A dive into why email forwarding rules remain a major blind spot in many security environments, and how changes in the way Microsoft Sentinel logs these actions have made detection harder than ever.
Erik's blogs page
I write about security and about detecting cyberattacks.
Here are my latest posts:
Attackers often cycle through password reset attempts to gain or maintain access to compromised accounts. This post walks through a KQL analytic rule that correlates Azure AD, Windows Security logs, and Unix syslog to detect suspicious clusters of password reset activity. By separating expected self-service flows, excluding noisy service accounts, and sessionizing events across hybrid identity sources, the rule highlights users exhibiting multiple reset attempts in a short timeframe, often a strong indicator of account takeover in progress.
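To show the shape of that approach concretely, here is an added example query written for this page; it is not the rule from the post. It assumes the three sources have already been normalised into one table with TimeGenerated, Source, TargetUser, Actor and Result columns, that service accounts follow a "svc-" naming convention, and that a 10-minute gap / 1-hour session and a three-attempt threshold are reasonable; all of those, and the sample rows, are assumptions for the example.

```kql
// Constructed sample data standing in for Azure AD audit, Windows Security and
// Unix syslog password-reset events after normalisation (assumed schema).
let ResetEvents = datatable(TimeGenerated:datetime, Source:string, TargetUser:string, Actor:string, Result:string)
[
    datetime(2024-03-01 09:00:00), "AzureAD", "alice@contoso.com", "alice@contoso.com",    "Success", // self-service, expected
    datetime(2024-03-01 09:05:00), "AzureAD", "bob@contoso.com",   "helpdesk@contoso.com", "Success",
    datetime(2024-03-01 09:07:00), "Windows", "bob",               "helpdesk",             "Failure",
    datetime(2024-03-01 09:12:00), "Syslog",  "bob",               "root",                 "Success",
    datetime(2024-03-01 09:14:00), "AzureAD", "bob@contoso.com",   "helpdesk@contoso.com", "Failure",
    datetime(2024-03-01 11:00:00), "Windows", "svc-backup",        "SYSTEM",               "Success", // scheduled service account churn
    datetime(2024-03-01 11:02:00), "Windows", "svc-backup",        "SYSTEM",               "Success",
    datetime(2024-03-01 11:04:00), "Windows", "svc-backup",        "SYSTEM",               "Success",
    datetime(2024-03-01 15:00:00), "AzureAD", "carol@contoso.com", "helpdesk@contoso.com", "Success",
    datetime(2024-03-02 15:00:00), "AzureAD", "carol@contoso.com", "helpdesk@contoso.com", "Success"
];
let SessionGap  = 10m;   // max gap between neighbouring resets inside one session (assumed)
let SessionMax  = 1h;    // max length of one session measured from its first event (assumed)
let MinAttempts = 3;     // attempts within one session that warrant an alert (assumed)
ResetEvents
// Collapse UPN, sAMAccountName and Unix login to one key so hybrid events sessionize together
| extend UserKey = tolower(tostring(split(TargetUser, "@")[0]))
// Expected self-service flow: the actor resets their own password
| where tolower(tostring(split(Actor, "@")[0])) != UserKey
// Noisy service accounts rotate on a schedule; drop them by naming convention
| where UserKey !startswith "svc-"
// Sessionize: a new session starts on a new user, a gap > SessionGap, or SessionMax after the first event
| sort by UserKey asc, TimeGenerated asc
| extend SessionStart = row_window_session(TimeGenerated, SessionMax, SessionGap, UserKey != prev(UserKey))
| summarize Attempts   = count(),
            Failures   = countif(Result == "Failure"),
            SessionEnd = max(TimeGenerated),
            Sources    = make_set(Source),
            Actors     = make_set(Actor)
    by UserKey, SessionStart
| where Attempts >= MinAttempts
| project UserKey, SessionStart, SessionEnd, Attempts, Failures, Sources, Actors
```

On the sample rows only bob surfaces: four resets across all three sources inside nine minutes, two of them failures, by three different actors. Alice's own reset is filtered as self-service, svc-backup is excluded by name, and Carol's two resets a day apart land in separate one-event sessions. The join key is the bare account name, so a UPN and a sAMAccountName for the same person count toward one session; if your environment does not keep those aligned, that normalisation is the first thing to replace.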
Azure Lighthouse is the backbone of MSSP operations, and a quietly overlooked attack surface. This post walks through two complementary Sentinel analytic rules that detect delegation tampering, whether it's your own team making a change or an unknown party establishing a backdoor.
Attackers who have valid credentials use repeated MFA push prompts to pressure users into approving access. This post walks through a KQL analytic rule that builds a 30-day baseline of known IPs and authentication methods per user, then flags MFA denials that fall outside that established pattern, combining location and method anomalies to separate active attacks from everyday MFA noise.
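As an added illustration of the baseline-and-compare pattern described above (example query written for this page, not the rule from the post), the query below builds the per-user baseline from successful sign-ins and then scores MFA denials in a one-day alert window against it. The simplified sign-in schema, the constructed rows, the fixed reference time standing in for now(), and the severity mapping are all assumptions for this example.

```kql
// Constructed sample sign-in data. The schema is a simplified stand-in for SigninLogs
// and is an assumption for this example, as are the baseline window and the scoring.
let RefTime      = datetime(2024-03-31 00:00:00);   // "now" for this offline sample
let BaselineDays = 30d;
let AlertWindow  = 1d;
let SignIns = datatable(TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string, AuthMethod:string, Result:string)
[
    // Alice: a month of normal pushes from the office egress IP
    datetime(2024-03-02 08:30:00), "alice@contoso.com", "203.0.113.10",  "AuthenticatorPush", "Success",
    datetime(2024-03-10 08:45:00), "alice@contoso.com", "203.0.113.10",  "AuthenticatorPush", "Success",
    datetime(2024-03-20 09:05:00), "alice@contoso.com", "203.0.113.10",  "AuthenticatorPush", "Success",
    // Alice, alert window: a burst of denied pushes from an IP never seen in 30 days
    datetime(2024-03-30 22:01:00), "alice@contoso.com", "198.51.100.77", "AuthenticatorPush", "MfaDenied",
    datetime(2024-03-30 22:02:00), "alice@contoso.com", "198.51.100.77", "AuthenticatorPush", "MfaDenied",
    datetime(2024-03-30 22:04:00), "alice@contoso.com", "198.51.100.77", "AuthenticatorPush", "MfaDenied",
    // Bob: baseline is SMS from home; a denial from the same IP and method is everyday noise
    datetime(2024-03-05 18:00:00), "bob@contoso.com",   "192.0.2.25",    "Sms",               "Success",
    datetime(2024-03-15 18:10:00), "bob@contoso.com",   "192.0.2.25",    "Sms",               "Success",
    datetime(2024-03-30 18:05:00), "bob@contoso.com",   "192.0.2.25",    "Sms",               "MfaDenied",
    // Bob, alert window: a denial from a known IP but via a method he has never used
    datetime(2024-03-30 19:00:00), "bob@contoso.com",   "192.0.2.25",    "AuthenticatorPush", "MfaDenied"
];
// 1. Baseline: per user, the IPs and methods seen on successful sign-ins in the 30 days
//    before the alert window. Only successes feed it, so an attacker's own attempts
//    cannot teach the baseline their IP.
let Baseline = SignIns
    | where TimeGenerated between ((RefTime - BaselineDays) .. (RefTime - AlertWindow))
    | where Result == "Success"
    | summarize KnownIPs = make_set(IPAddress), KnownMethods = make_set(AuthMethod) by UserPrincipalName;
// 2. Denials in the alert window, scored against the baseline
SignIns
| where TimeGenerated > RefTime - AlertWindow and Result == "MfaDenied"
| join kind=leftouter Baseline on UserPrincipalName
// Users with no baseline (new joiners) get empty sets so every IP/method counts as new
| extend KnownIPs     = iff(isnull(KnownIPs), dynamic([]), KnownIPs),
         KnownMethods = iff(isnull(KnownMethods), dynamic([]), KnownMethods)
| extend NewIP     = not(set_has_element(KnownIPs, IPAddress)),
         NewMethod = not(set_has_element(KnownMethods, AuthMethod))
| where NewIP or NewMethod                       // denials inside the pattern are the everyday noise
| summarize Denials     = count(),
            FirstDenial = min(TimeGenerated),
            LastDenial  = max(TimeGenerated),
            NewIPs      = make_set_if(IPAddress, NewIP),
            NewMethods  = make_set_if(AuthMethod, NewMethod)
    by UserPrincipalName
// Location and method anomalies together outrank either alone (assumed severity mapping)
| extend Severity = case(array_length(NewIPs) > 0 and array_length(NewMethods) > 0, "High",
                         array_length(NewIPs) > 0, "Medium",
                         "Low")
| project UserPrincipalName, Severity, Denials, FirstDenial, LastDenial, NewIPs, NewMethods
```

On the sample rows Alice comes out Medium with three denials from 198.51.100.77 in three minutes, Bob's 18:05 SMS denial from his usual address is dropped as in-pattern noise, and his 19:00 push denial comes out Low because only the method is new. Two caveats when running this against real SigninLogs: a freshly onboarded workspace has no 30 days of history, so every user looks anomalous for the first month, and a baseline keyed on exact IP will churn for mobile and CGNAT users, where a network prefix or the sign-in location fields are a better key.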
About me
I'm a Principal Security Analyst who enjoys diving deep into security topics and writing about the process. This blog lives on GitHub Pages and contains blog posts and KQL query files that are free to use.