Jan Geisbauer |

Author Archives: Jan Geisbauer

MDE Hunting 101

Posted on March 27, 2022 by Jan Geisbauer One comment

People that start working with Defender for Endpoint (MDE) often ask the question “where should I start when I see an alert in MDE?”. There is lot of valuable information available in the portal to help judge if an alert is a real incident or a false positive. Additionally, you can query the raw telemetry via KQL. But there is still lot of room for interpretation. So, what should you do to get started? And what is even more important: how do I keep the overview?

Main Articles

Gundog 2

Posted on February 8, 2022 by Jan Geisbauer One comment

Version 2 of Gundog to hunt in Microsoft 365 Defender via PowerShell is now available. This article describes the new features.

Main Articles

Azure Sentinel Internals: Incidents

Posted on October 28, 2021 by Jan Geisbauer One comment

In my experience, people – due to a lack of knowledge or plain laziness (and I am one of them) sometimes mix-up terms like Events, Alerts, Alarms and Incidents in their conversations. In addition, different tools have different terms for the objects they are displaying in their GUIs. With this article, we will go through all those entities in Sentinel and take a deep dive into their correlations.

Main Articles

hunting phish

Posted on July 16, 2021 by Jan Geisbauer One comment

With Microsoft 365 Defender, we not only know that a phishing link was received but also that the user clicked on it – however, what we do not know is: if the user provided his credentials to the shady site he clicked on. How do we handle such alerts?

Main Articles

Pink Thumb

Posted on June 22, 2021 by Jan Geisbauer One comment

To help users to make better decisions, when to type a password / on which sites, I have created a very simple chrome extension (that also works on edge): PINKTHUMB – only type in your password when its pink!

Main Articles

Alertrule from github to Azure sentinel

Posted on March 19, 2021 by Jan Geisbauer 28 comments

The Azure Sentinel community is great. Many people contribute to the Azure Sentinel GitHub site. Rod Trent wrote an article on how to deploy analytic rules from GitHub to your Sentinel instance. This is great, however, the rules are written in YAML and can therefore easily be imported programmatically.

Garage Articles

gundog

Posted on February 25, 2021 by Jan Geisbauer 11 comments

Gundog provides you powershell based guided hunting for Microsoft 365 Defender.

Main Articles

privilege escalation in Azure AD

Posted on December 10, 2020 by Jan Geisbauer 5 comments

It should be clear that -effectively- a user has the same permissions as the object it has control of – but sometimes things are new or complex or both and then the simplest rules vaporize in our heads. This is where it gets dangerous …

Main Articles

FritzBox 2 Sentinel

Posted on November 13, 2020 by Jan Geisbauer Leave a comment

As part of a bigger blog post coming up here soon, I have created a PowerShell script that connects to your FritzBox, reads its event logs, extracts the event time, IP addresses and event messages and sends everything to Azure Sentinel for comfortable hunting and alerting and basically everything else Sentinel offers.