookies Cached Credentials Certs with client authn Certificate Template and Authority vulns ... still! Write permissions on objects allowing addition of SPN for cracking passwords offline. Kerberoasting Unprotected credentials on shares and in cloud services. Plant malicious files on writable shares to coerce and harvest hashes. Oh wait ... that's pentesters :P

Quoting mRr3b00t (@UK_Daniel_Card):
What's the number one way Ransomware actors get credentials for a network? #Cyber #Security #Ransomware
Mark Sewell (@MarkSewe):
@techspence Totally, however inspection is becoming harder and harder with TLS 1.3. Also, devices are less frequently on corp networks due to hybrid working. Of course you still need to have inspection there too.
spencer (@techspence):
@MarkSewe The times I’ve seen it in place, I have no info about how it was configured. I will say, it’s extremely important to have non-endpoint detections: identity, network & deception.
spencer (@techspence):
I’ve had multiple internal pentests this year where the first security tool to detect my activity was an NDR product. I also had a convo just last week with a company that had ransomware, and the first product to detect it (& subsequently block further spread) was their NDR. They have what I’d consider a top 3 EDR product with their “full package.” Is 2026 the year of NDR?
Mark Sewell (@MarkSewe):
@NathanMcNulty I’d like Authenticator to support backup to OD4B, or Intune to be able to allow only Authenticator access to iCloud.