With Microsoft #Graph Activity Log now in public preview let's talk about reconnaissance detection.

📢In my latest blog post I dive deep into the logs and show how you can detect tools like #bloodhound and #PurpleKnight using this new log source.

#security #kql #msgraph #hunting

https://cloudbrothers.info/en/detect-threats-microsoft-graph-logs-part-1/

Detect threats using Microsoft Graph Logs - Part 1

When working with Microsoft Entra there are many log sources you can use to detect usage of, and changes to, the environment and the assets within it. Most of them can be forwarded via diagnostic settings to different targets for better analysis capabilities or long-term storage. In many cases a Microsoft Sentinel or Log Analytics workspace is the target of choice, but other SIEM solutions can also benefit from this stream of log data.
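As an added illustration of the kind of hunting the post is about (this query is not from the original post or its author), the following KQL runs against the Microsoft Graph Activity Log once it has been forwarded to a Log Analytics workspace. It flags identities that enumerate many distinct directory collections within an hour, which is what reconnaissance tooling typically does. The table name `MicrosoftGraphActivityLogs` and the columns `RequestUri`, `RequestMethod`, `UserId`, `ServicePrincipalId`, `AppId`, `UserAgent` and `IPAddress` are assumed to match the schema delivered by the diagnostic setting; the list of resource collections and the threshold of five are assumptions to tune per tenant.

```kql
// Added example, not the blog's own query. Schema and thresholds are assumptions.
MicrosoftGraphActivityLogs
| where TimeGenerated > ago(1d)
| where RequestMethod == "GET"
// Normalise the request path: drop the API version prefix, the query string
// and any object IDs so that /v1.0/users/<guid>/memberOf becomes /users/{id}/memberOf
| extend Path = tostring(parse_url(RequestUri).Path)
| extend Path = replace_regex(Path, @"^/(v1\.0|beta)", "")
| extend Path = replace_regex(Path,
    @"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}", "{id}")
// Keep only the top-level collection that was touched (users, groups, ...)
| extend Resource = tostring(split(Path, "/")[1])
| where Resource in ("users", "groups", "servicePrincipals", "applications", "devices",
                     "directoryRoles", "roleManagement", "organization", "subscribedSkus")
// Requests are made either by a user or by a service principal; use whichever is set
| extend Identity = iff(isnotempty(UserId), UserId, ServicePrincipalId)
| summarize Requests = count(),
            ResourceCount = dcount(Resource),
            Resources = make_set(Resource),
            UserAgents = make_set(UserAgent),
            SourceIPs = make_set(IPAddress)
    by Identity, AppId, bin(TimeGenerated, 1h)
// Assumed threshold: five or more distinct collections enumerated in one hour
| where ResourceCount >= 5
| order by ResourceCount desc, Requests desc
```

The `UserAgents` and `SourceIPs` sets are kept in the output so that an analyst can tell a legitimate inventory script (a known app registration from a known address) apart from an unexpected client; the `AppId` grouping does the same for the OAuth application that obtained the token.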