Fall 2025 Update

Author: alexverboon

docs/entraid.md

@@ -1761,6 +1761,9 @@
 
 ## Community Blogs
 
+- [Disable Entra Connect Seamless SSO – Step-by-Step Guide](https://www.cloudcoffee.ch/microsoft-azure/disable-entra-connect-seamless-sso/)
+- [Some policies I use in Conditional Access](https://conditionalaccess.uk/some-policies-i-use-in-conditional-access/)
+- [Token Theft to Account Takeover: How a Stolen Entra ID Token Can Bypass Two-Factor Authentication (MFA)](https://medium.com/@benj_774/token-theft-to-account-takeover-how-a-stolen-entra-id-token-can-bypass-two-factor-authentication-7d3e37311134)
 - [Detect threats using GraphAPIAuditEvents - Part 3](https://cloudbrothers.info/detect-threats-graphapiauditevents-part-3/)
 - [Detect threats using Microsoft Graph activity logs - Part 2](https://cloudbrothers.info/detect-threats-microsoft-graph-logs-part-2/)
 - [Detect threats using Microsoft Graph activity logs - Part 1](https://cloudbrothers.info/detect-threats-microsoft-graph-logs-part-1/)
@@ -1855,6 +1858,7 @@
 - [AAGUIDs](https://aaguid.nicolasuter.ch/)
 - [Microsoft 365 Message Center Archive](https://mc.merill.net/)
 - [Tier 0 Table](https://github.com/SpecterOps/TierZeroTable/)
+- [https://www.entradocumentation.com/](https://www.entradocumentation.com/)
 
 ## EntraOps Classification and Automation
 

docs/mdc.md

@@ -352,6 +352,7 @@
 
 ## Community Blogs
 
+- [Hunting Ransomware in Storage Accounts (When You Can't Afford Defender)](https://www.itprofessor.cloud/sentinel-storage-account-ransomware-hunting/)
 - [AI workload threat protection in Microsoft Defender for Cloud](https://jeffreyappel.nl/ai-workload-threat-protection-in-microsoft-defender-for-cloud/)
 - [AZURE PENTESTING — EXPLOITING THE ANONYMOUS ACCESS TO THE BLOB STORAGE — Draft Eng — Updated :)](https://braropad.medium.com/azure-pentesting-exploiting-the-anonymous-access-to-the-blob-storage-draft-english-d80f3831a590)
 - [Understanding Microsoft CNAPP: How Defender for Cloud Secures Your Multicloud Workloads](https://www.basevision.ch/understanding-microsoft-cnapp-how-defender-for-cloud-secures-your-multicloud-workloads/)

docs/mdca.md

@@ -34,6 +34,8 @@
 
 ## Community Blogs
 
+- [Mastering Policies in Defender for Cloud Apps: A Deep Dive for the SOC Trenches](https://www.itprofessor.cloud/defender-for-cloud-apps-policy-management-deep-dive/)
+- [A SOC Analyst's Introduction to Defender for Cloud Apps](https://www.itprofessor.cloud/defender-for-cloud-apps-shadow-it-guide/)
 - [How to check for OAuth apps with specific Graph permissions assigned](https://jeffreyappel.nl/how-to-check-for-oauth-apps-with-specific-graph-permissions-assigned/)
 - [How to secure OAuth apps with App Governance in Defender XDR](https://jeffreyappel.nl/how-to-secure-oauth-apps-with-app-governance-in-defender-xdr/)
 - [Block apps (discovered/ shadow IT) with Defender for Cloud Apps and Defender for Endpoint](https://jeffreyappel.nl/block-apps-discovered-shadow-it-with-defender-for-cloud-apps-and-defender-for-endpoint/)

docs/mde.md

@@ -263,6 +263,7 @@
 
 ## Community Blogs
 
+- [Guidance on how to manage products updates for Defender for Server on Linux distributions](https://vertho.tech/2025/08/27/guidance-on-how-to-manage-products-updates-for-defender-for-server-on-linux-distributions/)
 - [Tracking a device’s IP assignments with MDE’s DeviceNetworkInfo table](https://medium.com/@cybureauocracy/tracking-a-devices-ip-assignments-with-mde-s-devicenetworkinfo-table-430270ca539e)
 - [MDE’s DeviceNetworkEvents table [Part 2 — Connection* ActionTypes]](https://medium.com/@cybureauocracy/mdes-devicenetworkevents-table-part-2-connection-actiontypes-1c5ee20d2fc4)
 - [Understanding MDE’s DeviceNetworkEvents table for SOC analysts [Part 1 — Overview]](https://medium.com/@cybureauocracy/mdes-devicenetworkevents-table-for-soc-analysts-part-1-overview-094ca99b50c9)
@@ -365,3 +366,9 @@
 - [Powershell Digital Forensics & Incident Response](https://github.com/Bert-JanP/Incident-Response-Powershell)
 - [Defender for Endpoint docs](https://github.com/MicrosoftDocs/defender-docs/tree/public/defender-endpoint)
 - [Microsoft Vulnerable Driver Block Lists](https://github.com/Cyb3r-Monk/Microsoft-Vulnerable-Driver-Block-Lists)
+- [Deploying Defender for Endpoint for macOS using Microsoft Intune](https://github.com/yujiaoMSFT/Microsoft-Defender-For-Endpoint/blob/main/macOS/Deploy-MDE-macOS-with-Intune/readme.md)
+- [MDE Monitoring App](https://github.com/chlaplan/MDE-Monitoring-App)
+
+## Simulations
+
+- [Microsoft Defender for Endpoint - demonstration scenarios](https://learn.microsoft.com/en-us/defender-endpoint/defender-endpoint-demonstrations)

docs/mdi.md

@@ -7,6 +7,7 @@
 
 ## Microsoft Tech Community Blogs
 
+- [Announcing General Availability: Unified identity and endpoint sensor](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/announcing-general-availability-unified-identity-and-endpoint-sensor/4463585)
 - [Monthly news - October 2025](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/monthly-news---october-2025/4458349)
 - [How Microsoft Defender helps security teams detect prompt injection attacks in Microsoft 365 Copilot](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/how-microsoft-defender-helps-security-teams-detect-prompt-injection-attacks-in-m/4457047)
 - [Announcing General Availability: Unified identity and endpoint sensor](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/announcing-general-availability-unified-identity-and-endpoint-sensor/4463585)

docs/mdxdr.md

@@ -9,6 +9,8 @@
 
 ## Microsoft Tech Community Blogs
 
+- [Custom detections are now the unified experience for creating detections in Microsoft Defender](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/custom-detections-are-now-the-unified-experience-for-creating-detections-in-micr/4463875)
+- [How Microsoft Defender helps security teams detect prompt injection attacks in Microsoft 365 Copilot](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/how-microsoft-defender-helps-security-teams-detect-prompt-injection-attacks-in-m/4457047)
 - [Protect Copilot Studio AI Agents in Real Time with Microsoft Defender](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/protect-copilot-studio-ai-agents-in-real-time-with-microsoft-defender/4446560)
 - [Protect against OAuth Attacks in Salesforce with Microsoft Defender](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/protect-against-oauth-attacks-in-salesforce-with-microsoft-defender/4450584)
 - [Custom detection rules get a boost—explore what’s new in Microsoft Defender](https://techcommunity.microsoft.com/blog/microsoftthreatprotectionblog/custom-detection-rules-get-a-boost%E2%80%94explore-what%E2%80%99s-new-in-microsoft-defender/4443602)
@@ -103,6 +105,7 @@
 
 ## Community Blogs
 
+- [The ultimate Defender XDR RBAC visualization](https://vertho.tech/2025/09/29/the-ultimate-defender-xdr-rbac-visualization/)
 - [Remove old or orphaned Sentinels from the XDR Streaming API](https://cloudbrothers.info/remove-orphaned-sentinels-xdr-streaming-api/)
 - [Detect security policy changes](https://www.lousec.be/ad/detect-security-policy-changes/)
 - [Windows Defender: Threat Hunting Campaign Ideas](https://www.linkedin.com/pulse/windows-defender-threat-hunting-campaign-ideas-adair-collins-lefze/)
@@ -137,6 +140,7 @@
 - [EDR Telemetry](https://www.edr-telemetry.com/index.html)
 - [GraphWeaver: Billion-Scale Cybersecurity Incident Correlation](https://arxiv.org/abs/2406.01842)
 - [(Microsoft XDR table schema](https://xdrinternals.com/)
+- [Defender XDR RBAC](https://vertho.tech/rbac-xdr/)
 
 ## Attack Simulations & Testing
 

docs/sentinel.md

@@ -8,6 +8,7 @@
 
 ## Microsoft Tech Community Blogs
 
+- [Using Microsoft Sentinel MCP Server with GitHub Copilot for AI-Powered Threat Hunting](https://techcommunity.microsoft.com/blog/coreinfrastructureandsecurityblog/using-microsoft-sentinel-mcp-server-with-github-copilot-for-ai-powered-threat-hu/4464980)
 - [Introducing Microsoft Sentinel graph (Public Preview)](https://techcommunity.microsoft.com/blog/microsoft-security-blog/introducing-microsoft-sentinel-graph-public-preview/4456368)
 - [Microsoft Sentinel data lake is now generally available](https://techcommunity.microsoft.com/blog/microsoft-security-blog/microsoft-sentinel-data-lake-is-now-generally-available/4456342)
 - [New bi-directional export for TI in Microsoft Sentinel and strategic Cyware partnership](https://techcommunity.microsoft.com/blog/microsoftsentinelblog/new-bi-directional-export-for-ti-in-microsoft-sentinel-and-strategic-cyware-part/4457947)
@@ -579,6 +580,9 @@
 
 ## Community Blogs
 
+- [Boost Your TI: Integrating Free AlienVault OTX IOCs into Microsoft Sentinel](https://medium.com/@benj_774/boost-your-ti-integrating-free-alienvault-otx-iocs-into-microsoft-sentinel-02d6a743ddb9)
+- [Sentinel Watchlists: A Diamond in the rough](https://medium.com/@benj_774/sentinel-watchlists-a-diamond-in-the-rough-16f214f24416)
+- [The KQL User Audit Playbook: Your Template for Investigations](https://www.itprofessor.cloud/kql-user-audit-playbook/)
 - [Protecting Your Microsoft Sentinel Solution from Deletion or Corruption](https://cybermohr.ghost.io/2025/05/28/protecting-your-microsoft-sentinel-solution-from-deletion-or-corruption/)
 - [SentinelCodeGuard: A Journey from Concept to VS Code Plugin](https://sentinel.blog/sentinelcodeguard-a-journey-from-concept-to-vs-code-plugin/)
 - [SentinelCodeGuard: Revolutionising Microsoft Sentinel Rule Development](https://sentinel.blog/sentinelcodeguard-revolutionizing-microsoft-sentinel-rule-development/)

docs/social.md

@@ -91,11 +91,12 @@
 - [Ru Campell](https://twitter.com/rucam365)
 - [Sami Lamppu](https://twitter.com/samilamppu)
 - [Thijs](@thijslecomte)
+- [Thomas Kurth](https://twitter.com/ThomasKurth_ch)
 - [Thomas Naunheim](https://www.linkedin.com/in/thomasnaunheim/)
+- [Thomas Verheyden](https://x.com/ThomasVrhydn)
 - [Yiannis](https://twitter.com/Sec_GroundZero)
 - [Dylan 👾AttacktheSOC](https://twitter.com/dylaninfosec)
 - [Samik Roy](https://twitter.com/roy_samik)
-- [Thomas Kurth](https://twitter.com/ThomasKurth_ch)
 - [Kenneth van Surksum](https://x.com/kennethvs)
 - [Daniel Chronlund](https://twitter.com/DanielChronlund)
 - [Joe Stocker](https://twitter.com/ITguySoCal)