#Microsoft MVP | #CloudSecurity Architect ☁️ | #Entra #AzureAD 🔑 + #AzureSecurity 🛡️ | #CommunityRocks | #Schaengel
Thomas Naunheim







Had the great privilege and a lot of fun joining 🎙️#EntraChat together with my friend and MVP fellow @samilamppu.bsky.social! 🙏 Big thanks to @merill.net for having us - it was a pleasure to be part of the podcast. I hope everyone listening enjoyed it as much as we did recording it!
The availability of GraphApiAuditEvents in #MicrosoftDefender brings significant value to every environment, enhancing capabilities for detecting and hunting #MicrosoftGraph API calls. In my recent research, I’ve created a few resources that I’m happy to share with the community.
Speaking at #TROOPERS26 next week and I can't wait. Joining @martinsohn.dk to talk about attack paths to #PAW and real-world risks of tiered admin models with #IntuneRBAC. Plus something we've been working on for months... See you in Heidelberg! www.troopers.de #EntraOps #Bloodhound
1️⃣ 🤔 Comparison Deep Dive What are the differences between GraphApiAuditEvents (XDR) and MicrosoftGraphActivityLogs (Diagnostic Logs in #MicrosoftSentinel)? I’ve built a comparison table outlining the differences in column availability and detail levels.
2️⃣ 🔍 Normalized schema for shared queries Want to reuse existing queries or unify detection logic across both tables? I’ve published a #KQL function that normalizes the schema of GraphApiAuditEvents to match that of MicrosoftGraphActivityLogs. 🔗 github.com/Cloud-Archit...
3️⃣ 🛠️ Enhanced Enrichment Function Recently, I've released a #KQL function integrating #ExposureManagement and #EntraOps data to identify sensitive callers, actions, and targets. Updated to support parameters like IP Address and Token Identifier. 🔗 github.com/Cloud-Archit...
[New blog post] Analyzing #MicrosoftEntra 🤖 Workload Identity Activity Through 🪙 Token-Based Hunting: I’ve published a #KQL function to hunt activities by tokens from non-human identities and share some experimental queries and insights in this article. www.cloud-architekt.net/token-huntin...
#ConsentFix is a great way for attackers to work around some protective layers but not all. @naunheim.cloud, @cbrhh.bsky.social and I wrote a blog post on detection and mitigations. Hope you find it useful and can adapt it to your environment. www.glueckkanja.com/de/posts/202...