Mar 01, 24 | MDE | Security

MDE Get Healthy with MDfS Driven Migration

Nov 07, 23 | MDO | Security

QR Phishing with MDO

Feb 15, 23 | MDE | Security

How to map AAD Groups to MDE Device Groups

Recent Posts

Image for Post MDE Policy Migration
MDE Policy Migration

I have intentionally and reluctantly avoided this topic for a while, but enough customer experience has occurred, and I feel the benefits are balanced with or outweigh the negatives. So, over the last week I wrote and have made available My-MdeMigration a PowerShell Module to help with MDE Migrations.

Mar 27, 25 | MDE | Security | Read more...
Image for Post MDE Offline Update Container
MDE Offline Update Container

MDE Offline update provides the ability for organizations to locally source MDE Security Intelligence Updates rather than using the provided Microsoft SIU service. Considering the repeat scripting and static file web server requirements it seemed that this could conventiently be addressed by containerization.

Feb 07, 25 | MDE | Security | Read more...
Image for Post Export MDE Policies
Export MDE Policies

Customers frequently ask about moving Defender policies between various environment. This generally requires manual efforts of replicating settings from one portal to another. However, this manual process is painful and error prone which makes the migration less that optimal. Instead, a better way is to export the policy and push it to the other environment, but without portal capabilities how can this be accomplished. Enter the Device Configuration v2 API.

Aug 29, 24 | MDE | Security | Read more...
Image for Post MDE Get Healthy with MDfS Driven Migration
MDE Get Healthy with MDfS Driven Migration

“By failing to prepare, you are preparing to fail” -Benjamin Franklin Recently I’ve been working with several customers on migrations from a third party EPP-EDR to Microsoft Defender for Servers (MDfS), and have found there is an important pattern that should be followed to predict, control, and minimize performance and business impacts during the migration. While Arc may perform the onboarding for your organization, other factors like change management and maintenance windows may require additional steps or procedures to limit & control what and when Arc performs actions.

Mar 01, 24 | MDE | Security | Read more...
Image for Post MDE Linux Management from the Security Portal
MDE Linux Management from the Security Portal

Recently the MDE Attach capability was updated to include managing the MDE service on Linux, and MacOS, to provide a similar experience for configuring and managing the MDE service on these non-windows platforms. There are several questions that this new capability raises which I will attempt to address in this post.

Nov 21, 23 | MDE | Security | Read more...
Image for Post QR Phishing with MDO
QR Phishing with MDO

Previsouly, I wrote about QR Phishing and the many challenges it poses to current cyber awareness training, and defensive tools. As this is a growing trend it is important for companies to incorporate this type of phishing method into existing cyber training and awareness. Specifically, this post will detail how to use Microsoft Defender for Office to generate a QR Phishing campaign.

Nov 07, 23 | MDO | Security | Read more...
Image for Post QR Phishing
QR Phishing

Earlier this year some news outlets began to report about increased Phishing that utilized QR codes. This had been discussed as a new threat vector when the COVID pandemic moved restaurants, cafes, and other locations to replace physical menus with digital menus that could be easily accessed from a QR code sticker on your table. Recently, around August/September, more new stories, reports, and industry data have indicated that QR Phishing is becoming more prevalent.

Nov 03, 23 | MDO | Security | Read more...
Image for Post MDE Migration Script
MDE Migration Script

For the last 2-3 years I’ve been working with customers on migrating to Defender for Endpoint from other AV/FW/EDR solutions. One of the big issues I’ve seen is there are a lot of checks to see what could prevent Defender from successfully onboarding. In order to make these checks more consistent and faster I decided to create a script to help identify and flag potential migration issues.

Sep 20, 23 | Microsoft | MDE | Security | Read more...
Image for Post CVE-2023-28303 Detection
CVE-2023-28303 Detection

Recently I had a customer ask about an Advanced Hunting Query that could detect the Microsoft Screen Clipping vulnerability CVE-2023-28303. Some initial testing of the Threat and Vulnerability Management in Advanced Hunting tables this software is not being captured on my test machines. However, there are still some ways we can detect the potential of this vulnerability.

Mar 29, 23 | MDE | Security | Read more...
Image for Post MDE Tamper Protection Forced Values
MDE Tamper Protection Forced Values

Recently an issue was raised that a customer had configured their Defender AV policies and then applied Tamper Protection. When they checked the local machine’s settings they realized that some values in Defender AV were not consistent with their AV Policy which was unexpected. What was found is an undocumented/vaguely documented action by Tamper Protection.

Mar 07, 23 | MDE | Security | Read more...