diff --git a/docs/entraid.md b/docs/entraid.md index eea4da9..568b3a8 100644 --- a/docs/entraid.md +++ b/docs/entraid.md @@ -1742,6 +1742,7 @@ ## Community Blogs - [From Intune to EntraID – Add custom data to the Extension Attributes](https://ugurkoc.de/from-intune-to-entraid-add-custom-data-to-the-extension-attributes/) +- [Privilege escalation using Azure Service principal](https://laythchebbi.com/index.php/2024/09/01/privilege-escalation-using-azure-service-principal/) ### Conditional Access diff --git a/docs/learn.md b/docs/learn.md index a2f92c2..58908bc 100644 --- a/docs/learn.md +++ b/docs/learn.md @@ -6,6 +6,7 @@ - [Microsoft Cybersecurity Reference Architectures](https://learn.microsoft.com/en-us/security/adoption/mcra) - [The Chief Information Security Officer (CISO) Workshop Training](https://learn.microsoft.com/en-us/security/adoption/the-ciso-workshop) - [Zero Trust Lab](https://microsoft.github.io/ztlabguide/) +- [Zero Trust Workshop: Advance your knowledge with an online resource](https://www.microsoft.com/en-us/security/blog/2024/11/06/zero-trust-workshop-advance-your-knowledge-with-an-online-resource/) ## Ninja Trainings @@ -25,3 +26,7 @@ ## Microsoft Airlift - [Microsoft Airlift](https://airlift.microsoft.com/home_public) + +## Interactive Lab Simulations + +- [SC-200 Interactive Lab Simulations - Microsoft Security Operations Analyst](https://mslabs.cloudguides.com/guides/SC-200%20Lab%20Simulations%20-%20Microsoft%20Security%20Operations%20Analyst) diff --git a/docs/mdca.md b/docs/mdca.md index bf605de..b6da843 100644 --- a/docs/mdca.md +++ b/docs/mdca.md 
@@ -35,4 +35,10 @@ - [Detecting Ransonware with Defender for Cloud Apps](https://cyberdom.blog/2023/08/27/detecting-ransomware-with-defender-for-cloud-apps/) - [Deep Diver – Defender for Cloud Apps Malware Detection in Office 365 Workloads](https://samilamppu.com/2022/05/04/deep-diver-defender-for-cloud-apps-malware-detection-in-office-365-workloads/) - [Microsoft Sentinel – Insights of Defender for Cloud Apps Data Connector](https://samilamppu.com/2022/03/24/microsoft-sentinel-insights-of-defender-for-cloud-apps-data-connector/) -- [Integrate Microsoft Defendr for Endpoint with MCAS](https://www.eshlomo.us/integrate-microsoft-defender-for-endpoint-with-mcas/) \ No newline at end of file +- [Integrate Microsoft Defendr for Endpoint with MCAS](https://www.eshlomo.us/integrate-microsoft-defender-for-endpoint-with-mcas/) + +## GitHub + +- [Collection of useful resources for MDA/ Defender for Cloud Apps / DfCA / MCAS](https://github.com/jkerai1/SoftwareCertificates/tree/main/Bulk-IOC-CSVs/MDA#block-user-agents) +- [MCAS Toolbox](https://github.com/alexverboon/MCASToolbox) +- [MCAS Powershell Module [Unofficial]](https://github.com/microsoft/MCAS) diff --git a/docs/mde.md b/docs/mde.md index 3d360e8..859ec3c 100644 --- a/docs/mde.md +++ b/docs/mde.md 
@@ -12,6 +12,7 @@ ## Microsoft Tech Community Blogs +- [The unified agent now combines protection across endpoints, OT devices, identities, and DLP](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/the-unified-agent-now-combines-protection-across-endpoints-ot-devices-identities/4303805) - [Security settings management is available for multi-tenant environments in Microsoft Defender XDR](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/security-settings-management-is-available-for-multi-tenant/ba-p/4250996) - [Microsoft Defender for Endpoint’s Safe Deployment Practices](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-s-safe-deployment-practices/ba-p/4220342) - [Detect compromised RDP sessions with Microsoft Defender for Endpoint](https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/detect-compromised-rdp-sessions-with-microsoft-defender-for/ba-p/4201003) 
@@ -252,6 +253,10 @@ ## Community Blogs +- [Silencing Microsoft Defender for Endpoint using firewall rules](https://medium.com/csis-techblog/silencing-microsoft-defender-for-endpoint-using-firewall-rules-3839a8bf8d18) +- [EDR Silencers and Beyond: Exploring Methods to Block EDR Communication - Part 1](https://cloudbrothers.info/edr-silencers-exploring-methods-block-edr-communication-part-1/) +- [EDR Silencer and Beyond: Exploring Methods to Block EDR Communication - Part 2](https://academy.bluraven.io/blog/edr-silencer-and-beyond-exploring-methods-to-block-edr-communication-part-2) +- [Silencing the EDR Silencers](https://www.huntress.com/blog/silencing-the-edr-silencers) - [Unleash The Power Of DeviceTvmInfoGathering](https://kqlquery.com/posts/devicetvminfogathering/) - [Peeking Behind the Curtain: Finding Defender’s Exclusions](https://blog.fndsec.net/2024/10/04/uncovering-exclusion-paths-in-microsoft-defender-a-security-research-insight/) - [Manage Defender for Endpoint for Windows, macOS, and Linux via Security settings management](https://jeffreyappel.nl/manage-mde-for-windows-macos-and-linux-via-security-settings-management/) @@ -329,4 +334,5 @@ ## GitHub - [MDE_Signature_Update_Detection.ps](https://github.com/ugurkocde/Intune/blob/main/Defender%20for%20Endpoint/MDE_Signature_Update_Detection.ps1) -- [DefenderMAPS](https://github.com/alexverboon/DefenderMAPS) \ No newline at end of file +- [DefenderMAPS](https://github.com/alexverboon/DefenderMAPS) +- [Nuke It From Orbit](https://github.com/lkarlslund/nifo) diff --git a/docs/mdi.md b/docs/mdi.md index 921f50c..285948a 100644 --- a/docs/mdi.md +++ b/docs/mdi.md 
@@ -34,6 +34,7 @@ ## Community Blogs +- [Microsoft Defender for Identity Bulk Operation](https://thalpius.com/2024/11/13/microsoft-defender-for-identity-bulk-operation/) - [Microsoft Defender for Identity Access Key Vulnerability](https://thalpius.com/2024/07/18/microsoft-defender-for-identity-access-key-vulnerability/) - [Provoking Defender for Identity suspicious certificate usage alerts](https://tech.nicolonsky.ch/provoking-defender-for-identity-suspicious-certificate-usage-alerts/) - [Unmasking the shadows the art of threat hunting in Defender for Identity](https://cyberdom.blog/2023/12/09/unmasking-the-shadows-the-art-of-threat-hunting-in-defender-for-identity/) @@ -68,4 +69,4 @@ ## GitHub - [Raymond Roethof - Defender for Identity Tools](https://github.com/thalpius?tab=repositories) -- [Defender for Identity Sizing Tool](https://github.com/microsoft/Microsoft-Defender-for-Identity-Sizing-Tool) \ No newline at end of file +- [Defender for Identity Sizing Tool](https://github.com/microsoft/Microsoft-Defender-for-Identity-Sizing-Tool) diff --git a/docs/mdo.md b/docs/mdo.md index d8bae67..27745d8 100644 --- a/docs/mdo.md +++ b/docs/mdo.md 
@@ -7,6 +7,8 @@ ## Microsoft Tech Community Blogs +- [Microsoft Ignite: Redefining email security with LLMs to tackle a new era of social engineering](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/microsoft-ignite-redefining-email-security-with-llms-to-tackle-a-new-era-of-soci/4302421) +- [Create targeted attack simulation training campaigns with dynamic groups](https://techcommunity.microsoft.com/blog/microsoftdefenderforoffice365blog/create-targeted-attack-simulation-training-campaigns-with-dynamic-groups/4287637) - [Use community queries to hunt more effectively across email and collaboration threats](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/use-community-queries-to-hunt-more-effectively-across-email-and/ba-p/4254664) - [Improve end user resilience against QR code phishing](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/improve-end-user-resilience-against-qr-code-phishing/ba-p/4225742) - [How your submissions to Defender for Office 365 are processed behind-the-scenes](https://techcommunity.microsoft.com/t5/microsoft-defender-for-office/how-your-submissions-to-defender-for-office-365-are-processed/ba-p/4231551) diff --git a/docs/mdtvm.md b/docs/mdtvm.md index 907f4ce..12fbb1e 100644 --- a/docs/mdtvm.md +++ b/docs/mdtvm.md 
@@ -6,6 +6,7 @@ ## Microsoft Tech Community Blogs +- [The unified agent now combines protection across endpoints, OT devices, identities, and DLP](https://techcommunity.microsoft.com/blog/microsoftdefenderatpblog/the-unified-agent-now-combines-protection-across-endpoints-ot-devices-identities/4303805) - [Research Analysis and Guidance: Ensuring Android Security Update Adoption](https://techcommunity.microsoft.com/t5/microsoft-defender-vulnerability/research-analysis-and-guidance-ensuring-android-security-update/ba-p/4216714) - [Enhancing vulnerability prioritization with asset context and EPSS - Now in Public Preview.](https://techcommunity.microsoft.com/t5/microsoft-defender-vulnerability/enhancing-vulnerability-prioritization-with-asset-context-and/ba-p/4212480) - [Using Export API with Defender Vulnerability Management](https://techcommunity.microsoft.com/t5/microsoft-defender-vulnerability/using-export-api-with-defender-vulnerability-management/ba-p/4191046) 
@@ -45,9 +46,10 @@ ## Community Blogs & Videos +- [Microsoft Defender Vulnerability Management, exploring the add-on superpowers (part 1)](https://www.michalos.net/2024/10/20/microsoft-defender-vulnerability-management-exploring-the-add-on-superpowers-part-1/) - [Assessment and Control of Browser Extensions](https://www.verboon.info/2022/06/assessment-and-control-of-browser-extensions/) - [Using Defender Vulnerability Management to patch vulnerabilities](https://medium.com/@andrecamillo/using-defender-vulnerability-management-to-patch-vulnerabilities-4e59ebc944bb) - [Defender TVM: Configuration Benchmark Management](https://www.bluevoyant.com/blog/defender-tvm-configuration-benchmark-management/) - [How to generate a monthly Defender ATP Threat and Vulnerability Report](https://www.verboon.info/2019/11/how-to-generate-a-monthly-defender-atp-threat-and-vulnerability-report/) - [Threat & Vulnerability Management – improve client security with MDATP](https://chrisonsecurity.net/2020/05/08/threat-vulnerability-management-improve-client-security-with-mdatp/) -- [Vulnerability management | Microsoft 365 Defender](https://www.youtube.com/watch?v=G54f7IqUFMU) \ No newline at end of file +- [Vulnerability management | Microsoft 365 Defender](https://www.youtube.com/watch?v=G54f7IqUFMU) diff --git a/docs/mdxdr.md b/docs/mdxdr.md index 5bf7a7d..f0901f9 100644 --- a/docs/mdxdr.md +++ b/docs/mdxdr.md 
@@ -9,6 +9,7 @@ ## Microsoft Tech Community Blogs +- [Ignite news: What's new in Microsoft Defender XDR?](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/ignite-news-whats-new-in-microsoft-defender-xdr/4303104) - [Host Microsoft Defender data locally in India](https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/host-microsoft-defender-data-locally-in-india/ba-p/4215053) - [Cybersecurity incident correlation in the unified security operations platform](https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/cybersecurity-incident-correlation-in-the-unified-security/ba-p/4214394) - [Host Microsoft Defender data locally in Switzerland](https://techcommunity.microsoft.com/t5/microsoft-defender-xdr-blog/host-microsoft-defender-data-locally-in-switzerland/ba-p/4141490) @@ -76,6 +77,7 @@ ## Community Blogs +- [Unlimited Advanced Hunting for Microsoft 365 Defender with Azure Data Explorer](https://github.com/TheCloudScout/m365defender-adx) - [Audit Defender XDR Activities](https://kqlquery.com/posts/audit-defender-xdr/) - [Enhancing Your Entity Timelines: Sentinel Activities in the Unified Microsoft Defender XDR Portal](https://attackthesoc.com/posts/enhancing-entity-timelines/) - [Automatic attack disruption in Microsoft Defender XDR and containing users during Human-operated Attacks](https://jeffreyappel.nl/automatic-attack-disruption-in-microsoft-365-xdr-and-containing-users-during-human-operated-attacks/) @@ -88,4 +90,4 @@ ## Documentation -- [Details and results of an automatic attack disruption action](https://learn.microsoft.com/en-us/defender-xdr/autoad-results#hunt-for-disable-user-account-actions) \ No newline at end of file +- [Details and results of an automatic attack disruption action](https://learn.microsoft.com/en-us/defender-xdr/autoad-results#hunt-for-disable-user-account-actions) diff --git a/docs/sentinel.md b/docs/sentinel.md index 4106ecc..519b584 100644 --- a/docs/sentinel.md +++ b/docs/sentinel.md 
@@ -7,6 +7,10 @@ ## Microsoft Tech Community Blogs +- [How Microsoft’s leading SIEM is getting even better](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/how-microsoft%E2%80%99s-leading-siem-is-getting-even-better/4304327) +- [Leave no data behind: Using summary rules to store data cost effectively in Microsoft Sentinel](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/leave-no-data-behind-using-summary-rules-to-store-data-cost-effectively-in-micro/4296785) +- [What’s New: Exciting new Microsoft Sentinel Connectors Announcement - Ignite 2024](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/what%E2%80%99s-new-exciting-new-microsoft-sentinel-connectors-announcement---ignite-2024/4294146) +- [Deploy Microsoft Sentinel using Bicep](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/deploy-microsoft-sentinel-using-bicep/4270970) - [Save money on your Sentinel ingestion costs with Data Collection Rules](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/save-money-on-your-sentinel-ingestion-costs-with-data-collection/ba-p/4270256) - [What to do if your Sentinel Data Connector shows as [DEPRECATED]](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/what-to-do-if-your-sentinel-data-connector-shows-as-deprecated/ba-p/4270346) - [Cowrie honeypot and its Integration with Microsoft Sentinel.](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/cowrie-honeypot-and-its-integration-with-microsoft-sentinel/ba-p/4258349) 
@@ -537,6 +541,10 @@ ## Community Blogs +- [Restricting Deletions of Incidents in Sentinel](https://www.linkedin.com/pulse/restricting-deletions-incidents-sentinel-jay-kerai-da9te/) +- [Monitoring your DevOps platform](https://jamescook.dev/connect-azure-devops-sentinel) +- [Azure DevOps Auditing with Sentinel](https://cyberdom.blog/azure-devops-auditing-with-microsoft-sentinel/) +- [Azure DevOps Service security monitoring using Azure Sentinel](https://www.criticalstart.com/azure-devops-service-security-monitoring-using-azure-sentinel/) - [Use Cases For Sentinel Summary Rules](https://kqlquery.com/posts/sentinel-summary-rules/) - [Microsoft Sentinel Summary KQL deep dive (From Beginner to Advanced KQL)](https://modernsecops.com/p/microsoft-sentinel-summary-kql-deep-dive?utm_source=linkedin&utm_medium=organic_post&utm_campaign=summary_kql) - [Sentinel Automation Part 2: Automate CISA Known Exploited Vulnerability Notifications](https://kqlquery.com/posts/automatic-cisa-vulnerability-notifications/) @@ -582,8 +590,9 @@ - [Microsoft Sentinel Triage AssistanT (STAT)](https://github.com/briandelmsft/SentinelAutomationModules) - [Microsoft Sentinel - SEC Operations](https://github.com/eshlomo1/Microsoft-Sentinel-SecOps) - [Log Splitr](https://github.com/TheCloudScout/log-splitr) +- [Azure DevOps detection rules](https://github.com/alexverboon/Hunting-Queries-Detection-Rules/tree/main/AzureDevOps) ## Learning and Training - [Optimizing Your Security Operations: Manage Your Data, Costs and Protections with SOC Optimizations](https://www.youtube.com/watch?v=Uk9x60grT-o) -- [Optimizing your SOC's threat coverage and data value](https://www.youtube.com/watch?v=b0rbPZwBuc0) \ No newline at end of file +- [Optimizing your SOC's threat coverage and data value](https://www.youtube.com/watch?v=b0rbPZwBuc0)
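Review bot: in the mdca.md hunk (`@@ -35,4 +35,10 @@`), the re-added line `- [Integrate Microsoft Defendr for Endpoint with MCAS](https://www.eshlomo.us/integrate-microsoft-defender-for-endpoint-with-mcas/)` carries the "Defendr" typo forward; since this hunk already rewrites that line to add the trailing newline, correct the link text to "Defender" in the same change, and the unchanged context line "Detecting Ransonware with Defender for Cloud Apps" could get the same treatment ("Ransomware"). Also, the first new `## GitHub` entry is titled as a collection of MDA resources but points to a section anchor deep inside a repository named SoftwareCertificates (`.../Bulk-IOC-CSVs/MDA#block-user-agents`); please confirm that is the intended target and prefer linking to the folder, since a README heading anchor silently stops resolving when the heading is renamed.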
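Review bot: in the mde.md hunk at `@@ -252,6 +253,10 @@`, the two-part series is listed under inconsistent titles ("EDR Silencers and Beyond ... Part 1" vs "EDR Silencer and Beyond ... Part 2"); if the published titles really differ, keep them as published, otherwise make them match. A short annotation on this group would also help readers see that the Huntress entry "Silencing the EDR Silencers" is the detection and hardening counterpart to the three write-ups on blocking EDR communication that precede it.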
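Review bot: in the mde.md hunk at `@@ -329,4 +334,5 @@`, the new entry `- [Nuke It From Orbit](https://github.com/lkarlslund/nifo)` is the only item in this `## GitHub` list whose title does not say what the tool does, while its neighbours (DefenderMAPS, MDE_Signature_Update_Detection) are self-describing; add a short descriptive label so readers know what they are opening. The unchanged context entry is titled `MDE_Signature_Update_Detection.ps` while its URL ends in `.ps1`; worth fixing here since the hunk already touches this list.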
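Review bot: in the mdtvm.md hunk at `@@ -6,6 +6,7 @@`, the added Tech Community post "The unified agent now combines protection across endpoints, OT devices, identities, and DLP" is the same URL this change also inserts at the top of `## Microsoft Tech Community Blogs` in mde.md (`@@ -12,6 +12,7 @@`). Cross-listing is reasonable because the post spans both products, but if these docs aim for one home per link, keep it in only one of the two files.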
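Review bot: in the mdxdr.md hunk at `@@ -76,6 +77,7 @@`, the new entry `- [Unlimited Advanced Hunting for Microsoft 365 Defender with Azure Data Explorer](https://github.com/TheCloudScout/m365defender-adx)` is a github.com repository filed under `## Community Blogs`; every other doc touched in this change (mde.md, mdi.md, mdca.md, sentinel.md) keeps repositories under a `## GitHub` heading, so move it there if mdxdr.md has that section, or add one for consistency.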