Hunting for MFA manipulations in Entra ID tenants using KQL
The following article, Hunting for MFA manipulations in Entra ID tenants using KQL, proved to be an invaluable resource in my search for an automated way to notify users of MFA modifications. I've adapted the KQL query to function within Defender Advanced Hunting or Azure Entra; my objective is to establish an alert that directly emails the affected user, informing them of the MFA change and advising them to contact security if they did not initiate it. While the query runs correctly under Defender Advanced Hunting, I'm currently unable to create a workable custom alert because no "ReportId" is being captured. (Reading the query below, one likely cause is visible: the `project` that builds AuthenticationMethodReport keeps Timestamp, Action, Actor, Target, ChangedValue, OldValue and NewValue but not ReportId, so rows from the RemovedMethods, AddedMethods and DefaultMethodChanges branches reach the final union with an empty ReportId; only the AuthenticationDetailsChanges branch still carries one, and that branch rewrites it as tostring(RawEventData.ReportId) instead of keeping the CloudAppEvents column, which may also be worth checking.) Despite consulting with Copilot, Gemini, CDW Support, and Microsoft Support, no workable solution has been achieved. Any insight would be greatly appreciated - Thank You!
//Advanced Hunting query to parse modified:
//StrongAuthenticationUserDetails (SAUD)
//StrongAuthenticationMethod (SAM)
let SearchWindow = 1h; let AuthenticationMethods = dynamic(["TwoWayVoiceMobile","TwoWaySms","TwoWayVoiceOffice","TwoWayVoiceOtherMobile","TwoWaySmsOtherMobile","OneWaySms","PhoneAppNotification","PhoneAppOTP"]); let AuthenticationMethodChanges = CloudAppEvents | where ActionType == "Update user."
and RawEventData contains "StrongAuthenticationMethod" | extend Target = tostring(RawEventData.ObjectId) | extend Actor = tostring(RawEventData.UserId) | mv-expand ModifiedProperties = parse_json(RawEventData.ModifiedProperties) | where ModifiedProperties.Name == "StrongAuthenticationMethod" | project Timestamp,Actor,Target,ModifiedProperties,RawEventData,ReportId; let OldValues = AuthenticationMethodChanges | extend OldValue = parse_json(tostring(ModifiedProperties.OldValue)) | mv-apply OldValue on (extend Old_MethodType=tostring(OldValue.MethodType),Old_Default=tostring(OldValue.Default) | sort by Old_MethodType); let NewValues = AuthenticationMethodChanges | extend NewValue = parse_json(tostring(ModifiedProperties.NewValue)) | mv-apply NewValue on (extend New_MethodType=tostring(NewValue.MethodType),New_Default=tostring(NewValue.Default) | sort by New_MethodType); let RemovedMethods = AuthenticationMethodChanges | join kind=inner OldValues on ReportId | join kind=leftouter NewValues on ReportId,$left.Old_MethodType==$right.New_MethodType | where Old_MethodType != New_MethodType | extend Action = strcat("Removed (" , AuthenticationMethods[toint(Old_MethodType)], ") from Authentication Methods.") | extend ChangedValue = "Method Removed"; let AddedMethods = AuthenticationMethodChanges | join kind=inner NewValues on ReportId | join kind=leftouter OldValues on ReportId,$left.New_MethodType==$right.Old_MethodType | where Old_MethodType != New_MethodType | extend Action = strcat("Added (" , AuthenticationMethods[toint(New_MethodType)], ") as Authentication Method.") | extend ChangedValue = "Method Added"; let DefaultMethodChanges = AuthenticationMethodChanges | join kind=inner OldValues on ReportId | join kind=inner NewValues on ReportId | where Old_Default != New_Default and Old_MethodType == New_MethodType and New_Default == "true" | join kind=inner OldValues on ReportId | where Old_Default1 == "true" and Old_MethodType1 != New_MethodType | extend Old_MethodType = 
Old_MethodType1 | extend Action = strcat("Default Authentication Method was changed to (" , AuthenticationMethods[toint(New_MethodType)], ").") | extend ChangedValue = "Default Method"; let AuthenticationMethodReport = union RemovedMethods,AddedMethods,DefaultMethodChanges | project Timestamp,Action,Actor,Target,ChangedValue,OldValue=case(isempty(Old_MethodType), "",strcat(Old_MethodType,": ", AuthenticationMethods[toint(Old_MethodType)])),NewValue=case(isempty( New_MethodType),"", strcat(New_MethodType,": ", AuthenticationMethods[toint(New_MethodType)])); let AuthenticationDetailsChanges = CloudAppEvents | where ActionType == "Update user." and RawEventData contains "StrongAuthenticationUserDetails" | extend Target = tostring(RawEventData.ObjectId) | extend Actor = tostring(RawEventData.UserId) | extend ReportId= tostring(RawEventData.ReportId) | mvexpand ModifiedProperties = parse_json(RawEventData.ModifiedProperties) | where ModifiedProperties.Name == "StrongAuthenticationUserDetails" | extend NewValue = parse_json(replace_string(replace_string(tostring(ModifiedProperties.NewValue),"[",""),"]","")) | extend OldValue = parse_json(replace_string(replace_string(tostring(ModifiedProperties.OldValue),"[",""),"]","")) | mv-expand NewValue | mv-expand OldValue | where (tostring( bag_keys(OldValue)) == tostring(bag_keys(NewValue))) or (isempty(OldValue) and tostring(NewValue) !contains ":null") or (isempty(NewValue) and tostring(OldValue) !contains ":null") | extend ChangedValue = tostring(bag_keys(NewValue)[0]) | extend OldValue = tostring(parse_json(OldValue)[ChangedValue]) | extend NewValue = tostring(parse_json(NewValue)[ChangedValue]) | extend OldValue = case(ChangedValue == "PhoneNumber" or ChangedValue == "AlternativePhoneNumber", replace_strings(OldValue,dynamic([' ','(',')']), dynamic(['','',''])), OldValue ) | extend NewValue = case(ChangedValue == "PhoneNumber" or ChangedValue == "AlternativePhoneNumber", replace_strings(NewValue,dynamic([' ','(',')']), 
dynamic(['','',''])), NewValue ) | where tostring(OldValue) != tostring(NewValue) | extend Action = case(isempty(OldValue), strcat("Added new ",ChangedValue, " to Strong Authentication."),isempty(NewValue),strcat("Removed existing ",ChangedValue, " from Strong Authentication."),strcat("Changed ",ChangedValue," in Strong Authentication.")); union AuthenticationMethodReport, AuthenticationDetailsChanges | extend AccountUpn = Target | where Timestamp > ago(SearchWindow) //| summarize count() by Timestamp, Action, Actor, Target, ChangedValue, OldValue, NewValue, ReportId, AccountDisplayName, AccountId, AccountUpn | summarize arg_max(Timestamp, *) by Action | project Timestamp, Action, Actor, Target, ChangedValue, OldValue, NewValue, ReportId, AccountDisplayName, AccountId, AccountUpn | sort by Timestamp descHeyNikoJun 13, 2025Copper Contributor42Views0likes1Commentsecure score not improving: ensure all users can complete MFA
I have created a conditional access rule for all users + all cloud apps + any location to require MFA, but the score hasn't increased in a week. I notice it says "You have 56 out of 183 users registered and protected with MFA." (which was the case before the conditional access policy). (FYI, this is a messy tenant with lots of previous users that have sign-in blocked and lots of users converted to shared mailboxes.) Does that mean that the score is actually evaluated on the % of users that complete the MFA registration? If so, the title of this item is misleading... it should just be called something like "% of users registered for MFA", and the remediation steps should make clear that creating the policy doesn't guarantee score improvement. Please assist.
jfinNZ Jun 10, 2025 Copper Contributor 16K Views 0 likes 4 Comments
Compromise from the first moment we open a browser
Internet Vs Local file Content Interference and Control Part 1 I started looking at this a while ago. I’d look something up online, go away, tell people about it or make a calendar appointment; only to return to the source material and find it somewhat different to my recollection. At first I thought I was going a bit forgetful, but the problem was the memory was very clear, I’d double check, it would still change. Over time it started seeping out further - progressing from time differences on the files saved in onedrive (desktop vs mobile view, not just my memory vs PC and this was the first clue); to lists rearranging them in excel, and data copied from one source to another showed alteration…. But seemingly only when I was being particularly boastful, or especially stressed. I remember I’d just started working at a new place, and keen to impress, made a spreadsheet that saved a LOT of manual reconciliation for the team. The first run and second went great, no major issues…. The third and on developed errors (and this was in a vlookup, it’s quite a standard easy to predict feature, shouldn’t change much between times). Whilst the saved file hadn’t been tampered with, I started to suspect that the data input may have been. This wasn’t the start of the issues, it’s just a good example of it interfering with life in a way that makes you doubt your skills and abilities. Electronic gaslighting. Background The actual code that allows such interference eluded me however, until I came across a website called string-functions.com. Here we could convert string characters from or to hex, decimal, binary, " String(Hello) = hex(48656c6c6f0d0a) = Dec(20377714673257738) = Binary(1001000011001010110110001101100011011110000110100001010) " … but oddly binary back to string gave me this: “?????” which I presume is down to how the software defines and executes each step. 
Do more than one and there’s a chance that, without standardisation between all elements, you can’t reverse the process, at least not by presuming output(step n) = input (step 1). The same is true when you translate languages, when you think about it. Then I spotted character encoding. I’d largely forgotten that this was a thing, but it’s the second half of making sure what I type is what you see. The text is stored in this document as strings when you view it, and probably as binary somewhere further down the storage chain (ask Microsoft!), but to get from the building blocks back to the text we need to know how it’s encoded. Internet packet analysers often use terms like “Big5”, “ANSI”, “UTF-8”, “YAML”, “UTF-16”, etc. Vast lookup tables tell software that when a document opens with (X), it needs to read the data with encoder (Y). There’s no left to right or right to left when looking at a datafile. Just sequence. Here’s the clever bit. Some methods of encoding have visible characters to tell the computer how to display the sequence of data. Some don’t. Either way, the data is still there and will be read, and in just about every single modern application, it will be executed in the order in which it is read. For example, I could add a “right to left” control character in the above paragraph between “clever” and “bit”, with a “stop” and “left to right” control character between “the” and “order” (last paragraph) to make sure it will only ever be copied and pasted as “Here’s the clever order in which it is read”. The same applies to information received by your browser, and all the webpages that it prefetches every time you open the Bing search page on a fresh install of Windows. These control characters can call every database function you can think of in addition to reordering text (which includes websites, IP addresses and search terms you put into that address bar, which, thanks to convenience, is no longer just a locked-down address bar).
I think I'm on the right line of thought here. My computer has a small fit every time I try to post about it or investigate further. Next time, I'll cover cookies, timestamping, and computer certificates.
RichardDrozda Jun 10, 2025 Copper Contributor 2K Views 0 likes 2 Comments
Multiple CA on same domain
We're about to deploy a new two-tier Windows PKI in a domain which already has a 1-tier Enterprise CA, and we wonder about possible impacts on the current configuration. Devices and users are auto-enrolling with the current CA through GPO; what can be the impact of the new CA? How will the users get the certificate from the old or the new CA selectively? Is it just managed by the template's security settings, which by default allow authenticated users/devices to enroll? What sort of impact can we expect? Thanks
StefanoC66 Jun 09, 2025 Iron Contributor 13 Views 0 likes 0 Comments
Confusing content in several training modules
I have noticed the following content present in several training modules and I can only conclude that there are errors in the example URLs in the content. This slide is from the module called "Phishing website", but I have seen the same example in other modules. Note the following: the two example URLs in the slide are identical except for bold formatting, and this is confusing. Additionally, each example is confusing. In the section below Name, what point is served by the example URL? It seems as though the author wants the reader to understand the difference between URLs with replaced, additional, or missing characters. If we assume the reader believes their bank website may be mybanksite.net, then a good example URL to illustrate an illegitimate site would be mybanksites.net, because this highlights the additional letter s in the address. But why highlight the other s in the address? And why include .135 in the example? In the section below Domain, it seems as though the author wants to teach the reader about domains (important parts of which one can find on both sides of the last period in a domain). If we assume the reader believes their bank website may be at mybanksite.net, then a good example URL to illustrate an illegitimate site would be mybanksite.135.net, because this highlights that 135.net is the part of the address that should receive the reader's focus. And what is the reader supposed to conclude from these two examples being identical? If the point is that the address is suspicious in two ways, then the slide should first introduce mybanksite.net as the correct URL. Most other slides in the training modules are excellent, but I cannot feel good about assigning this misleading and confusing content to my users. Am I misunderstanding something?
nrq3975309 Jun 02, 2025 Copper Contributor 15 Views 0 likes 0 Comments
Authenticator not displaying numbers on MacOS
I'm having an issue with MFA on a Mac (all the latest versions). We have conditional access policies in place, so once a day I'm prompted for MFA (I work off-site) and the Office app (e.g. Outlook, Teams) will create the pop-up window that 'should' display a number that I then match on my phone. My phone sees the push notification, but the Mac never creates the number in the first place. The pop-up is there, just no number. The workaround is: 1. Answer 'its not me' on the phone. 2. On the Mac, select 'I can't use Authenticator right now'. 3. Tell the Mac to send a new request. This time it creates the number and I can authenticate on the phone. It only appears to happen for the installed Office applications, i.e. if I'm accessing applications/admin-centre via the browser, then the pop-up is within the browser and everything works first time. Is this a known issue?
Scott2000 May 31, 2025 Copper Contributor 585 Views 2 likes 6 Comments
Meet Your New Cybersecurity Sidekick - Microsoft Security Copilot Agents
Imagine if your security team had a super-smart assistant that never sleeps, learns from every task, and helps stop cyber threats before they become disasters. That’s exactly what Microsoft’s new Security Copilot Agents are designed to do.
Why Do We Need Them? Cyberattacks are getting sneakier and faster — many now use AI to trick people or break into systems. In fact, 67% of phishing attacks in 2024 used AI. Meanwhile, security teams are drowning in alerts — 66 per day on average — and 73% of experts admit they’ve missed important ones. That’s where Security Copilot comes in. It’s like having an AI-powered teammate that helps you investigate threats, fix issues, and stay ahead of attackers.
What Are Security Copilot Agents? Think of these agents as mini digital coworkers. They’re not just chatbots — they’re smart, adaptable tools that: learn from your feedback; work with your existing Microsoft security tools; help you make faster, better decisions; keep you in control while they handle the heavy lifting. They’re built to be flexible and smart, unlike traditional automation that breaks when things change.
Real-World Examples of What They Do Here are a few of the agents already available: Phishing Triage Agent: Automatically checks if a suspicious email is a real threat or just spam. It explains its reasoning in plain language and learns from your feedback. Alert Triage Agents (in Microsoft Purview): Help prioritize which security alerts matter most, so your team can focus on the big stuff first. Conditional Access Optimization Agent (in Microsoft Entra): Keeps an eye on who has access to what and flags any gaps in your security policies. Vulnerability Remediation Agent (in Microsoft Intune): Spots the most urgent software vulnerabilities and tells you what to fix first. Threat Intelligence Briefing Agent: Gives you a quick, customized report on the latest threats that could affect your organization.
Even More Help from Partners Microsoft is also teaming up with other companies to build even more agents. For example: OneTrust helps with privacy breach responses. Tanium helps analysts make faster decisions on alerts. Fletch helps reduce alert fatigue by showing what’s most important. Aviatrix helps diagnose network issues like VPN or gateway failures. BlueVoyant helps assess your SOC and recommends improvements.
Why It Matters These agents don’t just save time — they help your team stay ahead of threats, reduce stress, and focus on what really matters. They’re like having a team of AI-powered interns who never get tired and are always learning.
Learn More 📢 Microsoft Security Blog: Security Copilot Agents Launch 🎥 https://aka.ms/SecurityCopilotAgentsVideo
umamasurkar28 May 21, 2025 Microsoft 75 Views 0 likes 0 Comments
Copy and paste pictures to restricted service domains not blocked by DLP policy
I believe I've configured the DLP policy, but I'm not sure if I missed something. I've defined the restricted site in the restricted domain list and set it to block. I've also configured the DLP policy to block uploads to restricted domains. I tried 3 different methods to upload the pictures (.jpg & .png) to web.whatsapp.com: 1. drag and drop - blocked; 2. clicking upload on web.whatsapp.com - blocked; 3. copy and paste - not blocked. I'm not sure why copy and paste is not blocked while the rest are blocked.
ViktorMalum May 19, 2025 Copper Contributor 285 Views 0 likes 1 Comment
Use Endpoint DLP to block uploads
Hello, I am trying to block files from being uploaded to specific domains using Endpoint DLP. I have added several domains to the Service Domain section of DLP and set it to Block. I have also added a Service Domain Group with those same domains (not sure if this is required in this case). Then I have created a DLP policy scoped to Devices only. The rule conditions in the policy are set so that any file over 1 byte in size should be blocked from upload to those service domains. I have also added the Service Domain Groups to this policy and set it to block. I turn on the policy and it is applied to the appropriate endpoints, but when I test, the only files blocked from being uploaded to those domains are files tagged with a sensitivity label. Can this DLP policy apply to all files instead of just labelled ones? We just want to block upload to specific domains outright. Any help is appreciated!
PenTestPatrick May 19, 2025 Copper Contributor 12K Views 1 like 16 Comments
Old Tenant Name visible in Outlook Desktop Client under Protect button
Hello, I have two accounts (two is the minimum to see the Tenant Name in front of your email address) added to the Outlook Desktop client. When I create a new email and try to encrypt it using Options > Encrypt, I can see the old tenant name in front of my email address. Organization Settings in the admin portal were changed, and the change is visible in the Azure portal as well, but the old tenant name is still visible in Outlook. I've found the PS command Get-AipServiceKeys, which showed me an AipServiceKey where the old tenant name is visible. Contoso is an OldTenantName. I tried to use Set-AipServiceKeyProperties with the -RefreshSlcName switch on this key, but even though the command completed successfully, the old name is still visible under the FriendlyName property when I run Get-AipServiceKeys. Do you know how to generate a new key with the correct FriendlyName, or how to refresh the name in the current AipServiceKey? Thanks for your help. PS. Microsoft has been trying to find an answer for my issue since December and there is no valuable feedback from them.
paweld May 19, 2025 Copper Contributor 947 Views 0 likes 2 Comments