Use Cases

Practical scenarios

Typical scenarios and suitable solution approaches from the perspective of controls, architecture, and operations. We consider not only features, but also dependencies, operability, and feasibility in an enterprise context.

Identity & Access

Enforce MFA and block legacy protocols

Password spraying, Basic Auth, overly broad exceptions

SCENARIO

Phishing and password spraying lead to account takeover—especially where legacy authentication (POP/IMAP/SMTP AUTH) is still enabled or Conditional Access exceptions are too broad.
  • Risk
    Bypassing modern controls, persistence via refresh tokens, and lateral movement in M365.
  • Typical causes
    Break-glass accounts without governance, “temporary” exceptions, and missing named locations.
  • Signal
    Anomalous sign-ins, MFA fatigue, recurring failed logins from changing ASN/geographies.

RESPONSE

Target state: “No legacy auth” plus risk-based authentication as a mandatory identity baseline.
  • Conditional Access policies
    standardize by role/risk (user, admin, workload).
  • Legacy auth
    disable tenant-wide and systematically phase out exceptions (sunset plan).
  • Break-glass
    as a controlled emergency procedure (separate, monitored, tested).
  • Admin roles
    only just-in-time via PIM (MFA, approval, ticket reference).
  • Session controls and token lifetimes
    review (token theft resilience, sign-in frequency).
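As an added illustration (not code from the page or from XELANED), the spray signal described in the scenario and the legacy-auth sunset step above can both be checked against exported sign-in records: one function lists accounts still using legacy protocols, the other flags spray-like failure patterns. The record shape is a simplified, constructed subset of Entra ID sign-in log fields; the sample rows, the ASN keying and the thresholds are assumptions.

```python
"""Added example: check Entra ID sign-in records for legacy authentication
and password-spray patterns. The record shape is a simplified subset of the
signInLogs fields; all sample data below is constructed."""
from collections import defaultdict

# clientAppUsed values Entra reports for modern authentication. Anything
# else (IMAP4, POP3, Authenticated SMTP, Exchange ActiveSync, Other clients)
# cannot satisfy MFA and is what a "block legacy auth" CA policy stops.
MODERN_CLIENTS = {"Browser", "Mobile Apps and Desktop clients"}
BAD_PASSWORD = 50126  # AADSTS50126: invalid username or password


def rec(user, client, ip, asn, country, error=0):
    """Build one simplified sign-in record (constructed helper)."""
    return {"user": user, "client": client, "ip": ip, "asn": asn,
            "country": country, "error": error}


SIGNINS = [  # constructed sample: one spray from ASN 64502, one IMAP user
    rec("alice@contoso.example", "Browser", "203.0.113.10", 64500, "DE"),
    rec("alice@contoso.example", "Browser", "203.0.113.10", 64500, "DE", BAD_PASSWORD),
    rec("bob@contoso.example", "IMAP4", "198.51.100.7", 64501, "DE"),
    rec("carol@contoso.example", "Other clients", "192.0.2.55", 64502, "NL", BAD_PASSWORD),
    rec("dave@contoso.example", "Other clients", "192.0.2.55", 64502, "NL", BAD_PASSWORD),
    rec("erin@contoso.example", "Other clients", "192.0.2.56", 64502, "NL", BAD_PASSWORD),
    rec("frank@contoso.example", "Other clients", "192.0.2.57", 64502, "NL", BAD_PASSWORD),
]


def legacy_auth_users(signins):
    """Accounts still authenticating over legacy protocols: the exception
    list a sunset plan has to work through before tenant-wide blocking."""
    return sorted({s["user"] for s in signins if s["client"] not in MODERN_CLIENTS})


def spray_sources(signins, min_accounts=3, max_per_account=2):
    """Password spraying: one source failing against many distinct accounts,
    only a few tries each to stay below lockout. Keyed by ASN rather than IP
    because the source addresses rotate inside one provider."""
    attempts = defaultdict(lambda: defaultdict(int))
    for s in signins:
        if s["error"] == BAD_PASSWORD:
            attempts[s["asn"]][s["user"]] += 1
    return {asn: sorted(users) for asn, users in attempts.items()
            if len(users) >= min_accounts
            and max(users.values()) <= max_per_account}
```

In production the same logic runs as a Sentinel analytic rule over SigninLogs; the thresholds here are starting points that each tenant tunes against its own baseline.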

MICROSOFT STACK

  • Entra ID
    Conditional Access, Authentication Methods, Identity Protection
  • Entra PIM
    Just-in-time privileges, approval, alerts
  • Defender for Office 365
    Phishing protection (if M365 is in use)

Operate privileged access properly

Role sprawl, missing reviews, unclear break-glass strategy

SCENARIO

Privileged accounts remain permanently active, roles grow historically (“role sprawl”), reviews are missing, and changes are not traceable.
  • Risk
    Privilege escalation, uncontrolled admin path creation, audit findings (“who had access when and why?”).
  • Typical gaps
    No separate admin identities, no approval flow, no periodic reviews.
  • Signal
    Permanent memberships in highly privileged roles, rarely used but still active rights.

RESPONSE

  • PIM activation for roles
    MFA, approval, activation window, justification, and ticket reference.
  • Break-glass
    defined usage criteria, strong authentication, monitoring, and regular tests.

MICROSOFT STACK

  • Entra ID
    Identity provider, SSO, Conditional Access
  • Entra PIM
    Just-in-Time, Approval, Privileged Role Management
  • Entra Access Reviews
    Regular access reviews and recertification
  • Purview Audit
    for evidence

Endpoint & Workplace

Standardized device onboarding (zero-touch)

Inconsistent images, slow rollouts, audit gaps

SCENARIO

Devices are rolled out heterogeneously and manually. Configurations drift, baseline security is inconsistent, and new devices take too long to become productive.
  • Risk
    Misconfigurations, shadow IT, unpatched clients, unclear compliance status.
  • Typical causes
    No standardized enrollment, no golden config, no lifecycle process.
  • Signal
    High variance in policies, many “not compliant” states, long onboarding times.

RESPONSE

  • Lifecycle process
    Joiner/mover/leaver, device replacement, lost-device runbook.

MICROSOFT STACK

  • Intune
    Device management, policies, compliance
  • Windows Autopilot
    Zero-touch provisioning and enrollment
  • Defender for Endpoint
    EDR, ASR rules, device risk signals
  • Entra ID
    Device Join/CA

Ransomware resilience on endpoints

Local admin rights, unclear recovery capability, limited telemetry

SCENARIO

Ransomware risk on endpoints: macro/phishing ingress, local admin rights, poor patch hygiene, and missing recovery processes.
  • Risk
    Encryption plus exfiltration, lateral movement, and downtime of critical processes.
  • Typical gaps
    No attack surface reduction, no app control, unclear backup/restore tests.
  • Signal
    Exploit alerts, suspicious process chains, mass file renames, credential dumping.

RESPONSE

  • Hardening
    ASR rules, Controlled Folder Access, macro policies, minimize local admin rights.
  • EDR tuning
    Defender telemetry, minimize exclusions, alert handling via SOC runbooks.
  • Patch and update discipline
    Update rings, quality KPIs (e.g., “patch compliance > 95%”).
  • Recovery
    Recovery runbooks, regular restore tests (RTO/RPO), and lessons learned.

MICROSOFT STACK

  • Defender for Endpoint
    ASR/EDR
  • Intune
    Policy Rollout
  • Sentinel
    Correlation/Playbooks
  • Purview Audit
    Evidence

SOC & Detection Engineering

SIEM implementation with a measurable use case

“Collect logs” without a detection backlog, costs escalate

SCENARIO

A SIEM is “purchased” without prioritized use cases, a data strategy, or an operating model. Result: many logs, little impact.
  • Risk
    Alert fatigue, high costs, insufficient coverage of relevant tactics/techniques.
  • Typical causes
    No MITRE mapping, no content lifecycle, unclear responsibilities.
  • Signal
    High false-positive rate, low mean time to detect, poorly maintained rules.

RESPONSE

  • Data strategy
    which sources, what normalization, and what retention model (cost/benefit).
  • Content Engineering
    Version analytic rules, watchlists, UEBA signals, and playbooks (SOAR).
  • Operating Model
    On-call, triage SLAs, escalation, regular tuning (monthly detection review).
  • KPIs
    MTTD/MTTR, false-positive rate, MITRE coverage, incident quality.

MICROSOFT STACK

  • Sentinel
    KQL, Analytic Rules, SOAR
  • Defender XDR
    Incident hub
  • Azure Monitor/Log Analytics
    Telemetry, KQL queries, alerts

AD attack path detection (hybrid)

Kerberoasting, DCSync, lateral movement, outdated tiering models

SCENARIO

Hybrid identity with classic AD: attackers exploit weak paths (delegations, outdated DCs, unprotected admin sessions) for privilege escalation up to Domain Admin.
  • Risk
    Complete domain compromise, ticket theft, golden/silver tickets.
  • Typical gaps
    Unclear tiering models, missing LAPS, insufficient DC hardening.
  • Signal
    Suspicious Kerberos events, unusual privilege assignments, LDAP anomalies.

RESPONSE

  • Monitoring
    MDI alerts + Sentinel correlation, fixed triage playbooks.
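An added example (not from the page or from the Microsoft products named) of the kind of correlation behind the "suspicious Kerberos events" signal and the MDI/Sentinel monitoring step: one account requesting RC4 service tickets for many distinct service accounts within a short window, as recorded in Windows Security event 4769. Field names follow the 4769 event data; the events, the window and the threshold are constructed assumptions.

```python
"""Added example: flag Kerberoasting-style activity in Security event 4769
(Kerberos service ticket requested) records. Field names follow the event
data; the events below and the thresholds are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"   # TicketEncryptionType for RC4, the type roasting tools request
SUCCESS = "0x0"     # Status: ticket issued
WINDOW = timedelta(minutes=10)


def ev(t, user, service, etype=RC4_HMAC, ip="10.0.0.5"):
    """Build one simplified 4769 record (constructed helper)."""
    return {"TimeCreated": datetime.fromisoformat(t), "TargetUserName": user,
            "ServiceName": service, "TicketEncryptionType": etype,
            "IpAddress": ip, "Status": SUCCESS}


EVENTS = [  # constructed: jdoe pulls RC4 tickets for five SPN accounts in seconds
    ev("2024-05-01T09:00:00", "jdoe@CORP", "svc_sql01"),
    ev("2024-05-01T09:00:02", "jdoe@CORP", "svc_web02"),
    ev("2024-05-01T09:00:03", "jdoe@CORP", "svc_backup"),
    ev("2024-05-01T09:00:05", "jdoe@CORP", "svc_sccm"),
    ev("2024-05-01T09:00:06", "jdoe@CORP", "svc_report"),
    ev("2024-05-01T09:30:00", "asmith@CORP", "fileserver01$", etype="0x12", ip="10.0.0.9"),
    ev("2024-05-01T11:00:00", "asmith@CORP", "svc_sql01", ip="10.0.0.9"),
]


def kerberoast_candidates(events, min_services=5, window=WINDOW):
    """Accounts that obtained RC4 tickets for >= min_services distinct service
    accounts inside `window`. Computer accounts (ServiceName ending in $) and
    krbtgt are excluded: they produce most normal 4769 volume and their long
    random passwords are not a cracking target. Tune the threshold and add an
    allow-list for known RC4-only services before turning this into an alert."""
    by_user = defaultdict(list)
    for e in events:
        if (e["TicketEncryptionType"] == RC4_HMAC and e["Status"] == SUCCESS
                and not e["ServiceName"].endswith("$")
                and e["ServiceName"].lower() != "krbtgt"):
            by_user[e["TargetUserName"]].append((e["TimeCreated"], e["ServiceName"]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # sliding window from each request
            in_window = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(in_window) >= min_services:
                hits[user] = sorted(in_window)
                break
    return hits
```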

MICROSOFT STACK

  • Defender for Identity
    MDI
  • Defender for Endpoint
    EDR, ASR rules, device risk signals
  • Sentinel
    Correlation
  • Entra ID
    Hybrid Identity Controls

Data & Compliance

Data classification and DLP in M365

Unclear protection requirements, shadow sharing, missing audit trails

SCENARIO

Business data resides in M365 but is not classified consistently. DLP is selective, shadow copies and “share-by-default” increase exfiltration risk.
  • Risk
    Data exfiltration (email/Teams/SharePoint/OneDrive), regulatory findings, reputational damage.
  • Typical causes
    No taxonomy, no owner processes, DLP without piloting and exceptions.
  • Signal
    External shares, untagged sensitive files, recurring policy bypasses.

RESPONSE

  • Evidence management
    Audit reports, policy changes, exception rules with approval workflow.

MICROSOFT STACK

  • Purview
    Labels, DLP, Audit, eDiscovery
  • Entra ID
    B2B, CA
  • Defender for Cloud Apps
    CASB, app governance, shadow IT

Workload governance in Azure (Landing Zones)

Sprawl, missing RBAC boundaries, non-auditable policies

SCENARIO

Azure workloads grow quickly, but without guardrails. Subscriptions, RBAC, networking, and policies are inconsistent—security is added “after the fact.”
  • Risk
    Open endpoints, over-privileged roles, missing segregation, unclear cost and ownership responsibilities.
  • Typical causes
    No landing zone, no policy-as-code, no operating model.
  • Signal
    Drift across subscriptions, recurring Defender findings, manual exceptions.

RESPONSE

  • RBAC standard
    Role models, PIM for Azure, break-glass, regular reviews.
  • Security operations
    Defender for Cloud, continuous export, Sentinel integration, regular posture reviews.

MICROSOFT STACK

  • Azure Policy
    Policy-as-code and compliance
  • Azure Monitor/Log Analytics
    Telemetry, KQL queries, alerts
  • Defender for Cloud
    CSPM, recommendations, secure score
  • Entra ID
    RBAC, PIM
  • Arc for hybrid (if applicable)
    Hybrid onboarding and policy enforcement

Delivery blueprint per use case

So that use cases do not stop at PowerPoint, each implementation is translated into a standardized delivery model: scope, artifacts, operational handover, and evidence.

Design & decision foundations

  • Current-state assessment (tenant/AD/client/logs) and risk/gap analysis
  • Architecture decisions (ADR): options, assumptions, trade-offs
  • Backlog with prioritization (quick wins vs. structural measures)

Implementation

  • Policies/baselines as code (where appropriate) + change windows
  • Pilot → wave rollout → checkpoints (KPIs/acceptance)
  • Exceptions with justification and expiry date (exception register)

Operations & evidence

  • Runbooks, monitoring/alert set, on-call handover
  • Evidence chain: policy/config → log/report → repository → review
  • Exercises: tabletop/IR exercise, restore test, access reviews

Metrics (examples)

  • Identity
    MFA rate, CA coverage, PIM activations, risky sign-ins
  • Endpoint
    Compliance rate, baseline drift, EDR coverage, TVM backlog
  • SOC
    MTTD/MTTR, incident volume, false-positive rate, use-case coverage
  • Compliance
    Evidence completeness, review cadence, exception aging

Typical pitfalls

  • Too many exception rules in Conditional Access without an expiry date
  • Incomplete log sources (e.g., M365 Audit, Entra, endpoint) → gaps in evidence
  • Missing role model (RACI) → unclear ownership, slow remediation
  • Security controls without a change/release process → drift and “policy erosion”

What would you like to do now?

XELANED specialists are available at any time for the next steps. Together, we prioritize topics, clarify dependencies, and choose an approach that fits your environment both technically and organizationally.

Project planning

We discuss scope and dependencies and create a reliable implementation plan.