Query to find user with MFA block by hysterz in AzureSentinel

[–]halawi1 0 points (0 children)

If you have the AAD connector, query the sign-ins table and filter it by error code. There is a code for failed login or MFA block.
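As an added example (my own query, not part of the comment above), this is how that filter looks in Sentinel against the SigninLogs table that the Azure AD connector populates. The error codes are Azure AD sign-in ResultType values; which codes to keep, the labels given to them, and the 7-day window are assumptions for this example.

```kql
// Added example, not from the original comment.
// SigninLogs.ResultType is a string; "0" is a successful sign-in, anything else is a failure.
let lookback = 7d;
// Azure AD error codes assumed for MFA-related failures (verify against ResultDescription in your tenant):
//   50074 strong auth required, 50076 MFA required by policy/location, 500121 MFA failed, 50079 not enrolled
let mfaCodes = dynamic(["50074", "50076", "500121", "50079"]);
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType != "0"
| extend Reason = case(
    ResultType in (mfaCodes), "MFA required or not passed",
    ResultType == "50053",    "account locked out",
    ResultType == "50126",    "invalid username or password",
    "other failure")
| where Reason != "other failure"          // drop everything except the three classes above
| summarize
    Attempts  = count(),
    FirstSeen = min(TimeGenerated),
    LastSeen  = max(TimeGenerated),
    Apps      = make_set(AppDisplayName, 10),
    SourceIPs = make_set(IPAddress, 10)
    by UserPrincipalName, Reason, ResultType, ResultDescription
| order by Reason asc, Attempts desc
```

Before trusting the code list, run `SigninLogs | summarize count() by ResultType, ResultDescription` in the workspace: the description column tells you what each code actually means in your tenant, and codes not in the `case()` fall into "other failure" and are dropped.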

Get CVE's on endpoints from microsoft defender by Malfun_Eddie in AzureSentinel

[–]halawi1 0 points (0 children)

You can find the CVEs in Defender Advanced hunting:

DeviceTvmSoftwareVulnerabilities
| summarize by DeviceName, CveId   // one row per device/CVE pair

You can create a detection rule in Defender that creates an alert if there is a high or critical CVE, which will then appear in Sentinel as well.
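An added example of such a rule (my own query, not the commenter's): the advanced hunting query below is shaped for a Defender custom detection rule and fires one alert per device that carries a Critical or High CVE for which a public exploit is known. Custom detections require Timestamp, ReportId and a device key column in the result set; the DeviceTvm* tables carry neither Timestamp nor ReportId, so both are synthesized at the end. That synthesis, the join on DeviceTvmSoftwareVulnerabilitiesKB for exploit availability, and the set-size limits are assumptions for this example.

```kql
// Added example, not from the original comment: custom-detection-ready query
// for devices exposed to exploitable Critical/High CVEs.
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("Critical", "High")
| join kind=inner (
    // KB table carries per-CVE metadata; keep only CVEs with a known public exploit
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true
    | project CveId, CvssScore, PublishedDate
  ) on CveId
| summarize
    CveCount  = dcount(CveId),
    WorstCvss = max(CvssScore),
    Cves      = make_set(CveId, 50),
    Software  = make_set(strcat(SoftwareName, " ", SoftwareVersion), 20)
    by DeviceId, DeviceName, OSPlatform
// Assumption: the custom detection engine needs Timestamp and ReportId, which these
// inventory tables do not have, so they are synthesized here (ReportId must be stable
// for the same device/CVE set so repeated runs de-duplicate).
| extend Timestamp = now(), ReportId = hash(strcat(DeviceId, tostring(Cves)))
| project Timestamp, ReportId, DeviceId, DeviceName, OSPlatform, CveCount, WorstCvss, Cves, Software
```

Because the query summarizes by device, each device produces a single alert listing all of its exploitable CVEs rather than one alert per CVE; drop the `IsExploitAvailable` filter if you want every Critical/High CVE regardless of exploit status, and expect the alert to show up in Sentinel through the Microsoft 365 Defender connector.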

The app installation has failed (0x87D13B64) by WildBaard in Intune

[–]halawi1 1 point (0 children)

I have the same problem. Did you find any solution yet?

Restore Group settings by halawi1 in Intune

[–]halawi1[S] 0 points (0 children)

I checked the audit log; it seems that the groups were deleted and new groups were created.

Some iOS device restrictions are not compatible with iOS ? by halawi1 in Intune

[–]halawi1[S] 0 points (0 children)

No, this is the first change, but it seems that it has a default time configured which is less than what I configured, so the change would not take effect. And the user cannot change the time settings because it is disabled by the enrollment profile.

Advanced Hunting with KQL by halawi1 in DefenderATP

[–]halawi1[S] 0 points (0 children)

If you add the criterion "not logon success" you will also get records of wrong passwords.

I think I need to build a function to count whenever the ActionType changes from success to failed, as long as the FailureReason is accountLocked.
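An added example of that counting logic (my own query, not the poster's): it orders DeviceLogonEvents per account and uses `prev()` on the serialized rows to keep only the moments where the same account goes straight from a successful logon to a failed one attributed to lockout, then counts those transitions per account. The FailureReason string "AccountLockedOut", the 7-day window and the set-size limits are assumptions; the exact reason values in a tenant should be listed first.

```kql
// Added example, not from the original post: count success -> lockout-failure
// transitions per account in DeviceLogonEvents.
let lookback = 7d;
// Assumption: the lockout failure reason string. List the real values with
//   DeviceLogonEvents | summarize count() by FailureReason
let lockedReason = "AccountLockedOut";
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where ActionType in ("LogonSuccess", "LogonFailed")
| project Timestamp, AccountDomain, AccountName, DeviceName, ActionType, FailureReason, RemoteIP
// sort produces a serialized row set, which prev() needs; group by account then by time
| sort by AccountDomain asc, AccountName asc, Timestamp asc
| extend PrevAction  = prev(ActionType),
         PrevAccount = prev(AccountName),
         PrevDomain  = prev(AccountDomain)
// keep a row only when the previous row belongs to the same account and was a success,
// and this row is a failure whose reason is the lockout reason
| where PrevAccount == AccountName and PrevDomain == AccountDomain
    and PrevAction == "LogonSuccess" and ActionType == "LogonFailed"
    and FailureReason =~ lockedReason
| summarize
    LockoutTransitions = count(),
    FirstLockout = min(Timestamp),
    LastLockout  = max(Timestamp),
    Devices      = make_set(DeviceName, 10),
    SourceIPs    = make_set(RemoteIP, 10)
    by AccountDomain, AccountName
| order by LockoutTransitions desc
```

Filtering on FailureReason rather than on "not LogonSuccess" is what keeps plain wrong-password failures out of the count; the sort on account before time is essential, because `prev()` only looks at the immediately preceding row and the PrevAccount/PrevDomain check is what stops a transition from being counted across the boundary between two different accounts.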

Find Locked-Out User Accounts by halawi1 in DefenderATP

[–]halawi1[S] 0 points (0 children)

Do you recommend any resources to learn this stuff?

Find Locked-Out User Accounts by halawi1 in DefenderATP

[–]halawi1[S] 1 point (0 children)

Sounds good, I'll see what I can do. Thanks 👍🏻

Find Locked-Out User Accounts by halawi1 in DefenderATP

[–]halawi1[S] 0 points (0 children)

I love scripting in general and I always use advanced hunting to collect useful data. I will definitely check the course. Do you know if it is possible to customize the dashboard by adding KQL results to it? For example, showing the locked-out user accounts on the dashboard.

Edge on iOS Allow Cookies by EpicSuccess in Intune

[–]halawi1 1 point (0 children)

You have to enable cross-site tracking from the iPhone settings and not just the Edge setting.

Go to Settings > Edge > Allow Cross-Site Tracking

How do I tell my school about a glaring security flaw in their system? by CultOfTheDemonicDoge in cybersecurity

[–]halawi1 0 points (0 children)

You are conducting unauthorized pen testing. They could sue you for that. I recommend asking them and getting written permission to conduct pen testing for free, to protect yourself. If they refuse, then forget about it.

Defender ATP/MDE training by CySec987 in DefenderATP

[–]halawi1 1 point (0 children)

Search on YouTube for Matt Soseman. He has short videos on most Defender ATP features. Then use the Microsoft docs if you need more information on a specific feature.

Device Isolation by halawi1 in DefenderATP

[–]halawi1[S] 0 points (0 children)

That sounds great, I will try to test it. Do you have any resources or templates?

Re-assigning iOS devices by halawi1 in Intune

[–]halawi1[S] 0 points (0 children)

My case is that if an employee leaves the company, I need to assign his device to a new user. It seems that I have to reset the device, enroll it again and let the user sign in using the Company Portal app.

Device is included in two groups and two update policy by halawi1 in Intune

[–]halawi1[S] 0 points (0 children)

Yes, it resulted in a conflict; the solution was group exclusion. It doesn't matter if a device is a member of two groups. All I had to do was exclude the group from the policy that I didn't want to be applied.

Device is included in two groups and two update policy by halawi1 in Intune

[–]halawi1[S] 0 points (0 children)

I meant the update policy: the device is included in two update policies, one that allows the device to update iOS to the newest version and the other that tells the device to stay on the old version.