Microsoft Defender for Endpoint custom data collection: get the telemetry you need
If you’ve been working with Microsoft Defender for Endpoint (MDE) for any length of time, you’ve probably run into this situation: you’re hunting for a specific behavior, you know it happened on a device, but when you query Advanced Hunting, there’s nothing. The event simply isn’t there. This isn’t a bug. It’s by design. Until recently, your only real options were to deploy…
Getting started with OpenCTI: threat intelligence connected to Microsoft Sentinel
For the past few years, MISP has been my go-to for threat intelligence. It’s open source, flexible, and does exactly what it says on the tin. But MISP is also showing its age in some areas — the interface is not the most intuitive, and wiring it into a modern SOC stack takes a fair amount of glue code. So when I kept seeing OpenCTI come up, I figured it was time to actually…
Microsoft Defender for Identity sensor guide (v3.x)
In a previous post on modernsecurity.nl, I walked through the classic installation of Microsoft Defender for Identity (MDI) using the v2.x sensor — prerequisites, gMSA configuration, Windows event auditing, NTLM auditing, and the manual download-and-install process. If you’ve deployed MDI before, you’ll remember the overhead: downloading an installer package, running it on…
Defender XDR advanced hunting tables: ingest directly into Sentinel data lake
If you’ve read my Microsoft Sentinel data lake implementation guide, you know I covered a DCR-based workaround for storing Defender XDR Advanced Hunting data long-term without paying full analytics tier ingestion costs. The approach: enable the XDR connector and use a Workspace Transformation DCR to redirect data from the original XDR table into that custom table. It worked…
Manage your live response library directly in Microsoft Defender
If you’ve been using live response in Microsoft Defender for Endpoint for a while, you’ve probably felt the friction. A critical incident comes in, you initiate a session, and then the race begins — digging through folders, shared drives, and old Teams chats trying to locate the right PowerShell script before the attacker moves laterally to the next system. In DFIR scenarios…
UEBA behaviors layer in Microsoft Sentinel: from raw logs to behavioral intelligence
Every SOC analyst knows the feeling. An alert fires. You open the incident. And then the real work begins: correlating AWS CloudTrail API calls, translating firewall log schemas, joining tables across data sources you barely recognize — all to answer one question: what actually happened? Microsoft’s new UEBA behaviors layer in Microsoft Sentinel changes that. Instead of…
Microsoft Defender for Cloud Apps: AI agent monitoring and real-time protection
Low-code platforms like Microsoft Copilot Studio make it easy for business users to build and deploy AI agents without going through IT or security. That’s useful, but it also means agents are getting created outside of any centralized review — with access to data, external systems, and tool calls that security teams often know nothing about. Microsoft Defender for Cloud…
Proactively Block Cloud Apps (like AI) with Microsoft Defender for Cloud Apps and Defender for Endpoint
Shadow IT remains one of the biggest challenges for security teams. Users access cloud applications daily without IT awareness: shady AI tooling, file sharing services, or apps that don’t meet compliance requirements like SOC 2 or ISO 27001. With the integration between Microsoft Defender for Cloud Apps and Microsoft Defender for Endpoint, you can proactively block apps on…
Microsoft Sentinel data lake: implementation guide
What is Microsoft Sentinel data lake? Microsoft Sentinel data lake is a purpose-built, cloud-native security data platform that addresses the fundamental challenge organizations face between comprehensive security coverage and cost sustainability. The platform transforms how organizations manage and analyze security data. The business challenge solved: traditional SIEM…
Automatic Attack Disruption in Microsoft Defender XDR
The reality of modern ransomware response. Picture this: It’s 2 AM. Your on-call engineer gets an alert about suspicious activity. By the time they log in, investigate, and start containment procedures, the attackers have already pivoted through three critical servers and begun encrypting your file shares. Sound familiar? This scenario plays out in organizations worldwide…
Selective Isolation in Defender for Endpoint – Combining tools like Velociraptor for DFIR
With the introduction of Selective Isolation, Microsoft Defender for Endpoint has taken a significant step toward more flexible incident response. Instead of fully isolating an endpoint from the network, security teams can now allow specific outbound connections — enabling secure communication with approved services such as a forensic server or response platform. This…
Integrating Microsoft Defender EASM with Exposure Management
Microsoft has taken another step in closing the gap between internal risk and external exposure. With the June 2025 public preview release of Microsoft Defender External Attack Surface Management (EASM) integration into Defender Exposure Management, organizations can now analyze attacker pathways that begin outside the enterprise perimeter. This addition enables a more…
Automatically tagging MITRE techniques with AI in SOC Optimization
Mapping security detections to the MITRE ATT&CK framework is crucial for understanding adversary behavior and improving threat response. However, maintaining accurate and consistent MITRE mappings across all analytics rules in large environments can be challenging. To support this process, Microsoft introduced AI-powered MITRE tagging—a feature available in public preview…
Defender for Office 365 Auto‑Remediation (AIR) – the hidden capability
With the continuous evolution of Microsoft Defender for Office 365, a powerful automation feature has been introduced quietly called Auto‑Remediation. Shipped in May 2025, this capability allows Defender to automatically remove malicious emails identified within a cluster—without requiring human intervention. While Automated Investigation & Response (AIR) has long offered…
Stopping malicious Browser Extensions with Microsoft Defender TVM and Intune
Browser extensions have quietly evolved into one of the most dangerous and overlooked attack vectors in modern enterprise environments. What started as simple tools for productivity or convenience now often function as fully-fledged malware—capable of harvesting data, hijacking sessions, and persisting through identity tokens and cloud sync. We’ve seen a sharp rise in…
Case management in Microsoft Defender and Sentinel: streamline your SecOps
Managing complex security incidents has always been a challenge for Security Operations Centers (SOCs). From correlating alerts to assigning tasks and documenting steps, analysts often work across disparate tools, losing context and efficiency. To address this, Microsoft has introduced native Case Management within its unified security operations platform. This feature…
OAuth attacks: How to detect and mitigate with Microsoft App Governance (MDA)
OAuth (Open Authorization) has transformed enterprise security by enabling seamless authentication and authorization between cloud applications. However, it also presents significant security risks if improperly governed. Threat actors, particularly nation-state actors like Midnight Blizzard (APT29), increasingly exploit OAuth-based vulnerabilities to gain unauthorized…
Integrating T-pot Honeypot with Microsoft Sentinel using Data Collection Rules (DCR)
In the face of increasing cybersecurity threats, early detection and analysis of attack behaviors are essential for proactive defense. Honeypots are invaluable tools that simulate vulnerable systems, attracting malicious actors and enabling security teams to study real attack methods without risking production environments. T-pot is an advanced honeypot framework that…
Microsoft Defender External Attack Surface Management (EASM)
As organizations grow their digital footprint, managing the external attack surface has become critical for reducing risks and improving security posture. Public-facing assets such as domains, APIs, IP addresses, and cloud resources are often the entry points for attackers. Without comprehensive visibility and monitoring, these assets can become vulnerabilities. Microsoft…
Maester – Swiss army knife for M365 security testing
In today’s digital environment, security and compliance are vital for organizations to protect their assets and meet regulatory standards. While traditional frameworks like CIS Controls offer a solid foundation, they often lack the flexibility and specificity needed for dynamic, modern threats. Maester is an open-source PowerShell-based test automation framework designed to…