Microsoft 365 Defender articles https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/bg-p/MicrosoftThreatProtectionBlog Microsoft 365 Defender articles Wed, 20 Oct 2021 07:46:22 GMT MicrosoftThreatProtectionBlog 2021-10-20T07:46:22Z Assign incidents and alerts to someone else https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/assign-incidents-and-alerts-to-someone-else/ba-p/2806912 <H2>You can now assign incidents and alerts to someone else in your organization</H2> <P>&nbsp;</P> <P>To control and manage incidents and alerts in the organization, you sometimes need to assign them to a specific analyst. Now you can do that right from the incident queue in Microsoft 365 Defender.</P> <P>&nbsp;</P> <P><STRONG>How does it work?</STRONG></P> <P>&nbsp;</P> <P>From the incident or alert side pane in the <A href="#" target="_blank">incident queue</A> or on the incident page, select <STRONG>Manage incident/alert</STRONG> and choose the user account you want to assign.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Idan_Pelleg_10-1633262326506.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314655iE07DCA4008F95460/image-size/medium?v=v2&amp;px=400" role="button" title="Idan_Pelleg_10-1633262326506.png" alt="Idan_Pelleg_10-1633262326506.png" /></span></P> <P>&nbsp;</P> <P>By default, the first entry in the “Assign to” drop-down menu is yourself (labeled “Me”).</P> <P>Note that you can pick any user in the organization, but assignment does not grant access: only users who already have access to the Microsoft 365 Defender portal will be able to view the incident or alert. 
To help you pick the most relevant people in the organization, the remaining default suggestions are the assignees you chose most recently.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Idan_Pelleg_11-1633262337652.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/314656i0169C1314E8AD7E8/image-size/small?v=v2&amp;px=200" role="button" title="Idan_Pelleg_11-1633262337652.png" alt="Idan_Pelleg_11-1633262337652.png" /></span></P> <P>&nbsp;</P> <P>Once an incident is assigned, the assignee can filter the queue to see only incidents assigned to them. A SOC manager who dispatches the incident queue can also filter for all unassigned incidents or alerts and pick the ones they want to assign.</P> <P>&nbsp;</P> Sun, 03 Oct 2021 14:29:59 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/assign-incidents-and-alerts-to-someone-else/ba-p/2806912 Idan_Pelleg 2021-10-03T14:29:59Z New Incident Graph view in Microsoft 365 Defender https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/new-incident-graph-view-in-microsoft-365-defender/ba-p/2710668 <P>The new incident graph helps you quickly understand and visualize the full timeline and related entities of an attack by connecting the different suspicious entities with their related assets such as users, devices, mailboxes and applications. 
The graph presents a holistic view of how an attack spread through an environment over time, where it started and how far the attacker went.&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Animation1.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/307572iAAE6A73AC7E1B383/image-size/large?v=v2&amp;px=999" role="button" title="Animation1.gif" alt="Animation1.gif" /></span></P> <H5><EM>&nbsp;Play the attack over time</EM></H5> <P>&nbsp;</P> <H2>Now you will be able to:</H2> <UL> <LI><STRONG>See how the&nbsp;incident’s alerts are connected<BR /></STRONG>With one glance you can see the connection of alerts to the impacted assets in your organization.&nbsp;</LI> <LI><STRONG>Pivot to alerts directly from the&nbsp;graph</STRONG><BR />You can view the alerts right from the&nbsp;graph&nbsp;page and quickly drill down to view more details.&nbsp;</LI> <LI><STRONG>Open the entity details directly from the&nbsp;graph</STRONG><BR />You can view the entities details without losing orientation directly from the graph and act on them with response options like file delete, device isolation, etc.</LI> <LI><STRONG>Highlight the entities related to an alert<BR /></STRONG>Easily see which entities are related to which alerts and how they are part of the story of the attack.&nbsp;</LI> </UL> <P>To easily investigate the incident and to help get you oriented, you can select specific alerts for which you want to highlight relevant entities.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Idan_Pelleg_0-1630571753395.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/307576i4B1E99DBED2FC6BC/image-size/large?v=v2&amp;px=999" role="button" title="Idan_Pelleg_0-1630571753395.png" alt="Idan_Pelleg_0-1630571753395.png" /></span></P> <H5><EM>&nbsp;Highlight specific 
nodes on the graph based on the alert</EM></H5> <P>&nbsp;</P> <P>You can drill down to each alert directly from the graph, as well as open the entity side pane.</P> <P>This lets you review the entity details and take remediation actions, such as deleting a file or isolating a device.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Idan_Pelleg_1-1630571863612.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/307577iE552935A060A8E52/image-size/large?v=v2&amp;px=999" role="button" title="Idan_Pelleg_1-1630571863612.png" alt="Idan_Pelleg_1-1630571863612.png" /></span></P> <P>&nbsp;</P> <P>You can now review, investigate, and remediate attacks while seeing the full story of the attack right away and understanding how the entities are connected to each other.</P> <P>The incident graph in Microsoft 365 Defender is available from the new <STRONG>Graph</STRONG> tab of an incident.</P> <P>&nbsp;</P> <P><STRONG>See also</STRONG></P> <UL> <LI><A href="#" target="_blank" rel="noopener">Incidents overview</A></LI> <LI><A href="#" target="_blank" rel="noopener">Manage incidents</A></LI> <LI><A href="#" target="_blank" rel="noopener">Investigate incidents</A></LI> </UL> <P>&nbsp;</P> Thu, 02 Sep 2021 18:09:34 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/new-incident-graph-view-in-microsoft-365-defender/ba-p/2710668 Idan_Pelleg 2021-09-02T18:09:34Z Advanced Hunting: Surfacing more email data from Microsoft Defender for Office 365 https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/advanced-hunting-surfacing-more-email-data-from-microsoft/ba-p/2678118 <P>As part of this update, we have added new columns that enable more relevant and effective investigations. 
These additions to the EmailEvents, EmailAttachmentInfo, and EmailPostDeliveryEvents tables are currently available in public preview.</P> <P>We've made the following updates to these tables:</P> <P>&nbsp;</P> <UL> <LI><STRONG>AuthenticationDetails (EmailEvents table)</STRONG><SPAN>&nbsp;</SPAN>– This column includes detailed information about the different authentication checks that were applied or analyzed, such as SPF, DKIM, DMARC, and CompAuth. SPF, DKIM, and DMARC are the industry-standard checks; composite authentication (CompAuth) is a value indicating that a combination of these checks was used to determine whether the message is authentic. It uses the domain in the <EM>From</EM> field of the email as the basis for the evaluation.</LI> </UL> <P><EM>Note:</EM><SPAN>&nbsp;</SPAN>In some cases, a record will not show all the values in this column. This can occur when only a partial check was needed to return a verdict for the email.</P> <UL> <LI><STRONG>FileSize (EmailAttachmentInfo table)<SPAN>&nbsp;</SPAN></STRONG>– This column provides the size of an email attachment in bytes.</LI> <LI><STRONG>ThreatTypes and detection details (EmailPostDeliveryEvents table)</STRONG><SPAN>&nbsp;</SPAN>– Before the update, the <EM>EmailPostDeliveryEvents</EM> table already contained information about all actions attempted on an email after delivery, including ZAP and manual remediation actions. In addition to the action metadata, we've added details about threats and detection methods (when applicable) as separate columns within the table. This is useful for hunting scenarios involving delayed weaponization or updated verdicts, where an email that looked clean at delivery time is later found to be malicious. 
For these cases, join the post-delivery events with the EmailEvents table (for example on NetworkMessageId) to get a more comprehensive view.</LI> </UL> <P>Here are a few examples that make use of these fields:</P> <P>&nbsp;</P> <LI-CODE lang="sql">// Check for spoofing attempts on the domain with SPF fails
EmailEvents
| where Timestamp &gt; ago(1d)
    and DetectionMethods contains "spoof"
    and SenderFromDomain has "contoso.com"
// Parse the AuthenticationDetails JSON so the individual checks can be expanded into columns
| project Timestamp, AR = parse_json(AuthenticationDetails), NetworkMessageId, EmailDirection, Subject, SenderFromAddress, SenderIPv4, ThreatTypes, DetectionMethods, ThreatNames
// bag_unpack turns each key of the JSON bag (SPF, DKIM, DMARC, CompAuth) into its own column
| evaluate bag_unpack(AR)
| where SPF == "fail"</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <LI-CODE lang="sql">// Identify potential exfiltration scenarios by querying outbound emails with large attachments
EmailEvents
| where EmailDirection == "Outbound" and AttachmentCount &gt; 0
// EmailAttachmentInfo has one row per attachment; joining on both keys matches attachments to the right recipient copy
| join EmailAttachmentInfo on NetworkMessageId, RecipientEmailAddress
// FileSize is in bytes; tune the threshold for your environment
| where toint(FileSize) &gt; 10000</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Read more about advanced hunting <A href="#" target="_blank" rel="noopener noreferrer">here</A> and learn about the schema for the email tables <A href="#" target="_blank" rel="noopener noreferrer">here</A>.</P> <P>&nbsp;</P> <P>To start hunting using these enhancements, <A href="#" target="_blank" rel="noopener noreferrer">turn on public preview features for Microsoft 365 Defender</A>. Leave a comment below with your thoughts and questions, or use the feedback button in the portal.</P> Tue, 24 Aug 2021 12:34:30 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/advanced-hunting-surfacing-more-email-data-from-microsoft/ba-p/2678118 VipulPandey 2021-08-24T12:34:30Z Microsoft 365 Defender Ninja August 2021 special edition! 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-365-defender-ninja-august-2021-special-edition/ba-p/2643022 <P>Are you enjoying the summer or winter – wherever you are in the world – and want to keep up to date with the latest and greatest? We can help you cure that need 😊</P> <P>Over the past few months, we have made big product announcements across the Microsoft Defender products and Microsoft Cloud App Security, and of course we want you to stay updated!</P> <P>With the following resources you can bring yourself up to speed, and with the knowledge check at the end you can verify what you've learned. Plus, you can request either a Ninja summer or winter special edition fun certificate to enrich your Ninja certs collection!</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SummerTheme.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/302897i25018B02C432B124/image-size/medium?v=v2&amp;px=400" role="button" title="SummerTheme.png" alt="SummerTheme.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WinterTheme.PNG" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/302898i39A78386694B67E0/image-size/medium?v=v2&amp;px=400" role="button" title="WinterTheme.PNG" alt="WinterTheme.PNG" /></span></P> <P>&nbsp;</P> <P>Legend:</P> <TABLE border="1"> <TBODY> <TR> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span> Product videos</P> </TD> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span> Webcast recordings</P> </TD> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TechCommunity.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205059iE2A42D8A7F13D7BC/image-dimensions/17x19?v=v2" width="17" height="19" role="button" title="TechCommunity.png" alt="TechCommunity.png" /></span> Tech Community</P> </TD> </TR> <TR> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span> Docs on Microsoft</P> </TD> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;Blogs on Microsoft</P> </TD> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GitHub.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205065i083675CF15D6F1EF/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="GitHub.png" alt="GitHub.png" /></span>&nbsp;GitHub</P> </TD> </TR> <TR> <TD width="208.889px" height="27px"> <P>⤴ External</P> </TD> <TD width="208.889px" 
height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="InteractiveGuides.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205067iF93A500E533F67FB/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="InteractiveGuides.png" alt="InteractiveGuides.png" /></span>&nbsp;Interactive guides</P> </TD> <TD width="208.889px" height="27px">&nbsp;</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><STRONG><U>Microsoft Defender for Endpoint</U></STRONG></P> <P>&nbsp;</P> <P>Unmanaged devices</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/unmanaged-device-protection-capabilities-are-now-generally/ba-p/2463796" target="_blank" rel="noopener">Unmanaged device protection capabilities</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Device discovery</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A 
href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909" target="_blank" rel="noopener">Endpoint Discovery - Navigating your way through unmanaged devices</A></LI> </UL> <P>Mobile threat defense</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-new-capabilities-on-android-and-ios/ba-p/2442730" target="_blank" rel="noopener">New capabilities on Android and iOS</A></LI> </UL> <P>Threat and vulnerability management</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Threat and Vulnerability Management now supports all major platforms</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/secure-configuration-assessment-for-macos-and-linux-now-in/ba-p/2320517" target="_blank" rel="noopener">Secure configuration assessment for macOS and Linux</A></LI> <LI><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/vulnerability-management-for-linux-now-generally-available/ba-p/2451145" target="_blank" rel="noopener">Vulnerability management for Linux</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/threat-amp-vulnerability-management-integrates-with-servicenow/ba-p/2454065" target="_blank" rel="noopener">Threat and vulnerability management integrates with ServiceNow VR</A></LI> </UL> <P>Device control</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/mac-updates-control-your-usb-devices-with-microsoft-defender-for/ba-p/2224439" target="_blank" rel="noopener">Control your USB devices on Mac</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" 
title="docs.png" alt="docs.png" /></span>&nbsp;<A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener">Device control for MacOS</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806" target="_blank" rel="noopener">Protect your removable storage and printers</A></LI> </UL> <P>Live response</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-live-response-api-public-preview/ba-p/2537833" target="_blank" rel="noopener">Live response API</A></LI> </UL> <P>Evaluation Lab</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/evaluation-lab-updates-device-renewal-and-new-simulations/ba-p/2519691" target="_blank" rel="noopener">Renew your lab resources and try new simulations</A></LI> <LI><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint evaluation lab</A></LI> </UL> <P>&nbsp;</P> <P><STRONG><U>Microsoft 365 Defender:</U></STRONG></P> <P>&nbsp;</P> <P>Threat Analytics</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/launching-threat-analytics-for-microsoft-365-defender/ba-p/2232724" target="_blank" rel="noopener">Threat analytics</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Overview of Threat Analytics</A></LI> </UL> <P>Advanced hunting</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Take action on advanced hunting query results</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" 
style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Data tables in the Microsoft 365 Defender advanced hunting schema</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">DeviceFromIP() function in advanced hunting</A></LI> </UL> <P>Integration and APIs</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Overview of the Streaming API</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/announcing-microsoft-365-defender-streaming-api-public-preview/ba-p/2410767" target="_blank" rel="noopener">Streaming API Announcement blog </A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Stream Microsoft 365 Defender events</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/azure-sentinel-and-microsoft-365-defender-incident-integration/ba-p/2201959" target="_blank" rel="noopener">Azure Sentinel and Microsoft 365 Defender incident integration</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Overview Azure Sentinel integration</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span><A href="#" target="_blank" rel="noopener">Azure Sentinel 
integration</A></LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span>&nbsp;Webinar: Monthly threat insights: <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/new-webinar-series-monthly-threat-insights/ba-p/2449979" target="_blank" rel="noopener">New webinar series: Monthly threat insights - Microsoft Tech Community</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG><U>Defender for Office 365:</U></STRONG></P> <P>&nbsp;</P> <P>Phishing protection</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit; background-color: #ffffff;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/microsoft-teams-gets-more-phishing-protection/ba-p/2585559" target="_blank" rel="noopener">Announcing General Availability of Safe Links for Microsoft Teams</A></LI> </UL> <P>Business Email Compromise</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Business email compromise: How Microsoft is combating this costly threat</A></LI> </UL> <P>Incident investigation</P> <UL> <LI><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/introducing-the-email-entity-page-in-microsoft-defender-for/ba-p/2275420" target="_blank" rel="noopener">Introducing the email entity page</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Spoof intelligence insight in EOP</A></LI> </UL> <P>Configuration</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/mastering-configuration-in-defender-for-office-365-part-one/ba-p/2300064" target="_blank" rel="noopener">Mastering configuration Part 1</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A 
href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-office/mastering-configuration-in-defender-for-office-365-part-two/ba-p/2307134" target="_blank" rel="noopener">Mastering configuration Part 2</A></LI> </UL> <P><SPAN>&nbsp;</SPAN>Threat Analytics</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Threat analytics report tags</A></LI> </UL> <P>Attack Simulation Training</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/announcing-exciting-updates-to-attack-simulation-training/ba-p/2455961" target="_blank" rel="noopener">Updates to Attack Simulation Training</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/setting-up-a-new-phish-simulation-program-part-one/ba-p/2412854" target="_blank" rel="noopener">Setting up a New Phish Simulation Program - Part One</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/setting-up-a-new-phish-simulation-program-part-two/ba-p/2432167" target="_blank" rel="noopener">Setting up a New Phish Simulation Program - Part Two</A></LI> </UL> <P>&nbsp;</P> <P><STRONG><U>Defender for Identity:</U></STRONG></P> <P>&nbsp;</P> <P>General:</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/de-risk-your-lateral-movement-paths-with-microsoft-defender-for/ba-p/2272503" target="_blank" rel="noopener">Use Defender for Identity to de-risk your organizations lateral movement paths</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/using-microsoft-defender-for-identity-data-to-make-powerful/ba-p/2404305" target="_blank" rel="noopener">Make powerful Advanced Hunting queries in Microsoft 365 Defender using Defender for Identity data</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Deep dive into the latest Defender for Identity detections with the engineering team</A></LI> </UL> <P>Portal Convergence:</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/microsoft-defender-for-identity-experiences-in-microsoft-365/ba-p/2414610" target="_blank" rel="noopener">Portal convergence tracking blog – with the latest updates on what’s happening and when</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/microsoft-defender-for-identity-s-settings-now-in-microsoft-365/ba-p/2493802" target="_blank" rel="noopener">Defender for Identity’s settings and configuration now in Microsoft 365 Defender</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" 
rel="noopener">Microsoft Defender for Identity in Microsoft 365 Defender</A></LI> </UL> <P>Detections</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Suspected exploitation attempt on Windows Print Spooler service</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Suspected AS-REP Roasting attack</A></LI> </UL> <P>Identity Security Posture Management assessments</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Defender for Identity legacy protocols identity security posture assessment</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Defender for Identity unconstrained Kerberos identity security posture assessment</A></LI> </UL> <P>&nbsp;</P> 
<P><STRONG><U>Cloud App Security:</U></STRONG></P> <P>&nbsp;</P> <P>3<SUP>rd</SUP> Party Integration</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">How Cloud App Security helps protect your Slack Enterprise</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">How Cloud App Security helps protect your Zendesk</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">How Cloud App Security helps protect your OneLogin</A></LI> </UL> <P>Threat Protection</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Overview - Advanced hunting</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-cloud-app-security-the-hunt-in-a-multi-stage-incident/ba-p/2193484" target="_blank" rel="noopener">The Hunt in a multi-stage incident</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/mcas-top-5-queries-you-need-to-save/ba-p/2274518" target="_blank" rel="noopener">MCAS: Top 5 Queries You Need to Save</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Hunting with Microsoft Cloud App Security data</A></LI> </UL> <P>Conditional Access App Control</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Deploy Cloud App Security Conditional Access App Control for any web app using AD FS</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" 
image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/bypass-blocking-pdf-previews-in-owa/ba-p/2194205" target="_blank" rel="noopener">Bypass Blocking PDF Previews in OWA</A></LI> </UL> <P>Data Loss Prevention</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/security-compliance-and-identity/mcas-data-protection-blog-series-mcas-dlp-walk-through/ba-p/2169900" target="_blank" rel="noopener">MCAS Data Protection Blog Series: MCAS DLP Walk-Through</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Integrate Azure Information Protection with Cloud App Security</A></LI> </UL> <P>&nbsp;</P> <P>If you want to verify what you've learned, you can take this <STRONG><A href="#" target="_blank" rel="noopener">knowledge check</A></STRONG>.</P> <P>Once you’ve finished the knowledge check, please&nbsp;<STRONG><A href="#" target="_blank" rel="noopener">click here</A>&nbsp;</STRONG>to request your certificate&nbsp;(you'll see it in your inbox within a couple of days).</P> <P>&nbsp;</P> <P>Let us know how you like it!</P> 
<P>&nbsp;</P> <P>As a reminder, the full Ninja Trainings are here:</P> <P>&nbsp;</P> <P>Microsoft 365 Defender &gt;&nbsp;<A href="#" target="_blank" rel="noopener">http://aka.ms/m365dninja</A> &nbsp;</P> <P>Microsoft Defender for Office 365 &gt;&nbsp;<A href="#" target="_blank" rel="noopener">https://aka.ms/mdoninja</A></P> <P>Microsoft Defender for Endpoint &gt;&nbsp;<A href="#" target="_blank" rel="noopener">http://aka.ms/mdeninja</A></P> <P>Microsoft Defender for Identity &gt;&nbsp;<A href="#" target="_blank" rel="noopener">http://aka.ms/mdininja</A></P> <P>Microsoft Cloud App Security &gt;&nbsp;<A href="#" target="_blank" rel="noopener">http://aka.ms/mcasninja</A></P> Fri, 13 Aug 2021 17:05:39 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-365-defender-ninja-august-2021-special-edition/ba-p/2643022 Heike Ritter 2021-08-13T17:05:39Z Microsoft 365 Defender Ninja Training: August 2021 update https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-365-defender-ninja-training-august-2021-update/ba-p/2611831 <P>We have added various new resources to the Microsoft 365 Defender Ninja training, and if you want to refresh your knowledge and get updated, here is what has been included since the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-365-defender-ninja-training-january-2021-update/ba-p/2103073" target="_blank" rel="noopener">January 2021 update</A>:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span>&nbsp;Webinar: Monthly threat insights: <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/new-webinar-series-monthly-threat-insights/ba-p/2449979" 
target="_blank" rel="noopener">New webinar series: Monthly threat insights - Microsoft Tech Community</A></P> <P>&nbsp;</P> <P>Legend:</P> <TABLE border="1"> <TBODY> <TR> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span> Product videos</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span> Webcast recordings</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TechCommunity.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205059iE2A42D8A7F13D7BC/image-dimensions/17x19?v=v2" width="17" height="19" role="button" title="TechCommunity.png" alt="TechCommunity.png" /></span> Tech Community</P> </TD> </TR> <TR> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span> Docs on Microsoft</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;Blogs on Microsoft</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GitHub.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205065i083675CF15D6F1EF/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="GitHub.png" alt="GitHub.png" /></span>&nbsp;GitHub</P> </TD> </TR> <TR> <TD width="209.333px" height="28px"> <P>⤴ External</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="InteractiveGuides.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205067iF93A500E533F67FB/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="InteractiveGuides.png" alt="InteractiveGuides.png" /></span>&nbsp;Interactive guides</P> </TD> <TD width="209.333px" height="28px">&nbsp;</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <TABLE width="100%"> <TBODY> <TR> <TD width="50%" height="28px"> <P><EM><STRONG>Module</STRONG></EM></P> </TD> <TD width="50%" height="28px"> <P><STRONG><EM>What's new</EM></STRONG></P> </TD> </TR> <TR> <TD width="50%" height="66px"> <P>Security Operations Fundamentals</P> <P>Module 1. 
Technical overview</P> </TD> <TD width="50%" height="66px"> <UL> <LI><SPAN><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span></STRONG></SPAN>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/unified-experiences-across-endpoint-and-email-are-now-generally/ba-p/2278132" target="_blank" rel="noopener">Unified experiences across endpoint and email</A></LI> </UL> </TD> </TR> <TR> <TD width="50%" height="173px"> <P>Security Operations Fundamentals</P> Module 3. Investigation – Incident</TD> <TD width="50%" height="173px"> <UL> <LI><SPAN><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;</STRONG></SPAN><A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/easily-find-anomalies-in-incidents-and-alerts/ba-p/2339243" target="_blank" rel="noopener">Incidents trend graph view</A></LI> <LI> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Responding to my first incident</A>, a tutorial and walkthrough for new-to-role analysts</P> </LI> <LI> <P><SPAN><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" 
image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;</STRONG></SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/new-alert-page-for-microsoft-365-defender-incident-detections/ba-p/2350425" target="_blank" rel="noopener">Alert page for incident detections</A>&nbsp;&nbsp;</P> </LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Email Entity page</A></LI> </UL> </TD> </TR> <TR> <TD width="50%" height="81px"> <P>Security Operations Fundamentals</P> Module 4. 
Threat Analytics</TD> <TD width="50%" height="81px"> <UL> <LI><SPAN><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;</STRONG></SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/launching-threat-analytics-for-microsoft-365-defender/ba-p/2232724" target="_blank" rel="noopener">Threat analytics</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Overview of Threat Analytics</A></LI> </UL> </TD> </TR> <TR> <TD width="50%" height="66px"> <P>Security Operations Fundamentals</P> Module 8. 
Partners</TD> <TD width="50%" height="66px"> <UL> <LI><SPAN><SPAN><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;</STRONG></SPAN></SPAN><A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/take-your-security-to-the-next-level-with-professional-security/ba-p/2528757" target="_blank" rel="noopener">Professional security services catalog</A><SPAN style="font-family: inherit; background-color: transparent;">&nbsp;</SPAN></LI> </UL> </TD> </TR> <TR> <TD width="50%" height="226px">&nbsp; <P>Security Operations Intermediate</P> Module 3. Advanced hunting</TD> <TD width="50%" height="226px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-cloud-app-security-the-hunt-in-a-multi-stage-incident/ba-p/2193484" target="_blank" rel="noopener">Microsoft Cloud App Security: The Hunt in a multi-stage incident</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Hunting with Microsoft Cloud App Security 
data</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-cloud-app-security-the-hunt-for-insider-risk/ba-p/2346242" target="_blank" rel="noopener">Microsoft Cloud App Security: The Hunt for Insider Risk</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/blog-series-limitless-advanced-hunting-with-azure-data-explorer/ba-p/2328705" target="_blank" rel="noopener">Limitless Advanced Hunting with Azure Data Explorer (ADX)</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Take action on advanced hunting query results</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" 
/></span>&nbsp;<A href="#" target="_blank" rel="noopener">Advanced Hunting in portal Schema Reference</A>&nbsp;</LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span> <A href="#" target="_blank" rel="noopener">DeviceFromIP() function in advanced hunting</A></LI> </UL> </TD> </TR> <TR> <TD height="54px"> <P>Security Operations Intermediate</P> Module 6. Self-healing</TD> <TD height="54px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;Updated&nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Automated investigation and response</A><SPAN style="font-family: inherit; background-color: transparent;"> articles</SPAN></LI> </UL> </TD> </TR> <TR> <TD height="54px"> <P>Security Operations Intermediate</P> Module 8. Microsoft Threat Experts</TD> <TD height="54px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Threat Experts</A></LI> </UL> </TD> </TR> <TR> <TD height="28px"> <P>Security Operations Expert</P> <P>Module 1. 
Incidents</P> </TD> <TD height="28px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Deep-dive attack playbooks</A> from the DART team for seasoned analysts</LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;Incident response <A href="#" target="_blank" rel="noopener">overview</A></LI> </UL> </TD> </TR> <TR> <TD> <P>Security Operations Expert</P> <P>Module 3. APIs, custom reports, SIEM &amp; other integrations</P> </TD> <TD> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2198820" target="_blank" rel="noopener">Best practices for leveraging API's - Episode Two</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A 
style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/announcing-microsoft-365-defender-streaming-api-public-preview/ba-p/2410767" target="_blank" rel="noopener">Streaming API Announcement blog</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Overview of the Streaming API</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Stream Microsoft 365 Defender events</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/azure-sentinel-and-microsoft-365-defender-incident-integration/ba-p/2201959" target="_blank" rel="noopener">Azure Sentinel and Microsoft 365 Defender incident integration</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" 
width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Overview Azure Sentinel integration</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Azure Sentinel integration</A></LI> </UL> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> Wed, 04 Aug 2021 20:01:19 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-365-defender-ninja-training-august-2021-update/ba-p/2611831 Heike Ritter 2021-08-04T20:01:19Z Take your security to the next level with professional security services https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/take-your-security-to-the-next-level-with-professional-security/ba-p/2528757 <P>Not every organization has the capacity or the expertise to run a dedicated security operations team. Others may need a second set of eyes to review alerts in their network or simply want to ensure that they keep up with the latest techniques being used by adversaries. Some may want an additional assessment of their security posture or just need an evaluation of possible vulnerabilities in their network, while others need immediate help with an ongoing breach.</P> <P>Microsoft security services, together with a vast network of partners, help address these challenges across global regions for public companies, private industries, and government entities to help protect against the most sophisticated adversaries. 
Joining forces with our extensive ecosystem of leading services partners that provide offerings such as managed threat hunting and managed detection and response enables us to offer the best security solutions from Microsoft with the services your organization needs to secure your business.</P> <P>To help you discover the range of security services offerings available to you, we’re excited to announce a new professional services catalog now available in Microsoft 365 Defender. At the moment, you can find it under Endpoints &gt; Partners &amp; APIs &gt; Professional Services at <A href="#" target="_blank" rel="noopener">security.microsoft.com</A><SPAN>.</SPAN> While it’s in the Endpoints section for the time being, you’ll find partners that support and build on many of our security products.</P> <P>&nbsp;</P> <P>We’ve organized both first- and third-party services along the following categories:</P> <UL> <LI><STRONG>Educate</STRONG> and maintain your <STRONG>internal team’s security </STRONG>capabilities to prevent, detect, contain, and remediate threats.</LI> <LI><STRONG>Evolve</STRONG> your organization’s security posture through <STRONG>improved processes and technologies </STRONG>that modernize threat detection, containment, and remediation capabilities.</LI> <LI><STRONG>Protect </STRONG>your organization by <STRONG>proactively evaluating your organization’s</STRONG> ability to effectively prevent, detect, and respond to cyber threats before they disrupt your business.</LI> <LI><STRONG>Respond</STRONG> to security incidents quickly, effectively and at scale with complete incident response including investigation, containment, remediation, and crisis management.</LI> <LI><STRONG>Managed</STRONG> security services that help organizations detect threats early and minimize the impact of a breach.</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogpic1.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/294429i6CB0FE5CE83685C7/image-size/large?v=v2&amp;px=999" role="button" title="blogpic1.png" alt="blogpic1.png" /></span></P> <P>Figure 1: Image of Professional services catalog</P> <P>&nbsp;</P> <P>Within each of the categories, you’ll see both Microsoft and third-party services that align to it along with a short description.</P> <P>Click <STRONG>View</STRONG> to open up a fly-out screen on the right with additional details about the service, a typical engagement duration, a description of outcomes, and a link directly to the partner page about the service.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="prof_servicesBlog.gif" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/294428iB60803D1EB8BB0DB/image-size/large?v=v2&amp;px=999" role="button" title="prof_servicesBlog.gif" alt="prof_servicesBlog.gif" /></span></P> <P>Figure 2: Professional services catalog experience</P> <P>&nbsp;</P> <P><STRONG>Microsoft professional services are here to help</STRONG><BR />Microsoft has a range of security services that are offered to customers, including:</P> <UL> <LI><A href="#" target="_blank" rel="noopener"><STRONG>Microsoft Threat Experts</STRONG></A> - Microsoft Threat Experts - Targeted Attack Notifications is a managed threat hunting service. Once you apply and get accepted, you'll receive targeted attack notifications from Microsoft threat experts, so you won't miss critical threats to your environment. These notifications will help you protect your organization's endpoints, email, and identities. Microsoft Threat Experts – Experts on Demand lets you get expert advice about threats your organization is facing. 
It's available as a subscription service.</LI> <LI><A href="#" target="_blank" rel="noopener"><STRONG>Microsoft Managed Desktop</STRONG></A> - If you are looking for someone to manage your desktop security, Microsoft Managed Desktop is a unique ITaaS solution that combines endpoint management and security monitoring and response in a way that gives users a secure and productive device experience that IT pros can trust.</LI> <LI><A href="#" target="_blank" rel="noopener"><STRONG>Microsoft Detection and Response Team (DART)</STRONG></A> – If you have experienced a breach, the Microsoft Detection and Response Team will help your organization establish visibility of attacker activity, instantly start remediation, limit financial impact, get you back to business faster, and help you become cyber-resilient.</LI> <LI><A href="#" target="_blank" rel="noopener"><STRONG>Microsoft Consulting Services</STRONG></A><STRONG> - </STRONG>Microsoft Consulting Services help you prepare for the future, identify risks, and upgrade your environment by applying enterprise technology to business problems and guiding digital transformation. Through a rich set of Security solutions, Microsoft Consulting Services can help you modernize your Security posture by applying Zero Trust principles and modernize your Security Operations.</LI> <LI><A href="#" target="_blank" rel="noopener"><STRONG>Compromise Recovery Security Practice (CRSP)</STRONG></A> – Part of Microsoft Consulting Services, the CRSP team can help you recover your environment post-security breach or ransomware attack.</LI> </UL> <P>&nbsp;</P> <P>Designed to deliver best-of-breed security, Microsoft offers partners opportunities to extend their existing security offerings on top of our open framework and a rich and complete set of APIs, allowing them to build extensions and integrations to Microsoft’s security platform. 
Security vendors interested in becoming our partners can use <A href="#" target="_blank" rel="noopener">this page</A> to get started.</P> <P>As always, we welcome your feedback and would be glad to keep in touch.<BR /><BR /></P> <P><STRONG>Already a partner? Want to be in the catalog?</STRONG><BR />Please contact us at <A href="https://gorovian.000webhostapp.com/?exam=mailto:M365D_Prof_Serv_Cata@microsoft.com" target="_self"><SPAN>M365D_Prof_Serv_Cata@microsoft.com</SPAN></A> with your offering information and we will be happy to discuss your nomination for the catalog.</P> <P>&nbsp;</P> <P><BR /><BR /></P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 08 Jul 2021 16:38:02 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/take-your-security-to-the-next-level-with-professional-security/ba-p/2528757 Aviv_Eldan 2021-07-08T16:38:02Z New webinar series: Monthly threat insights https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/new-webinar-series-monthly-threat-insights/ba-p/2449979 <P>We’re happy to announce a new monthly webinar series called “monthly threat insights”. On the third Wednesday of each month, the Microsoft Defender Threat Intelligence team will dive deep into a selected emerging threat as seen in the <A href="#" target="_blank" rel="noopener">threat analytics</A> library available in Microsoft 365 Defender. Using the threat analytics report authored by Microsoft security researchers and analysts, we’ll examine the different facets of the threat: its history, behavior, and detection details, as well as a detailed MITRE ATT&amp;CK framework mapping of attack techniques and recommended mitigations. We will also look at KQL queries you can use in advanced hunting to investigate the threat on your own.</P> <P>&nbsp;</P> <P>If you use one of the Microsoft Defender products, you will also have access to the full report in the threat analytics page of Microsoft 365 Defender. 
On this page, you can access the report, see alerts associated with this threat, and determine if you have applicable protections in place.</P> <P>&nbsp;</P> <P>The first episode was on June 16<SUP>th</SUP>, and if you couldn't join us, you can now watch the recording:</P> <P>&nbsp;</P> <TABLE class=" lia-align-center" width="719px"> <TBODY> <TR> <TD> <P>Jun 16, 2021</P> </TD> <TD>Webinar series: Monthly Threat Insights - Ransomware</TD> <TD> <P class="lia-align-center"><A href="#" target="_blank" rel="noopener noreferrer">MP4</A></P> </TD> <TD> <P class="lia-align-center"><A href="#" target="_blank" rel="nofollow noopener noreferrer">YouTube</A></P> </TD> <TD> <P class="lia-align-center" data-unlink="true"><A href="#" target="_blank" rel="noopener nofollow noreferrer">Deck</A></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Be sure to <A href="#" target="_blank" rel="noopener">register using this link</A>, and join us every third Wednesday for these timely and insightful webinars.</P> <P>&nbsp;</P> Fri, 18 Jun 2021 02:00:38 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/new-webinar-series-monthly-threat-insights/ba-p/2449979 Heike Ritter 2021-06-18T02:00:38Z Announcing Microsoft 365 Defender Streaming API Public Preview https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/announcing-microsoft-365-defender-streaming-api-public-preview/ba-p/2410767 <P><STRONG><FONT size="6">Announcing Microsoft 365 Defender Streaming API Public Preview</FONT></STRONG></P> <P>The Microsoft 365 Defender team is happy to announce the <A href="#" target="_blank" rel="noopener">Microsoft 365 Defender Streaming API</A> is now available in Public Preview. <BR />The Microsoft 365 Defender Streaming API lets you export events to your Azure Event Hubs or your Azure Storage account and from there to your location of choice. 
This enables you to run custom analytics over that data or ingest it into other Security Operations systems, such as SIEM or SOAR products.<BR />If you use the <A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint Raw data export API</A> to stream device events, the Microsoft 365 Defender Streaming API extends this to include email and alert events.<BR /><BR /></P> <TABLE style="width: 740px;" width="760px"> <TBODY> <TR> <TD width="140px" height="29px" class="lia-align-left"> <P><FONT size="3" color="#0000FF"><STRONG>Event Category</STRONG></FONT></P> </TD> <TD width="600px" height="29px" class="lia-align-left"> <P><FONT size="3" color="#000000"><STRONG>Event Type</STRONG> (Advanced Hunting Event table name)</FONT></P> </TD> </TR> <TR> <TD width="140px" height="29px" class="lia-align-left"> <P><FONT size="3"><FONT color="#0000FF"><STRONG>Alerts</STRONG></FONT> <FONT color="#FF0000"><STRONG><SUP>New!</SUP></STRONG></FONT></FONT></P> </TD> <TD width="600px" height="29px" class="lia-align-left"> <P><FONT size="3">AlertInfo, AlertEvidence</FONT></P> </TD> </TR> <TR> <TD width="140px" height="84px" class="lia-align-left"> <P><FONT size="3" color="#0000FF"><STRONG>Devices</STRONG></FONT></P> </TD> <TD width="600px" height="84px" class="lia-align-left"> <P><FONT size="3">DeviceInfo, DeviceNetworkInfo, DeviceProcessEvents, DeviceFileEvents, DeviceNetworkEvents, DeviceRegistryEvents, DeviceLogonEvents, DeviceImageLoadEvents, DeviceEvents, DeviceFileCertificateInfo</FONT></P> </TD> </TR> <TR> <TD width="140px" height="29px" class="lia-align-left"> <P><FONT size="3"><FONT color="#0000FF"><STRONG>Email</STRONG></FONT> <FONT color="#FF0000"><STRONG><SUP>New!</SUP></STRONG></FONT></FONT></P> </TD> <TD width="600px" height="29px" class="lia-align-left"> <P><FONT size="3">EmailEvents, EmailAttachmentInfo, EmailUrlInfo, EmailPostDeliveryEvents</FONT></P> </TD> </TR> </TBODY> </TABLE> <P><BR />The Streaming API exports the selected event types in the Microsoft 365 
Defender Advanced Hunting schema. For more information, see <A href="#" target="_blank" rel="noopener">Understand the Advanced Hunting Schema</A>.</P> <P>If you are using the Streaming API for the first time, you can find step-by-step instructions in the <A href="#" target="_blank" rel="noopener">Microsoft 365 Streaming API Guide</A> on configuring the Microsoft 365 Streaming API to <A href="#" target="_blank" rel="noopener">stream events to your Azure Event Hubs</A> or <A href="#" target="_blank" rel="noopener">to your Azure Storage Account</A>.</P> <P>If you are familiar with the Microsoft Defender for Endpoint Raw data export API, you can simply go to the Microsoft 365 Defender Portal (<A href="#" target="_blank" rel="noopener">https://security.microsoft.com</A>) &gt; Settings &gt; Microsoft 365 Defender &gt; Streaming API, enter your <A href="#" target="_blank" rel="noopener">Azure Event Hub</A> or <A href="#" target="_blank" rel="noopener">Azure Storage Account</A> information and select the event types you want to export (see below).</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="M365D Settings - Streaming API - choose event types.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/285811iDA017C5EFA686320/image-size/large?v=v2&amp;px=999" role="button" title="M365D Settings - Streaming API - choose event types.png" alt="M365D Settings - Streaming API - choose event types.png" /></span></P> <P class="lia-align-center"><FONT size="2"><EM><FONT color="#0000FF">Select the events you want to export in the Microsoft 365 Defender Streaming API settings</FONT></EM></FONT></P> <P>&nbsp;</P> <P><STRONG>We’d love to hear your feedback!</STRONG></P> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG>Microsoft 365 Defender Team</STRONG></P> Thu, 03 Jun 2021 01:53:21 GMT 
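<P>A consumer for the exported events, as an added example that is not part of the original post or of Microsoft's own tooling. It assumes that each Event Hub message body is a JSON object with a "records" list, and that each record carries "time", "tenantId", a "category" of the form "AdvancedHunting-&lt;TableName&gt;" and the event's Advanced Hunting columns under "properties" (the same envelope the Defender for Endpoint raw data export uses; treated here as an assumption rather than something the post states). It buckets records by table, counts categories it does not recognise instead of dropping them silently, and reassembles streamed alerts by joining AlertInfo with AlertEvidence on AlertId, since the two tables arrive as separate records. The sample message is constructed.</P>

```python
"""Consume Microsoft 365 Defender Streaming API messages landed in Azure Event Hubs.

Added example, not code from the original post. The envelope layout (records /
time / tenantId / category / properties) is an assumption about the export
format; the table names are the ones listed in the post.
"""
import json
from collections import defaultdict

# Advanced Hunting tables the post says the Streaming API can export.
EXPORTABLE_TABLES = {
    "AlertInfo", "AlertEvidence",
    "DeviceInfo", "DeviceNetworkInfo", "DeviceProcessEvents", "DeviceFileEvents",
    "DeviceNetworkEvents", "DeviceRegistryEvents", "DeviceLogonEvents",
    "DeviceImageLoadEvents", "DeviceEvents", "DeviceFileCertificateInfo",
    "EmailEvents", "EmailAttachmentInfo", "EmailUrlInfo", "EmailPostDeliveryEvents",
}

CATEGORY_PREFIX = "AdvancedHunting-"  # assumed prefix on the record's category field


def table_name(record):
    """Map a record's category to its Advanced Hunting table, or None if unknown."""
    category = record.get("category", "")
    if not category.startswith(CATEGORY_PREFIX):
        return None
    name = category[len(CATEGORY_PREFIX):]
    return name if name in EXPORTABLE_TABLES else None


def split_by_table(message_body):
    """Parse one Event Hub message and bucket its records by table.

    Unknown categories are counted rather than dropped, so a schema change
    upstream shows up in the consumer's metrics instead of vanishing.
    """
    payload = json.loads(message_body)
    buckets = defaultdict(list)
    unknown = 0
    for record in payload.get("records", []):
        name = table_name(record)
        if name is None:
            unknown += 1
            continue
        row = dict(record.get("properties", {}))
        # Keep the envelope fields analysts need for ordering and tenancy checks.
        row["_time"] = record.get("time")
        row["_tenantId"] = record.get("tenantId")
        buckets[name].append(row)
    return buckets, unknown


def assemble_alerts(buckets):
    """Join AlertInfo with AlertEvidence on AlertId; both are streamed as separate records."""
    alerts = {}
    for info in buckets.get("AlertInfo", []):
        alerts[info["AlertId"]] = {"info": info, "evidence": []}
    for evidence in buckets.get("AlertEvidence", []):
        alert = alerts.get(evidence["AlertId"])
        if alert is not None:
            alert["evidence"].append(evidence)
    return alerts


# Constructed sample message: one alert with two evidence rows, one email event,
# and one record in a category this consumer does not know about.
TENANT = "00000000-0000-0000-0000-000000000000"
SAMPLE_MESSAGE = json.dumps({"records": [
    {"time": "2021-06-03T01:00:00Z", "tenantId": TENANT, "category": "AdvancedHunting-AlertInfo",
     "properties": {"AlertId": "da1", "Title": "Suspicious PowerShell", "Severity": "High",
                    "ServiceSource": "Microsoft Defender for Endpoint"}},
    {"time": "2021-06-03T01:00:01Z", "tenantId": TENANT, "category": "AdvancedHunting-AlertEvidence",
     "properties": {"AlertId": "da1", "EntityType": "Process", "FileName": "powershell.exe"}},
    {"time": "2021-06-03T01:00:01Z", "tenantId": TENANT, "category": "AdvancedHunting-AlertEvidence",
     "properties": {"AlertId": "da1", "EntityType": "User", "AccountName": "juliani"}},
    {"time": "2021-06-03T01:02:00Z", "tenantId": TENANT, "category": "AdvancedHunting-EmailEvents",
     "properties": {"NetworkMessageId": "m1", "SenderFromAddress": "a@example.com",
                    "RecipientEmailAddress": "b@example.com", "Subject": "Invoice"}},
    {"time": "2021-06-03T01:03:00Z", "tenantId": TENANT, "category": "AdvancedHunting-SomethingNew",
     "properties": {}},
]})


def demo():
    """Run the consumer over the constructed message; returns (buckets, unknown, alerts)."""
    buckets, unknown = split_by_table(SAMPLE_MESSAGE)
    return buckets, unknown, assemble_alerts(buckets)


if __name__ == "__main__":
    buckets, unknown, alerts = demo()
    for name, rows in sorted(buckets.items()):
        print(f"{name}: {len(rows)} record(s)")
    print(f"unknown categories: {unknown}")
    for alert_id, alert in alerts.items():
        print(alert_id, alert["info"]["Title"], [e["EntityType"] for e in alert["evidence"]])
```

<P>In a real consumer the message body comes from the Event Hub client (or from the hourly blobs in the storage account) instead of the constructed string, and the per-table buckets are what you hand to the SIEM parser for that table.</P>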
https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/announcing-microsoft-365-defender-streaming-api-public-preview/ba-p/2410767 Michael Shalev 2021-06-03T01:53:21Z New alert page for Microsoft 365 Defender incident detections! https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/new-alert-page-for-microsoft-365-defender-incident-detections/ba-p/2350425 <P>Microsoft 365 Defender automatically expands incidents to tell the full story of an attack.</P> <P>&nbsp;</P> <P>It does this by leveraging its unique position, which enables it to look across workloads and <A href="#" target="_self">automatically expand the incident story</A>. After all, malicious activities are not generated in a void: there is <EM>something </EM>out there, logged by another workload, that can add insight. This is exactly what Microsoft 365 Defender does: it generates incidents based on other alerts triggered from the different detection sources, such as Microsoft Defender for Endpoint (MDE), Defender for Office 365 (MDO), Defender for Identity (MDI) and Microsoft Cloud App Security (MCAS).</P> <P>&nbsp;</P> <P>We are excited to introduce a new alert page for these detections. The new page provides additional, enriched information that gives greater context on an attack. Security professionals can now see which other triggered alert caused the current alert, along with all the affected entities and activities involved in the attack, including files, users and mailboxes.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Idan_Pelleg_1-1620894127026.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280419iE79E4BE5023C3DCD/image-size/large?v=v2&amp;px=999" role="button" title="Idan_Pelleg_1-1620894127026.png" alt="Idan_Pelleg_1-1620894127026.png" /></span></P> <P>&nbsp;</P> <P>For example, an alert from Microsoft Defender for Office 365 might imply that a user’s credentials have been stolen. 
Once the alert is triggered, Microsoft 365 Defender will automatically search for other activities within the organization that are related to this user. This could include a mass data read event within several minutes of the credentials being breached.</P> <P>&nbsp;</P> <P>Opening or viewing a large number of files may not be an indicator of a breach on its own but with the context of the credential theft alert it becomes a major concern. Microsoft 365 Defender recognizes the related context of these activities and the risk that an attacker is accessing large amounts of user data.</P> <P>Using these alerts, the security analyst can see which files have been accessed, and in which applications and directories. They can also see the alerts and the relevant context. All of this information is correlated into a single incident that would also include other relevant alerts showing lateral movement, persistence, or further infiltration related to the same attack. With this breadth and depth of visibility the SOC can respond quickly and holistically across the entire attack from a single dashboard.</P> <P>Microsoft 365 Defender leverages AI to automatically expand an investigation, just like an experienced analyst would. 
This allows your SOC team to focus on what matters: keeping your organization safe.</P> <P>&nbsp;</P> <P>To learn more about incidents in Microsoft Threat Protection, go to the following links:</P> <UL> <LI><SPAN class="inner-wrap"><A class="" href="#" target="_blank" rel="noopener noreferrer">Inside Microsoft Threat Protection: Correlating and consolidating attacks into incidents</A></SPAN></LI> <LI><SPAN class="inner-wrap"><A class="" href="#" target="_blank" rel="noopener noreferrer">Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint</A></SPAN></LI> <LI><SPAN class="inner-wrap"><A class="" href="#" target="_blank" rel="noopener noreferrer">Inside Microsoft Threat Protection: Attack modeling for finding and stopping lateral movement</A></SPAN></LI> <LI class=""><SPAN class="inner-wrap"><A class="" href="#" target="_blank" rel="noopener noreferrer">Inside Microsoft Threat Protection: Solving cross-domain security incidents through the power of cor...</A></SPAN></LI> </UL> <P>&nbsp;</P> Wed, 19 May 2021 10:43:40 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/new-alert-page-for-microsoft-365-defender-incident-detections/ba-p/2350425 Idan_Pelleg 2021-05-19T10:43:40Z Microsoft Defender for Identity native alert page in Microsoft 365 Defender https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-defender-for-identity-native-alert-page-in-microsoft/ba-p/2348443 <P>We are excited to announce that starting today, Microsoft Defender for Identity alerts are natively integrated into Microsoft 365 security center (security.microsoft.com) with a dedicated Identity alert page format. 
This marks the first step in our journey to introduce the full Microsoft Defender for Identity experience into the unified Microsoft 365 Defender portal and is a continuation of the convergence motion to integrate protection across domains, which <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/unified-experiences-across-endpoint-and-email-are-now-generally/ba-p/2278132" target="_blank" rel="noopener">started with Defender for Office 365 and Defender for Endpoint</A>.</P> <P>&nbsp;</P> <P>The new Identity alert page unlocks value for Microsoft Defender for Identity customers such as better cross-domain signal enrichment and new automated identity response capabilities. It ensures that we can best help our customers to stay secure and help improve the efficiency of security operations. To learn more about Microsoft 365 Defender, check out this dedicated Tech Community <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/bg-p/MicrosoftThreatProtectionBlog" target="_blank" rel="noopener">blog.</A></P> <P>&nbsp;</P> <H2><FONT color="#000080">Alerts and investigation</FONT></H2> <P>&nbsp;</P> <P>Alerts are a key experience when working with any security product. That’s why Defender for Identity is continuously investing in research and engineering efforts to provide new alerts to attack techniques, tools and vulnerabilities. Starting today, Microsoft Defender for Identity alerts are available to view within the Microsoft 365 Defender portal.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="figure 1.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280245iC95543B4E0A0EDF2/image-size/large?v=v2&amp;px=999" role="button" title="figure 1.png" alt="figure 1.png" /></span></P> <P class="lia-align-center"><FONT size="2">(Figure 1. 
Alert experience in Microsoft 365 security center)</FONT></P> <P class="lia-align-center">&nbsp;</P> <P>One of the benefits of investigating alerts through Microsoft 365 security center is that Microsoft Defender for Identity alerts are further correlated with information obtained from each of the other products in the suite. These enhanced alerts are consistent with the other Microsoft 365 Defender alert formats originating from Microsoft Defender for Office 365 and Microsoft Defender for Endpoint. The new page effectively eliminates the need to navigate (‘tab out’) to another product portal to investigate alerts associated with identity.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="figure 2.bmp" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280247iAACB1C2A10E1B3A5/image-size/large?v=v2&amp;px=999" role="button" title="figure 2.bmp" alt="figure 2.bmp" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P class="lia-align-center"><FONT size="2">(Figure 2. Side panel for a device entity that is enriched by both Microsoft Defender for Endpoint and Microsoft Defender for Identity)</FONT></P> <P class="lia-align-center">&nbsp;</P> <P>The new alert page maintains a similar look and feel to Defender for Identity while adapting to the Microsoft 365 Defender user experience and style.</P> <P class="lia-align-center">&nbsp;</P> <H2><FONT color="#000080">Not just a new home…</FONT></H2> <P>&nbsp;</P> <P>Alerts are now in one common alert queue with Defender for Office 365, Defender for Endpoint, Microsoft Cloud App Security and various compliance workload alerts. 
Another stand-out feature for alerts originating from Defender for Identity is that they can now trigger the Microsoft 365 Defender automated investigation and response (AIR) capabilities, including automatically remediating alerts and mitigating the tools and processes that contribute to the suspicious activity.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="figure 3 bmp.bmp" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280248i559F853394EF0A1F/image-size/large?v=v2&amp;px=999" role="button" title="figure 3 bmp.bmp" alt="figure 3 bmp.bmp" /></span></P> <P class="lia-align-center">&nbsp;<SPAN style="font-size: small; font-family: inherit; text-align: center;">(Figure 3. Automatic alert investigation based on a Microsoft Defender for Identity alert)</SPAN></P> <P class="lia-align-center">&nbsp;</P> <H2><FONT color="#000080">How do I get started?</FONT></H2> <P>&nbsp;</P> <P>Defender for Identity alerts can easily be accessed from either the Incidents or Alerts queue. Open either of these areas, and then filter by <STRONG>Service Sources</STRONG> to see the specific alerts you’re looking for.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="figure 4 bmp.bmp" style="width: 320px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280249i506D7EFBF7E8D796/image-size/large?v=v2&amp;px=999" role="button" title="figure 4 bmp.bmp" alt="figure 4 bmp.bmp" /></span></P> <P class="lia-align-center">&nbsp;<SPAN style="font-size: small; font-family: inherit; text-align: center;">(Figure 4. 
Microsoft 365 security menu)</SPAN></P> <P class="lia-align-center">&nbsp;</P> <P class="lia-align-center"><FONT size="2"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="figure 5 bmp.bmp" style="width: 349px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/280250iAC3B1736AE5B2F1E/image-size/large?v=v2&amp;px=999" role="button" title="figure 5 bmp.bmp" alt="figure 5 bmp.bmp" /></span></FONT></P> <P><SPAN style="font-size: small; font-family: inherit;">(Figure 5. Filter options for alert view)</SPAN></P> <P class="lia-align-center">&nbsp;</P> <H2><FONT color="#000080">As always, we’d love to know what you think.</FONT></H2> <H2><FONT color="#000080">Leave us&nbsp;feedback&nbsp;directly on the Microsoft 365 security center</FONT></H2> Thu, 13 May 2021 15:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-defender-for-identity-native-alert-page-in-microsoft/ba-p/2348443 Daniel Naim 2021-05-13T15:00:00Z Microsoft Cloud App Security: The Hunt for Insider Risk https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-cloud-app-security-the-hunt-for-insider-risk/ba-p/2346242 <P>Welcome back to our second post in the “Microsoft Cloud App Security: The hunt” series!</P> <P>&nbsp;</P> <P>If you haven’t read the first post by Sebastien Molendijk, head over to <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-cloud-app-security-the-hunt-in-a-multi-stage-incident/ba-p/2193484" target="_blank" rel="noopener">Microsoft Cloud App Security: The hunt in a multi-stage incident - Microsoft Tech Community</A> to see how you can leverage advanced hunting to investigate a multi-stage incident.</P> <P>As stated previously, this series will be used to address the alerts and scenarios we have seen most frequently from customers and apply simple but effective queries that can be used in everyday investigations.&nbsp;</P> <P>&nbsp;</P> <P>The 
below use case describes one way to determine whether an insider is posing a risk to the organization. One of the key things to understand about insider risk is that the investigation concerns inadvertent or intentional risks posed by employees or other members of the organization. It often requires understanding the context of the user as well as being able to quickly identify and manage risks.&nbsp; The methods we describe are one common way to assess the risk to an organization from an insider who is planning to leave the company.</P> <P>&nbsp;</P> <P>Every step of this investigation should be done in coordination with your organization’s HR and Legal departments, adhering to the privacy, security and compliance policies set out by your organization. In addition, analysts may need training to handle this kind of investigation with specific and careful steps, in accordance with your organization’s commitment to its employees.</P> <P>&nbsp;</P> <P><STRONG>Use case</STRONG></P> <P>Contoso implemented Microsoft 365 Defender and is monitoring alerts using Microsoft’s security solutions.&nbsp;While reviewing the new alerts, our security analyst noticed a mass download alert that included a user named Julian Isla.</P> <P>Julian is currently working on a highly confidential initiative called Project Hurricane. 
Knowing this, the analyst wants to conduct a thorough analysis in this investigation.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SS1.png" style="width: 964px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/279986i579835FBF950B0C5/image-size/large?v=v2&amp;px=999" role="button" title="SS1.png" alt="SS1.png" /></span></P> <P>&nbsp;</P> <P>Our analyst can immediately see that Cloud App Security provides many key details in the alert, including the user, IP address, application and location.</P> <P>&nbsp;</P> <P>The first step for the analyst may be to gather details such as the device, the type of information downloaded, the user’s typical behavior and other possible activities that could mean data was exfiltrated.</P> <P>&nbsp;</P> <P>Using the available details in the MCAS alert and the initial questions and concerns of the investigation, we will show how to answer each question with an advanced hunting query, and how the results of each query shape the follow-on query, allowing the investigator to piece together the full story from the activities logged.</P> <P>&nbsp;</P> <TABLE width="799px"> <TBODY> <TR> <TD width="232px"> <P>Question 1:</P> </TD> <TD width="566px"> <P>Query Used:</P> </TD> </TR> <TR> <TD width="232px"> <P>What managed devices has this user logged in to?</P> <P>&nbsp;</P> </TD> <TD width="566px"> <P>&nbsp;</P> <LI-CODE lang="powershell">DeviceInfo | where LoggedOnUsers has "juliani" and isnotempty(OSPlatform) | distinct Timestamp, DeviceId, DeviceName, OSPlatform, OSArchitecture </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG>NOTE:</STRONG> The analyst was able to extract the user’s Security Account Manager (SAM) account name, juliani, which is the value the query matches in LoggedOnUsers. This can be done by using Cloud App Security’s entity page.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SS2.png" style="width: 568px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/279985i061684661068CAA0/image-size/large?v=v2&amp;px=999" role="button" title="SS2.png" alt="SS2.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>NOTE:</STRONG> If the analyst wanted to display the entire LoggedOnUsers table, the column would look like this:</P> <P>[{"UserName":"JulianI","DomainName":"CONTOSO","Sid":"S-1-5-21-1661583231-2311428937-3957907789-1103"}]</P> <P>&nbsp;</P> <P><STRONG>Result:</STRONG></P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SS3.png" style="width: 949px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/279988iD95D9531EFD97C75/image-size/large?v=v2&amp;px=999" role="button" title="SS3.png" alt="SS3.png" /></span></STRONG></P> <P>&nbsp;</P> <P>Using this query that surfaces Microsoft Defender for Endpoint (MDE) data, the analyst found that Julian used two devices today, adminpc.contoso.azure and victimpc.contoso.azure. More importantly, the analyst can see that Julian was on the adminpc device on the same day as the alert for a mass download was triggered.</P> <P>&nbsp;</P> <TABLE width="832px"> <TBODY> <TR> <TD width="211px"> <P>Question 2:</P> </TD> <TD width="620px"> <P>Query Used:</P> </TD> </TR> <TR> <TD width="211px"> <P>Were the files downloaded to a non-managed device?</P> <P>&nbsp;</P> </TD> <TD width="620px"><LI-CODE lang="powershell">let AlertTimestamp = datetime(2021-04-15T23:45:00.0000000Z); CloudAppEvents | where Timestamp between ((AlertTimestamp - 24h) .. 
(AlertTimestamp + 24h)) | where AccountDisplayName == "Julian Isla" | where ActionType == "FileDownloaded" | project Timestamp, ActionType, AccountDisplayName, ObjectName, DeviceType, OSPlatform, UserAgent </LI-CODE></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Result:</STRONG>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ss4.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/279990i97FBF93B5D076338/image-size/large?v=v2&amp;px=999" role="button" title="ss4.png" alt="ss4.png" /></span></P> <P>&nbsp;</P> <P>By using the CloudAppEvents table, the analyst can now view the file names and the number of files and devices Julian used to complete these downloads. They can determine by the names of the files and the device details that Julian has downloaded important proprietary company data for Project Hurricane, a high-profile initiative for a new application that includes sensitive customer data and source code.</P> <P>&nbsp;</P> <TABLE width="865px"> <TBODY> <TR> <TD width="233px"> <P>Question 3:</P> </TD> <TD width="631px"> <P>Query Used:</P> </TD> </TR> <TR> <TD width="233px"> <P>Has this user leveraged personal email in the past?</P> <P>&nbsp;</P> </TD> <TD width="631px"><LI-CODE lang="powershell">EmailEvents | where SenderMailFromAddress == "JulianI@seccxp.ninja" | where RecipientEmailAddress has "@gmail.com" or RecipientEmailAddress has "@yahoo.com" or RecipientEmailAddress has "@hotmail" | project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, AttachmentCount, NetworkMessageId | join EmailAttachmentInfo on NetworkMessageId, RecipientEmailAddress | project Timestamp, SenderFromAddress, RecipientEmailAddress, Subject, AttachmentCount, FileName</LI-CODE> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><STRONG>Result:&nbsp;</STRONG></P> <P>&nbsp;</P> <P><STRONG><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="ss6.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/279992i86626A92C56035DF/image-size/large?v=v2&amp;px=999" role="button" title="ss6.png" alt="ss6.png" /></span></STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <TABLE width="807px"> <TBODY> <TR> <TD width="232px"> <P>Question 4:</P> </TD> <TD width="574px"> <P>Query Used:</P> </TD> </TR> <TR> <TD width="232px"> <P>Has this user been actively job searching?</P> <P>&nbsp;</P> <P>&nbsp;</P> </TD> <TD width="574px"><LI-CODE lang="powershell">DeviceNetworkEvents | where Timestamp &gt; ago(30d) | where DeviceName in ("adminpc.contoso.azure", "victimpc.contoso.azure") | where InitiatingProcessAccountName == "juliani" | where RemoteUrl has "linkedin" or RemoteUrl has "indeed" or RemoteUrl has "glassdoor" | summarize event_count = count() by RemoteUrl </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><STRONG>Result:&nbsp;</STRONG></P> <P>&nbsp;</P> <P><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SS5.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/279994iCA57CE3DF4E20875/image-size/large?v=v2&amp;px=999" role="button" title="SS5.png" alt="SS5.png" /></span></STRONG></P> <P>&nbsp;</P> <P>While investigating the DeviceNetworkEvents table to find out whether this user may have a motive for these activities, the analyst can see that the user is actively browsing job sites and may have plans to leave their current role at Contoso.</P> <P>&nbsp;</P> <P>&nbsp;</P> <TABLE width="795px"> <TBODY> <TR> <TD width="246px"> <P>Question 5:</P> </TD> <TD width="549px"> <P>Query Used:</P> </TD> </TR> <TR> <TD width="246px" height="421px"> <P>Does this user have a Letter of Resignation or Resume Saved to their local PC?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Does this user 
have a Letter of Resignation or Resume Saved to their personal OneDrive?</P> <P>&nbsp;</P> </TD> <TD width="549px" height="421px"><LI-CODE lang="powershell">// Local PC (Microsoft Defender for Endpoint data)
DeviceFileEvents | where Timestamp &gt; ago(30d) | where InitiatingProcessAccountName == "juliani" | where DeviceName in ("adminpc.contoso.azure", "victimpc.contoso.azure") | where FileName has "resume" or FileName has "resignation" | project Timestamp, InitiatingProcessAccountName, ActionType, FileName

// Personal OneDrive (Cloud App Security data); run as a separate query
CloudAppEvents | where Timestamp &gt; ago(30d) | where AccountDisplayName == "Julian Isla" | where Application == "Microsoft OneDrive for Business" | extend FileName = tostring(RawEventData.SourceFileName) | where FileName has "resume" or FileName has "resignation" | project Timestamp, ActionType, FileName </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><STRONG>Result:&nbsp;</STRONG></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SS7.png" style="width: 651px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/279995i35D03D45B5E869D4/image-size/large?v=v2&amp;px=999" role="button" title="SS7.png" alt="SS7.png" /></span></P> <P>&nbsp;</P> <P>The analyst is attempting to establish the user’s planned trajectory of actions and sees that they currently have a letter of resignation saved to their desktop and have recently accessed and downloaded it.</P> <P>&nbsp;</P> <P>&nbsp;</P> <TABLE width="835px"> <TBODY> <TR> <TD width="190px"> <P>Question 6:</P> </TD> <TD width="644px"> <P>Query Used:</P> </TD> </TR> <TR> <TD width="190px"> <P>Have any removable media or external devices been used on the PCs we discovered?</P> <P>&nbsp;</P> </TD> <TD width="644px"><LI-CODE lang="powershell">let DeviceNameToSearch = "adminpc.contoso.azure"; let TimespanInSeconds = 900; // Period of time between device insertion and file copy
let Connections = DeviceEvents | where (isempty(DeviceNameToSearch) or DeviceName =~ 
DeviceNameToSearch) and ActionType == "PnpDeviceConnected" | extend parsed = parse_json(AdditionalFields) | project DeviceId,ConnectionTime = Timestamp, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.DeviceId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = tostring(parsed.VendorIds) | where DriveClass == 'USB' and DeviceDescription == 'USB Mass Storage Device';
DeviceFileEvents | where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and FolderPath !startswith "c" and FolderPath !startswith @"\" | join kind=inner Connections on DeviceId | where datetime_diff('second',Timestamp,ConnectionTime) &lt;= TimespanInSeconds </LI-CODE></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><STRONG>Result:</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="erin_boris_6-1620761435372.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/279983iB8EA0C8B40F32CE0/image-size/medium?v=v2&amp;px=400" role="button" title="erin_boris_6-1620761435372.png" alt="erin_boris_6-1620761435372.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Luckily, the analyst can determine that files were not exfiltrated via removable media, because there is no record of a removable media device data transfer from the user’s most recently used device.</P> <P>&nbsp;</P> <P>Throughout the investigation, the analyst had many avenues to pursue and potential ways to mitigate and prevent further exfiltration of data. For example, using Cloud App Security’s user resolutions, the analyst could have suspended the user. 
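</P>
<P>The LoggedOnUsers note under Question 1 shows that the column is a JSON array of accounts rather than a plain string. The query below is an added example that is not part of the original post: it expands that array with <EM>mv-expand</EM> and matches on the account SID shown in the note instead of on a username substring, so a similarly named account in another domain, or a renamed account, cannot be confused with the user under investigation. It runs on a constructed table named <EM>SampleDeviceInfo</EM> that mimics the DeviceInfo schema; in a tenant, replace that name with DeviceInfo and drop the <EM>let</EM>. The PARTNER domain row, the -500 SID and the 2021-04-10 row are constructed for the example.</P>

```kusto
// Added example (not from the original post). SampleDeviceInfo is a constructed stand-in for the
// DeviceInfo table; its LoggedOnUsers values follow the shape shown in the note under Question 1.
// The PARTNER\JulianI account, the -500 SID and the 2021-04-10 row are constructed for the example.
let SampleDeviceInfo = datatable(Timestamp:datetime, DeviceId:string, DeviceName:string, OSPlatform:string, LoggedOnUsers:dynamic)
[
    datetime(2021-04-15T22:10:00Z), "dev-a", "adminpc.contoso.azure", "Windows10",
        dynamic([{"UserName":"JulianI","DomainName":"CONTOSO","Sid":"S-1-5-21-1661583231-2311428937-3957907789-1103"}]),
    datetime(2021-04-15T09:30:00Z), "dev-b", "victimpc.contoso.azure", "Windows10",
        dynamic([{"UserName":"JulianI","DomainName":"CONTOSO","Sid":"S-1-5-21-1661583231-2311428937-3957907789-1103"},
                 {"UserName":"Administrator","DomainName":"CONTOSO","Sid":"S-1-5-21-1661583231-2311428937-3957907789-500"}]),
    datetime(2021-04-15T11:00:00Z), "dev-c", "hrpc.contoso.azure", "Windows10",
        dynamic([{"UserName":"JulianI","DomainName":"PARTNER","Sid":"S-1-5-21-4000000000-4000000001-4000000002-1200"}]),
    datetime(2021-04-10T08:00:00Z), "dev-a", "adminpc.contoso.azure", "Windows10",
        dynamic([{"UserName":"JulianI","DomainName":"CONTOSO","Sid":"S-1-5-21-1661583231-2311428937-3957907789-1103"}])
];
// SID of the account under investigation, taken from the LoggedOnUsers value in the note above.
let TargetSid = "S-1-5-21-1661583231-2311428937-3957907789-1103";
// Same window as the Question 2 query: 24 hours either side of the Cloud App Security alert.
let AlertTimestamp = datetime(2021-04-15T23:45:00Z);
SampleDeviceInfo
| where Timestamp between ((AlertTimestamp - 24h) .. (AlertTimestamp + 24h))
| mv-expand LoggedOnUser = LoggedOnUsers                  // one output row per logged-on account
| extend UserName   = tostring(LoggedOnUser.UserName),
         DomainName = tostring(LoggedOnUser.DomainName),
         Sid        = tostring(LoggedOnUser.Sid)
| where Sid == TargetSid                                  // PARTNER\JulianI on dev-c is excluded here
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp) by DeviceId, DeviceName, OSPlatform, DomainName, UserName
| order by LastSeen desc
```

<P>Only the two CONTOSO devices inside the alert window remain; the PARTNER account with the same user name is dropped by the SID comparison, and the older adminpc sign-in falls outside the window. The same pattern applies to any dynamic column in the advanced hunting schema, and to JSON string columns once they have been through parse_json, as the Question 6 query does with AdditionalFields.</P>
<P>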
Additionally, using Microsoft Defender for Endpoint integration, the analyst could have isolated the managed device, preventing it from having any non-related network communication.</P> <P>&nbsp;</P> <P>In conclusion, in this test scenario, the Contoso employee “Julian” had been violating company policy and exfiltrating proprietary data for Project Hurricane to his personal laptop and email account for some time. The analysts also found that the user had been actively job searching and had a recently edited version of a letter of resignation saved to their desktop. Using the initial MCAS alert, as well as logs across Microsoft Defender for Endpoint and Microsoft Defender for Office 365, the analysts have discovered and prevented further data loss for the company by this user.</P> <P>&nbsp;</P> <P>This completes our second blog; please stay tuned for other common use cases that can be easily and thoroughly investigated with Microsoft Cloud App Security and Microsoft 365 Defender!</P> <P>&nbsp;</P> <P><STRONG>Resources:</STRONG></P> <P>For more information about the features discussed in this article, please read:</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Advanced hunting overview</A></LI> <LI><A href="#" target="_blank" rel="noopener">Advanced hunting best practices</A></LI> <LI><A href="#" target="_blank" rel="noopener">Cloud App Security anomaly detection alerts investigation guide </A>&nbsp;</LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft 365 Defender Github</A></LI> </UL> <P>&nbsp;</P> <P><STRONG>Feedback</STRONG></P> <P>We welcome your feedback or relevant use cases and requirements for this pillar of Cloud App Security by emailing <A href="https://gorovian.000webhostapp.com/?exam=mailto:casfeedback@microsoft.com" target="_blank" rel="noopener">CASFeedback@microsoft.com</A> and mention the area or pillar in Cloud App Security you wish to discuss.</P> <P>&nbsp;</P> <P><STRONG>Learn more</STRONG></P> <P>For further information on how your organization 
can benefit from Microsoft Cloud App Security, connect with us at the links below:</P> <TABLE width="750px"> <TBODY> <TR> <TD width="311px"> <P>Join the conversation on <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-cloud-app-security/bd-p/MicrosoftCloudAppSecurity" target="_blank" rel="noopener">Tech Community</A>.&nbsp;</P> <P>Stay up to date—subscribe to our <A href="#" target="_blank" rel="noopener">blog</A>.&nbsp;</P> </TD> <TD width="438px"> <P>Upload a log file from your network firewall or enable logging via&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint&nbsp;</A>to&nbsp;<A href="#" target="_blank" rel="noopener">discover Shadow IT&nbsp;</A>in your network.</P> </TD> </TR> <TR> <TD width="311px"> <P>Learn more—download <A href="#" target="_blank" rel="noopener">Top 20 use cases for CASB</A>.</P> </TD> <TD width="438px"> <P><A href="#" target="_blank" rel="noopener">Connect your cloud apps&nbsp;</A>to detect suspicious user activity and exposed sensitive data.</P> </TD> </TR> <TR> <TD width="311px"> <P>Search documentation on&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Cloud App Security</A>.&nbsp;</P> </TD> <TD width="438px"> <P>Enable out-of-the-box&nbsp;<A href="#" target="_blank" rel="noopener">anomaly detection policies&nbsp;</A>and start detecting cloud threats in your environment.</P> </TD> </TR> <TR> <TD width="311px"> <P>Understand your <A href="#" target="_blank" rel="noopener">licensing options</A>.&nbsp;</P> </TD> <TD width="438px"> <P>Continue with more advanced use cases across&nbsp;<A href="#" target="_blank" rel="noopener">information protection</A>, compliance, and more.</P> </TD> </TR> <TR> <TD colspan="2" width="749px"> <P>Follow the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/welcome-to-the-mcas-ninja-blog-series/ba-p/1775379" target="_blank" rel="noopener">Microsoft Cloud App Security Ninja blog</A> and learn about <A 
href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/the-microsoft-cloud-app-security-mcas-ninja-training-is-here/ba-p/1877343" target="_blank" rel="noopener">Ninja Training</A>. Read up on recent blogs: <A href="#" target="_blank" rel="noopener">aka.ms/MCASMarch2021</A></P> <P>Go deeper with these interactive guides:</P> <P>·&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="#" target="_blank" rel="noopener">Discover and manage cloud app usage</A> with Microsoft Cloud App Security</P> <P>·&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="#" target="_blank" rel="noopener">Protect and control information</A> with Microsoft Cloud App Security</P> <P>·&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="#" target="_blank" rel="noopener">Detect threats and manage alerts</A> with Microsoft Cloud App Security</P> <P>·&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <A href="#" target="_blank" rel="noopener">Automate alerts management with Microsoft Power Automate</A> and Cloud App Security</P> </TD> </TR> </TBODY> </TABLE> <P><STRONG>&nbsp;</STRONG></P> <P>Follow us on LinkedIn as <A href="#" target="_blank" rel="noopener">#CloudAppSecurity</A>. To learn more about Microsoft Security solutions visit our&nbsp;<A href="#" target="_blank" rel="noopener">website.</A>&nbsp;Bookmark the&nbsp;<A href="#" target="_blank" rel="noopener">Security blog</A>&nbsp;to keep up with our expert coverage on security matters. 
Also, follow us at&nbsp;<A href="#" target="_blank" rel="noopener">@MSFTSecurity</A> on Twitter, and <A href="#" target="_blank" rel="noopener">Microsoft Security</A> on LinkedIn for the latest news and updates on cybersecurity.</P> <P>&nbsp;</P> <P class="lia-align-center"><STRONG>Happy Hunting!</STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 12 May 2021 05:37:55 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-cloud-app-security-the-hunt-for-insider-risk/ba-p/2346242 erin_boris 2021-05-12T05:37:55Z Easily find anomalies in incidents and alerts https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/easily-find-anomalies-in-incidents-and-alerts/ba-p/2339243 <P>The Microsoft 365 security <STRONG>Home</STRONG> page and <STRONG>Incidents</STRONG> page now include a trend graph of all the incidents and alerts over the last 24 hours.</P> <P>This enables you to easily find spikes in your environment and tell whether anything abnormal is happening.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Idan_Pelleg_0-1620584251047.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/279370iE8DD2A06DDACF77E/image-size/large?v=v2&amp;px=999" role="button" title="Idan_Pelleg_0-1620584251047.png" alt="Idan_Pelleg_0-1620584251047.png" /></span></P> <P>&nbsp;</P> <P>The new incidents trend graph view will also allow you to determine whether there are several alerts for a single incident or whether your organization is under attack with several different incidents.</P> <P>&nbsp;</P> <P>For example, a will usually generate a lot of alerts in your organization and all of them will be related to the same incident. 
Seeing that there are hundreds of alerts over time related to the same incident can help you understand that there is an emerging attack that is growing, so that you can prioritize your incident response.</P> <P>&nbsp;</P> <P><SPAN>For more information on investigating incidents, see&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">Investigate incidents in Microsoft 365 Defender</A><SPAN>.</SPAN></P> <P>&nbsp;</P> Mon, 10 May 2021 06:54:47 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/easily-find-anomalies-in-incidents-and-alerts/ba-p/2339243 Idan_Pelleg 2021-05-10T06:54:47Z Blog Series: Limitless Advanced Hunting with Azure Data Explorer (ADX) https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/blog-series-limitless-advanced-hunting-with-azure-data-explorer/ba-p/2328705 <P><FONT size="1 2 3 4 5 6 7"><I>This is the first blog in a series to address long-term availability of advanced hunting data using the streaming API.&nbsp; The primary focus will be data from Microsoft Defender for Endpoint, followed up later with posts on other data tables (i.e., Microsoft Defender for Office 365).</I></FONT></P> <P>&nbsp;</P> <P>2020 saw one of the biggest supply-chain attacks in the industry (so far) with no entity immune to its effects. 
Over 6 months later, organizations continue to struggle with the impact of the breach - hampered by the lack of visibility and/or the lack of retention of the data needed to fully eradicate the threat.</P> <P>&nbsp;</P> <P>Fast-forward to 2021: customers have filled some of the visibility gap with tools like an endpoint detection and response (EDR) solution.&nbsp; Assuming all EDR tools are equal (they’re <STRONG><U>not</U></STRONG>), organizations could move data into a SIEM solution to extend retention and reap the traditional rewards (i.e., correlation, workflow, etc.).&nbsp; While this would appear to be good on paper, the reality is that <EM><U>keeping data for long periods of time in the SIEM is expensive.</U></EM></P> <P>&nbsp;</P> <P>Are there other options? Pushing data to cold storage or cheap cloud containers/blobs is a possible remedy; however, what supply chain attacks have shown us is that we need a way for data to be available for hunting – data stored using these methods often <EM><U>requires hydration before it is usable (i.e., queryable)</U></EM>, which often <EM><U>comes at a high operational cost</U></EM>.&nbsp; This hydration also comes with caveats, the most prevalent one being that <EM><U>restored data and current data often reside on different platforms, requiring queries/IP to be re-written</U></EM>.</P> <P>&nbsp;</P> <P>In summary, the ideal solution would:</P> <OL> <LI>Retain data for an organization’s required length of time.</LI> <LI>Make hydration quick, simple, scalable, and/or always online.</LI> <LI>Reduce or eliminate the need for IP (queries, investigations, ...) to be recreated.</LI> </OL> <P>&nbsp;</P> <H2>The solution</H2> <P>Azure Data Explorer (ADX) offers a scalable and cost-effective platform for security teams to build their hunting platforms on. There are many methods to bring data to ADX, but this post will focus on the event hub, which offers terrific scalability and speed. 
Data from Microsoft 365 Defender (M365D - security.microsoft.com), Microsoft's XDR solution, and more specifically from its EDR component, Microsoft Defender For Endpoint (MDE - securitycenter.windows.com), will be sent to ADX to solve the aforementioned problems.</P> <P>&nbsp;</P> <P>Solution architecture:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="MDE Long term.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/278564i576E1E6ACCACEE7F/image-size/large?v=v2&amp;px=999" role="button" title="MDE Long term.png" alt="Using Microsoft Defender For Endpoint's streaming API to an event-hub and Azure Data Explorer, security teams can have limitless query access to their data." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Using Microsoft Defender For Endpoint's streaming API to an event-hub and Azure Data Explorer, security teams can have limitless query access to their data.</span></span></P> <P>Questions and considerations:</P> <UL class="lia-list-style-type-disc"> <LI><STRONG>Q:</STRONG>&nbsp; Should I go from Sentinel/Azure Monitor to the event-hub (continuous export) or do I go straight to the event hub from source?<BR /><STRONG>A:</STRONG>&nbsp; Certainly there are benefits to bringing EDR data into a SIEM (correlations, case management, etc.). The method described in this post will allow data to be equally accessible, for longer periods of time, in a more cost-effective manner. In addition, one could consider moving "alertable" data to the SIEM, and supporting data to ADX.</LI> <LI><STRONG>Q:</STRONG>&nbsp; Are all tables supported in continuous export?<BR /><STRONG style="font-family: inherit;">A:</STRONG><SPAN style="font-family: inherit;">&nbsp; Not yet. 
The list of supported tables can be found </SPAN><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener">here</A><SPAN style="font-family: inherit;">.<BR /></SPAN></LI> <LI><STRONG>Q:</STRONG>&nbsp; How long do I need to retain information for? How big should I make the event-hub?<BR /><STRONG style="font-family: inherit;">A:</STRONG><SPAN style="font-family: inherit;">&nbsp; There are numerous resources to understand how to size and scale. Navigating through this document will help you at least understand how to bring data in, so sizing can be done with the most accurate numbers.<BR /></SPAN></LI> </UL> <P>&nbsp;</P> <P>Prior to starting, here are several “variables” which will be referred to. To eliminate effort around recreating queries, keep the table names the same.</P> <UL> <LI>Raw table for import:&nbsp; XDRRaw</LI> <LI>Mapping for raw data:&nbsp; XDRRawMapping</LI> <LI>Event-hub resource ID: &lt;myEHRID&gt;</LI> <LI>Event-Hub name:&nbsp; &lt;myEHName&gt;</LI> <LI>Table names to be created: <UL class="lia-list-style-type-square"> <LI>DeviceRegistryEvents</LI> <LI>DeviceFileCertificateInfo</LI> <LI>DeviceEvents</LI> <LI>DeviceImageLoadEvents</LI> <LI>DeviceLogonEvents</LI> <LI>DeviceFileEvents</LI> <LI>DeviceNetworkInfo</LI> <LI>DeviceProcessEvents</LI> <LI>DeviceInfo</LI> <LI>DeviceNetworkEvents<BR /><BR /></LI> </UL> </LI> </UL> <H3>Step 1:&nbsp; Create the Event-hub</H3> <P>For your initial event-hub, leverage the defaults and follow the <A href="#" target="_blank" rel="noopener">basic configuration</A>.&nbsp; Remember to create the event-hub and not just the namespace. 
Record the values as previously mentioned - <EM>event-hub resource ID</EM> and <EM>event-hub name</EM>.&nbsp;&nbsp;</P> <P>&nbsp;</P> <H3>Step 2:&nbsp; Enable the Streaming API in Microsoft 365 Defender/Microsoft Defender for Endpoint to Send Data to the Event-hub</H3> <P>Use the previously noted event-hub resource ID and name and follow the <A href="#" target="_blank" rel="noopener">documentation</A> to get data into the event-hub.&nbsp; After a few moments, click on the event-hub and review the data to verify that data is being transferred.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="EH.png" style="width: 725px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/278567i2B5A61E4A0677C4A/image-size/large?v=v2&amp;px=999" role="button" title="EH.png" alt="Create the event-hub namespace AND the event-hub. Record the resource ID of the namespace and name of the event-hub for use when creating the streaming API." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Create the event-hub namespace AND the event-hub. Record the resource ID of the namespace and name of the event-hub for use when creating the streaming API.</span></span></P> <H3>Step 3:&nbsp; Create the ADX Cluster</H3> <P>As with the event-hub, ADX clusters are very configurable after the fact, and a <A href="#" target="_blank" rel="noopener">guide</A> is available for a simple configuration.&nbsp;</P> <P>&nbsp;</P> <H3>Step 4:&nbsp; Create a Data Connection to Microsoft Defender for Endpoint</H3> <P>Prior to creating the data connection, a staging table and mapping need to be configured. 
Navigate to the previously created database and select Query (or select Query from the cluster and make sure your database is highlighted).&nbsp;</P> <P>&nbsp;</P> <P>Paste the code below into the query area to create the RAW table with name <I>XDRRaw</I>:</P> <P>&nbsp;</P> <LI-CODE lang="bash">//Create the staging table (use the above RAW table name)
.create table XDRRaw (Raw: dynamic) </LI-CODE> <P>&nbsp;</P> <P>The following will create the mapping with name <I>XDRRawMapping</I>:</P> <P>&nbsp;</P> <LI-CODE lang="basic">//Pull the elements into the first column so we can parse them (use the above RAW Mapping Name)
.create table XDRRaw ingestion json mapping 'XDRRawMapping' '[{"column":"Raw","path":"$","datatype":"dynamic","transform":null}]' </LI-CODE> <P>&nbsp;</P> <P>With the RAW staging table and mapping created, navigate to the database, and create a new data connection in the “Data Ingestion” setting under “Settings”.&nbsp; It should look as follows:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="dataconnection.png" style="width: 640px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/278571iC6D001968DA5C04B/image-size/large?v=v2&amp;px=999" role="button" title="dataconnection.png" alt="Create a data connection only after you have created the RAW table and the mapping." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Create a data connection only after you have created the RAW table and the mapping.</span></span></P> <P><STRONG>NOTE:</STRONG>&nbsp; The Microsoft 365 Defender/Microsoft Defender for Endpoint streaming API supplies multiple tables of data, so the data format to select is MULTILINE JSON.&nbsp;</P> <P>&nbsp;</P> <P>If all permissions are correct, the data connection should create without issue... 
Congratulations!&nbsp; Query the RAW table to review the data sources coming in from the service with the following query:</P> <P>&nbsp;</P> <LI-CODE lang="bash">//Here’s a list of the tables you’re going to have to migrate
XDRRaw | mv-expand Raw.records | project Properties=Raw_records.properties, Category=Raw_records.category | summarize by tostring(Category)</LI-CODE> <P>&nbsp;</P> <P><STRONG>NOTE</STRONG>:&nbsp; Be patient!&nbsp; ADX ingests in batches every 5 minutes by default. The interval can be configured lower, but it is advised to keep the default value, as lower values may result in increased latency.&nbsp; For more information about the batching policy, see <A href="#" target="_blank" rel="noopener">IngestionBatching policy</A>.</P> <P>&nbsp;</P> <H3>Step 5:&nbsp; Ingest Specified Tables</H3> <P>The Microsoft Defender for Endpoint data stream enables teams to pick one, some, or all tables to be exported.&nbsp; Copy and run the queries below (<STRONG><U>one at a time in each code block</U></STRONG>) based on which tables are being pushed to the event-hub.&nbsp; &nbsp;</P> <P>&nbsp;</P> <P><STRONG>DeviceEvents</STRONG></P> <LI-CODE lang="bash">//Create the parsing function
.create function with (docstring = "Filters data for Device Events for ingestion from XDRRaw", folder = "UpdatePolicies") XDRFilterDeviceEvents() { XDRRaw | mv-expand Raw.records | project Properties=Raw_records.properties, Category=Raw_records.category | where Category == "AdvancedHunting-DeviceEvents" | project TenantId = tostring(Properties.TenantId),AccountDomain = tostring(Properties.AccountDomain),AccountName = tostring(Properties.AccountName),AccountSid = tostring(Properties.AccountSid),ActionType = tostring(Properties.ActionType),AdditionalFields = tostring(Properties.AdditionalFields),AppGuardContainerId = tostring(Properties.AppGuardContainerId),DeviceId = tostring(Properties.DeviceId),DeviceName = tostring(Properties.DeviceName),FileName = 
tostring(Properties.FileName),FileOriginIP = tostring(Properties.FileOriginIP),FileOriginUrl = tostring(Properties.FileOriginUrl),FolderPath = tostring(Properties.FolderPath),InitiatingProcessAccountDomain = tostring(Properties.InitiatingProcessAccountDomain),InitiatingProcessAccountName = tostring(Properties.InitiatingProcessAccountName),InitiatingProcessAccountObjectId = tostring(Properties.InitiatingProcessAccountObjectId),InitiatingProcessAccountSid = tostring(Properties.InitiatingProcessAccountSid),InitiatingProcessAccountUpn = tostring(Properties.InitiatingProcessAccountUpn),InitiatingProcessCommandLine = tostring(Properties.InitiatingProcessCommandLine),InitiatingProcessFileName = tostring(Properties.InitiatingProcessFileName),InitiatingProcessFolderPath = tostring(Properties.InitiatingProcessFolderPath),InitiatingProcessId = tostring(Properties.InitiatingProcessId),InitiatingProcessLogonId = tostring(Properties.InitiatingProcessLogonId),InitiatingProcessMD5 = tostring(Properties.InitiatingProcessMD5),InitiatingProcessParentFileName = tostring(Properties.InitiatingProcessParentFileName),InitiatingProcessParentId = tostring(Properties.InitiatingProcessParentId),InitiatingProcessSHA1 = tostring(Properties.InitiatingProcessSHA1),InitiatingProcessSHA256 = tostring(Properties.InitiatingProcessSHA256),LocalIP = tostring(Properties.LocalIP),LocalPort = tostring(Properties.LocalPort),LogonId = tostring(Properties.LogonId),MD5 = tostring(Properties.MD5),MachineGroup = tostring(Properties.MachineGroup),ProcessCommandLine = tostring(Properties.ProcessCommandLine),ProcessId = tostring(Properties.ProcessId),ProcessTokenElevation = tostring(Properties.ProcessTokenElevation),RegistryKey = tostring(Properties.RegistryKey),RegistryValueData = tostring(Properties.RegistryValueData),RegistryValueName = tostring(Properties.RegistryValueName),RemoteDeviceName = tostring(Properties.RemoteDeviceName),RemoteIP = tostring(Properties.RemoteIP),RemotePort = 
tostring(Properties.RemotePort),RemoteUrl = tostring(Properties.RemoteUrl),ReportId = tostring(Properties.ReportId),SHA1 = tostring(Properties.SHA1),SHA256 = tostring(Properties.SHA256),TimeGenerated = todatetime(Properties.Timestamp),Timestamp = todatetime(Properties.Timestamp),SourceSystem = tostring(Properties.SourceSystem),Type = tostring(Properties.Type), customerName = tostring(Properties.Customername) }
//Create the table for DeviceEvents
.set-or-append DeviceEvents &lt;| XDRFilterDeviceEvents()
//Set to autoupdate
.alter table DeviceEvents policy update @'[{"IsEnabled": true, "Source": "XDRRaw", "Query": "XDRFilterDeviceEvents()", "IsTransactional": true, "PropagateIngestionProperties": true}]' </LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>DeviceFileEvents</STRONG></P> <LI-CODE lang="bash">//Create the parsing function
.create function with (docstring = "Filters data for DeviceFileEvents for ingestion from XDRRaw", folder = "UpdatePolicies") XDRFilterDeviceFileEvents() { XDRRaw | mv-expand Raw.records | project Properties=Raw_records.properties, Category=Raw_records.category | where Category == "AdvancedHunting-DeviceFileEvents" | project TenantId = tostring(Properties.TenantId),ActionType = tostring(Properties.ActionType),AdditionalFields = tostring(Properties.AdditionalFields),AppGuardContainerId = tostring(Properties.AppGuardContainerId),DeviceId = tostring(Properties.DeviceId),DeviceName = tostring(Properties.DeviceName),FileName = tostring(Properties.FileName),FileOriginIP = tostring(Properties.FileOriginIP),FileOriginReferrerUrl = tostring(Properties.FileOriginReferrerUrl),FileOriginUrl = tostring(Properties.FileOriginUrl),FileSize = tostring(Properties.FileSize),FolderPath = tostring(Properties.FolderPath),InitiatingProcessAccountDomain = tostring(Properties.InitiatingProcessAccountDomain),InitiatingProcessAccountName = tostring(Properties.InitiatingProcessAccountName),InitiatingProcessAccountObjectId = 
tostring(Properties.InitiatingProcessAccountObjectId),InitiatingProcessAccountSid = tostring(Properties.InitiatingProcessAccountSid),InitiatingProcessAccountUpn = tostring(Properties.InitiatingProcessAccountUpn),InitiatingProcessCommandLine = tostring(Properties.InitiatingProcessCommandLine),InitiatingProcessFileName = tostring(Properties.InitiatingProcessFileName),InitiatingProcessFolderPath = tostring(Properties.InitiatingProcessFolderPath),InitiatingProcessId = tostring(Properties.InitiatingProcessId),InitiatingProcessIntegrityLevel = tostring(Properties.InitiatingProcessIntegrityLevel),InitiatingProcessMD5 = tostring(Properties.InitiatingProcessMD5),InitiatingProcessParentFileName = tostring(Properties.InitiatingProcessParentFileName),InitiatingProcessParentId = tostring(Properties.InitiatingProcessParentId),InitiatingProcessSHA1 = tostring(Properties.InitiatingProcessSHA1),InitiatingProcessSHA256 = tostring(Properties.InitiatingProcessSHA256),InitiatingProcessTokenElevation = tostring(Properties.InitiatingProcessTokenElevation),IsAzureInfoProtectionApplied = tostring(Properties.IsAzureInfoProtectionApplied),MD5 = tostring(Properties.MD5),MachineGroup = tostring(Properties.MachineGroup),PreviousFileName = tostring(Properties.PreviousFileName),PreviousFolderPath = tostring(Properties.PreviousFolderPath),ReportId = tostring(Properties.ReportId),RequestAccountDomain = tostring(Properties.RequestAccountDomain),RequestAccountName = tostring(Properties.RequestAccountName),RequestAccountSid = tostring(Properties.RequestAccountSid),RequestProtocol = tostring(Properties.RequestProtocol),RequestSourceIP = tostring(Properties.RequestSourceIP),RequestSourcePort = tostring(Properties.RequestSourcePort),SHA1 = tostring(Properties.SHA1),SHA256 = tostring(Properties.SHA256),SensitivityLabel = tostring(Properties.SensitivityLabel),SensitivitySubLabel = tostring(Properties.SensitivitySubLabel),ShareName = tostring(Properties.ShareName),TimeGenerated 
=todatetime(Properties.Timestamp),Timestamp = todatetime(Properties.Timestamp),InitiatingProcessParentCreationTime = todatetime(Properties.InitiatingProcessParentCreationTime),InitiatingProcessCreationTime = todatetime(Properties.InitiatingProcessCreationTime),SourceSystem = tostring(Properties.SourceSystem),Type = tostring(Properties.Type) } //create table .set-or-append DeviceFileEvents &lt;| XDRFilterDeviceFileEvents() //Set to autoupdate .alter table DeviceFileEvents policy update @'[{"IsEnabled": true, "Source": "XDRRaw", "Query": "XDRFilterDeviceFileEvents()", "IsTransactional": true, "PropagateIngestionProperties": true}]'</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>DeviceLogonEvents</STRONG></P> <LI-CODE lang="bash">//Create the parsing function .create function with (docstring = "Filters data for DeviceLogonEvents for ingestion from XDRRaw", folder = "UpdatePolicies") XDRFilterDeviceLogonEvents() { XDRRaw | mv-expand Raw.records | project Properties=Raw_records.properties, Category=Raw_records.category | where Category == "AdvancedHunting-DeviceLogonEvents" | project TenantId = tostring(Properties.TenantId),AccountDomain = tostring(Properties.AccountDomain),AccountName = tostring(Properties.AccountName),AccountSid = tostring(Properties.AccountSid),ActionType = tostring(Properties.ActionType),AdditionalFields = tostring(Properties.AdditionalFields),AppGuardContainerId = tostring(Properties.AppGuardContainerId),DeviceId = tostring(Properties.DeviceId),DeviceName = tostring(Properties.DeviceName),FailureReason = tostring(Properties.FailureReason),InitiatingProcessAccountDomain = tostring(Properties.InitiatingProcessAccountDomain),InitiatingProcessAccountName = tostring(Properties.InitiatingProcessAccountName),InitiatingProcessAccountObjectId = tostring(Properties.InitiatingProcessAccountObjectId),InitiatingProcessAccountSid = tostring(Properties.InitiatingProcessAccountSid),InitiatingProcessAccountUpn = 
tostring(Properties.InitiatingProcessAccountUpn),InitiatingProcessCommandLine = tostring(Properties.InitiatingProcessCommandLine),InitiatingProcessFileName = tostring(Properties.InitiatingProcessFileName),InitiatingProcessFolderPath = tostring(Properties.InitiatingProcessFolderPath),InitiatingProcessId = tostring(Properties.InitiatingProcessId),InitiatingProcessIntegrityLevel = tostring(Properties.InitiatingProcessIntegrityLevel),InitiatingProcessMD5 = tostring(Properties.InitiatingProcessMD5),InitiatingProcessParentFileName = tostring(Properties.InitiatingProcessParentFileName),InitiatingProcessParentId = tostring(Properties.InitiatingProcessParentId),InitiatingProcessSHA1 = tostring(Properties.InitiatingProcessSHA1),InitiatingProcessSHA256 = tostring(Properties.InitiatingProcessSHA256),InitiatingProcessTokenElevation = tostring(Properties.InitiatingProcessTokenElevation),IsLocalAdmin = tostring(Properties.IsLocalAdmin),LogonId = tostring(Properties.LogonId),LogonType = tostring(Properties.LogonType),MachineGroup = tostring(Properties.MachineGroup),Protocol = tostring(Properties.Protocol),RemoteDeviceName = tostring(Properties.RemoteDeviceName),RemoteIP = tostring(Properties.RemoteIP),RemoteIPType = tostring(Properties.RemoteIPType),RemotePort = tostring(Properties.RemotePort),ReportId = tostring(Properties.ReportId),TimeGenerated = todatetime(Properties.Timestamp),Timestamp = todatetime(Properties.Timestamp),InitiatingProcessParentCreationTime = todatetime(Properties.InitiatingProcessParentCreationTime),InitiatingProcessCreationTime = todatetime(Properties.InitiatingProcessCreationTime),SourceSystem = tostring(Properties.SourceSystem),Type = tostring(Properties.Type) } //create table .set-or-append DeviceLogonEvents &lt;| XDRFilterDeviceLogonEvents() //Set to autoupdate .alter table DeviceLogonEvents policy update @'[{"IsEnabled": true, "Source": "XDRRaw", "Query": "XDRFilterDeviceLogonEvents()", "IsTransactional": true, "PropagateIngestionProperties": true}]' 
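
//Added verification query (not part of the original post): confirm that the update
//policy is actually populating DeviceLogonEvents from XDRRaw. Both sides are counted
//over the same explicit window, because queries in ADX have no default time filter.
let Window = 1d;
let RawLogonRows = XDRRaw
| mv-expand Raw.records
| where tostring(Raw_records.category) == "AdvancedHunting-DeviceLogonEvents"
| where todatetime(Raw_records.properties.Timestamp) > ago(Window)
| count;
DeviceLogonEvents
| where Timestamp > ago(Window)
| summarize ParsedRows = count()
| extend RawRows = toscalar(RawLogonRows)
| extend MissingRows = RawRows - ParsedRows
//MissingRows should be 0 once the policy is active. A positive value means records
//reached XDRRaw but were never transformed, for example records ingested between the
//.set-or-append and the .alter table policy commands above.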
</LI-CODE> <P>&nbsp;</P> <P><STRONG>DeviceRegistryEvents</STRONG></P> <LI-CODE lang="bash">//Create the parsing function
.create function with (docstring = "Filters data for DeviceRegistryEvents for ingestion from XDRRaw", folder = "UpdatePolicies") XDRFilterDeviceRegistryEvents() {
    XDRRaw
    | mv-expand Raw.records
    | project Properties = Raw_records.properties, Category = Raw_records.category
    | where Category == "AdvancedHunting-DeviceRegistryEvents"
    | project
        TenantId = tostring(Properties.TenantId),
        ActionType = tostring(Properties.ActionType),
        AppGuardContainerId = tostring(Properties.AppGuardContainerId),
        DeviceId = tostring(Properties.DeviceId),
        DeviceName = tostring(Properties.DeviceName),
        InitiatingProcessAccountDomain = tostring(Properties.InitiatingProcessAccountDomain),
        InitiatingProcessAccountName = tostring(Properties.InitiatingProcessAccountName),
        InitiatingProcessAccountObjectId = tostring(Properties.InitiatingProcessAccountObjectId),
        InitiatingProcessAccountSid = tostring(Properties.InitiatingProcessAccountSid),
        InitiatingProcessAccountUpn = tostring(Properties.InitiatingProcessAccountUpn),
        InitiatingProcessCommandLine = tostring(Properties.InitiatingProcessCommandLine),
        InitiatingProcessFileName = tostring(Properties.InitiatingProcessFileName),
        InitiatingProcessFolderPath = tostring(Properties.InitiatingProcessFolderPath),
        InitiatingProcessId = tostring(Properties.InitiatingProcessId),
        InitiatingProcessIntegrityLevel = tostring(Properties.InitiatingProcessIntegrityLevel),
        InitiatingProcessMD5 = tostring(Properties.InitiatingProcessMD5),
        InitiatingProcessParentFileName = tostring(Properties.InitiatingProcessParentFileName),
        InitiatingProcessParentId = tostring(Properties.InitiatingProcessParentId),
        InitiatingProcessSHA1 = tostring(Properties.InitiatingProcessSHA1),
        InitiatingProcessSHA256 = tostring(Properties.InitiatingProcessSHA256),
        InitiatingProcessTokenElevation = tostring(Properties.InitiatingProcessTokenElevation),
        MachineGroup = tostring(Properties.MachineGroup),
        PreviousRegistryKey = tostring(Properties.PreviousRegistryKey),
        PreviousRegistryValueData = tostring(Properties.PreviousRegistryValueData),
        PreviousRegistryValueName = tostring(Properties.PreviousRegistryValueName),
        RegistryKey = tostring(Properties.RegistryKey),
        RegistryValueData = tostring(Properties.RegistryValueData),
        RegistryValueName = tostring(Properties.RegistryValueName),
        RegistryValueType = tostring(Properties.RegistryValueType),
        ReportId = tostring(Properties.ReportId),
        TimeGenerated = todatetime(Properties.Timestamp),
        Timestamp = todatetime(Properties.Timestamp),
        InitiatingProcessParentCreationTime = todatetime(Properties.InitiatingProcessParentCreationTime),
        InitiatingProcessCreationTime = todatetime(Properties.InitiatingProcessCreationTime),
        SourceSystem = tostring(Properties.SourceSystem),
        Type = tostring(Properties.Type)
}

//Create the table
.set-or-append DeviceRegistryEvents &lt;| XDRFilterDeviceRegistryEvents()

//Set to autoupdate
.alter table DeviceRegistryEvents policy update @'[{"IsEnabled": true, "Source": "XDRRaw", "Query": "XDRFilterDeviceRegistryEvents()", "IsTransactional": true, "PropagateIngestionProperties": true}]'</LI-CODE> <P>&nbsp;</P> <P><STRONG>DeviceImageLoadEvents</STRONG></P> <LI-CODE lang="bash">//Create the parsing function
.create function with (docstring = "Filters data for DeviceImageLoadEvents for ingestion from XDRRaw", folder = "UpdatePolicies") XDRFilterDeviceImageLoadEvents() {
    XDRRaw
    | mv-expand Raw.records
    | project Properties = Raw_records.properties, Category = Raw_records.category
    | where Category == "AdvancedHunting-DeviceImageLoadEvents"
    | project
        TenantId = tostring(Properties.TenantId),
        ActionType = tostring(Properties.ActionType),
        AppGuardContainerId = tostring(Properties.AppGuardContainerId),
        DeviceId = tostring(Properties.DeviceId),
        DeviceName = tostring(Properties.DeviceName),
        FileName = tostring(Properties.FileName),
        FolderPath = tostring(Properties.FolderPath),
        InitiatingProcessAccountDomain = tostring(Properties.InitiatingProcessAccountDomain),
        InitiatingProcessAccountName = tostring(Properties.InitiatingProcessAccountName),
        InitiatingProcessAccountObjectId = tostring(Properties.InitiatingProcessAccountObjectId),
        InitiatingProcessAccountSid = tostring(Properties.InitiatingProcessAccountSid),
        InitiatingProcessAccountUpn = tostring(Properties.InitiatingProcessAccountUpn),
        InitiatingProcessCommandLine = tostring(Properties.InitiatingProcessCommandLine),
        InitiatingProcessFileName = tostring(Properties.InitiatingProcessFileName),
        InitiatingProcessFolderPath = tostring(Properties.InitiatingProcessFolderPath),
        InitiatingProcessId = tostring(Properties.InitiatingProcessId),
        InitiatingProcessIntegrityLevel = tostring(Properties.InitiatingProcessIntegrityLevel),
        InitiatingProcessMD5 = tostring(Properties.InitiatingProcessMD5),
        InitiatingProcessParentFileName = tostring(Properties.InitiatingProcessParentFileName),
        InitiatingProcessParentId = tostring(Properties.InitiatingProcessParentId),
        InitiatingProcessSHA1 = tostring(Properties.InitiatingProcessSHA1),
        InitiatingProcessSHA256 = tostring(Properties.InitiatingProcessSHA256),
        InitiatingProcessTokenElevation = tostring(Properties.InitiatingProcessTokenElevation),
        MD5 = tostring(Properties.MD5),
        MachineGroup = tostring(Properties.MachineGroup),
        ReportId = tostring(Properties.ReportId),
        SHA1 = tostring(Properties.SHA1),
        SHA256 = tostring(Properties.SHA256),
        TimeGenerated = todatetime(Properties.Timestamp),
        Timestamp = todatetime(Properties.Timestamp),
        InitiatingProcessParentCreationTime = todatetime(Properties.InitiatingProcessParentCreationTime),
        InitiatingProcessCreationTime = todatetime(Properties.InitiatingProcessCreationTime),
        SourceSystem = tostring(Properties.SourceSystem),
        Type = tostring(Properties.Type)
}

//Create the table
.set-or-append DeviceImageLoadEvents &lt;| XDRFilterDeviceImageLoadEvents()

//Set to autoupdate
.alter table DeviceImageLoadEvents policy update @'[{"IsEnabled": true, "Source": "XDRRaw", "Query": "XDRFilterDeviceImageLoadEvents()", "IsTransactional": true, "PropagateIngestionProperties": true}]'</LI-CODE> <P>&nbsp;</P> <P><STRONG>DeviceNetworkInfo</STRONG></P> <LI-CODE lang="bash">//Create the parsing function
.create function with (docstring = "Filters data for DeviceNetworkInfo for ingestion from XDRRaw", folder = "UpdatePolicies") XDRFilterDeviceNetworkInfo() {
    XDRRaw
    | mv-expand Raw.records
    | project Properties = Raw_records.properties, Category = Raw_records.category
    | where Category == "AdvancedHunting-DeviceNetworkInfo"
    | project
        TenantId = tostring(Properties.TenantId),
        ConnectedNetworks = tostring(Properties.ConnectedNetworks),
        DefaultGateways = tostring(Properties.DefaultGateways),
        DeviceId = tostring(Properties.DeviceId),
        DeviceName = tostring(Properties.DeviceName),
        DnsAddresses = tostring(Properties.DnsAddresses),
        IPAddresses = tostring(Properties.IPAddresses),
        IPv4Dhcp = tostring(Properties.IPv4Dhcp),
        IPv6Dhcp = tostring(Properties.IPv6Dhcp),
        MacAddress = tostring(Properties.MacAddress),
        MachineGroup = tostring(Properties.MachineGroup),
        NetworkAdapterName = tostring(Properties.NetworkAdapterName),
        NetworkAdapterStatus = tostring(Properties.NetworkAdapterStatus),
        NetworkAdapterType = tostring(Properties.NetworkAdapterType),
        ReportId = tostring(Properties.ReportId),
        TimeGenerated = todatetime(Properties.Timestamp),
        Timestamp = todatetime(Properties.Timestamp),
        TunnelType = tostring(Properties.TunnelType),
        SourceSystem = tostring(Properties.SourceSystem),
        Type = tostring(Properties.Type)
}

//Create the table
.set-or-append DeviceNetworkInfo &lt;| XDRFilterDeviceNetworkInfo()

//Set to autoupdate
.alter table DeviceNetworkInfo policy update @'[{"IsEnabled": true, "Source": "XDRRaw", "Query": "XDRFilterDeviceNetworkInfo()", "IsTransactional": true, "PropagateIngestionProperties": true}]'</LI-CODE> <P>&nbsp;</P> <P><STRONG>DeviceProcessEvents</STRONG></P> <LI-CODE lang="bash">//Create the parsing function
.create function with (docstring = "Filters data for DeviceProcessEvents for ingestion from XDRRaw", folder = "UpdatePolicies") XDRFilterDeviceProcessEvents() {
    XDRRaw
    | mv-expand Raw.records
    | project Properties = Raw_records.properties, Category = Raw_records.category
    | where Category == "AdvancedHunting-DeviceProcessEvents"
    | project
        TenantId = tostring(Properties.TenantId),
        AccountDomain = tostring(Properties.AccountDomain),
        AccountName = tostring(Properties.AccountName),
        AccountObjectId = tostring(Properties.AccountObjectId),
        AccountSid = tostring(Properties.AccountSid),
        AccountUpn = tostring(Properties.AccountUpn),
        ActionType = tostring(Properties.ActionType),
        AdditionalFields = tostring(Properties.AdditionalFields),
        AppGuardContainerId = tostring(Properties.AppGuardContainerId),
        DeviceId = tostring(Properties.DeviceId),
        DeviceName = tostring(Properties.DeviceName),
        FileName = tostring(Properties.FileName),
        FolderPath = tostring(Properties.FolderPath),
        InitiatingProcessAccountDomain = tostring(Properties.InitiatingProcessAccountDomain),
        InitiatingProcessAccountName = tostring(Properties.InitiatingProcessAccountName),
        InitiatingProcessAccountObjectId = tostring(Properties.InitiatingProcessAccountObjectId),
        InitiatingProcessAccountSid = tostring(Properties.InitiatingProcessAccountSid),
        InitiatingProcessAccountUpn = tostring(Properties.InitiatingProcessAccountUpn),
        InitiatingProcessCommandLine = tostring(Properties.InitiatingProcessCommandLine),
        InitiatingProcessFileName = tostring(Properties.InitiatingProcessFileName),
        InitiatingProcessFolderPath = tostring(Properties.InitiatingProcessFolderPath),
        InitiatingProcessId = tostring(Properties.InitiatingProcessId),
        InitiatingProcessIntegrityLevel = tostring(Properties.InitiatingProcessIntegrityLevel),
        InitiatingProcessLogonId = tostring(Properties.InitiatingProcessLogonId),
        InitiatingProcessMD5 = tostring(Properties.InitiatingProcessMD5),
        InitiatingProcessParentFileName = tostring(Properties.InitiatingProcessParentFileName),
        InitiatingProcessParentId = tostring(Properties.InitiatingProcessParentId),
        InitiatingProcessSHA1 = tostring(Properties.InitiatingProcessSHA1),
        InitiatingProcessSHA256 = tostring(Properties.InitiatingProcessSHA256),
        InitiatingProcessTokenElevation = tostring(Properties.InitiatingProcessTokenElevation),
        LogonId = tostring(Properties.LogonId),
        MD5 = tostring(Properties.MD5),
        MachineGroup = tostring(Properties.MachineGroup),
        ProcessCommandLine = tostring(Properties.ProcessCommandLine),
        ProcessCreationTime = todatetime(Properties.ProcessCreationTime),
        ProcessId = tostring(Properties.ProcessId),
        ProcessIntegrityLevel = tostring(Properties.ProcessIntegrityLevel),
        ProcessTokenElevation = tostring(Properties.ProcessTokenElevation),
        ReportId = tostring(Properties.ReportId),
        SHA1 = tostring(Properties.SHA1),
        SHA256 = tostring(Properties.SHA256),
        TimeGenerated = todatetime(Properties.Timestamp),
        Timestamp = todatetime(Properties.Timestamp),
        InitiatingProcessParentCreationTime = todatetime(Properties.InitiatingProcessParentCreationTime),
        InitiatingProcessCreationTime = todatetime(Properties.InitiatingProcessCreationTime),
        SourceSystem = tostring(Properties.SourceSystem),
        Type = tostring(Properties.Type)
}

//Create the table
.set-or-append DeviceProcessEvents &lt;| XDRFilterDeviceProcessEvents()

//Set to autoupdate
.alter table DeviceProcessEvents policy update @'[{"IsEnabled": true, "Source": "XDRRaw", "Query": "XDRFilterDeviceProcessEvents()", "IsTransactional": true, "PropagateIngestionProperties": true}]'</LI-CODE> <P>&nbsp;</P> <P><STRONG>DeviceFileCertificateInfo</STRONG></P> <LI-CODE lang="bash">//Create the parsing function
.create function with (docstring = "Filters data for DeviceFileCertificateInfo for ingestion from XDRRaw", folder = "UpdatePolicies") XDRFilterDeviceFileCertificateInfo() {
    XDRRaw
    | mv-expand Raw.records
    | project Properties = Raw_records.properties, Category = Raw_records.category
    | where Category == "AdvancedHunting-DeviceFileCertificateInfo"
    | project
        TenantId = tostring(Properties.TenantId),
        CertificateSerialNumber = tostring(Properties.CertificateSerialNumber),
        CrlDistributionPointUrls = tostring(Properties.CrlDistributionPointUrls),
        DeviceId = tostring(Properties.DeviceId),
        DeviceName = tostring(Properties.DeviceName),
        IsRootSignerMicrosoft = tostring(Properties.IsRootSignerMicrosoft),
        IsSigned = tostring(Properties.IsSigned),
        IsTrusted = tostring(Properties.IsTrusted),
        Issuer = tostring(Properties.Issuer),
        IssuerHash = tostring(Properties.IssuerHash),
        MachineGroup = tostring(Properties.MachineGroup),
        ReportId = tostring(Properties.ReportId),
        SHA1 = tostring(Properties.SHA1),
        SignatureType = tostring(Properties.SignatureType),
        Signer = tostring(Properties.Signer),
        SignerHash = tostring(Properties.SignerHash),
        TimeGenerated = todatetime(Properties.Timestamp),
        Timestamp = todatetime(Properties.Timestamp),
        CertificateCountersignatureTime = todatetime(Properties.CertificateCountersignatureTime),
        CertificateCreationTime = todatetime(Properties.CertificateCreationTime),
        CertificateExpirationTime = todatetime(Properties.CertificateExpirationTime),
        SourceSystem = tostring(Properties.SourceSystem),
        Type = tostring(Properties.Type)
}

//Create the table
.set-or-append DeviceFileCertificateInfo &lt;| XDRFilterDeviceFileCertificateInfo()

//Set to autoupdate
.alter table DeviceFileCertificateInfo policy update @'[{"IsEnabled": true, "Source": "XDRRaw", "Query": "XDRFilterDeviceFileCertificateInfo()", "IsTransactional": true, "PropagateIngestionProperties": true}]'</LI-CODE> <P>&nbsp;</P> <P><STRONG>DeviceInfo</STRONG></P> <LI-CODE lang="bash">//Create the parsing function
.create function with (docstring = "Filters data for DeviceInfo for ingestion from XDRRaw", folder = "UpdatePolicies") XDRFilterDeviceInfo() {
    XDRRaw
    | mv-expand Raw.records
    | project Properties = Raw_records.properties, Category = Raw_records.category
    | where Category == "AdvancedHunting-DeviceInfo"
    | project
        TenantId = tostring(Properties.TenantId),
        AdditionalFields = tostring(Properties.AdditionalFields),
        ClientVersion = tostring(Properties.ClientVersion),
        DeviceId = tostring(Properties.DeviceId),
        DeviceName = tostring(Properties.DeviceName),
        DeviceObjectId = tostring(Properties.DeviceObjectId),
        IsAzureADJoined = tostring(Properties.IsAzureADJoined),
        LoggedOnUsers = tostring(Properties.LoggedOnUsers),
        MachineGroup = tostring(Properties.MachineGroup),
        OSArchitecture = tostring(Properties.OSArchitecture),
        OSBuild = tostring(Properties.OSBuild),
        OSPlatform = tostring(Properties.OSPlatform),
        OSVersion = tostring(Properties.OSVersion),
        PublicIP = tostring(Properties.PublicIP),
        RegistryDeviceTag = tostring(Properties.RegistryDeviceTag),
        ReportId = tostring(Properties.ReportId),
        TimeGenerated = todatetime(Properties.Timestamp),
        Timestamp = todatetime(Properties.Timestamp),
        SourceSystem = tostring(Properties.SourceSystem),
        Type = tostring(Properties.Type)
}

//Create the table
.set-or-append DeviceInfo &lt;| XDRFilterDeviceInfo()

//Set to autoupdate
.alter table DeviceInfo policy update @'[{"IsEnabled": true, "Source": "XDRRaw", "Query": "XDRFilterDeviceInfo()", "IsTransactional": true, "PropagateIngestionProperties": true}]'</LI-CODE> <P>&nbsp;</P> <P><STRONG>DeviceNetworkEvents</STRONG></P> <LI-CODE lang="bash">//Create the parsing function
.create function with (docstring = "Filters data for DeviceNetworkEvents for ingestion from XDRRaw", folder = "UpdatePolicies") XDRFilterDeviceNetworkEvents() {
    XDRRaw
    | mv-expand Raw.records
    | project Properties = Raw_records.properties, Category = Raw_records.category
    | where Category == "AdvancedHunting-DeviceNetworkEvents"
    | project
        TenantId = tostring(Properties.TenantId),
        ActionType = tostring(Properties.ActionType),
        AdditionalFields = tostring(Properties.AdditionalFields),
        AppGuardContainerId = tostring(Properties.AppGuardContainerId),
        DeviceId = tostring(Properties.DeviceId),
        DeviceName = tostring(Properties.DeviceName),
        InitiatingProcessAccountDomain = tostring(Properties.InitiatingProcessAccountDomain),
        InitiatingProcessAccountName = tostring(Properties.InitiatingProcessAccountName),
        InitiatingProcessAccountObjectId = tostring(Properties.InitiatingProcessAccountObjectId),
        InitiatingProcessAccountSid = tostring(Properties.InitiatingProcessAccountSid),
        InitiatingProcessAccountUpn = tostring(Properties.InitiatingProcessAccountUpn),
        InitiatingProcessCommandLine = tostring(Properties.InitiatingProcessCommandLine),
        InitiatingProcessFileName = tostring(Properties.InitiatingProcessFileName),
        InitiatingProcessFolderPath = tostring(Properties.InitiatingProcessFolderPath),
        InitiatingProcessId = tostring(Properties.InitiatingProcessId),
        InitiatingProcessIntegrityLevel = tostring(Properties.InitiatingProcessIntegrityLevel),
        InitiatingProcessMD5 = tostring(Properties.InitiatingProcessMD5),
        InitiatingProcessParentFileName = tostring(Properties.InitiatingProcessParentFileName),
        InitiatingProcessParentId = tostring(Properties.InitiatingProcessParentId),
        InitiatingProcessSHA1 = tostring(Properties.InitiatingProcessSHA1),
        InitiatingProcessSHA256 = tostring(Properties.InitiatingProcessSHA256),
        InitiatingProcessTokenElevation = tostring(Properties.InitiatingProcessTokenElevation),
        LocalIP = tostring(Properties.LocalIP),
        LocalIPType = tostring(Properties.LocalIPType),
        LocalPort = tostring(Properties.LocalPort),
        MachineGroup = tostring(Properties.MachineGroup),
        Protocol = tostring(Properties.Protocol),
        RemoteIP = tostring(Properties.RemoteIP),
        RemoteIPType = tostring(Properties.RemoteIPType),
        RemotePort = tostring(Properties.RemotePort),
        RemoteUrl = tostring(Properties.RemoteUrl),
        ReportId = tostring(Properties.ReportId),
        TimeGenerated = todatetime(Properties.Timestamp),
        Timestamp = todatetime(Properties.Timestamp),
        InitiatingProcessParentCreationTime = todatetime(Properties.InitiatingProcessParentCreationTime),
        InitiatingProcessCreationTime = todatetime(Properties.InitiatingProcessCreationTime),
        SourceSystem = tostring(Properties.SourceSystem),
        Type = tostring(Properties.Type)
}

//Create the table
.set-or-append DeviceNetworkEvents &lt;| XDRFilterDeviceNetworkEvents()

//Set to autoupdate
.alter table DeviceNetworkEvents policy update @'[{"IsEnabled": true, "Source": "XDRRaw", "Query": "XDRFilterDeviceNetworkEvents()", "IsTransactional": true, "PropagateIngestionProperties": true}]'</LI-CODE> <P>&nbsp;</P> <H3>Step 5:&nbsp; Review Benefits</H3> <P>With data flowing through, take any device query from the security.microsoft.com or securitycenter.windows.com portal and run it, word for word, in the ADX portal.&nbsp; As an example, the following query lists devices that reported a Plug and Play (PnP) device connection:</P> <P>&nbsp;</P> <LI-CODE lang="bash">DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| project className = parsed.ClassName, description = parsed.DeviceDescription, parsed.DeviceId, DeviceName</LI-CODE> <P>&nbsp;</P> <P>In addition to being able to reuse queries, if you are also using Azure Sentinel and have Microsoft 365 Defender/Microsoft Defender for Endpoint data connected, try the following:<BR /><BR /></P> <OL> <LI>Navigate to your ADX cluster and copy the scope.&nbsp; It is formatted as &lt;clusterName&gt;.&lt;region&gt;/&lt;databaseName&gt;:<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="adxscope.png" style="width: 455px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/278584i30ED5C267A8A5EC4/image-size/large?v=v2&amp;px=999" role="button" title="adxscope.png" alt="Retrieve the ADX scope for external use from Azure Sentinel." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Retrieve the ADX scope for external use from Azure Sentinel.</span></span><EM><STRONG>NOTE:</STRONG>&nbsp; Unlike queries in Microsoft 365 Defender/Microsoft Defender for Endpoint and Sentinel/Log Analytics, queries in ADX do NOT have a default time filter.&nbsp; A query run without a time filter scans the entire database and will likely impact performance.</EM><BR /><BR /></LI> <LI>Navigate to an Azure Sentinel instance and run the same query through the adx() operator:<BR /><LI-CODE lang="bash">adx("###ADXSCOPE###").DeviceEvents
| where ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
| project className = parsed.ClassName, description = parsed.DeviceDescription, parsed.DeviceId, DeviceName</LI-CODE>For example:<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="sample.png" style="width: 626px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/278586iCC7E6302439B4B98/image-size/large?v=v2&amp;px=999" role="button" title="sample.png" alt="sample.png" /></span> <P><EM>&nbsp;<STRONG>NOTE:</STRONG>&nbsp; Because the adx() operator queries an external resource, auto-complete will not work.<BR /><BR /></EM></P> </LI> </OL> <P><SPAN style="font-family: inherit;">Notice that the query completes, but using the compute resources of ADX rather than those of Azure Sentinel.&nbsp; (The adx() operator is not available in analytics rules, though.)</SPAN></P> <P>&nbsp;</P> <H2>Summary</H2> <P>Using the Microsoft 365 Defender/Microsoft Defender for Endpoint streaming API and Azure Data Explorer (ADX), teams can scale long-term retention, investigative hunting, and forensics with very little effort.&nbsp; Cost is another key benefit, as is the ability to reuse existing intellectual property in the form of hunting queries.&nbsp;</P> <P>&nbsp;</P> <P>For organizations looking to expand their EDR signal and do automatic correlation with 3<SUP>rd</SUP> party data sources, consider leveraging Azure Sentinel, where a number of 1<SUP>st</SUP> and 3<SUP>rd</SUP> party data connectors add rich context to existing Microsoft 365 Defender/Microsoft Defender for Endpoint data.&nbsp; An example of these enhancements can be found at <A href="#" target="_blank" rel="noopener">https://aka.ms/SentinelFusion</A>.</P> <P>&nbsp;</P> <P>Additional information and references:&nbsp;</P> <UL> <LI>More information about continuous export and how to move data from Azure Sentinel to ADX, written by the amazing Javier Soriano (and the catalyst for this post):&nbsp; <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/using-azure-data-explorer-for-long-term-retention-of-azure/ba-p/1883947" target="_blank" rel="noopener">https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/using-azure-data-explorer-for-long-term-retention-of-azure/ba-p/1883947</A></LI> <LI>An earlier perspective on moving data from XDE/Microsoft Defender for Endpoint (Microsoft Defender ATP at the time) to Azure Data Explorer, written by a great PM (Deepak Agrawal) and the inspiration for this post:&nbsp; <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-data-explorer/how-to-stream-microsoft-defender-atp-hunting-logs-in-azure-data/ba-p/1427888" target="_blank" rel="noopener">https://gorovian.000webhostapp.com/?exam=t5/azure-data-explorer/how-to-stream-microsoft-defender-atp-hunting-logs-in-azure-data/ba-p/1427888</A></LI> </UL> <P>Special thanks to <LI-USER uid="357654"></LI-USER>, <LI-USER uid="508015"></LI-USER>, <LI-USER uid="66621"></LI-USER>, <LI-USER uid="187816"></LI-USER>, <LI-USER uid="175545"></LI-USER>, and <LI-USER uid="46360"></LI-USER> for their insights and the time they put into this post.</P> Wed, 12 May 2021 14:07:04 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/blog-series-limitless-advanced-hunting-with-azure-data-explorer/ba-p/2328705 Jeff_Chin 2021-05-12T14:07:04Z Best practices for
leveraging Microsoft 365 Defender API's - Episode Three https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2290463 <P><SPAN class="NormalTextRun BCX8 SCXW7484756">I</SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">n the pre</SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">vious episode</SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">,</SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756"><SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">we described<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">how</SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756"><SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">you can<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">easily<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">use<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 BCX8 SCXW7484756">PowerBi</SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756"><SPAN>&nbsp;</SPAN>to<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">represent<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">Microsoft 365 data in a visual format</SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">.<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">I</SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">n this episode</SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">,<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">we will explore another way you can interact with the Microsoft 365 Defender API</SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">.<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun CommentStart BCX8 SCXW7484756">W</SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">e<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">will<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun BCX8 
SCXW7484756">describe how to automate data<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">analysis</SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756"><SPAN>&nbsp;</SPAN>and<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">hunting using<SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun SpellingErrorV2 BCX8 SCXW7484756">Jupyter</SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756"><SPAN>&nbsp;</SPAN></SPAN><SPAN class="NormalTextRun BCX8 SCXW7484756">notebook.</SPAN></P> <P>&nbsp;</P> <P aria-level="1"><FONT size="6"><SPAN data-contrast="none">Automate</SPAN><SPAN data-contrast="none">&nbsp;your hunting queries</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></P> <P><SPAN data-contrast="auto">While hunting and conducting investigations on a specific threat or IOC, you may want to use multiple queries to obtain wider optics on the&nbsp;possible&nbsp;threats&nbsp;or IOCs in your network.&nbsp;You may also&nbsp;want&nbsp;to leverage&nbsp;queries that&nbsp;are used by other&nbsp;hunters&nbsp;and use it&nbsp;as a pivot point to perform deep analysis&nbsp;and&nbsp;find anomalous&nbsp;behaviors.&nbsp;You can&nbsp;find a wide variety of examples in our Git repository where various queries related to the same campaign or attack technique&nbsp;are&nbsp;shared.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">In scenarios such as this, it is sensible to leverage the power of automation to run the queries rather than running individual queries one-by-one.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">This 
is where&nbsp;Jupyter&nbsp;Notebook is particularly useful. It takes in a JSON file with hunting queries as input and executes all the queries in sequence.&nbsp;The results&nbsp;are&nbsp;saved in a .csv file&nbsp;that you can analyze and share.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><FONT size="6"><STRONG>Before you begin&nbsp;</STRONG></FONT></P> <P><STRONG>JUPYTER&nbsp;NOTEBOOK&nbsp;</STRONG></P> <P><SPAN data-contrast="auto">If&nbsp;you're&nbsp;not familiar with&nbsp;Jupyter&nbsp;Notebooks, you can start by&nbsp;visiting&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>https://jupyter.org</SPAN></A><SPAN data-contrast="auto">&nbsp;for more information. You can also get an excellent overview on how to use Microsoft 365 APIs with&nbsp;Jupyter&nbsp;Notebook by reading&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/automating-security-operations-using-windows-defender-atp-apis/ba-p/294434%22HYPERLINK%20%22https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/automating-security-operations-using-windows-defender-atp-apis/ba-p/294434" target="_blank" rel="noopener"><SPAN>Automating Security Operations Using Windows Defender ATP APIs with Python and Jupyter Notebooks</SPAN></A><SPAN data-contrast="auto">.&nbsp;&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><STRONG>VISUAL STUDIO CODE EXTENSION&nbsp;</STRONG></P> <P><SPAN data-contrast="auto">If you currently use Visual Studio Code, make sure to check out the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>Jupyter&nbsp;extension</SPAN></A><SPAN data-contrast="auto">.&nbsp;</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_27-1619422918103.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275494iAC4E92D9D340881C/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_27-1619422918103.png" alt="msftdario_27-1619422918103.png" /></span></P> <P><I><SPAN data-contrast="none">Figure 1.&nbsp;</SPAN></I><SPAN data-contrast="auto">Visual Studio Code –&nbsp;Jupyter&nbsp;Notebook extension</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Another option for running Jupyter notebooks is the Microsoft Azure Machine Learning service, which is also a convenient way to share your notebook with others and collaborate on it. Refer to&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>Azure Machine Learning - ML as a Service | Microsoft Azure</SPAN></A><SPAN data-contrast="none">&nbsp;for additional details.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_28-1619422918116.png" style="width: 400px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275495i5405139951168417/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_28-1619422918116.png" alt="msftdario_28-1619422918116.png" /></span></P> <P><I><SPAN data-contrast="none">Figure 2.&nbsp;</SPAN></I><SPAN data-contrast="auto">Microsoft Azure Machine Learning</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">In order to&nbsp;create an instance, create a resource group and add the Machine Learning resource. The resource group lets you control&nbsp;all of&nbsp;the resources from a&nbsp;single entry&nbsp;point.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_29-1619422918122.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275496i4C07B6EF950DFE13/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_29-1619422918122.png" alt="msftdario_29-1619422918122.png" /></span></P> <P><I><SPAN data-contrast="none">Figure 3.&nbsp;</SPAN></I><SPAN data-contrast="auto">Microsoft Azure Machine Learning - Resource</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">When&nbsp;you’re&nbsp;done, you can run the same&nbsp;Jupyter&nbsp;Notebook you are running locally on your device.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_30-1619422918118.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275497i0903E08B9D73835B/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_30-1619422918118.png" alt="msftdario_30-1619422918118.png" /></span></P> <P><I><SPAN data-contrast="none">Figure 4.&nbsp;</SPAN></I><SPAN data-contrast="auto">Microsoft Azure Machine Learning Studio</SPAN></P> <P>&nbsp;</P> <P><STRONG><FONT size="6">App Registration&nbsp;</FONT></STRONG></P> <P><SPAN data-contrast="auto">The simplest way to access the API programmatically is to register an application in your tenant and grant it the required permissions. The notebook can then authenticate with the application (client) ID and a client secret. Treat that secret like a password: keep it out of the notebook and out of source control (read it from an environment variable or a secret store such as Azure Key Vault instead), rotate it if it is ever exposed, and grant the application only the permissions it actually needs.</SPAN></P> <P><SPAN data-contrast="auto">Follow these steps to register the application.</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="5" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Sign in to&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">https://portal.azure.com/</SPAN></A></LI> <LI data-leveltext="" data-font="Symbol" data-listid="5" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Open App registrations</SPAN><SPAN 
data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_31-1619422977477.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275498iEE7D37ACAE8D10C5/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_31-1619422977477.png" alt="msftdario_31-1619422977477.png" /></span></P> <P><I><SPAN data-contrast="none">Figure&nbsp;5. App registration</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Select "</SPAN><STRONG><SPAN data-contrast="auto">NEW REGISTRATION</SPAN></STRONG><SPAN data-contrast="auto">".</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_32-1619422977481.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275499i4A2139669C94FD0F/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_32-1619422977481.png" alt="msftdario_32-1619422977481.png" /></span></P> <P><I><SPAN data-contrast="none">Figure&nbsp;6. 
Register an&nbsp;application</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Provide a name for your app, for example MicrosoftMTP, and select&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">Register.</SPAN></STRONG></P> <P><SPAN data-contrast="auto">Once done, select "</SPAN><STRONG><SPAN data-contrast="auto">API permissions</SPAN></STRONG><SPAN data-contrast="auto">".</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_33-1619422977495.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275500iA438603DFFFF9D39/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_33-1619422977495.png" alt="msftdario_33-1619422977495.png" /></span></P> <P><I><SPAN data-contrast="none">Figure&nbsp;7.&nbsp;API Permissions</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Select "</SPAN><STRONG><SPAN data-contrast="auto">Add a&nbsp;permission</SPAN></STRONG><SPAN data-contrast="auto">".</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_34-1619422977484.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275501i6ABD153E531083F6/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_34-1619422977484.png" alt="msftdario_34-1619422977484.png" /></span></P> <P><I><SPAN data-contrast="none">Figure 8. Add&nbsp;permission</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Select "</SPAN><STRONG><SPAN data-contrast="auto">APIs my organization uses</SPAN></STRONG><SPAN data-contrast="auto">".</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_35-1619422977485.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275502iA6D5C39F93F4A3E2/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_35-1619422977485.png" alt="msftdario_35-1619422977485.png" /></span></P> <P><I><SPAN data-contrast="none">Figure&nbsp;9.&nbsp;Alert Status</SPAN></I></P> 
<P><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_36-1619422977486.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275503i410AB7C9E7C86815/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_36-1619422977486.png" alt="msftdario_36-1619422977486.png" /></span></P> <P><I><SPAN data-contrast="none">Figure 10.&nbsp;Request&nbsp;API&nbsp;permission</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Search for Microsoft Threat Protection and select it.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_37-1619422977487.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275504i528D90288484BE75/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_37-1619422977487.png" alt="msftdario_37-1619422977487.png" /></span></P> <P><I><SPAN data-contrast="none">Figure&nbsp;11. 
Microsoft Threat Protection API</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Select "</SPAN><STRONG><SPAN data-contrast="auto">Application&nbsp;permissions</SPAN></STRONG><SPAN data-contrast="auto">".</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_38-1619422977489.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275505i6F61A4E72DCDFEB9/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_38-1619422977489.png" alt="msftdario_38-1619422977489.png" /></span></P> <P><I><SPAN data-contrast="none">Figure&nbsp;12.&nbsp;Application&nbsp;Permissions</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Then select:</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="5" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="none">AdvancedHunting.Read.All</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="5" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="none">Incident.Read.All</SPAN></LI> </UL> <P><SPAN data-contrast="auto">AdvancedHunting.Read.All is the only permission the query runner in this tutorial needs. Add Incident.Read.All only if you also want the notebook to read incidents; otherwise leave it out so the application holds no more access than it uses.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_39-1619422977491.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275506i756E6063B46F42DF/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_39-1619422977491.png" alt="msftdario_39-1619422977491.png" /></span></P> <P><I><SPAN data-contrast="none">Figure&nbsp;13. Microsoft&nbsp;365 Defender&nbsp;API - Read&nbsp;permission</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Once done, select "</SPAN><STRONG><SPAN data-contrast="auto">Add permissions</SPAN></STRONG><SPAN data-contrast="auto">". Application permissions take effect only after an administrator consents to them: back on the API permissions page, select&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">Grant admin consent for &lt;your tenant&gt;</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;and check that the Status column shows the permissions as granted. Without that consent the token you obtain carries no roles and the API rejects your calls.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_40-1619422977492.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275507i34715905C5A0D267/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_40-1619422977492.png" alt="msftdario_40-1619422977492.png" /></span></P> <P><I><SPAN data-contrast="none">Figure 14.&nbsp;Microsoft&nbsp;365 Defender&nbsp;API - Add permission</SPAN></I></P> <P>&nbsp;</P> <P><FONT size="6"><SPAN data-contrast="none">Get 
Started</SPAN></FONT></P> <P><SPAN data-contrast="auto">Now that the application can access the API from code, let's check whether any of the Qakbot queries shared in the Microsoft 365 Defender GitHub repository produce results in our environment.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_41-1619423114158.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275508iEC90B9464327B611/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_41-1619423114158.png" alt="msftdario_41-1619423114158.png" /></span></P> <P>&nbsp;</P> <P><I><SPAN data-contrast="none">Figure 15. Microsoft&nbsp;365 Defender&nbsp;– Hunting Queries</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">The following queries are used in this tutorial:</SPAN></P> <P aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN><STRONG>Javascript&nbsp;use by&nbsp;Qakbot&nbsp;malware</STRONG></SPAN></A></P> <P><A href="#" target="_blank" rel="noopener"><SPAN><STRONG>Process&nbsp;injection&nbsp;by&nbsp;Qakbot&nbsp;malware</STRONG></SPAN></A></P> <P aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN><STRONG>Registry edits by campaigns using&nbsp;Qakbot&nbsp;malware</STRONG></SPAN></A></P> <P aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN><STRONG>Self-deletion by&nbsp;Qakbot&nbsp;malware</STRONG></SPAN></A></P> <P aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN><STRONG>Outlook email access by campaigns using&nbsp;Qakbot&nbsp;malware</STRONG></SPAN></A></P> <P aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN><STRONG>Browser cookie theft by campaigns using&nbsp;Qakbot&nbsp;malware</STRONG></SPAN></A></P> <P><A href="#" target="_blank" rel="noopener"><SPAN><STRONG>Detect .jse&nbsp;file creation&nbsp;events</STRONG></SPAN></A></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Copy the queries you want to submit into a JSON file with the format shown below. Because the KQL text is stored as a JSON string, every double quote inside a query must be escaped as \" (a single unescaped quote makes the whole file unparsable). If you use Visual Studio Code, there are extensions that escape and unescape JSON strings for you; pick whichever you prefer.</SPAN></P> <P>&nbsp;</P> 
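<P><SPAN data-contrast="auto">As an added illustration (this is not the notebook from the post; every function and class name below is this example's own), the following Python script shows the pieces a runner for a query file in this format needs: it parses the JSON and rejects badly escaped entries before any API call, obtains an app-only token with the client-credentials flow and renews it before it expires, submits each query to the advanced hunting endpoint, waits and retries when the API answers HTTP 429, saves every result set to a .csv file while printing the first five rows, and builds the text for a Teams incoming webhook. The HTTP transport is a callable you pass in, so the script runs offline against the constructed FakeTransport included here; the token and API endpoints are the documented Microsoft 365 Defender and Azure AD ones, but the sample query file and the result row are constructed test data.</SPAN></P>

```python
"""Runner for a JSON file of advanced hunting queries (added example, not the post's notebook).
Assumption: http(method, url, headers, payload) is any callable returning
(status, response_headers, parsed_json); FakeTransport below is a constructed offline stand-in."""
import csv
import json
import re
import time
from pathlib import Path

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
HUNT_URL = "https://api.security.microsoft.com/api/advancedhunting/run"
SCOPE = "https://api.security.microsoft.com/.default"
RENEW_MARGIN = 300  # renew the token when fewer than this many seconds remain

# Constructed query file in the post's format; quotes inside the KQL must be escaped as \"
SAMPLE_QUERY_FILE = r'''[
  {"Name": "Qakbot ping self-deletion",
   "Query": "DeviceProcessEvents | where FileName =~ \"ping.exe\" | where InitiatingProcessCommandLine has \"calc.exe\"",
   "Mitre": "T1070.004 File Deletion", "Source": "MDE"}
]'''


def load_queries(text):
    """Parse the query file; a badly escaped KQL string fails here, before any API call."""
    entries = json.loads(text)
    for i, entry in enumerate(entries):
        if not entry.get("Name") or not entry.get("Query"):
            raise ValueError(f"query #{i} needs both 'Name' and 'Query'")
    return entries


class TokenCache:
    """App-only token from the client-credentials flow, renewed before its ~1 hour expiry."""
    def __init__(self, http, tenant, client_id, client_secret, clock=time.time):
        self.http, self.clock = http, clock
        self.url = TOKEN_URL.format(tenant=tenant)
        self.form = {"client_id": client_id, "client_secret": client_secret,
                     "scope": SCOPE, "grant_type": "client_credentials"}
        self.token, self.expires_at = None, 0.0

    def get(self):
        if self.token is None or self.clock() > self.expires_at - RENEW_MARGIN:
            status, _, body = self.http("POST", self.url, {}, self.form)
            if status != 200:
                raise RuntimeError(f"token request failed: {status} {body}")
            self.token = body["access_token"]
            self.expires_at = self.clock() + float(body["expires_in"])
        return self.token


def run_query(http, tokens, kql, sleep=time.sleep, max_attempts=4):
    """POST one query; on HTTP 429 (quota exceeded) wait and retry, then return the rows."""
    for attempt in range(max_attempts):
        headers = {"Authorization": f"Bearer {tokens.get()}", "Content-Type": "application/json"}
        status, resp_headers, body = http("POST", HUNT_URL, headers, {"Query": kql})
        if status == 200:
            return body.get("Results", [])
        if status == 429:  # honor Retry-After when present, else back off exponentially
            sleep(float(resp_headers.get("Retry-After", 2 ** attempt)))
            continue
        raise RuntimeError(f"query failed: {status} {body}")
    raise RuntimeError("quota still exceeded after retries")


def run_all(http, tokens, queries, outdir, sleep=time.sleep):
    """Run the queries in sequence, save rows to <outdir>/<Name>.csv, return {Name: row count}."""
    outdir = Path(outdir)
    outdir.mkdir(parents=True, exist_ok=True)
    summary = {}
    for n, q in enumerate(queries, 1):
        print(f"[{n}/{len(queries)}] {q['Name']}")
        rows = run_query(http, tokens, q["Query"], sleep)
        summary[q["Name"]] = len(rows)
        if rows:
            for row in rows[:5]:  # first five records on screen, all of them in the file
                print("   ", row)
            safe = re.sub(r"[^\w.-]+", "_", q["Name"])
            with open(outdir / f"{safe}.csv", "w", newline="") as fh:
                writer = csv.DictWriter(fh, fieldnames=list(rows[0]), extrasaction="ignore")
                writer.writeheader()
                writer.writerows(rows)
    return summary


def teams_message(summary):
    """Body for a Teams incoming webhook, which accepts a plain {"text": ...} payload."""
    lines = [f"- {name}: {count} rows" for name, count in summary.items()]
    return {"text": "Hunting run finished\n" + "\n".join(lines)}


class FakeTransport:
    """Offline stand-in for requests.post: issues tokens, answers 429 once, then returns rows."""
    def __init__(self):
        self.calls = []  # (url, Authorization header) for every request made

    def __call__(self, method, url, headers, payload):
        self.calls.append((url, headers.get("Authorization")))
        if url.startswith("https://login.microsoftonline.com/"):
            return 200, {}, {"access_token": f"tok{len(self.calls)}", "expires_in": 3600}
        if sum(1 for u, _ in self.calls if u == HUNT_URL) == 1:
            return 429, {"Retry-After": "1"}, {"error": "quota exceeded"}
        return 200, {}, {"Schema": [], "Results": [  # one constructed result row
            {"DeviceId": "dev-1", "InitiatingProcessCommandLine": "cmd /c ping -n 6 127.0.0.1"}]}


if __name__ == "__main__":
    http = FakeTransport()
    tokens = TokenCache(http, "contoso.onmicrosoft.com", "<application id>", "<client secret>")
    queries = load_queries(SAMPLE_QUERY_FILE)
    print(teams_message(run_all(http, tokens, queries, "output", sleep=lambda s: None)))
```

<P><SPAN data-contrast="auto">In the notebook, replace FakeTransport with a small function that calls requests.post (sending the token form as form data and the query as a JSON body) and returns the status code, response headers and parsed JSON, and read the client secret from an environment variable rather than typing it into a cell.</SPAN></P>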
<P>&nbsp;</P> <LI-CODE lang="json">[
  {
    "Description": "Find Qakbot overwriting its original binary with calc.exe",
    "Name": "Replacing Qakbot binary with calc.exe",
    "Query": "DeviceProcessEvents | where FileName =~ \"ping.exe\" | where InitiatingProcessFileName =~ \"cmd.exe\" | where InitiatingProcessCommandLine has \"calc.exe\" and InitiatingProcessCommandLine has \"-n 6\" and InitiatingProcessCommandLine has \"127.0.0.1\" | project ProcessCommandLine, InitiatingProcessCommandLine, InitiatingProcessParentFileName, DeviceId, Timestamp",
    "Mitre": "T1107 File Deletion",
    "Source": "MDE"
  }
]</LI-CODE> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Once the JSON file is populated, provide the notebook with the parameters it needs: the credentials of the registered application (tenant ID, application ID and client secret), the path of the JSON file, and the output folder.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_42-1619423295313.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275510iC566C110E58BA191/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_42-1619423295313.png" alt="msftdario_42-1619423295313.png" /></span></P> <P><I><SPAN data-contrast="none">Figure 16.&nbsp;Jupyter&nbsp;Notebook – Authentication</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Because we authenticate with the application secret and receive an access token in return, the token is valid for about one hour. The code checks whether the token is close to expiry and renews it before submitting the next query, so a long run does not fail halfway through with an expired token.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_43-1619423295303.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275511iEB92C7F012FDBA82/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_43-1619423295303.png" alt="msftdario_43-1619423295303.png" /></span></P> <P><I><SPAN data-contrast="none">Figure 17. Application Token lifetime validation</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">When building such a flow, take the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="auto">Microsoft 365 Defender&nbsp;Advanced hunting&nbsp;</SPAN><SPAN data-contrast="none">API</SPAN></A><SPAN data-contrast="auto">&nbsp;quotas and resource allocation into account: the API limits the number of calls per minute and per hour, the query running time per tenant, and the number of rows a single query returns, and it answers calls that exceed the quota with HTTP 429. Space the queries out and retry with a delay when a 429 comes back. For the exact limits, see&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Advanced Hunting API | Microsoft Docs</SPAN></A><SPAN data-contrast="none">.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_44-1619423295312.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275512i9E4C4A84C884CB39/image-size/medium?v=v2&amp;px=400" role="button" 
title="msftdario_44-1619423295312.png" alt="msftdario_44-1619423295312.png" /></span></P> <P><I><SPAN data-contrast="none">Figure 18.&nbsp;API quotas and resource allocation taken into consideration</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">Run the code: it loads the queries from the JSON file we defined as input and shows the progress and execution status on screen.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_45-1619423295315.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275514iA368CEFC42CD307D/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_45-1619423295315.png" alt="msftdario_45-1619423295315.png" /></span></P> <P><I><SPAN data-contrast="none">Figure 19. Query Execution</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">The blue message shows which query is currently running (by number) and the overall progress.</SPAN></P> <P><SPAN data-contrast="auto">The green message shows the name of the query being run.</SPAN></P> <P><SPAN data-contrast="auto">The grey message shows the details of the submitted query.</SPAN></P> <P><SPAN data-contrast="auto">If a query returns results, the first 5 records are displayed on screen and all records are saved to a .csv file in the output folder you defined.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_46-1619423295309.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275513iAE907D36738B5188/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_46-1619423295309.png" alt="msftdario_46-1619423295309.png" /></span></P> <P><I><SPAN data-contrast="none">Figure 20. 
&nbsp;Query results - First 5 records</SPAN></I></P> <P>&nbsp;</P> <P><FONT size="6"><SPAN data-contrast="none">Bonus</SPAN></FONT></P> <P><SPAN data-contrast="none">You can also post a summary of the query execution to a Teams channel. To do so, add the Incoming Webhook app to your team. Keep in mind that the webhook URL is the only credential the webhook has: anyone who obtains it can post to the channel, so store it as carefully as the application secret and do not commit it together with the notebook.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_47-1619423368892.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275515i5CC21E072AD844B6/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_47-1619423368892.png" alt="msftdario_47-1619423368892.png" /></span></P> <P><I><SPAN data-contrast="none">Figure&nbsp;21. 
&nbsp;Incoming Webhook</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">Then select the team whose channel you want to add the app to.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_48-1619423368929.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275516iAD0237C3E665DA96/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_48-1619423368929.png" alt="msftdario_48-1619423368929.png" /></span></P> <P><I><SPAN data-contrast="none">Figure&nbsp;22. &nbsp;Incoming Webhook – add to a&nbsp;team</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">Select “</SPAN><STRONG><SPAN data-contrast="none">Set up a connector</SPAN></STRONG><SPAN data-contrast="none">”.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_49-1619423368932.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275517iA259064BB4EEC3F5/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_49-1619423368932.png" alt="msftdario_49-1619423368932.png" /></span></P> <P><I><SPAN data-contrast="none">Figure&nbsp;23. 
&nbsp;Incoming Webhook – Set up a connector</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">Specify a name.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_50-1619423368937.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275520iFD7D69696342509D/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_50-1619423368937.png" alt="msftdario_50-1619423368937.png" /></span></P> <P><I><SPAN data-contrast="none">Figure&nbsp;24. &nbsp;Incoming Webhook – Config</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Now copy the webhook URL and paste it into the Jupyter Notebook. Treat this URL as a secret: anyone who has it can post messages to the channel.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_51-1619423368906.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275518i3DC155A4A2AA4CB8/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_51-1619423368906.png" alt="msftdario_51-1619423368906.png" /></span></P> <P><I><SPAN data-contrast="none">Figure&nbsp;25. 
&nbsp;Incoming Webhook – teamurl variable</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Then uncomment the last line of the code to send the message to Teams.</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_52-1619423368909.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275519i6CEF0A10DF9CFA38/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_52-1619423368909.png" alt="msftdario_52-1619423368909.png" /></span></P> <P><I><SPAN data-contrast="none">Figure&nbsp;26. 
&nbsp;Incoming Webhook – teamsurl variable</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">You should receive a message similar to the following in the Teams channel:</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_53-1619423368914.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275521i6E4A5717F42BC017/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_53-1619423368914.png" alt="msftdario_53-1619423368914.png" /></span></P> <P><I><SPAN data-contrast="none">Figure 27. &nbsp;Query result summary – Teams Message</SPAN></I></P> <P>&nbsp;</P> <P aria-level="2"><FONT size="6"><SPAN data-contrast="none">Conclusion</SPAN></FONT></P> <P><SPAN data-contrast="none">In this post, we demonstrated how you can use the Microsoft 365 Defender APIs and a Jupyter Notebook to automate the execution of a hunting query playbook. 
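The Incoming Webhook step from the Bonus section above, as an added Python example (not the notebook from the post): it turns a query response into a MessageCard with the row count, execution time and the first five records, and posts it to the webhook. It assumes a hypothetical environment variable TEAMS_WEBHOOK_URL holds the webhook URL (since anyone who has that URL can post into the channel, it stays out of the notebook), and the advanced hunting response used as input is a constructed sample.

```python
"""Summarise an advanced hunting query run and post it to a Teams channel
through an Incoming Webhook.

Added example, not the notebook from the post. Assumptions: the webhook URL
is exported as the environment variable TEAMS_WEBHOOK_URL (a hypothetical
name) rather than pasted into the notebook, and the query response has the
Stats/Schema/Results shape of the advanced hunting API; the sample below is
constructed.
"""
import json
import os
import urllib.request
from typing import Any, Dict, List
from urllib.parse import urlparse

# Constructed sample response with seven made-up rows, so the
# "first 5 records" cut in the summary is visible.
SAMPLE_RESPONSE: Dict[str, Any] = {
    "Stats": {"ExecutionTime": 0.43},
    "Schema": [
        {"Name": "Timestamp", "Type": "DateTime"},
        {"Name": "DeviceName", "Type": "String"},
        {"Name": "FileName", "Type": "String"},
    ],
    "Results": [
        {
            "Timestamp": f"2021-04-20T10:0{i}:00Z",
            "DeviceName": f"ws{i:02d}",
            "FileName": f"sample{i}.exe",
        }
        for i in range(7)
    ],
}


def is_valid_webhook_url(url: str) -> bool:
    """Accept only HTTPS URLs on the Teams/Office 365 webhook hosts.

    The webhook URL is effectively a credential (anyone holding it can post
    into the channel), so it is never sent over plain HTTP, and a typo or a
    look-alike host is refused before any request is made.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    return parts.scheme == "https" and (
        host.endswith(".webhook.office.com") or host == "outlook.office.com"
    )


def build_summary_card(query_name: str, response: Dict[str, Any],
                       max_rows: int = 5) -> Dict[str, Any]:
    """Build the MessageCard payload: counts as facts, first rows as a preview."""
    rows: List[Dict[str, Any]] = response.get("Results", [])
    columns = [col["Name"] for col in response.get("Schema", [])]
    preview = [
        ", ".join(f"{col}={row.get(col, '')}" for col in columns)
        for row in rows[:max_rows]
    ]
    facts = [
        {"name": "Query", "value": query_name},
        {"name": "Rows returned", "value": str(len(rows))},
        {"name": "Execution time (s)",
         "value": str(response.get("Stats", {}).get("ExecutionTime", "n/a"))},
    ]
    return {
        "@type": "MessageCard",
        "@context": "http://schema.org/extensions",
        "summary": f"Hunting query summary: {query_name}",
        "themeColor": "0076D7",
        "title": f"Advanced hunting: {query_name}",
        "sections": [
            {"facts": facts},
            {
                "title": f"First {min(max_rows, len(rows))} records",
                "text": "<br>".join(preview) or "(no rows)",
            },
        ],
    }


def post_to_teams(webhook_url: str, card: Dict[str, Any],
                  timeout: float = 10.0) -> int:
    """POST the card as JSON to the Incoming Webhook; return the HTTP status."""
    if not is_valid_webhook_url(webhook_url):
        raise ValueError("refusing to post: not an HTTPS Teams webhook URL")
    request = urllib.request.Request(
        webhook_url,
        data=json.dumps(card).encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return response.status


if __name__ == "__main__":
    card = build_summary_card("Suspicious process launches", SAMPLE_RESPONSE)
    print(json.dumps(card, indent=2))
    # Read the URL from the environment so it is not committed with the notebook.
    webhook = os.environ.get("TEAMS_WEBHOOK_URL")
    if webhook:
        print("HTTP", post_to_teams(webhook, card))
```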
We&nbsp;hope&nbsp;you found this&nbsp;helpful!</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P aria-level="2"><FONT size="5"><SPAN data-contrast="none">Appendix&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></FONT></P> <P><SPAN data-contrast="none">For more information about Microsoft 365 Defender APIs and the features discussed in this article, please read:</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="6" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Access the Microsoft 365 Defender APIs | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="6" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="auto">Advanced hunting APIs - Microsoft 365 security | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="6" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Advanced hunting best practices</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" 
data-listid="6" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft-365-Defender-Hunting-Queries</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="6" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2198820" target="_blank" rel="noopener"><SPAN data-contrast="none">Best practices for leveraging Microsoft 365 Defender API's - Episode Two - Microsoft Tech Community</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="6" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Sending messages to Connectors and Webhooks - Teams | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="6" aria-setsize="-1" data-aria-posinset="5" data-aria-level="1"><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/automating-security-operations-using-windows-defender-atp-apis/ba-p/294434" target="_blank" rel="noopener"><SPAN data-contrast="none">Automating Security Operations Using Windows Defender ATP APIs with Python and&nbsp;Jupyter&nbsp;Notebooks - Microsoft Tech Community</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P>The sample Notebook 
discussed in the post is available in the GitHub repository<BR /><A href="#" target="_blank" rel="noopener">Microsoft-365-Defender-Hunting-Queries/M365D APIs ep3.ipynb at master · microsoft/Microsoft-365-Defender-Hunting-Queries (github.com)</A></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">As always, we’d love to know what you think. Leave us feedback directly in the Microsoft 365 security center or start a discussion in the </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/bd-p/MicrosoftThreatProtection" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft 365 Defender community</SPAN></A><SPAN data-contrast="none">.</SPAN></P> Mon, 26 Apr 2021 16:15:02 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2290463 msftdario 2021-04-26T16:15:02Z Unified experiences across endpoint and email are now generally available in Microsoft 365 Defender https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/unified-experiences-across-endpoint-and-email-are-now-generally/ba-p/2278132 <P><SPAN>We’re excited to announce that we have reached a new milestone in our XDR journey: the integration of our endpoint and email and collaboration </SPAN><SPAN>capabilities into Microsoft 365 Defender is now <STRONG>generally available</STRONG>.&nbsp;Security teams can manage all endpoint, email, and cross-product investigations, configuration, and remediation within a single unified portal.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Register for the </SPAN><A href="#" target="_blank">Microsoft 365 Defender’s Unified Experience for XDR webinar</A><SPAN> to learn how your security teams can leverage the unified portal and check out </SPAN><SPAN>our <A href="#" target="_self">video</A> to learn more 
about these new capabilities.</SPAN></P> <P>&nbsp;</P> <P><SPAN>This release delivers the rich set of capabilities we announced in </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-365-defender-now-delivers-unified-experiences-across/ba-p/2177512" target="_blank">public preview</A><SPAN>, including unified pages for alerts, users, and automated investigations, a new email entity page </SPAN><SPAN>offering a 360-degree view of an email</SPAN><SPAN>, threat analytics, a brand-new Learning hub, and more – all available exclusively in the Microsoft 365 Defender portal at </SPAN><A href="#" target="_blank"><SPAN>security.microsoft.com</SPAN></A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Now is the time to start moving your users to the unified experience using the </SPAN><A href="#" target="_blank">automatic URL redirection for Microsoft Defender for Endpoint</A><SPAN>&nbsp;and </SPAN><A href="#" target="_blank">automatic URL redirection for Microsoft Defender for Office 365</A> <SPAN>as the previously distinct portals will eventually be phased out.</SPAN></P> <P><STRONG>&nbsp;</STRONG></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Amir_Lande_0-1618850969300.png" style="width: 567px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273783i9008A0F639B7F302/image-dimensions/567x278?v=v2" width="567" height="278" role="button" title="Amir_Lande_0-1618850969300.png" alt="Amir_Lande_0-1618850969300.png" /></span></P> <P><SPAN>Figure 1: Endpoint features integrated into Microsoft 365 Defender.&nbsp;</SPAN><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>&nbsp;</SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Amir_Lande_1-1618850969316.png" style="width: 555px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/273784i92C4F958081604CC/image-dimensions/555x272?v=v2" width="555" height="272" role="button" 
title="Amir_Lande_1-1618850969316.png" alt="Amir_Lande_1-1618850969316.png" /></span></P> <P><SPAN>Figure 2: Email and collaboration features integrated into Microsoft 365 Defender.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>We’re excited to be bringing these additional capabilities into Microsoft 365 Defender and look forward to hearing about your experiences and </SPAN><A href="#" target="_blank">your feedback</A><SPAN> as you explore and transition to the unified portal. </SPAN></P> <P>&nbsp;</P> <P><SPAN>To read more about the unified portal experience, check out:</SPAN></P> <UL> <LI><A href="#" target="_blank"><SPAN>Overview - Microsoft 365 security center</SPAN></A></LI> <LI><A href="#" target="_blank"><SPAN>Microsoft Defender for Endpoint in the Microsoft 365 security center</SPAN></A></LI> <LI><A href="#" target="_blank"><SPAN>Microsoft Defender for Office 365 in the Microsoft 365 security center</SPAN></A></LI> </UL> Mon, 19 Apr 2021 16:51:30 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/unified-experiences-across-endpoint-and-email-are-now-generally/ba-p/2278132 Amir_Lande 2021-04-19T16:51:30Z Launching threat analytics for Microsoft 365 Defender https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/launching-threat-analytics-for-microsoft-365-defender/ba-p/2232724 <P>Threat analytics is Microsoft 365 Defender’s in-product threat intelligence (TI) solution designed to help defenders like you efficiently understand, prevent, identify, and stop emerging threats. It provides a unique combination of in-depth TI analysis and reports from expert Microsoft security researchers, and consolidated data showing your organization’s security posture relative to the threats. 
Threat analytics helps you respond to and minimize the impact of active attacks.</P> <P>&nbsp;</P> <P>As part of a unified extended detection and response (XDR) experience in Microsoft 365 Defender, <A href="#" target="_blank" rel="noopener">threat analytics</A> is now available for public preview. It includes better data coverage, incident management across security pillars, automatic investigation and remediation, and cross-domain hunting capabilities. Microsoft 365 Defender threat analytics is available for Microsoft Defender for Office 365 and Microsoft Defender for Endpoint users.</P> <P>&nbsp;</P> <P>If you’re familiar with threat analytics in Microsoft Defender for Endpoint, you’ll be excited to know that the integrated experience you’ll see in Microsoft 365 Defender threat analytics <A href="#" target="_blank" rel="noopener">takes your report consumption to another level</A>.</P> <P>&nbsp;</P> <P><STRONG>What’s new?</STRONG></P> <P>Threat analytics for Microsoft 365 Defender introduces:</P> <P>&nbsp;</P> <UL> <LI>Better data coverage between Microsoft Defender for Endpoint and Microsoft Defender for Office 365, making combined incident management, automatic investigation, remediation, and proactive or reactive threat hunting across the domain possible.</LI> <LI>Email-related detections and mitigations from Microsoft Defender for Office 365, in addition to the endpoint data already available from Microsoft Defender for Endpoint.</LI> <LI>A view of threat-related incidents that aggregates alerts into end-to-end attack stories across Microsoft Defender for Endpoint and Microsoft Defender for Office 365 to reduce the work queue, as well as simplify and speed up your investigation.</LI> <LI>Attack attempts detected and blocked by Microsoft Defender for Office 365. 
You can also see data that you can use to drive preventive actions that mitigate the risk of further exposure and increase resilience.</LI> <LI>Enhanced design that puts actionable information in the spotlight to help you quickly identify data to urgently focus on, investigate, and leverage from the reports.</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dana_Bargury_1-1616600125718.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266699i29671148CC66C5AB/image-size/large?v=v2&amp;px=999" role="button" title="Dana_Bargury_1-1616600125718.png" alt="Dana_Bargury_1-1616600125718.png" /></span></P> <P>&nbsp;</P> <P><STRONG>What’s in each report?</STRONG></P> <P>With each threat analytics report, you’ll find:</P> <UL> <LI>Detailed analyst report: deep-dive analysis, MITRE techniques, detection details, recommended mitigations, and advanced hunting queries that expand detection coverage.</LI> <LI>Active alerts and incidents.</LI> <LI>Impacted assets, including your devices and mailboxes.</LI> <LI>Prevented email attempts, indicating whether you were a target of this threat even if the email was blocked before delivery or delivered to the junk mail folder.</LI> <LI>Mitigations and their statuses, with options to investigate further and remediate weaknesses using threat and vulnerability management (please note that email-related mitigations are found in the analyst report).</LI> </UL> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG>How do I get there?</STRONG></P> <UL> <LI>Threat analytics can be accessed from the Microsoft 365 security center navigation bar.</LI> <LI>When a new threat report is published or updated, you’ll get a badge in the navigation bar.</LI> <LI>A dedicated threat analytics card has also been added to the Microsoft 365 security center dashboard, so you can track the threats that are active on your network.</LI> </UL> 
<P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dana_Bargury_2-1616600125754.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266700iB56C81B26FD9F473/image-size/large?v=v2&amp;px=999" role="button" title="Dana_Bargury_2-1616600125754.png" alt="Dana_Bargury_2-1616600125754.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Ready to check it out? Explore these threat analytics reports.</STRONG></P> <P><A href="#" target="_blank" rel="noopener">Solorigate supply chain attack</A></P> <P>Microsoft continues to work with partners and customers to expand our knowledge of the threat actor behind the nation-state cyberattacks that compromised the supply chain of SolarWinds and impacted multiple other organizations. Microsoft previously used ‘Solorigate’ as the primary designation for the actor, but moving forward, we want to place appropriate focus on the actors behind the sophisticated attacks, rather than one of the examples of malware used by the actors. Microsoft Threat Intelligence Center (MSTIC) <A href="#" target="_blank" rel="noopener">has named the actor</A> behind the attack against SolarWinds, the SUNBURST backdoor, TEARDROP malware, and related components as NOBELIUM. As we release new content and analysis, we will use NOBELIUM to refer to the actor and the campaign of attacks.</P> <P>&nbsp;</P> <P>This report about the sophisticated attack details how NOBELIUM inserted malicious code into a supply chain development process. A malicious software class was included among many other legitimate classes and then signed with a legitimate certificate. The resulting binary included a backdoor and was then discreetly distributed into targeted organizations. 
This attack was discovered as part of an ongoing investigation.</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Emotet breaks hiatus with spike in cybercrime activity</A></P> <P>Understand how Emotet operators have started to ramp up activity starting July 2020. Notable for their involvement in Ryuk ransomware distribution, Emotet operators are back with basically the same goals, utilizing similar lure themes and macro-enabled documents. Despite the recent takedown, which has interrupted Emotet, your security operations centers should continuously monitor Emotet-related alerts in your antivirus and EDR solutions. Secondary payloads delivered by Emotet prior to the takedown remain a serious and real threat to your network.</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">BazaLoader: Foothold for ransomware</A></P> <P>Possibly tied to the same cybercriminals leveraging Trickbot infrastructure, these campaigns appear to be part of ongoing attempts to shift to other entry vectors. Starting in late October 2020, these campaigns use phishing emails that take recipients through link chains to implant BazaLoader. Unsurprisingly, the new implant brings in potent tools like Cobalt Strike, which make persistent, direct human attack activity possible. Microsoft's security solutions remain effective against this threat, regardless of the recent BazaLoader activities that we've observed this month. 
Use advanced hunting to proactively hunt for this threat in your Microsoft 365 security portal (Microsoft 365 Defender) or Microsoft Security Center portal (Microsoft Defender for Endpoint).</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">IcedID's frosty arrival can lead to data theft</A></P> <P>Get your shields up by learning about this modular banking trojan’s modus operandi and how Microsoft 365 Defender can help detect and stop IcedID campaigns at multiple points along the attack chain and across domains, including the very start.</P> <P>&nbsp;</P> Wed, 24 Mar 2021 20:38:54 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/launching-threat-analytics-for-microsoft-365-defender/ba-p/2232724 Dana_Bargury 2021-03-24T20:38:54Z Azure Sentinel and Microsoft 365 Defender incident integration https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/azure-sentinel-and-microsoft-365-defender-incident-integration/ba-p/2201959 <P><STRONG><SPAN data-contrast="none">Harness the breadth and depth of integrated SIEM and XDR with new&nbsp;</SPAN></STRONG><STRONG><SPAN data-contrast="none">Microsoft 365&nbsp;integration&nbsp;</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN>&nbsp;<BR /></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Idan_Pelleg_0-1615453446077.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262755i8DDC788739C648AC/image-size/medium?v=v2&amp;px=400" role="button" title="Idan_Pelleg_0-1615453446077.png" alt="Idan_Pelleg_0-1615453446077.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Now in public preview,&nbsp;</SPAN><SPAN data-contrast="none">Microsoft 365 Defender 
incidents&nbsp;</SPAN><SPAN data-contrast="none">are fully integrated with Azure Sentinel, providing a seamless experience for responding to security threats. Incidents from Microsoft 365 Defender, including all associated alerts, entities, and relevant information, can be streamed to Azure Sentinel, providing you with enough context to perform triage in Azure Sentinel and get the out-of-the-box incident correlation from Microsoft 365 Defender. Once in Sentinel, incidents remain bi-directionally synced with Microsoft 365 Defender, allowing you to take advantage of the benefits of both portals in your incident investigation and response process. 
</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Read the full&nbsp;blog&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/whats-new-azure-sentinel-and-microsoft-365-defender-incident/ba-p/2191090" target="_blank"><SPAN data-contrast="none">here</SPAN></A><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Further reading&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="none">Our&nbsp;</SPAN><A href="#" target="_blank"><SPAN data-contrast="none">Ignite session</SPAN></A><SPAN data-contrast="none">, featuring a demo of this integration in action&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank"><SPAN data-contrast="none">Documentation</SPAN></A><SPAN data-contrast="none">&nbsp;with detailed information on the integration, common use cases and limitations.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank"><SPAN data-contrast="none">Documentation</SPAN></A><SPAN data-contrast="none">&nbsp;on how to connect&nbsp;</SPAN><SPAN data-contrast="none">Microsoft 365 Defender</SPAN><SPAN 
data-contrast="none">&nbsp;incidents and raw data to Azure Sentinel.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank"><SPAN data-contrast="none">Documentation</SPAN></A><SPAN data-contrast="none">&nbsp;on Microsoft 365 Defender.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> Sun, 14 Mar 2021 10:20:29 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/azure-sentinel-and-microsoft-365-defender-incident-integration/ba-p/2201959 Idan_Pelleg 2021-03-14T10:20:29Z Best practices for leveraging Microsoft 365 Defender API's - Episode Two https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2198820 <P><SPAN data-contrast="auto">In the&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2102893" target="_blank" rel="noopener"><SPAN data-contrast="none">previous episode</SPAN></A><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">we&nbsp;</SPAN><SPAN data-contrast="auto">provided&nbsp;</SPAN><SPAN data-contrast="auto">recommendations</SPAN><SPAN data-contrast="auto">&nbsp;about</SPAN><SPAN data-contrast="auto">&nbsp;how&nbsp;</SPAN><SPAN data-contrast="auto">to&nbsp;</SPAN><SPAN data-contrast="auto">use</SPAN><SPAN data-contrast="auto">&nbsp;the</SPAN><SPAN data-contrast="auto">&nbsp;M</SPAN><SPAN data-contrast="auto">icrosoft 365 Defender&nbsp;</SPAN><SPAN data-contrast="auto">API and</SPAN><SPAN data-contrast="auto">, specifically,</SPAN><SPAN data-contrast="auto">&nbsp;how 
to&nbsp;</SPAN><SPAN data-contrast="auto">optimize the&nbsp;</SPAN><SPAN data-contrast="auto">Advanced&nbsp;</SPAN><SPAN data-contrast="auto">h</SPAN><SPAN data-contrast="auto">unting</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">q</SPAN><SPAN data-contrast="auto">uery</SPAN><SPAN data-contrast="auto">.</SPAN></P> <P><SPAN data-contrast="auto">In</SPAN><SPAN data-contrast="auto">&nbsp;this episode we&nbsp;</SPAN><SPAN data-contrast="auto">will</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">demonstrate</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">use cases&nbsp;</SPAN><SPAN data-contrast="auto">detailing&nbsp;</SPAN><SPAN data-contrast="auto">how to access the API data and use this information&nbsp;</SPAN><SPAN data-contrast="auto">i</SPAN><SPAN data-contrast="auto">n other</SPAN><SPAN data-contrast="auto">&nbsp;products</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">One of the&nbsp;</SPAN><SPAN data-contrast="auto">most&nbsp;</SPAN><SPAN data-contrast="auto">common</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">uses</SPAN><SPAN data-contrast="auto">&nbsp;of the API is&nbsp;</SPAN><SPAN data-contrast="auto">for visualization in&nbsp;</SPAN><SPAN data-contrast="auto">PowerBI</SPAN><SPAN data-contrast="auto">.&nbsp;</SPAN><SPAN data-contrast="auto">This provides&nbsp;</SPAN><SPAN data-contrast="auto">the capabilit</SPAN><SPAN data-contrast="auto">y</SPAN><SPAN data-contrast="auto">&nbsp;to&nbsp;</SPAN><SPAN data-contrast="auto">analyze,&nbsp;</SPAN><SPAN data-contrast="auto">visualize,</SPAN><SPAN data-contrast="auto">&nbsp;and share your data with others</SPAN><SPAN data-contrast="auto">&nbsp;quickly and easily</SPAN><SPAN data-contrast="auto">.</SPAN></P> <P><SPAN data-contrast="auto">If you are not familiar 
with Power BI, we suggest you visit the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft Power BI</SPAN></A><SPAN data-contrast="none">&nbsp;web site and download Power BI Desktop.</SPAN></P> <P><SPAN data-contrast="auto">We already documented how to use Power BI to create custom reports in&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>Microsoft Defender for Endpoint APIs connection to Power BI - Windows security | Microsoft Docs</SPAN></A><SPAN data-contrast="auto">.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Today we would like to give you additional information on how to use the Microsoft 365 Defender APIs with Power BI, specifically in the following use cases</SPAN><SPAN 
data-contrast="auto">:</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="5" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Identifying onboarded devices and their health status</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="5" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="auto">Viewing the compliance status of the devices based on the security recommendations</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="5" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="auto">Aggregating alerts</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="5" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><SPAN data-contrast="auto">Using Advanced hunting queries to build a custom view</SPAN></LI> </UL> <P><SPAN data-contrast="auto">and build visualizations like the following dashboard:</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_0-1615365951040.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262367iA7E787CDD6134CCA/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_0-1615365951040.png" alt="msftdario_0-1615365951040.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 1. 
Alert Status</SPAN></I></P> <P>&nbsp;</P> <P><STRONG>Before you begin&nbsp;</STRONG></P> <P><SPAN data-contrast="auto">Let’s start by connecting to the Microsoft 365 Defender APIs: open Power BI Desktop and add a new data source.</SPAN></P> <P><SPAN data-contrast="auto">From the menu select “</SPAN><STRONG><SPAN data-contrast="auto">Get data</SPAN></STRONG><SPAN data-contrast="auto">” and add an “</SPAN><STRONG><SPAN data-contrast="auto">OData feed</SPAN></STRONG><SPAN data-contrast="auto">” connector to access the Microsoft 365 Defender API.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="msftdario_1-1615365951021.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262368iA596FA80B690B071/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_1-1615365951021.png" alt="msftdario_1-1615365951021.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 2.&nbsp;</SPAN></I><I><SPAN data-contrast="auto">PowerBi</SPAN></I><I><SPAN data-contrast="auto">&nbsp;connectors</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Insert&nbsp;</SPAN><SPAN data-contrast="auto"><A href="#" target="_blank" rel="noopener">https://api.security.microsoft.com</A></SPAN><SPAN data-contrast="auto">/api as&nbsp;</SPAN><SPAN data-contrast="auto">the&nbsp;</SPAN><SPAN data-contrast="auto">URL</SPAN><SPAN data-contrast="auto">&nbsp;of the&nbsp;</SPAN><SPAN data-contrast="auto">API</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_2-1615365951023.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262366iC30C8E8779286519/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_2-1615365951023.png" alt="msftdario_2-1615365951023.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 3. 
OData feed connector</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">P</SPAN><SPAN data-contrast="auto">rovide</SPAN><SPAN data-contrast="auto">&nbsp;your&nbsp;</SPAN><SPAN data-contrast="auto">credentials</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_3-1615365951025.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262371i74FF9849A166E872/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_3-1615365951025.png" alt="msftdario_3-1615365951025.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 4. Provide&nbsp;credentials</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">After the authentica</SPAN><SPAN data-contrast="auto">t</SPAN><SPAN data-contrast="auto">ion</SPAN><SPAN data-contrast="auto">&nbsp;you will see&nbsp;</SPAN><SPAN data-contrast="auto">all</SPAN><SPAN data-contrast="auto">&nbsp;the different&nbsp;</SPAN><SPAN data-contrast="auto">APIs&nbsp;</SPAN><SPAN data-contrast="auto">you</SPAN><SPAN data-contrast="auto">&nbsp;can access</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN>&nbsp;<BR /></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_23-1615366111099.png" style="width: 400px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262391iFB9397D15967327B/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_23-1615366111099.png" alt="msftdario_23-1615366111099.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 5. Available APIs</SPAN></I></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto"><STRONG>NOTE:</STRONG> Be aware that not all APIs can be used to retrieve data as is with Power BI. Some require additional parameters: for example, the MachineAction API requires the DeviceID to retrieve data for a specific device (and is therefore better suited to script automation), and the AdvancedHunting and AdvancedQueries APIs require a KQL query as a parameter (we will provide an example later). In addition, you should use only <STRONG>documented</STRONG> APIs, which means they are supported by the product.</SPAN></P> <P><SPAN data-contrast="auto">
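</SPAN></P> <P><SPAN data-contrast="auto">The Power Query function the post builds below, customODataQuery(apiName, resultType), takes an API name and an expected result type; the same access pattern follows as an added Python example (not code from the post or from Microsoft): fetch an API by name with a bearer token, return a collection as a table of rows (following OData @odata.nextLink paging) or a single entity as a record, and aggregate alerts by status as in the Figure 1 dashboard. The access-token handling, the sample responses and the machines/{id} path are constructed assumptions.</SPAN></P>

```python
"""Added example: Python counterpart of the post's customODataQuery(apiName,
resultType) Power Query function (not the post's own code)."""
import json
from collections import Counter
from typing import Callable
from urllib.request import Request, urlopen

# Base URL from the post; API names are appended to it ("alerts", "machines/{id}", ...)
API_BASE = "https://api.security.microsoft.com/api"


def fetch_json(url: str, token: str) -> dict:
    """HTTP GET with a bearer token and JSON decoding.

    Assumption: `token` is an OAuth2 access token for the Microsoft 365
    Defender API obtained elsewhere (Power BI acquires it interactively).
    """
    req = Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    })
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def custom_odata_query(api_name: str, result_type: str, token: str,
                       fetch: Callable[[str, str], dict] = fetch_json):
    """Fetch an API by name and normalize the OData response.

    result_type == "table":  the endpoint returns a collection; all rows under
        "value" are collected and server-side paging (@odata.nextLink) is
        followed until the last page.
    result_type == "record": the endpoint returns one entity (the kind of API
        the post notes needs an extra parameter such as a device id);
        OData annotations (@odata.*) are stripped and the entity returned.
    `fetch` is injectable so the function can run offline against sample data.
    """
    if result_type not in ("table", "record"):
        raise ValueError('result_type must be "table" or "record"')
    url = f"{API_BASE}/{api_name.strip('/')}"

    if result_type == "record":
        body = fetch(url, token)
        return {k: v for k, v in body.items() if not k.startswith("@odata")}

    rows = []
    while url:
        body = fetch(url, token)
        rows.extend(body.get("value", []))
        url = body.get("@odata.nextLink")  # None on the last page
    return rows


def alerts_by_status(rows: list) -> dict:
    """Count alerts per status, the grouping behind the post's Figure 1
    "Alert Status" dashboard; rows without a status count as "Unknown"."""
    return dict(Counter(row.get("status") or "Unknown" for row in rows))


# Constructed sample responses (not real tenant data): two pages of alerts
# linked by @odata.nextLink, and one single-entity response.
SAMPLE_RESPONSES = {
    f"{API_BASE}/alerts": {
        "@odata.context": f"{API_BASE}/$metadata#Alerts",
        "value": [
            {"id": "da1", "severity": "High", "status": "New"},
            {"id": "da2", "severity": "Medium", "status": "InProgress"},
        ],
        "@odata.nextLink": f"{API_BASE}/alerts?$skiptoken=page2",
    },
    f"{API_BASE}/alerts?$skiptoken=page2": {
        "@odata.context": f"{API_BASE}/$metadata#Alerts",
        "value": [
            {"id": "da3", "severity": "Low", "status": "Resolved"},
            {"id": "da4", "severity": "High", "status": "New"},
        ],
    },
    f"{API_BASE}/machines/m1": {
        "@odata.context": f"{API_BASE}/$metadata#Machines/$entity",
        "id": "m1",
        "computerDnsName": "host01.constructed.example",
        "healthStatus": "Active",
    },
}


def fake_fetch(url: str, token: str) -> dict:
    """Offline stand-in for fetch_json serving the constructed responses."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    alerts = custom_odata_query("alerts", "table", "dummy-token", fetch=fake_fetch)
    print(len(alerts), "alerts:", alerts_by_status(alerts))
    print(custom_odata_query("machines/m1", "record", "dummy-token", fetch=fake_fetch))
```

<P><SPAN data-contrast="auto">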
The view in Figure 5 lists all APIs, including ones that are still work in progress.</SPAN></P> <P>&nbsp;</P> <P><STRONG>Get started</STRONG></P> <P><SPAN data-contrast="auto">Now that you’ve added the connection, we can proceed with loading data.</SPAN></P> <P><SPAN data-contrast="auto">Select the “</SPAN><STRONG><SPAN data-contrast="auto">Alerts</SPAN></STRONG><SPAN data-contrast="auto">” API.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_24-1615366111101.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262393i5BCF6044921EB2E5/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_24-1615366111101.png" alt="msftdario_24-1615366111101.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 6. 
Alerts APIs</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Y</SPAN><SPAN data-contrast="auto">ou</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">should</SPAN><SPAN data-contrast="auto">&nbsp;see the da</SPAN><SPAN data-contrast="auto">ta loaded in&nbsp;</SPAN><SPAN data-contrast="auto">the&nbsp;</SPAN><SPAN data-contrast="auto">Alerts table</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_25-1615366111103.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262392i7172B2CE1A8A8B0F/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_25-1615366111103.png" alt="msftdario_25-1615366111103.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure&nbsp;</SPAN></I><I><SPAN data-contrast="auto">7</SPAN></I><I><SPAN data-contrast="auto">. 
Alerts APIs – Available&nbsp;</SPAN></I><I><SPAN data-contrast="auto">fields</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Before&nbsp;</SPAN><SPAN data-contrast="auto">moving</SPAN><SPAN data-contrast="auto">&nbsp;on,&nbsp;</SPAN><SPAN data-contrast="auto">let</SPAN><SPAN data-contrast="auto">’s</SPAN><SPAN data-contrast="auto">&nbsp;do so</SPAN><SPAN data-contrast="auto">me</SPAN><SPAN data-contrast="auto">&nbsp;optimization to simplify and speed up the process of&nbsp;</SPAN><SPAN data-contrast="auto">accessing additional data</SPAN><SPAN data-contrast="auto">&nbsp;with&nbsp;</SPAN><SPAN data-contrast="auto">other</SPAN><SPAN data-contrast="auto">&nbsp;Microsoft 365&nbsp;</SPAN><SPAN data-contrast="auto">API</SPAN><SPAN data-contrast="auto">s</SPAN><SPAN data-contrast="auto">.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">From the top menu select&nbsp;</SPAN><SPAN data-contrast="auto">“</SPAN><STRONG><SPAN data-contrast="auto">Transform Data</SPAN></STRONG><SPAN data-contrast="auto">”</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_26-1615366111103.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262394iF87C2399C040BBB1/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_26-1615366111103.png" alt="msftdario_26-1615366111103.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure&nbsp;</SPAN></I><I><SPAN 
data-contrast="auto">8</SPAN></I><I><SPAN data-contrast="auto">.&nbsp;</SPAN></I><I><SPAN data-contrast="auto">Tra</SPAN></I><I><SPAN data-contrast="auto">n</SPAN></I><I><SPAN data-contrast="auto">sform data</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Then,&nbsp;</SPAN><SPAN data-contrast="auto">select</SPAN><SPAN data-contrast="auto">&nbsp;“</SPAN><STRONG><SPAN data-contrast="auto">New Source</SPAN></STRONG><SPAN data-contrast="auto">”</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_27-1615366111104.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262395iDB158C379A0E78E0/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_27-1615366111104.png" alt="msftdario_27-1615366111104.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure&nbsp;</SPAN></I><I><SPAN data-contrast="auto">9</SPAN></I><I><SPAN data-contrast="auto">. 
New Source</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Then, s</SPAN><SPAN data-contrast="auto">elect “</SPAN><STRONG><SPAN data-contrast="auto">Blank Query</SPAN></STRONG><SPAN data-contrast="auto">”.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_28-1615366141103.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262397i50B936A17DFD9559/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_28-1615366141103.png" alt="msftdario_28-1615366141103.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure&nbsp;</SPAN></I><I><SPAN data-contrast="auto">10</SPAN></I><I><SPAN data-contrast="auto">. 
Blank Query</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">T</SPAN><SPAN data-contrast="auto">hen</SPAN><SPAN data-contrast="auto">&nbsp;select</SPAN><SPAN data-contrast="auto">&nbsp;“</SPAN><STRONG><SPAN data-contrast="auto">Advanced Editor</SPAN></STRONG><SPAN data-contrast="auto">”</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_29-1615366141106.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262398i38F8610DF6D41046/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_29-1615366141106.png" alt="msftdario_29-1615366141106.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure&nbsp;</SPAN></I><I><SPAN data-contrast="auto">11</SPAN></I><I><SPAN data-contrast="auto">. 
Advanced Editor</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Once you have the Advanced Editor open, replace the default code with the following code and save.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_30-1615366141108.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262396i90CEB98B911E6C16/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_30-1615366141108.png" alt="msftdario_30-1615366141108.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 12. Adv</SPAN></I><I><SPAN data-contrast="auto">a</SPAN></I><I><SPAN data-contrast="auto">nced Editor - Content</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_0-1619422228784.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275465i59DABDE3F9B7F43E/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_0-1619422228784.png" alt="msftdario_0-1619422228784.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Rename the&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">Query1&nbsp;</SPAN></STRONG><SPAN data-contrast="auto">to&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">customOData</SPAN></STRONG><STRONG><SPAN data-contrast="auto">Q</SPAN></STRONG><STRONG><SPAN data-contrast="auto">uery</SPAN></STRONG><SPAN 
data-contrast="auto">,&nbsp;</SPAN><SPAN data-contrast="auto">as&nbsp;</SPAN><SPAN data-contrast="auto">this will be the function</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">name that</SPAN><SPAN data-contrast="auto">&nbsp;we will use, passing different value</SPAN><SPAN data-contrast="auto">s</SPAN><SPAN data-contrast="auto">&nbsp;as parameter</SPAN><SPAN data-contrast="auto">s</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">it&nbsp;</SPAN><SPAN data-contrast="auto">will allow us to retrieve data from different&nbsp;</SPAN><SPAN data-contrast="auto">APIs</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">We can also organize the quer</SPAN><SPAN data-contrast="auto">ies</SPAN><SPAN data-contrast="auto">&nbsp;in different&nbsp;</SPAN><SPAN data-contrast="auto">groups&nbsp;</SPAN><SPAN data-contrast="auto">to&nbsp;</SPAN><SPAN data-contrast="auto">easy understand the different meaning</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_31-1615366141109.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262399i7B1FE8C865374F4A/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_31-1615366141109.png" alt="msftdario_31-1615366141109.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 13.&nbsp;</SPAN></I><I><SPAN data-contrast="auto">Functions –&nbsp;</SPAN></I><I><SPAN data-contrast="auto">customODataquery</SPAN></I><SPAN style="font-family: inherit;" 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">We will now create a query by starting from a blank query and replacing the name of the API we want to access; we need to pass two parameters: the name of the API and the expected result type (“table” or “record”).</SPAN></P> <P>&nbsp;</P> <P><I><SPAN data-contrast="auto">let</SPAN></I></P> <P><I><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp; Source = customODataQuery("alerts","table")</SPAN></I></P> <P><I><SPAN 
data-contrast="auto">in</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:80,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><I><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp; Source</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:80,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_32-1615366141110.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262400i0B57B8CE38B1AFF0/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_32-1615366141110.png" alt="msftdario_32-1615366141110.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 1</SPAN></I><I><SPAN data-contrast="auto">4</SPAN></I><I><SPAN data-contrast="auto">. Adv</SPAN></I><I><SPAN data-contrast="auto">a</SPAN></I><I><SPAN data-contrast="auto">nced Editor -&nbsp;</SPAN></I><I><SPAN data-contrast="auto">ODataAlerts</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Follow the same steps to add additional&nbsp;</SPAN><SPAN data-contrast="auto">APIs</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_33-1615366141112.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262401i48101782357BF6B3/image-size/medium?v=v2&amp;px=400" role="button" 
title="msftdario_33-1615366141112.png" alt="msftdario_33-1615366141112.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 1</SPAN></I><I><SPAN data-contrast="auto">5</SPAN></I><I><SPAN data-contrast="auto">.&nbsp;&nbsp;</SPAN></I><I><SPAN data-contrast="auto">ODataAlerts</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">W</SPAN><SPAN data-contrast="auto">h</SPAN><SPAN data-contrast="auto">e</SPAN><SPAN data-contrast="auto">n</SPAN><SPAN data-contrast="auto">&nbsp;you select one of the table</SPAN><SPAN data-contrast="auto">s</SPAN><SPAN data-contrast="auto">, you can expand the data</SPAN><SPAN data-contrast="auto">.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_34-1615366141113.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262402i38545C832AA57FFE/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_34-1615366141113.png" alt="msftdario_34-1615366141113.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 1</SPAN></I><I><SPAN data-contrast="auto">6</SPAN></I><I><SPAN data-contrast="auto">.&nbsp;</SPAN></I><I><SPAN data-contrast="auto">ODataAlerts</SPAN></I><I><SPAN data-contrast="auto">&nbsp;- Table</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">After the expansion you will see all the available columns</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_35-1615366141114.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262403i7B0EA27BED076D17/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_35-1615366141114.png" alt="msftdario_35-1615366141114.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 1</SPAN></I><I><SPAN data-contrast="auto">7</SPAN></I><I><SPAN data-contrast="auto">.&nbsp;</SPAN></I><I><SPAN data-contrast="auto">ODataAlerts</SPAN></I><I><SPAN data-contrast="auto">&nbsp;- Columns</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Once you have&nbsp;</SPAN><SPAN data-contrast="auto">loaded&nbsp;</SPAN><SPAN data-contrast="auto">the tables you are ready to organize the data to visualize in a&nbsp;</SPAN><SPAN data-contrast="auto">dashboard</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Check out some of the examples we provided</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">i</SPAN><SPAN data-contrast="auto">n the&nbsp;</SPAN><SPAN data-contrast="auto">P</SPAN><SPAN data-contrast="auto">owerBi</SPAN><SPAN data-contrast="auto">&nbsp;template published&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN><STRONG>here</STRONG></SPAN></A><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">The&nbsp;</SPAN><SPAN data-contrast="auto">PowerBi</SPAN><SPAN 
data-contrast="auto">&nbsp;template contains&nbsp;</SPAN><SPAN data-contrast="auto">the following connection to the corresponding APIs</SPAN><SPAN data-contrast="auto">:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_36-1615366141115.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262404i45E1992EBB6CB947/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_36-1615366141115.png" alt="msftdario_36-1615366141115.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 18.&nbsp;</SPAN></I><I><SPAN data-contrast="auto">PowerBi</SPAN></I><I><SPAN data-contrast="auto">&nbsp;</SPAN></I><I><SPAN data-contrast="auto">Template connections</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P aria-level="2"><STRONG>Example&nbsp;dashboards and&nbsp;uses&nbsp;</STRONG></P> <P><SPAN data-contrast="auto">Let’s&nbsp;</SPAN><SPAN data-contrast="auto">take&nbsp;</SPAN><SPAN data-contrast="auto">a look</SPAN><SPAN data-contrast="auto">&nbsp;at&nbsp;</SPAN><SPAN data-contrast="auto">some</SPAN><SPAN data-contrast="auto">&nbsp;examples</SPAN><SPAN data-contrast="auto">&nbsp;o</SPAN><SPAN data-contrast="none">f dashboards and visualizations in&nbsp;</SPAN><SPAN data-contrast="none">PowerBI</SPAN><SPAN data-contrast="none">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P aria-level="3"><U>Microsoft&nbsp;Defender for&nbsp;Endpoint&nbsp;Onboarded Devices</U></P> <P><SPAN data-contrast="auto">This&nbsp;</SPAN><SPAN data-contrast="auto">dashboard</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">organizes 
the details of the onboarded devices</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_37-1615366141125.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262406i5CD4CC1A0EDB8A41/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_37-1615366141125.png" alt="msftdario_37-1615366141125.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 20.&nbsp;</SPAN></I><I><SPAN data-contrast="auto">Microsoft Defender for Endpoint</SPAN></I><I><SPAN data-contrast="auto">&nbsp;O</SPAN></I><I><SPAN data-contrast="auto">nboarded Devices page</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">To&nbsp;</SPAN><SPAN data-contrast="auto">populate</SPAN><SPAN data-contrast="auto">&nbsp;the dat</SPAN><SPAN data-contrast="auto">a</SPAN><SPAN data-contrast="auto">,</SPAN><SPAN data-contrast="auto">&nbsp;we need the Machines API, so add another query</SPAN><SPAN data-contrast="auto">&nbsp;as we did previously&nbsp;</SPAN><SPAN data-contrast="auto">(</SPAN><SPAN data-contrast="auto">use</SPAN><SPAN data-contrast="auto">&nbsp;the&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">customODataQuery</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">PowerBi</SPAN><SPAN data-contrast="auto">&nbsp;function we created previously</SPAN><SPAN data-contrast="auto">)</SPAN><SPAN data-contrast="auto">&nbsp;and specific the Machines 
API</SPAN><SPAN data-contrast="auto">.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><I><SPAN data-contrast="auto">let</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:80,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><I><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp; Source =&nbsp;</SPAN></I><I><SPAN data-contrast="auto">customODataQuery</SPAN></I><I><SPAN data-contrast="auto">("</SPAN></I><STRONG><I><SPAN data-contrast="auto">Machines</SPAN></I></STRONG><I><SPAN data-contrast="auto">","table</SPAN></I><I><SPAN data-contrast="auto">")</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:80,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><I><SPAN data-contrast="auto">in</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:80,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><I><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp; Source</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:80,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">We also would like to adjust the timestamp to date, in thi</SPAN><SPAN data-contrast="auto">s</SPAN><SPAN data-contrast="auto">&nbsp;way we can&nbsp;</SPAN><SPAN data-contrast="auto">use this field to create data&nbsp;</SPAN><SPAN data-contrast="auto">aggregations</SPAN><SPAN data-contrast="auto">&nbsp;by day</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_38-1615366141117.png" style="width: 400px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262405i682E4B09CAEEBD1F/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_38-1615366141117.png" alt="msftdario_38-1615366141117.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 21. Machines API - Query</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">The built-in APIs provide a lot of information to conduct a thorough investigation. You can also aggregate the data to tailor fit your investigation needs.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Should you find that</SPAN><SPAN data-contrast="none">&nbsp;additional information&nbsp;</SPAN><SPAN data-contrast="none">is&nbsp;</SPAN><SPAN data-contrast="none">needed to enhance the existing set of APIs, please let us know.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P aria-level="2"><U>Microsoft&nbsp;Defender for&nbsp;Endpoint&nbsp;Security Control&nbsp;</U></P> <P><SPAN data-contrast="auto">This page aggregates the recommendations from</SPAN><SPAN data-contrast="auto">&nbsp;T</SPAN><SPAN data-contrast="auto">hreat &amp;&nbsp;</SPAN><SPAN data-contrast="auto">V</SPAN><SPAN data-contrast="auto">ulnerability&nbsp;</SPAN><SPAN data-contrast="auto">M</SPAN><SPAN data-contrast="auto">anagement.&nbsp;</SPAN><SPAN data-contrast="auto">I</SPAN><SPAN data-contrast="auto">n this case we filter</SPAN><SPAN data-contrast="auto">ed for</SPAN><SPAN 
data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">by&nbsp;</SPAN><SPAN data-contrast="auto">Antivirus</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">and&nbsp;</SPAN><SPAN data-contrast="auto">Endpoint Detection and Response</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_39-1615366141128.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262407iA6898CF889424DC0/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_39-1615366141128.png" alt="msftdario_39-1615366141128.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 2</SPAN></I><I><SPAN data-contrast="auto">2</SPAN></I><I><SPAN data-contrast="auto">. Security Recommendation - Security Control Summary page</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">To populate the dat</SPAN><SPAN data-contrast="auto">a</SPAN><SPAN data-contrast="auto">, we need the&nbsp;</SPAN><SPAN data-contrast="auto">Recommendations</SPAN><SPAN data-contrast="auto">&nbsp;API, so&nbsp;</SPAN><SPAN data-contrast="auto">we will&nbsp;</SPAN><SPAN data-contrast="auto">add another query as we did previously&nbsp;</SPAN><SPAN data-contrast="auto">(</SPAN><SPAN data-contrast="auto">use&nbsp;</SPAN><SPAN data-contrast="auto">the</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">customODataQuery</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">PowerBi</SPAN><SPAN data-contrast="auto">&nbsp;function we 
created previously</SPAN><SPAN data-contrast="auto">)</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">and specif</SPAN><SPAN data-contrast="auto">y</SPAN><SPAN data-contrast="auto">&nbsp;the&nbsp;</SPAN><SPAN data-contrast="auto">Recommendations</SPAN><SPAN data-contrast="auto">&nbsp;API.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><I><SPAN data-contrast="auto">let</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:80,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><I><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp; Source =&nbsp;</SPAN></I><I><SPAN data-contrast="auto">customODataQuery</SPAN></I><I><SPAN data-contrast="auto">("</SPAN></I><STRONG><I><SPAN data-contrast="auto">Recommendations</SPAN></I></STRONG><I><SPAN data-contrast="auto">","table</SPAN></I><I><SPAN data-contrast="auto">")</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:80,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><I><SPAN data-contrast="auto">in</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:80,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><I><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp; Source</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:80,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">We also&nbsp;</SPAN><SPAN data-contrast="auto">will need</SPAN><SPAN data-contrast="auto">&nbsp;to expand the&nbsp;</SPAN><I><SPAN data-contrast="auto">machineReferences</SPAN></I><SPAN data-contrast="auto">&nbsp;fi</SPAN><SPAN data-contrast="auto">eld to join this information with the Machines&nbsp;table</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" 
image-alt="msftdario_40-1615366141119.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262408i85071F0D6B178576/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_40-1615366141119.png" alt="msftdario_40-1615366141119.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 2</SPAN></I><I><SPAN data-contrast="auto">3</SPAN></I><I><SPAN data-contrast="auto">.&nbsp;</SPAN></I><I><SPAN data-contrast="auto">Recommendation</SPAN></I><I><SPAN data-contrast="auto">s</SPAN></I><I><SPAN data-contrast="auto">&nbsp;API - Query</SPAN></I><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">This will quickly show you the overall compliance status</SPAN><SPAN data-contrast="auto">&nbsp;of devices</SPAN><SPAN data-contrast="auto">&nbsp;and give you an easy way to export&nbsp;</SPAN><SPAN data-contrast="auto">a</SPAN><SPAN data-contrast="auto">&nbsp;list of affected devices&nbsp;</SPAN><SPAN data-contrast="auto">for&nbsp;</SPAN><SPAN data-contrast="auto">remediation</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P aria-level="2"><U>Microsoft Defender for&nbsp;Endpoint&nbsp;Agent Health Status&nbsp;</U></P> <P><SPAN data-contrast="auto">Should you wish</SPAN><SPAN data-contrast="auto">&nbsp;to get some dat</SPAN><SPAN data-contrast="auto">a</SPAN><SPAN data-contrast="auto">&nbsp;based on a custom query, you can access the&nbsp;</SPAN><SPAN data-contrast="auto">AdvancedHunting</SPAN><SPAN data-contrast="auto">&nbsp;API.</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">In the&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2102893" target="_blank" rel="noopener"><SPAN data-contrast="none">previous episode</SPAN></A><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">of</SPAN><SPAN data-contrast="auto">&nbsp;this series, we encourage</SPAN><SPAN data-contrast="auto">d</SPAN><SPAN data-contrast="auto">&nbsp;you to optimize and adopt best practices when writing your own queries; this&nbsp;</SPAN><SPAN data-contrast="auto">becomes even more important when you plan to use a custom query with APIs to load data into&nbsp;</SPAN><SPAN data-contrast="auto">PowerBi</SPAN><SPAN data-contrast="auto">,&nbsp;</SPAN><SPAN data-contrast="auto">because</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">write efficient optimized queries will execute faster and will consume less resources</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Let</SPAN><SPAN data-contrast="auto">’s</SPAN><SPAN data-contrast="auto">&nbsp;take this&nbsp;query</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Endpoint Agent Health Status Report</SPAN></A><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">&nbsp;from&nbsp;</SPAN><SPAN data-contrast="auto">GitHub</SPAN><SPAN data-contrast="auto">&nbsp;as an example</SPAN><SPAN data-contrast="auto">, in&nbsp;</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">PowerBI</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">w</SPAN><SPAN data-contrast="auto">e defined 2 additional functions and we create</SPAN><SPAN 
data-contrast="auto">d</SPAN><SPAN data-contrast="auto">&nbsp;a new&nbsp;</SPAN><SPAN data-contrast="auto">query.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">We can start with this template and replace the text with the query we would like to&nbsp;use</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><I><SPAN data-contrast="auto">let</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:80,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><I><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp; Source =&nbsp;</SPAN></I><I><SPAN data-contrast="auto">customquery</SPAN></I><I><SPAN data-contrast="auto">("</SPAN></I><STRONG><I><SPAN data-contrast="none">COPY</SPAN></I></STRONG><STRONG><I><SPAN data-contrast="none">&nbsp;</SPAN></I></STRONG><STRONG><I><SPAN data-contrast="none">YOUR QUERY HERE</SPAN></I></STRONG><I><SPAN data-contrast="auto">")</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:80,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><I><SPAN data-contrast="auto">in</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:80,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><I><SPAN data-contrast="auto">&nbsp;&nbsp;&nbsp; Source</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:80,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">In our case we added this additional statement to return results from the last 24</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">h</SPAN><SPAN 
data-contrast="auto">ours.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><I><SPAN data-contrast="auto">&nbsp;&nbsp;</SPAN></I><SPAN data-contrast="auto">|</SPAN><I><SPAN data-contrast="auto">&nbsp;where Timestamp &gt;= ago(24h)</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Here you can see a way to represent the result in a visual&nbsp;</SPAN><SPAN data-contrast="auto">format.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="msftdario_41-1615366141131.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/262409i8F0BA1D8F3A27A60/image-size/medium?v=v2&amp;px=400" role="button" title="msftdario_41-1615366141131.png" alt="msftdario_41-1615366141131.png" /></span></P> <P><I><SPAN data-contrast="auto">Figure 2</SPAN></I><I><SPAN data-contrast="auto">4</SPAN></I><I><SPAN data-contrast="auto">. 
M</SPAN></I><I><SPAN data-contrast="auto">icrosoft&nbsp;</SPAN></I><I><SPAN data-contrast="auto">D</SPAN></I><I><SPAN data-contrast="auto">efender for&nbsp;</SPAN></I><I><SPAN data-contrast="auto">E</SPAN></I><I><SPAN data-contrast="auto">ndpoint</SPAN></I><I><SPAN data-contrast="auto">&nbsp;Agent Health Status page</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P aria-level="2"><STRONG>Conclusion&nbsp;</STRONG></P> <P><SPAN data-contrast="auto">In this post, we demonstrated how you can use&nbsp;</SPAN><SPAN data-contrast="auto">the Microsoft 365 APIs and&nbsp;</SPAN><SPAN data-contrast="auto">PowerBi</SPAN><SPAN data-contrast="auto">&nbsp;to&nbsp;</SPAN><SPAN>easly</SPAN><SPAN>e</SPAN><SPAN>asily</SPAN><SPAN data-contrast="auto">&nbsp;create a tailored dashboard that can&nbsp;</SPAN><SPAN data-contrast="auto">help you&nbsp;</SPAN><SPAN data-contrast="auto">create</SPAN><SPAN data-contrast="auto">&nbsp;visualiz</SPAN><SPAN data-contrast="auto">ations with</SPAN><SPAN data-contrast="auto">&nbsp;k</SPAN><SPAN data-contrast="auto">e</SPAN><SPAN data-contrast="auto">y information or KPI</SPAN><SPAN data-contrast="auto">.&nbsp;</SPAN><SPAN data-contrast="auto">We covered&nbsp;</SPAN><I><SPAN data-contrast="auto">the step-by-step in</SPAN></I><I><SPAN data-contrast="auto">s</SPAN></I><I><SPAN data-contrast="auto">truc</SPAN></I><I><SPAN data-contrast="auto">tions to&nbsp;</SPAN></I><I><SPAN data-contrast="auto">access th</SPAN></I><I><SPAN data-contrast="auto">e&nbsp;</SPAN></I><I><SPAN data-contrast="auto">Machines</SPAN></I><I><SPAN data-contrast="auto">,&nbsp;</SPAN></I><I><SPAN data-contrast="auto">Recommendations</SPAN></I><I><SPAN data-contrast="auto">&nbsp;and Alerts</SPAN></I><I><SPAN data-contrast="auto">&nbsp;APIs</SPAN></I><I><SPAN 
data-contrast="auto">&nbsp;and&nbsp;</SPAN></I><I><SPAN data-contrast="auto">how to&nbsp;</SPAN></I><I><SPAN data-contrast="auto">build&nbsp;</SPAN></I><I><SPAN data-contrast="auto">custom</SPAN></I><I><SPAN data-contrast="auto">&nbsp;</SPAN></I><I><SPAN data-contrast="auto">quer</SPAN></I><I><SPAN data-contrast="auto">ies with&nbsp;</SPAN></I><I><SPAN data-contrast="auto">A</SPAN></I><I><SPAN data-contrast="auto">dvanced hunting&nbsp;</SPAN></I><I><SPAN data-contrast="auto">API</SPAN></I><SPAN><I>&nbsp;</I></SPAN><SPAN data-contrast="auto">,</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">we&nbsp;</SPAN><SPAN data-contrast="auto">used APIs to&nbsp;</SPAN><SPAN data-contrast="auto">easily</SPAN><SPAN data-contrast="auto">&nbsp;access&nbsp;</SPAN><SPAN data-contrast="auto">the</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">Microsoft 356 data&nbsp;</SPAN><SPAN data-contrast="auto">and&nbsp;</SPAN><SPAN data-contrast="auto">PowerBI</SPAN><SPAN data-contrast="auto">&nbsp;to&nbsp;</SPAN><SPAN data-contrast="auto">"</SPAN><SPAN data-contrast="auto">translate</SPAN><SPAN data-contrast="auto">” the&nbsp;</SPAN><SPAN data-contrast="auto">date from tables in a visual format</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-contrast="auto">&nbsp;We hope that this can be helpful for you and increase&nbsp;</SPAN><SPAN data-contrast="auto">the creation of data visualizations.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P aria-level="2"><STRONG>Appendix&nbsp;&nbsp;</STRONG></P> <P><SPAN data-contrast="none">For more information about Microsoft 365 Defender APIs and the features discussed in this article,&nbsp;</SPAN><SPAN data-contrast="none">please&nbsp;</SPAN><SPAN data-contrast="none">read:</SPAN><SPAN 
data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN>Overview of management and APIs - Windows security | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN>Microsoft Defender for Endpoint APIs connection to Power BI - Windows security | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="auto">OData queries with Microsoft Defender for Endpoint - Windows security | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN>Access the Microsoft Defender for Endpoint APIs - Windows security | Microsoft Docs</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" 
data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener">Advanced hunting best practices</A></LI> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><A href="#" target="_blank" rel="noopener">Advanced hunting APIs - Microsoft 365 security | Microsoft Docs</A></LI> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><A href="#" target="_blank" rel="noopener">Microsoft-365-Defender-Hunting-Queries</A></LI> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="5" data-aria-level="1"><STRONG>M365-PowerBi&nbsp;</STRONG><A href="#" target="_blank" rel="noopener"><STRONG>Dashboard</STRONG></A></LI> </UL> <P>&nbsp;</P> <P><SPAN data-contrast="none">As always, we’d love to know what you think. 
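</SPAN></P> <P>The following is an added example, not code from the post or from the M365 Power BI template. It carries out in Python the same post-processing the post performs in Power Query, on constructed Machines and Recommendations records: expanding the nested <I>machineReferences</I> field, joining it with the Machines table (dropping references to devices the Machines query did not return), converting the <I>lastSeen</I> timestamp to a date for the per-day aggregation, and appending the post's 24-hour filter to a custom advanced hunting query. The sample records, the Recommendations field names other than <I>machineReferences</I>, and all function names are assumptions; only <I>id</I>, <I>computerDnsName</I> and <I>lastSeen</I> (Machines API) and the <I>DeviceInfo</I> columns are real.</P>

```python
"""Added example (not code from the post or from the M365 Power BI template).

Reproduces in Python the post-processing the post does in Power Query on the
Machines and Recommendations API results: expand the nested machineReferences
field, join it with the Machines table, turn the lastSeen timestamp into a date
so devices can be aggregated by day, and append the 24-hour filter to a custom
advanced hunting query.  All records below are CONSTRUCTED sample data shaped
like the APIs' "value" arrays; apart from machineReferences (named in the post)
and the Machines API fields id, computerDnsName and lastSeen, the field names
and values are assumptions.
"""
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

Record = Dict[str, object]

# Constructed sample of the Machines API result ("value" array).
MACHINES: List[Record] = [
    {"id": "m-001", "computerDnsName": "ws01.example.local", "lastSeen": "2021-03-09T08:15:00Z"},
    {"id": "m-002", "computerDnsName": "ws02.example.local", "lastSeen": "2021-03-09T17:42:10Z"},
    {"id": "m-003", "computerDnsName": "srv01.example.local", "lastSeen": "2021-03-10T01:03:55Z"},
]

# Constructed sample of the Recommendations API result, with machineReferences
# present as a nested list (the field the post expands in Power Query).
RECOMMENDATIONS: List[Record] = [
    {"recommendationName": "Turn on real-time protection",
     "recommendationCategory": "Security controls",
     "machineReferences": [{"id": "m-001"}, {"id": "m-003"}]},
    {"recommendationName": "Enable EDR in block mode",
     "recommendationCategory": "Security controls",
     "machineReferences": [{"id": "m-002"}]},
    {"recommendationName": "Update Contoso Reader",
     "recommendationCategory": "Application",
     "machineReferences": [{"id": "m-001"}, {"id": "m-999"}]},  # m-999 is not in MACHINES
]


def timestamp_to_date(ts: str) -> str:
    """Equivalent of changing the column type from DateTime to Date in Power Query:
    parse the ISO 8601 timestamp and keep only the UTC calendar day."""
    parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return parsed.astimezone(timezone.utc).date().isoformat()


def machines_by_day(machines: List[Record]) -> Dict[str, int]:
    """Count devices per lastSeen day: the by-day aggregation of the Onboarded Devices page."""
    return dict(Counter(timestamp_to_date(m["lastSeen"]) for m in machines))


def expand_machine_references(recommendations: List[Record]) -> List[Record]:
    """Power Query 'Expand' on machineReferences: one row per (recommendation, device)."""
    rows = []
    for rec in recommendations:
        for ref in rec["machineReferences"]:
            rows.append({
                "machineId": ref["id"],
                "recommendationName": rec["recommendationName"],
                "recommendationCategory": rec["recommendationCategory"],
            })
    return rows


def join_with_machines(rows: List[Record], machines: List[Record]) -> List[Record]:
    """Inner join on the machine id (Power Query 'Merge Queries', join kind Inner).
    References to devices missing from the Machines table are dropped rather than
    kept as rows with an empty device name."""
    by_id = {m["id"]: m for m in machines}
    joined = []
    for row in rows:
        machine = by_id.get(row["machineId"])
        if machine is None:
            continue
        joined.append({**row,
                       "computerDnsName": machine["computerDnsName"],
                       "lastSeenDate": timestamp_to_date(machine["lastSeen"])})
    return joined


def affected_devices(recommendations: List[Record], machines: List[Record],
                     category: str = "Security controls") -> List[str]:
    """Sorted, de-duplicated device names with a recommendation in `category`:
    the export-for-remediation list the Security Control page gives you."""
    rows = join_with_machines(expand_machine_references(recommendations), machines)
    return sorted({r["computerDnsName"] for r in rows if r["recommendationCategory"] == category})


# Constructed stand-in for the text pasted into customquery("COPY YOUR QUERY HERE").
HUNTING_TEMPLATE = "DeviceInfo\n| project Timestamp, DeviceId, DeviceName, OnboardingStatus"


def hunting_query_last_24h(query: str) -> str:
    """Append the statement the post adds so that only the last 24 hours are returned."""
    return query.rstrip() + "\n| where Timestamp >= ago(24h)"


def hunting_request_body(query: str) -> Dict[str, str]:
    """JSON body the advanced hunting API's run endpoint accepts: a single Query property."""
    return {"Query": hunting_query_last_24h(query)}


if __name__ == "__main__":
    print(machines_by_day(MACHINES))
    for row in join_with_machines(expand_machine_references(RECOMMENDATIONS), MACHINES):
        print(row)
    print(affected_devices(RECOMMENDATIONS, MACHINES))
    print(hunting_request_body(HUNTING_TEMPLATE)["Query"])
```

<P>Running the file prints the per-day device counts, the joined rows and the remediation list. The join kind is the one choice worth checking in Power BI as well: an inner join silently drops stale machine references, whereas a left outer join keeps them as rows with an empty device name, which would inflate the affected-device count on the Security Control page.</P> <P><SPAN data-contrast="none">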
Leave us feedback directly on Microsoft 365 security center or start a discussion in </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/bd-p/MicrosoftThreatProtection" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft 365 Defender community</SPAN></A></P> Wed, 28 Apr 2021 12:33:30 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2198820 msftdario 2021-04-28T12:33:30Z Microsoft Cloud App Security: The Hunt in a multi-stage incident https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-cloud-app-security-the-hunt-in-a-multi-stage-incident/ba-p/2193484 <P><SPAN class="TextRun SCXW225966553 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW225966553 BCX8">Welcome to our first post in the “</SPAN></SPAN><STRONG><SPAN class="TextRun SCXW225966553 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW225966553 BCX8">Microsoft Cloud App Security</SPAN></SPAN><SPAN class="TextRun SCXW225966553 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW225966553 BCX8">: The Hunt</SPAN></SPAN></STRONG><SPAN class="TextRun SCXW225966553 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW225966553 BCX8">”<SPAN>&nbsp;</SPAN></SPAN></SPAN><SPAN class="TextRun SCXW225966553 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW225966553 BCX8">blog<SPAN>&nbsp;</SPAN></SPAN></SPAN><SPAN class="TextRun SCXW225966553 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW225966553 BCX8">series!<SPAN>&nbsp;</SPAN></SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW225966553 BCX8"><SPAN class="SCXW225966553 BCX8">&nbsp;</SPAN><BR class="SCXW225966553 BCX8" /></SPAN><SPAN class="TextRun SCXW225966553 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW225966553 BCX8">Using M</SPAN></SPAN><SPAN class="TextRun SCXW225966553 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW225966553 BCX8">icrosoft<SPAN>&nbsp;</SPAN></SPAN></SPAN><SPAN class="TextRun 
SCXW225966553 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW225966553 BCX8">365 Defender, our integrated solution, we will address common alerts customers receive in Microsoft Cloud App Security (called “MCAS” by users and enthusiasts) to determine the full scope and impact of a threat. We will showcase how Microsoft 365 Defender assists security engineers by providing critical details such as how the threat entered the environment, what it has affected and how it is currently impacting the enterprise.</SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">We will do this by taking the details provided by a Cloud App Security alert and using Kusto Query Language (KQL) to query logs from the various products across the Microsoft security stack that are available in Microsoft 365 Defender Advanced hunting today.<BR />Additionally, we will use the mapping of MITRE ATT&amp;CK Framework tactics and techniques available in Cloud App Security to assist our investigation on where or how an adversary may move next.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Throughout this blog series, we will address the alerts and scenarios we have seen most frequently from customers and apply simple but effective queries that can be used in everyday investigations.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">To begin this exciting journey, our first use case will walk you through a possible investigation path you could follow after receiving a multi-stage incident from Cloud App Security.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <H2 aria-level="2"><SPAN data-contrast="none">Use&nbsp;case</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="auto">Contoso implemented Microsoft 365 and is monitoring users at risk using Microsoft’s security solutions.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">While reviewing the new incidents, our security analyst notices a new multi-stage incident for a user named Megan Bowens.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;<BR /><BR /></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-center" 
image-alt="D06A0719-5542-48E0-9084-08B1F8DEC430.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261659i413953C77A622C64/image-size/large?v=v2&amp;px=999" role="button" title="D06A0719-5542-48E0-9084-08B1F8DEC430.png" alt="Multi-stage incident" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Multi-stage incident</span></span></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="TextRun SCXW115270281 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW115270281 BCX8">By opening the incident, our analyst can immediately identify the&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW115270281 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW115270281 BCX8">incident&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW115270281 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW115270281 BCX8">alerts and&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW115270281 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW115270281 BCX8">the mapped&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW115270281 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW115270281 BCX8">MITRE tactics. Based on those, it looks like the user account might have been compromised. 
Let’s confirm this using M365 Defender!</SPAN></SPAN><SPAN class="EOP SCXW115270281 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></SPAN></P> <H2><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="94387B51-CB01-4EC3-B750-208FBFA8CF74.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261661i463AB9B816942D87/image-size/medium?v=v2&amp;px=400" role="button" title="94387B51-CB01-4EC3-B750-208FBFA8CF74.png" alt="94387B51-CB01-4EC3-B750-208FBFA8CF74.png" /></span></H2> <P>&nbsp;</P> <H2>Investigation</H2> <H3 aria-level="3"><SPAN data-contrast="none">Step 1: review the alerts to understand the incident context</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H3> <P><SPAN data-contrast="auto">By looking at the timeline, it seems that the user connected from a location she did not use in the last six months (</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Activity from infrequent country</SPAN></A><SPAN data-contrast="auto">): </SPAN><STRONG><SPAN data-contrast="auto">Romania</SPAN></STRONG><SPAN data-contrast="auto">.</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-center" 
image-alt="444E74F8-1386-48A4-B22A-0A30FD07BBB8.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261667iD4B20369E62A27D9/image-size/medium?v=v2&amp;px=400" role="button" title="444E74F8-1386-48A4-B22A-0A30FD07BBB8.png" alt="444E74F8-1386-48A4-B22A-0A30FD07BBB8.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN class="TextRun SCXW247222429 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW247222429 BCX8">Microsoft&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW247222429 BCX8" data-contrast="auto"><SPAN class="NormalTextRun CommentStart SCXW247222429 BCX8">Cloud App Security&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW247222429 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW247222429 BCX8">then&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW247222429 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW247222429 BCX8">triggered an&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW247222429 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW247222429 BCX8">out-of-the-box&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW247222429 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW247222429 BCX8">alert regarding activities from distant locations (</SPAN></SPAN><A class="Hyperlink SCXW247222429 BCX8" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined SCXW247222429 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW247222429 BCX8" data-ccp-charstyle="Hyperlink">Impossible travel activity</SPAN></SPAN></A><SPAN class="TextRun SCXW247222429 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW247222429 BCX8">). 
Using the information from this alert, admins can review activities from anywhere in the world: Belgium and Romania, but also Belarus!</SPAN></SPAN><SPAN class="EOP SCXW247222429 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW247222429 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="0A863139-45F3-4A83-940F-64CE5F4A6115.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261668i3493706D82F52A86/image-size/medium?v=v2&amp;px=400" role="button" title="0A863139-45F3-4A83-940F-64CE5F4A6115.png" alt="0A863139-45F3-4A83-940F-64CE5F4A6115.png" /></span></SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="TextRun SCXW65422398 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW65422398 BCX8">Finally, it appears that during this session, the user created an&nbsp;</SPAN></SPAN><A class="Hyperlink SCXW65422398 BCX8" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined SCXW65422398 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW65422398 BCX8" data-ccp-charstyle="Hyperlink">inbox rule forwarding</SPAN></SPAN></A><SPAN class="TextRun SCXW65422398 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW65422398 BCX8">&nbsp;emails to&nbsp;</SPAN></SPAN><A class="Hyperlink SCXW65422398 BCX8" href="https://gorovian.000webhostapp.com/?exam=mailto:hackerz007@gmail.com" target="_blank" rel="noreferrer noopener"><SPAN class="FieldRange SCXW65422398 BCX8"><SPAN class="TextRun Underlined SCXW65422398 BCX8" data-contrast="none"><SPAN class="NormalTextRun CommentStart SCXW65422398 BCX8" data-ccp-charstyle="Hyperlink">hackerz007@gmail.com</SPAN></SPAN></SPAN></A><SPAN class="TextRun SCXW65422398 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW65422398 BCX8">, which Microsoft Cloud App Security considers suspicious.</SPAN></SPAN><SPAN class="EOP SCXW65422398 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW247222429 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW65422398 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span 
class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="B05AA8FA-3DE0-40C8-B77B-119DE7966C8A.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261669i4E51E1DB1C292857/image-size/medium?v=v2&amp;px=400" role="button" title="B05AA8FA-3DE0-40C8-B77B-119DE7966C8A.png" alt="B05AA8FA-3DE0-40C8-B77B-119DE7966C8A.png" /></span></SPAN></SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN class="TextRun SCXW51200506 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW51200506 BCX8">Now that we understand the context, let’s investigate to understand the scope of the breach.</SPAN></SPAN><SPAN class="EOP SCXW51200506 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <H3><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW247222429 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW65422398 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW51200506 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="TextRun SCXW226722517 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW226722517 BCX8" data-ccp-parastyle="heading 3">Step 2: understand&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW226722517 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW226722517 BCX8" data-ccp-parastyle="heading 3">a&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW226722517 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW226722517 BCX8" data-ccp-parastyle="heading 3">user’s specific&nbsp;</SPAN><SPAN class="NormalTextRun ContextualSpellingAndGrammarErrorV2 GrammarErrorHighlight SCXW226722517 BCX8" data-ccp-parastyle="heading 3">context</SPAN></SPAN><SPAN 
class="EOP SCXW226722517 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></SPAN></SPAN></SPAN></SPAN></H3> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW247222429 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW65422398 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW51200506 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW226722517 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"><SPAN class="TextRun SCXW247088623 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW247088623 BCX8">Before spending time in logs, we&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW247088623 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW247088623 BCX8">must</SPAN></SPAN><SPAN class="TextRun SCXW247088623 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW247088623 BCX8">&nbsp;understand the user’s context. 
The easiest way is to open her user page and</SPAN></SPAN><SPAN class="TextRun SCXW247088623 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW247088623 BCX8">&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW247088623 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW247088623 BCX8">review the provided information:</SPAN></SPAN><SPAN class="EOP SCXW247088623 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW247222429 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW65422398 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW51200506 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW226722517 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW247088623 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="B01A4548-8BE9-4212-9347-D30B4BDDF39E.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261670i50CEAA588C81D932/image-size/medium?v=v2&amp;px=400" role="button" title="B01A4548-8BE9-4212-9347-D30B4BDDF39E.png" alt="B01A4548-8BE9-4212-9347-D30B4BDDF39E.png" /></span></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW247222429 BCX8" 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW65422398 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW51200506 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW226722517 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW247088623 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">On the user page, we are immediately provided information confirming that something happened with this&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">user&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">account: Megan’s account is considered a&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">h</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">igh&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">r</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">isk by Azure&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">Active Directory</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">&nbsp;and her&nbsp;</SPAN></SPAN><A class="Hyperlink 
SCXW159473491 BCX8" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="FieldRange SCXW159473491 BCX8"><SPAN class="TextRun Underlined SCXW159473491 BCX8" data-contrast="none"><SPAN class="NormalTextRun CommentStart SCXW159473491 BCX8" data-ccp-charstyle="Hyperlink">Investigation priority score</SPAN></SPAN></SPAN></A><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">&nbsp;suddenly increased in the last&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">few&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">days</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">, plus&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">her score is higher th</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun CommentStart SCXW159473491 BCX8">an 90% o</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">f</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">&nbsp;the organization</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">. 
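
The three signals behind this picture (activity from an infrequent country, impossible travel, and an inbox rule forwarding to an external address), plus the per-country activity share the user page shows, can be reproduced from raw activity records, as in the Python below, an added example with constructed sample events for Megan rather than code from this post or Microsoft's detection logic. The UPN, coordinates, event field names, 900 km/h speed threshold and inbox rule parameter names are assumptions.

```python
"""Simplified re-implementation of the three signals used above (added example,
constructed data; not Microsoft's detection logic or the real event schema)."""
from __future__ import annotations

import math
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Activity:
    """One cloud-app activity for a user (constructed; field names are assumptions)."""
    timestamp: datetime
    user: str
    action: str                 # e.g. "FileAccessed", "LogonSuccess", "New-InboxRule"
    country: str                # country of the source IP
    lat: float
    lon: float
    params: dict | None = None  # rule parameters for New-InboxRule events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi, dlmb = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def location_baseline(events, user, now, days=30):
    """Share of activities per country in the trailing window (the Locations panel)."""
    counts = Counter(e.country for e in events if e.user == user
                     and timedelta(0) <= now - e.timestamp <= timedelta(days=days))
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()} if total else {}


def infrequent_country(events, user, candidate, baseline_days=180):
    """'Activity from infrequent country': no earlier activity from that country
    within the baseline window (six months, as in the post)."""
    start = candidate.timestamp - timedelta(days=baseline_days)
    seen = {e.country for e in events
            if e.user == user and start <= e.timestamp < candidate.timestamp}
    return candidate.country not in seen


def impossible_travel(events, user, max_speed_kmh=900.0):
    """'Impossible travel': consecutive activities whose implied speed exceeds
    an airliner's (the threshold is an assumption)."""
    seq = sorted((e for e in events if e.user == user), key=lambda e: e.timestamp)
    hits = []
    for a, b in zip(seq, seq[1:]):
        dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
        hours = (b.timestamp - a.timestamp).total_seconds() / 3600
        if dist > 0 and (hours == 0 or dist / hours > max_speed_kmh):
            hits.append((a.country, b.country, round(dist), round(hours, 2)))
    return hits


def external_forwarding_rules(events, internal_domain):
    """New-InboxRule events that forward or redirect mail outside the organisation."""
    keys = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
    suffix = "@" + internal_domain.lower()
    return [(e.user, k, v) for e in events if e.action == "New-InboxRule" and e.params
            for k, v in e.params.items() if k in keys and not v.lower().endswith(suffix)]


# Constructed sample: Megan normally works from the US and Belgium.
USER = "megan@contoso.com"       # assumed UPN; Contoso and Megan come from the post
NOW = datetime(2021, 3, 1, 12, 0)
SEATTLE, BRUSSELS = (47.61, -122.33), (50.85, 4.35)
BUCHAREST, MINSK = (44.43, 26.10), (53.90, 27.57)


def _act(days_ago, hours_ago, action, country, coords, params=None):
    return Activity(NOW - timedelta(days=days_ago, hours=hours_ago), USER, action,
                    country, coords[0], coords[1], params)


SAMPLE = (
    [_act(d, 0, "FileAccessed", "US", SEATTLE)
     for d in (29, 28, 27, 26, 25, 24, 23, 22, 16, 15, 14, 13, 12, 11, 4, 3, 2)]
    + [_act(d, 0, "FileAccessed", "BE", BRUSSELS) for d in (20, 19, 18, 8, 7)]
    + [_act(1, 6, "LogonSuccess", "RO", BUCHAREST),   # first ever activity from Romania
       _act(1, 5, "LogonSuccess", "BY", MINSK),       # one hour later, from Belarus
       _act(1, 4, "New-InboxRule", "BY", MINSK,
            {"Name": "sync", "ForwardTo": "hackerz007@gmail.com"})]
)
ROMANIA_LOGON = next(e for e in SAMPLE if e.country == "RO")


def run_checks(events=SAMPLE, user=USER, now=NOW):
    """Run the three checks over the sample and return the findings."""
    return {
        "baseline": location_baseline(events, user, now),
        "infrequent_country": infrequent_country(events, user, ROMANIA_LOGON),
        "impossible_travel": impossible_travel(events, user),
        "external_forwarding": external_forwarding_rules(events, "contoso.com"),
    }


if __name__ == "__main__":
    print(run_checks())
```
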
We can also see from this page that she’s&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">located</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun CommentStart SCXW159473491 BCX8">in the&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">United States</SPAN></SPAN><SPAN class="TextRun SCXW159473491 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW159473491 BCX8">.</SPAN></SPAN><SPAN class="EOP SCXW159473491 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN></P>
<P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="C76EBA09-2C33-47C4-BCD4-AD82E05BBA11.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261671i4713A524D426EFA5/image-size/medium?v=v2&amp;px=400" role="button" title="C76EBA09-2C33-47C4-BCD4-AD82E05BBA11.png" alt="C76EBA09-2C33-47C4-BCD4-AD82E05BBA11.png" /></span></P>
<P>&nbsp;</P>
<P>To understand her habits, let’s open the Locations details:</P>
<P>&nbsp;</P>
<P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="345F053E-000C-48DF-874F-43EDBAA00D3F.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261672iBDF87DC105781C89/image-size/medium?v=v2&amp;px=400" role="button" title="345F053E-000C-48DF-874F-43EDBAA00D3F.png" alt="345F053E-000C-48DF-874F-43EDBAA00D3F.png" /></span></P>
<P>This shows the different locations the user has worked from in the last 30 days and the percentage of her activities performed from each of them.<BR />It immediately appears that she usually works from the US and Belgium, so activities performed from those countries are normal:</P>
<P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="3C571F81-C246-4226-8C5E-6DD27CAE7CB6.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261674iC442F28410D67F39/image-size/medium?v=v2&amp;px=400" role="button" title="3C571F81-C246-4226-8C5E-6DD27CAE7CB6.png" alt="3C571F81-C246-4226-8C5E-6DD27CAE7CB6.png" /></span></P>
<P>If we go further, we can also see that some activities have been performed from other locations: Romania and Belarus:</P>
<P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="7E3B54C1-2AAB-4820-8AC9-1CB6A8442374.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261675iB760BEF1F229BFC3/image-size/medium?v=v2&amp;px=400" role="button" title="7E3B54C1-2AAB-4820-8AC9-1CB6A8442374.png" alt="7E3B54C1-2AAB-4820-8AC9-1CB6A8442374.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="E52CC868-FF08-4E76-B9C5-57D7887FC459.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261677iF38F827A0EA2758D/image-size/medium?v=v2&amp;px=400" role="button" title="E52CC868-FF08-4E76-B9C5-57D7887FC459.png" alt="E52CC868-FF08-4E76-B9C5-57D7887FC459.png" /></span></P>
<P>&nbsp;</P>
<P>Now that we understand what is anomalous behavior for Megan (based on the information above and the tracked "Locations" in her user profile), let’s hunt!</P>
<P>&nbsp;</P>
<H3>Step 3: review the suspicious activities to understand the scope of the breach</H3>
<P>Our investigation will go through several phases (the list below is non-exhaustive).</P>
<P>&nbsp;</P>
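<P>As an added example (not from the original post), the following Advanced Hunting query gives a first-pass triage of everything the account did from the anomalous countries: it tags each ActionType with a risk tier along the lines of the table below (reading = low, downloading/sharing/deleting = medium, inbox rules and mailbox configuration = high), flags non-browser clients from the user agent, and summarizes per IP address. The account ID, country codes and start date are the ones used throughout this post; the ActionType lists and the user-agent keywords are assumptions to tune for your environment.</P>

```kql
// Added example, not from the original post: first-pass risk triage of the
// account's activity from the anomalous countries, summarized per IP address.
let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19';
let locations = pack_array('RO', 'BY');
let timeToSearch = startofday(datetime('2020-11-14'));
// Assumed risk tiers (illustrative; extend them for your tenant).
// Inbox-rule and mailbox configuration changes are treated as high risk,
// downloads, sharing, sending and deletions as medium, everything else as low.
let highRiskActions = dynamic(['New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules',
                               'Add-MailboxPermission', 'Set-Mailbox']);
let mediumRiskActions = dynamic(['FileDownloaded', 'FileSyncDownloadedFull', 'SharingSet',
                                 'AnonymousLinkCreated', 'Send', 'SendAs', 'SendOnBehalf',
                                 'MoveToDeletedItems', 'SoftDelete', 'HardDelete']);
CloudAppEvents
| where Timestamp >= timeToSearch
| where AccountObjectId == accountId and CountryCode in (locations)
| extend RiskLevel = case(
    ActionType contains_cs 'InboxRule' or ActionType in~ (highRiskActions), 3,
    ActionType in~ (mediumRiskActions), 2,
    1)
| extend Risk = case(RiskLevel == 3, 'High', RiskLevel == 2, 'Medium', 'Low')
// Non-browser clients (REST/Graph scripts, PowerShell, curl) deserve a closer
// look, as the post observes when reviewing the accessed emails.
// The keyword list is an assumption, not an exhaustive signature.
| extend ClientKind = case(
    isempty(UserAgent), 'Unknown',
    UserAgent has_any ('python', 'PowerShell', 'curl', 'Go-http-client', 'okhttp'), 'Script/tool',
    'Browser/app')
| summarize Events = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            Actions = make_set(ActionType, 50),
            Clients = make_set(ClientKind),
            Applications = make_set(Application)
    by RiskLevel, Risk, CountryCode, IPAddress
| sort by RiskLevel desc, Events desc
| project-away RiskLevel
```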
<TABLE data-tablestyle="MsoTableGrid" data-tablelook="1184"> <TBODY> <TR> <TD data-celllook="0"> <P><STRONG><SPAN data-contrast="auto">Action</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><STRONG><SPAN data-contrast="auto">Why ?</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Summarize all the performed actions&nbsp;</SPAN><SPAN data-contrast="auto">from th</SPAN><SPAN data-contrast="auto">e</SPAN><SPAN data-contrast="auto">&nbsp;suspicious IP/location&nbsp;</SPAN><SPAN data-contrast="auto">fo</SPAN><SPAN data-contrast="auto">r that&nbsp;account</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Understand the risk ba</SPAN><SPAN data-contrast="auto">sed on performed activities (ex: reading an email = low risk, downloading/sharing files = medium risk, creating inbox rule/admin activities = high risk)</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">If low risk activities, from mobile device for example, no further investigation might be required as this could be the user using a VPN client on her phone.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Provide details on all a</SPAN><SPAN data-contrast="auto">ccessed emails and their path in the&nbsp;mailbox</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Understand if access was t</SPAN><SPAN data-contrast="auto">argeted to sensitive information (finance, secrets, 
…).</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">If the information seems sensitive and the device type seems suspicious, further investigation required.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Also review the user agent to identify suspicious access.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR> <TD data-celllook="0"> <P><SPAN data-contrast="auto">If emails were sent</SPAN><SPAN data-contrast="auto">, review the recipients and message details.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Identify potential phishing attempts or identify other compromised accounts.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="auto">We will</SPAN><SPAN data-contrast="auto">&nbsp;also use the user agent to identify potential tools using Graph API or SMTP.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Review the accessed&nbsp;files</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Understand if access was t</SPAN><SPAN data-contrast="auto">argeted to sensitive information (finance, secrets, …).</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Review the created inbox&nbsp;rules</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Inbox rules can be used to exfiltrate data or hide conversations between the attacker and other recipients.</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Review other users using t</SPAN><SPAN data-contrast="auto">his IP&nbsp;address</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="0"> <P><SPAN data-contrast="auto">Identify potential compromised users or identify new&nbsp;</SPAN><SPAN data-contrast="auto">potential corporate&nbsp;</SPAN><SPAN data-contrast="auto">IP address used by&nbsp;</SPAN><SPAN data-contrast="auto">a new office.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> </TBODY> </TABLE> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <OL> <LI data-leveltext="%1." data-font="Calibri, Calibri_MSFontService, sans-serif" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto">Obtain the user’s account object Id.&nbsp;<BR /></SPAN>The Azure AD Account object ID is the&nbsp;<SPAN style="font-family: inherit;" data-contrast="auto">unique&nbsp;</SPAN><SPAN style="font-family: inherit;" data-contrast="auto">identifier of a user account. Therefore, we will use this identifier for hunting scenarios as it is exposed in the different tables. 
You can get the user’s account object ID from the user entity&nbsp;</SPAN><SPAN style="font-family: inherit;" data-contrast="auto">page (</SPAN><SPAN style="font-family: inherit;" data-contrast="auto">screenshot</SPAN><SPAN style="font-family: inherit;" data-contrast="auto">&nbsp;below</SPAN><SPAN style="font-family: inherit;" data-contrast="auto">), or by querying</SPAN><SPAN style="font-family: inherit;" data-contrast="auto">&nbsp;the</SPAN><SPAN style="font-family: inherit;" data-contrast="auto">&nbsp;</SPAN><STRONG style="font-family: inherit;"><SPAN data-contrast="auto">IdentityInfo&nbsp;</SPAN></STRONG><SPAN style="font-family: inherit;" data-contrast="auto"><SPAN style="font-family: inherit;" data-contrast="auto">table:<BR /><BR /><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="contact.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261725i46D61C42C5C3F388/image-size/medium?v=v2&amp;px=400" role="button" title="contact.png" alt="contact.png" /></span></SPAN></SPAN> <P>&nbsp;<SPAN class="TextRun SCXW243774692 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW243774692 BCX8">Querying the table:</SPAN></SPAN><SPAN class="EOP SCXW243774692 BCX8" data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <LI-CODE lang="yaml">IdentityInfo | where AccountUpn =~ 'meganb@seccxp.ninja' </LI-CODE> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="query.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261728i716B1CC352753E44/image-size/large?v=v2&amp;px=999" role="button" title="query.png" alt="query.png" /></span></P> </LI> <LI data-leveltext="%1." 
data-font="Calibri, Calibri_MSFontService, sans-serif" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <P><SPAN data-contrast="auto">Review&nbsp;</SPAN><SPAN data-contrast="auto">our user’s&nbsp;</SPAN><SPAN data-contrast="auto">signings</SPAN><SPAN data-contrast="auto">&nbsp;to identify other potential suspicious locations or IP&nbsp;</SPAN><SPAN data-contrast="auto">addresses.<BR /></SPAN><SPAN data-contrast="auto">Using this query,&nbsp;</SPAN><SPAN data-contrast="auto">you can get an overview of&nbsp;</SPAN><SPAN data-contrast="auto">the users signin</SPAN><SPAN data-contrast="auto">g activity and identify potential anomalies. Note that&nbsp;</SPAN><SPAN data-contrast="auto">if the user is using an AAD joined device and passing through a conditional access policy, the details of the managed device are exposed</SPAN><SPAN data-contrast="auto">:<BR /></SPAN></P> <LI-CODE lang="yaml">let timeToSearch = startofday(datetime('2020-11-14')); AADSignInEventsBeta  | where AccountObjectId == 'eababd92-9dc7-40e3-9359-6c106522db19' and Timestamp &gt;= timeToSearch  | distinct Application, ResourceDisplayName, Country, City, IPAddress, DeviceName, DeviceTrustType, OSPlatform, IsManaged, IsCompliant, AuthenticationRequirement, RiskState, UserAgent, ClientAppUsed</LI-CODE> <P><SPAN data-contrast="auto"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="devices.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261931i6A1CAB3EFBEC3440/image-size/large?v=v2&amp;px=999" role="button" title="devices.png" alt="devices.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">&nbsp;</SPAN></P> </LI> <LI data-leveltext="%1." 
data-font="Calibri, Calibri_MSFontService, sans-serif" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"> <P><SPAN data-contrast="auto"><SPAN style="font-family: inherit;"><SPAN class="TextRun SCXW65410550 BCX8" data-contrast="auto"><SPAN class="NormalTextRun CommentStart SCXW65410550 BCX8">Summarize all the performed actions from the suspicious IP/location for that account</SPAN></SPAN><SPAN class="TextRun SCXW65410550 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW65410550 BCX8">.</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW65410550 BCX8"><SPAN class="SCXW65410550 BCX8">&nbsp;</SPAN><BR class="SCXW65410550 BCX8" /></SPAN><SPAN class="TextRun SCXW65410550 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW65410550 BCX8">Using this Advanced&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW65410550 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW65410550 BCX8">h</SPAN></SPAN><SPAN class="TextRun SCXW65410550 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW65410550 BCX8">unting query</SPAN></SPAN><SPAN class="TextRun SCXW65410550 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW65410550 BCX8">&nbsp;scoped to the&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW65410550 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW65410550 BCX8">alerts date</SPAN></SPAN><SPAN class="TextRun SCXW65410550 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW65410550 BCX8">, we can easily identify the performed actions:</SPAN></SPAN><SPAN class="EOP SCXW65410550 BCX8" data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN><BR /></SPAN></SPAN></P> <LI-CODE lang="yaml">let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; let locations = pack_array('RO', 'BY'); let timeToSearch = startofday(datetime('2020-11-14')); CloudAppEvents | where AccountObjectId == accountId and CountryCode in (locations) and 
Timestamp &gt;= timeToSearch | summarize by ActionType, CountryCode, AccountObjectId | sort by ActionType asc </LI-CODE> <P><SPAN data-contrast="auto"><SPAN style="font-family: inherit;">&nbsp;<BR /><SPAN class="TextRun SCXW91936820 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW91936820 BCX8">We can see that the malicious actor accessed and deleted emails, opened files, created and deleted inbox rules.</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW91936820 BCX8"><SPAN class="SCXW91936820 BCX8">&nbsp;</SPAN><BR class="SCXW91936820 BCX8" /></SPAN><SPAN class="TextRun SCXW91936820 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW91936820 BCX8">That’s a great start! We know now what we are looking for.</SPAN></SPAN><SPAN class="EOP SCXW91936820 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;<BR /></SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="6E2142E0-5376-44F5-ACA5-2742AACFFEF5.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261754i4112D8464F658607/image-size/medium?v=v2&amp;px=400" role="button" title="6E2142E0-5376-44F5-ACA5-2742AACFFEF5.png" alt="6E2142E0-5376-44F5-ACA5-2742AACFFEF5.png" /></span><BR /><BR /></SPAN></SPAN></P> </LI> <LI data-leveltext="%1." 
data-font="Calibri, Calibri_MSFontService, sans-serif" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="auto"><SPAN data-contrast="auto"><SPAN style="font-family: inherit;"><SPAN class="TextRun BCX8 SCXW207540222" data-contrast="auto"><SPAN class="NormalTextRun BCX8 SCXW207540222">Review the accessed emails</SPAN></SPAN><SPAN class="TextRun BCX8 SCXW207540222" data-contrast="auto"><SPAN class="NormalTextRun BCX8 SCXW207540222">.</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop BCX8 SCXW207540222"><SPAN class="BCX8 SCXW207540222">&nbsp;</SPAN><BR class="BCX8 SCXW207540222" /></SPAN><SPAN class="TextRun BCX8 SCXW207540222" data-contrast="auto"><SPAN class="NormalTextRun BCX8 SCXW207540222">To understand what the actor was looking for, we&nbsp;</SPAN></SPAN><SPAN class="TextRun BCX8 SCXW207540222" data-contrast="auto"><SPAN class="NormalTextRun BCX8 SCXW207540222">can use the following query. It’s using events available with&nbsp;</SPAN></SPAN><A class="Hyperlink BCX8 SCXW207540222" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined BCX8 SCXW207540222" data-contrast="none"><SPAN class="NormalTextRun BCX8 SCXW207540222" data-ccp-charstyle="Hyperlink">advanced auditing</SPAN></SPAN></A><SPAN class="TextRun BCX8 SCXW207540222" data-contrast="auto"><SPAN class="NormalTextRun BCX8 SCXW207540222">&nbsp;and the&nbsp;</SPAN></SPAN><SPAN class="TextRun BCX8 SCXW207540222" data-contrast="auto"><SPAN class="NormalTextRun SpellingErrorV2 BCX8 SCXW207540222">EmailEvents</SPAN></SPAN><SPAN class="TextRun BCX8 SCXW207540222" data-contrast="auto"><SPAN class="NormalTextRun BCX8 SCXW207540222">&nbsp;table to enrich emails details (subject, sender, recipients, …) when possible.</SPAN></SPAN><BR /><BR /></SPAN></SPAN></SPAN><LI-CODE lang="yaml">let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; let locations = pack_array('RO', 'BY'); let timeToSearch = startofday(datetime('2020-11-14')); 
CloudAppEvents | where ActionType == 'MailItemsAccessed' and CountryCode in (locations) and AccountObjectId == accountId and Timestamp &gt;= timeToSearch | mv-expand todynamic(RawEventData.Folders) | extend Path = todynamic(RawEventData_Folders.Path), SessionId = tostring(RawEventData.SessionId) | mv-expand todynamic(RawEventData_Folders.FolderItems) | project SessionId, Timestamp, AccountObjectId, DeviceType, CountryCode, City, IPAddress, UserAgent, Path, Message = tostring(RawEventData_Folders_FolderItems.InternetMessageId) | join kind=leftouter ( EmailEvents | where RecipientObjectId == accountId | project Subject, RecipientEmailAddress , SenderMailFromAddress , DeliveryLocation , ThreatTypes, AttachmentCount , UrlCount , InternetMessageId ) on $left.Message == $right.InternetMessageId | sort by Timestamp desc</LI-CODE> <P><BR /><SPAN class="TextRun BCX8 SCXW104214897" data-contrast="auto"><SPAN class="NormalTextRun BCX8 SCXW104214897">Note the clients used: a browser and REST, indicating potential script accessing the emails:</SPAN></SPAN><BR /><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="766F6521-7063-4624-9C62-8748484FA4CB.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261755iCB55803B7C5623C1/image-size/medium?v=v2&amp;px=400" role="button" title="766F6521-7063-4624-9C62-8748484FA4CB.png" alt="766F6521-7063-4624-9C62-8748484FA4CB.png" /></span></P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="emails.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261758iFCC6F410F47EE05A/image-size/medium?v=v2&amp;px=400" role="button" title="emails.png" alt="emails.png" /></span></P> <P>&nbsp;</P> </LI> <LI data-leveltext="%1." 
data-font="Calibri, Calibri_MSFontService, sans-serif" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="NormalTextRun CommentStart SCXW202953813 BCX8">Review<SPAN>&nbsp;</SPAN></SPAN></SPAN><SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW202953813 BCX8">the accessed folders and files:<BR /></SPAN></SPAN></SPAN><LI-CODE lang="yaml">let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; let locations = pack_array('RO', 'BY'); let timeToSearch = startofday(datetime('2020-11-14')); CloudAppEvents | where ActionType == 'FilePreviewed' and CountryCode in (locations) and AccountObjectId == accountId and Timestamp &gt;= timeToSearch | project Timestamp, CountryCode , IPAddress , ISP, UserAgent , Application, ActivityObjects, AccountObjectId | mv-expand ActivityObjects | where ActivityObjects['Type'] in ('File', 'Folder') | evaluate bag_unpack(ActivityObjects) </LI-CODE> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="7F23CA13-92CF-4EF7-BE77-C848DEE982B3.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261765i95BD238CBBCC59C4/image-size/medium?v=v2&amp;px=400" role="button" title="7F23CA13-92CF-4EF7-BE77-C848DEE982B3.png" alt="7F23CA13-92CF-4EF7-BE77-C848DEE982B3.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW202953813 BCX8"><BR /></SPAN></SPAN></LI> <LI data-leveltext="%1." 
data-font="Calibri, Calibri_MSFontService, sans-serif" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW202953813 BCX8"><SPAN class="TextRun SCXW147789973 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW147789973 BCX8">Review the deleted emails. This might indicate that the actor tried to remove traces of discussions with other users or deletion of alerting emails:</SPAN></SPAN><SPAN class="EOP SCXW147789973 BCX8" data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:285}">&nbsp;<BR /></SPAN></SPAN></SPAN></SPAN><LI-CODE lang="yaml">let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; let locations = pack_array('RO', 'BY'); let timeToSearch = startofday(datetime('2020-11-14')); CloudAppEvents | where ActionType in~ ('MoveToDeletedItems', 'SoftDelete') and CountryCode in (locations) and AccountObjectId == accountId and Timestamp &gt;= timeToSearch | mv-expand ActivityObjects | where ActivityObjects['Type'] in ('Email', 'Folder') | evaluate bag_unpack(ActivityObjects) | distinct Timestamp, AccountObjectId, ActionType, CountryCode, IPAddress, Type, Name, Id | sort by Timestamp desc </LI-CODE><SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW202953813 BCX8"><BR /></SPAN></SPAN></LI> <LI data-leveltext="%1." 
data-font="Calibri, Calibri_MSFontService, sans-serif" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW202953813 BCX8"><SPAN class="TextRun SCXW130092342 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW130092342 BCX8">Review the created/enabled/modified inbox rules</SPAN></SPAN><SPAN class="TextRun SCXW130092342 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW130092342 BCX8">. You can see here that the rule if looking for specific keywords, like “</SPAN></SPAN><STRONG><SPAN class="TextRun SCXW130092342 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW130092342 BCX8">Credit Card</SPAN></SPAN></STRONG><SPAN class="TextRun SCXW130092342 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW130092342 BCX8">” or “</SPAN></SPAN><STRONG><SPAN class="TextRun SCXW130092342 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW130092342 BCX8">Password</SPAN></SPAN></STRONG><SPAN class="TextRun SCXW130092342 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW130092342 BCX8">”:</SPAN></SPAN><SPAN class="EOP SCXW130092342 BCX8" data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:285}">&nbsp;<BR /></SPAN></SPAN></SPAN></SPAN><LI-CODE lang="yaml">let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19'; let locations = pack_array('RO', 'BY'); let timeToSearch = startofday(datetime('2020-11-14')); CloudAppEvents | where ActionType contains_cs 'InboxRule' and CountryCode in (locations) | extend RuleParameters = RawEventData.Parameters | project Timestamp, CountryCode , IPAddress , ISP, ActionType , ObjectName , RuleParameters | sort by Timestamp desc </LI-CODE><SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN 
class="NormalTextRun SCXW202953813 BCX8"><SPAN class="EOP SCXW130092342 BCX8" data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:285}"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="299DB357-91E0-419E-9029-63AE9B538722.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261766iCE1B51D723CDCE73/image-size/medium?v=v2&amp;px=400" role="button" title="299DB357-91E0-419E-9029-63AE9B538722.png" alt="299DB357-91E0-419E-9029-63AE9B538722.png" /></span></SPAN></SPAN></SPAN></SPAN> <P>&nbsp;</P> <SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW202953813 BCX8"><SPAN class="EOP SCXW130092342 BCX8" data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:285}"><BR /><BR /></SPAN></SPAN></SPAN></LI> <LI data-leveltext="%1." data-font="Calibri, Calibri_MSFontService, sans-serif" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW202953813 BCX8"><SPAN class="EOP SCXW130092342 BCX8" data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:285}"><SPAN class="TextRun SCXW184123750 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW184123750 BCX8">Now it is time for our last query, which will identify the scope of the breach. So far we have hunted for more information on Megan, the impacted user we were alerted about in the incident. 
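The two mailbox-tampering reviews above, the deleted-items check and the inbox-rule check, combined into a single advanced hunting query. This is an added example and not a query from the original post. It reuses the post's accountId, locations and timeToSearch values, applies the account and date filters to the inbox-rule side as well (the post's inbox-rule query filters on country only), includes the HardDelete action alongside the two deletion actions shown above, and flattens the rule parameters on the assumption that RawEventData.Parameters is an array of Name/Value objects, as it is in Exchange admin audit records.

```kusto
// Added example, not from the original post: the deleted-items review and the
// inbox-rule review from the steps above, combined into one query for the
// compromised account.
let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19';
let locations = pack_array('RO', 'BY');
let timeToSearch = startofday(datetime('2020-11-14'));
// Scope once: same account, same source countries, same start date as the hunt.
// The post's inbox-rule query filters on country only; applying the account and
// date filters here keeps both reviews on the same footing.
let scoped = CloudAppEvents
    | where Timestamp >= timeToSearch
        and AccountObjectId == accountId
        and CountryCode in (locations);
// Deleted mail and folders, one row per affected object. HardDelete is added to
// the two actions used above so purges from Deleted Items are not missed.
let deletions = scoped
    | where ActionType in~ ('MoveToDeletedItems', 'SoftDelete', 'HardDelete')
    | mv-expand ActivityObjects
    | where ActivityObjects['Type'] in ('Email', 'Folder')
    | project Timestamp, ActionType, IPAddress, CountryCode,
              Detail = strcat(tostring(ActivityObjects['Type']), ': ',
                              tostring(ActivityObjects['Name']));
// Inbox-rule changes, with the rule parameters flattened to "Name=Value" pairs
// so conditions such as SubjectContainsWords show up as readable text.
// Assumption: RawEventData.Parameters is an array of {Name, Value} objects, as
// in Exchange admin audit records; grouping by ReportId keeps one row per event.
let ruleChanges = scoped
    | where ActionType contains_cs 'InboxRule'
    | mv-expand Parameter = RawEventData.Parameters
    | extend Pair = strcat(tostring(Parameter.Name), '=', tostring(Parameter.Value))
    | summarize Timestamp = min(Timestamp), ActionType = take_any(ActionType),
                IPAddress = take_any(IPAddress), CountryCode = take_any(CountryCode),
                Detail = strcat_array(make_list(Pair), '; ')
        by ReportId
    | project-away ReportId;
// Single timeline of mailbox tampering by the actor, oldest first.
union deletions, ruleChanges
| sort by Timestamp asc
```

Run against the same window, this gives one ordered timeline of what the actor did to the mailbox, which is easier to hand over to the remediation step than two separate result sets. If the Parameters shape differs in your tenant, replace the mv-expand and summarize with a direct project of RawEventData.Parameters, as the post's query does.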
There might also be additional compromised users, so we’ll take the IP addresses from the initial breach and search for other users with activity from those IP addresses:<BR /></SPAN></SPAN></SPAN></SPAN></SPAN></SPAN><LI-CODE lang="yaml">let accountId = 'eababd92-9dc7-40e3-9359-6c106522db19';
let locations = pack_array('RO', 'BY');
let timeToSearch = startofday(datetime('2020-11-14'));
let ips = (
    CloudAppEvents
    | where CountryCode in (locations)
    | distinct IPAddress, AccountObjectId
);
ips
| join (
    CloudAppEvents
    | project ActivityIP = IPAddress, UserId = AccountObjectId
) on $left.IPAddress == $right.ActivityIP
| distinct UserId
| join IdentityInfo on $left.UserId == $right.AccountObjectId
| distinct AccountDisplayName, AccountUpn, Department, Country, City, AccountObjectId</LI-CODE><SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW202953813 BCX8"><SPAN class="EOP SCXW130092342 BCX8" data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:285}"><BR /><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="B318F20C-D2E2-4555-8278-3C26F1B68A8E.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261769i9CA719F00EE2AE96/image-size/medium?v=v2&amp;px=400" role="button" title="B318F20C-D2E2-4555-8278-3C26F1B68A8E.png" alt="B318F20C-D2E2-4555-8278-3C26F1B68A8E.png" /></span></SPAN></SPAN></SPAN></SPAN> <P>&nbsp;</P> </LI> </OL> <H3><SPAN class="TextRun SCXW202953813 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW202953813 BCX8"><SPAN class="EOP SCXW130092342 BCX8" data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:2,&quot;335559739&quot;:160,&quot;335559740&quot;:285}"><SPAN class="TextRun SCXW244648245 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW244648245 BCX8" data-ccp-parastyle="heading 
3">Step 4: time to<SPAN>&nbsp;</SPAN></SPAN></SPAN><SPAN class="TextRun SCXW244648245 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW244648245 BCX8" data-ccp-parastyle="heading 3">remediate</SPAN></SPAN><SPAN class="TextRun SCXW244648245 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW244648245 BCX8" data-ccp-parastyle="heading 3">!</SPAN></SPAN><SPAN class="EOP SCXW244648245 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></SPAN></SPAN></SPAN></H3> <P><SPAN data-contrast="auto">Now that we have confirmed that Megan’s account was compromised and that she was the only impacted user, it’s time to take action.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;<BR /><BR /></SPAN></P> <P><SPAN data-contrast="auto">The required actions will of course depend on your specific procedures, but a good start is confirming the user as compromised by clicking on “Take actions”, or by going back to the user page and applying actions like suspending the user or requesting the user to sign in again.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="take 
actions.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261773i593F11F8F531011A/image-size/medium?v=v2&amp;px=400" role="button" title="take actions.png" alt="take actions.png" /></span><BR /></SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="confirm compromised.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261789iD8F09A6747B8A31B/image-size/medium?v=v2&amp;px=400" role="button" title="confirm compromised.png" alt="confirm compromised.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="TextRun SCXW207138028 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW207138028 BCX8">If you are syncing your accounts from Active Directory, you</SPAN></SPAN><SPAN class="TextRun SCXW207138028 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW207138028 BCX8">&nbsp;must&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW207138028 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW207138028 BCX8">perform the remediation steps on-premises.</SPAN></SPAN><SPAN class="LineBreakBlob BlobObject DragDrop SCXW207138028 BCX8"><SPAN class="SCXW207138028 BCX8">&nbsp;</SPAN><BR class="SCXW207138028 BCX8" /></SPAN><SPAN class="TextRun SCXW207138028 BCX8" data-contrast="auto"><SPAN class="NormalTextRun CommentStart SCXW207138028 BCX8">Also, note that integrating non-Microsoft apps to&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW207138028 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW207138028 BCX8">Microsoft&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW207138028 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW207138028 BCX8">Cloud App Security allows you to apply remediation to those apps 
too.</SPAN></SPAN><SPAN class="EOP SCXW207138028 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="124A9DE9-97CD-44A9-B758-F06C7E179562.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261786iD1493CB8DF72B2AA/image-size/medium?v=v2&amp;px=400" role="button" title="124A9DE9-97CD-44A9-B758-F06C7E179562.png" alt="124A9DE9-97CD-44A9-B758-F06C7E179562.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>A huge Thanks to&nbsp;<LI-USER uid="104809"></LI-USER>&nbsp;for the review!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN data-contrast="none">For more information about the features discussed in this article, read:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="·" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Advanced hunting overview</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="·" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Advanced hunting best practices</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="·" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Cloud App Security anomaly detection alerts investigation 
guide&nbsp;</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="·" data-font="Symbol" data-listid="3" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Investigate incidents in Microsoft 365 Defender&nbsp;</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P aria-level="3"><SPAN data-contrast="none">Learn&nbsp;more</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">For further information on how your organization can benefit from Microsoft Cloud App Security, connect with us at the links below:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <TABLE data-tablestyle="MsoTableGrid" data-tablelook="1184"> <TBODY> <TR> <TD data-celllook="4369"> <P><SPAN data-contrast="none">Join the conversation on&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-cloud-app-security/bd-p/MicrosoftCloudAppSecurity" target="_blank" rel="noopener"><SPAN data-contrast="none">Tech Community</SPAN></A><SPAN data-contrast="none">.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Stay up to date—subscribe to&nbsp;our&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">blog</SPAN></A><SPAN data-contrast="none">. 
</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="4369"> <P><SPAN data-contrast="none">Upload a log file from your network firewall or enable logging via </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft Defender for Endpoint </SPAN></A><SPAN data-contrast="none">to </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">discover Shadow IT </SPAN></A><SPAN data-contrast="none">in your network.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR> <TD data-celllook="4369"> <P><SPAN data-contrast="none">L</SPAN><SPAN data-contrast="auto">earn more—download</SPAN><SPAN data-contrast="none">&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Top 20 use cases for CASB</SPAN></A><SPAN data-contrast="none">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="4369"> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Connect your cloud apps </SPAN></A><SPAN data-contrast="none">to detect suspicious user activity and exposed sensitive data.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR> <TD data-celllook="4369"> <P><SPAN data-contrast="none">Search documentation on </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft Cloud App Security</SPAN></A><SPAN data-contrast="none">.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="4369"> <P><SPAN data-contrast="none">Enable out-of-the-box </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">anomaly detection policies </SPAN></A><SPAN data-contrast="none">and start detecting cloud threats in your 
environment.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR> <TD data-celllook="4369"> <P><SPAN data-contrast="none">Understand your&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">licensing options</SPAN></A><SPAN data-contrast="none">.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> <TD data-celllook="4369"> <P><SPAN data-contrast="none">Continue with more advanced use cases across </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">information protection</SPAN></A><SPAN data-contrast="none">, compliance, and more.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> </TD> </TR> <TR> <TD colspan="2" data-celllook="4369"> <P><SPAN data-contrast="none">Follow the&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/welcome-to-the-mcas-ninja-blog-series/ba-p/1775379" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft Cloud App Security Ninja blog</SPAN></A><SPAN data-contrast="none">&nbsp;and learn about&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/the-microsoft-cloud-app-security-mcas-ninja-training-is-here/ba-p/1877343" target="_blank" rel="noopener"><SPAN data-contrast="none">Ninja Training</SPAN></A><SPAN data-contrast="none">.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Go deeper with these interactive guides:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Discover, protect, and control your apps with 
Microsoft Cloud App Security</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="4" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Detect threats and manage alerts with Microsoft Cloud App Security</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:120,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> </TD> </TR> </TBODY> </TABLE> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><STRONG><SPAN data-contrast="none">To experience the benefits of full-featured CASB, sign up for a&nbsp;</SPAN></STRONG><A href="#" target="_blank" rel="noopener"><STRONG><SPAN data-contrast="none">free trial—</SPAN></STRONG><STRONG><SPAN data-contrast="none">Microsoft Cloud App Security</SPAN></STRONG></A><STRONG><SPAN data-contrast="none">.</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Follow us on LinkedIn as&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">#CloudAppSecurity</SPAN></A><SPAN data-contrast="none">. To learn more about Microsoft Security solutions visit&nbsp;our </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">website.</SPAN></A><SPAN data-contrast="none"> Bookmark the </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Security blog</SPAN></A><SPAN data-contrast="none"> to keep up with our expert coverage on security matters. 
Also, follow us at </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">@MSFTSecurity</SPAN></A><SPAN data-contrast="none">&nbsp;on Twitter, and&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft Security</SPAN></A><SPAN data-contrast="none">&nbsp;on LinkedIn for the latest news and updates on cybersecurity.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> Tue, 09 Mar 2021 09:11:14 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-cloud-app-security-the-hunt-in-a-multi-stage-incident/ba-p/2193484 Sebastien Molendijk 2021-03-09T09:11:14Z Microsoft 365 Defender now delivers unified experiences across endpoint, email and collaboration https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-365-defender-now-delivers-unified-experiences-across/ba-p/2177512 <P><STRONG>Update:</STRONG><SPAN>&nbsp;</SPAN>unified experiences across endpoint, email and collaboration in Microsoft 365 Defender are now<SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/unified-experiences-across-endpoint-and-email-are-now-generally/ba-p/2278132" target="_blank" rel="noopener">generally available</A><SPAN>&nbsp;</SPAN>as of April 19, 2021.&nbsp;</P> <P>&nbsp;</P> <P><SPAN>Today we are announcing the public preview of the integration of our endpoint and email and collaboration </SPAN><SPAN>capabilities into Microsoft 365 Defender. Security teams can now manage all endpoint, email and cross product investigations, configuration, and remediation within a single unified portal.&nbsp; Now is the time to start using this new unified experience in preview and as we move to general availability of the unified experience the previously distinct portals will be phased out. 
</SPAN></P> <P>&nbsp;</P> <P><SPAN>We are also announcing new and enhanced features only available in the Microsoft 365 Defender portal to help you respond faster such as new unified investigation pages for alerts and specifically email, as well as a brand-new Learning hub surfacing best practice and instructional resources to help you leverage the platform.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN><STRONG>Getting familiar with Microsoft 365 Defender and the unified portal</STRONG></SPAN></P> <P><SPAN>For <STRONG>Microsoft Defender for Endpoint</STRONG> users, existing capabilities are now available within Microsoft 365 Defender. To get started,&nbsp;navigate to&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>security.microsoft.com</SPAN></A><SPAN>. You will find everything you are used to in the navigation bar on the left, under “<STRONG>Home” </STRONG>or under <STRONG>Endpoints</STRONG>. Learn what’s changed in our in-depth </SPAN><A href="#" target="_blank" rel="noopener"><SPAN>documentation</SPAN></A><SPAN>.</SPAN><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="endpoint_features.png" style="width: 675px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259749i394AE9FA2463B2DF/image-dimensions/675x330?v=v2" width="675" height="330" role="button" title="endpoint_features.png" alt="endpoint_features.png" /></span></SPAN></P> <P><SPAN>Figure 1: Endpoint features integrated into Microsoft 365 Defender.&nbsp;</SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>For <STRONG>Microsoft Defender for Office 365</STRONG> users,&nbsp;the&nbsp;Threat Management capabilities and email security-related reports&nbsp;are now available in Microsoft 365 Defender under <STRONG>Email &amp; collaboration</STRONG> in the navigation bar.&nbsp;To get started, go to&nbsp;</SPAN><A href="#" target="_blank" 
rel="noopener"><SPAN>security.microsoft.com</SPAN></A><SPAN>.&nbsp;Learn what’s changed in our in-depth </SPAN><A href="#" target="_blank" rel="noopener"><SPAN>documentation</SPAN></A><SPAN>.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="email_features.png" style="width: 680px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259756i18084CE51353DDA3/image-dimensions/680x327?v=v2" width="680" height="327" role="button" title="email_features.png" alt="email_features.png" /></span></SPAN></P> <P><SPAN>Figure 2: Email and collaboration&nbsp;features&nbsp;integrated into Microsoft 365 Defender.</SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P data-unlink="true"><SPAN>If you have integrations and connections with&nbsp;SIEM solutions such as </SPAN><A href="#" target="_blank" rel="noopener">Azure Sentinel</A><SPAN>, these will continue to work and no changes are required.&nbsp;When you are ready to move all of your users to the new experience you can enable&nbsp;</SPAN><A href="#" target="_blank" rel="noopener">automatic URL redirection for Microsoft Defender for Endpoint</A><SPAN>&nbsp;and </SPAN><A href="#" target="_blank" rel="noopener">automatic URL redirection for Microsoft Defender for Office 365</A><SPAN>. If you have built </SPAN><A href="#" target="_blank" rel="noopener">custom detections</A><SPAN> or use </SPAN><A href="#" target="_blank" rel="noopener">device-related queries</A><SPAN> in Microsoft Defender for Endpoint, follow the links to learn how to migrate them. 
Compliance-related Office 365&nbsp;features are available in the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>Microsoft 365 compliance center</SPAN></A><SPAN>.&nbsp;</SPAN><SPAN>&nbsp;</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>There are lots of exciting new areas to explore:</SPAN></P> <UL> <LI><SPAN><STRONG>Unified alerts&nbsp;queue</STRONG></SPAN><SPAN>.&nbsp;See prioritized alerts from across your Microsoft 365 security products in a </SPAN><A href="#" target="_blank" rel="noopener"><SPAN>single,&nbsp;unified alerts queue</SPAN></A><SPAN>.</SPAN></LI> <LI><SPAN><STRONG>Unified&nbsp;user page</STRONG></SPAN><SPAN>. Visualize any user entity in a&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>single dashboard</SPAN></A><SPAN><U>.</U></SPAN> <SPAN>This new page allows security professionals to investigate every asset related to the user and imports critical information from all your deployed Microsoft 365 security products. </SPAN></LI> <LI><SPAN><STRONG>Unified investigation page</STRONG></SPAN><SPAN>. </SPAN><A href="#" target="_blank" rel="noopener"><SPAN>This view</SPAN></A><SPAN>&nbsp;provides details for&nbsp;automatic&nbsp;investigation and response including triggering alerts, impacted assets&nbsp;and deep-dive details across your Endpoint and Office 365 environments.</SPAN></LI> <LI><SPAN><STRONG>Learning hub</STRONG></SPAN><SPAN>. Leverage&nbsp;official guidance from resources such as the Microsoft&nbsp;security blog, the Microsoft security community on YouTube, and the official documentation at </SPAN><A href="#" target="_blank" rel="noopener">docs.microsoft.com</A><SPAN>.</SPAN><SPAN>&nbsp;These resources, articles, videos and how-to guides give you best practices and instructions on how to take advantage of the features in Microsoft 365 Defender.</SPAN></LI> <LI><STRONG>Email&nbsp;entity page</STRONG><SPAN style="font-family: inherit;">. 
A frequent request from customers has been better email investigation capabilities. Now you have a 360-degree view of an email alert integrated with context and related data from across the Microsoft 365 environment. This includes </SPAN><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener">enhancements</A><SPAN style="font-family: inherit;">&nbsp;such as junk mailbox rules, spam confidence levels and authentication&nbsp;and&nbsp;detonation&nbsp;details.&nbsp;</SPAN></LI> <LI><STRONG>Integrated&nbsp;alert&nbsp;detail&nbsp;page</STRONG><SPAN style="font-family: inherit;">. A comprehensive </SPAN><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener">point of view</A><SPAN style="font-family: inherit;"> for&nbsp;a&nbsp;specific alert&nbsp;including&nbsp;the&nbsp;alert story, timeline, alert classification,&nbsp;impacted entities, related incidents and more.</SPAN><SPAN style="font-family: inherit;">&nbsp;</SPAN></LI> <LI><STRONG>Role-based access in Microsoft 365 Defender. </STRONG><SPAN style="font-family: inherit;">Microsoft 365 Defender now recognizes RBAC configurations and custom roles from the individual Microsoft 365 solutions and holistically enforces them at the cross-product level. Check out </SPAN><SPAN style="font-family: inherit;">the </SPAN><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener">documentation</A><SPAN style="font-family: inherit;"> for more details.</SPAN></LI> <LI><STRONG>Threat analytics.</STRONG><SPAN style="font-family: inherit;"> Leverage detailed threat intelligence reports from Microsoft security experts to understand the most critical real world threats and actors. Related alerts and incidents in a customer environment are escalated for remediation and recommendations are provided to remediate any vulnerabilities and exposures. 
</SPAN><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener">Learn more.</A></LI> </UL> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>We’re excited to&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>hear your feedback</SPAN></A><SPAN>&nbsp;as you explore the&nbsp;unified&nbsp;portal and w</SPAN>e will continue to update the documentation throughout the preview<SPAN>.&nbsp; Our mission is to&nbsp;empower you&nbsp;with the&nbsp;most unified extended detection and response (XDR) solution in the industry so that you can focus on&nbsp;what’s important:&nbsp;preventing and remediating threats.</SPAN><SPAN>&nbsp;</SPAN></P> <P>&nbsp;</P> <P>To r<SPAN>ead more&nbsp;about the&nbsp;unified portal&nbsp;experience, check out:</SPAN><SPAN>&nbsp;</SPAN></P> <UL> <LI><A href="#" target="_blank" rel="noopener"><SPAN>Overview - Microsoft 365 security center</SPAN></A><SPAN>&nbsp;</SPAN></LI> <LI><A href="#" target="_blank" rel="noopener"><SPAN>Microsoft Defender for Endpoint in the Microsoft 365 security center</SPAN></A><SPAN>&nbsp;</SPAN></LI> <LI><A href="#" target="_blank" rel="noopener"><SPAN>Microsoft Defender for Office&nbsp;365 in the Microsoft 365 security center</SPAN></A><SPAN>&nbsp;</SPAN></LI> </UL> Tue, 20 Apr 2021 07:01:30 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-365-defender-now-delivers-unified-experiences-across/ba-p/2177512 Amir_Lande 2021-04-20T07:01:30Z Microsoft 365 Defender Ninja Training: January 2021 update https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-365-defender-ninja-training-january-2021-update/ba-p/2103073 <P>To usher in the new year, we are happy to announce a change in the blog name to Microsoft 365 Defender Ninja Training to coincide with the product name change.</P> <P>Also, in addition to several updates to&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft 365 Defender Ninja training</A>, we've included a dedicated 
section focusing on the Solorigate cyberattack to help you defend your environment against this and future supply chain attacks.</P> <P>&nbsp;</P> <P>If you want to refresh your knowledge and get updated, here is what has been added since the last update:</P> <P>&nbsp;</P> <P>Legend:</P> <TABLE border="1"> <TBODY> <TR> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span> Product videos</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span> Webcast recordings</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TechCommunity.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205059iE2A42D8A7F13D7BC/image-dimensions/17x19?v=v2" width="17" height="19" role="button" title="TechCommunity.png" alt="TechCommunity.png" /></span> Tech Community</P> </TD> </TR> <TR> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span> Docs on Microsoft</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;Blogs on Microsoft</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GitHub.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205065i083675CF15D6F1EF/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="GitHub.png" alt="GitHub.png" /></span>&nbsp;GitHub</P> </TD> </TR> <TR> <TD width="209.333px" height="28px"> <P>⤴ External</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="InteractiveGuides.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205067iF93A500E533F67FB/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="InteractiveGuides.png" alt="InteractiveGuides.png" /></span>&nbsp;Interactive guides</P> </TD> <TD width="209.333px" height="28px">&nbsp;</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <TABLE width="100%"> <TBODY> <TR> <TD width="50%" height="28px"> <P><EM><STRONG>Module</STRONG></EM></P> </TD> <TD width="50%" height="28px"> <P><STRONG><EM>What's new</EM></STRONG></P> </TD> </TR> <TR> <TD width="50%" height="66px"> <P>Security Operations Fundamentals</P> <P>Module 1. 
Technical overview</P> </TD> <TD width="50%" height="66px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span> &nbsp;<A href="#" target="_blank" rel="noopener">New value for Microsoft ​Defender for Identity</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span> &nbsp;<A href="#" target="_blank" rel="noopener">New value for Microsoft Defender for Office 365</A></LI> </UL> </TD> </TR> <TR> <TD width="50%" height="54px"> <P>Security Operations Fundamentals</P> <P data-unlink="true">Module 2. Getting started&nbsp;</P> </TD> <TD width="50%" height="54px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Provide your feedback</A></LI> </UL> </TD> </TR> <TR> <TD width="50%" height="81px"> <P data-unlink="true">Security Operations Fundamentals</P> <P data-unlink="true">Module 3. 
Investigation – Incident&nbsp;</P> </TD> <TD width="50%" height="81px"> <UL> <LI><SPAN><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span></STRONG>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/improved-incident-queue-in-microsoft-365-defender/ba-p/1872084" target="_blank" rel="noopener">Improved incident queue</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/get-email-notifications-on-new-incidents-from-microsoft-365/ba-p/2012518" target="_blank" rel="noopener">Get email notifications on new incidents</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span> &nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Classification of incidents &amp; alerts</A></LI> </UL> </TD> </TR> <TR> <TD width="50%" height="66px"> <P data-unlink="true">Security Operations Intermediate</P> <P data-unlink="true">Module 2. 
Investigation&nbsp;</P> </TD> <TD width="50%" height="66px"> <UL> <LI><SPAN><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;</STRONG></SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-defender-for-office-365-investigation-improvements/ba-p/1947236" target="_blank" rel="noopener">Investigation improvements for Microsoft Defender for Office 365</A></LI> </UL> </TD> </TR> <TR> <TD width="50%" height="200px"> <P data-unlink="true">Security Operations Intermediate:</P> <P data-unlink="true">Module 3. Advanced hunting&nbsp;</P> </TD> <TD width="50%" height="200px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/hunt-across-cloud-app-activities-with-microsoft-365-defender/ba-p/1893857" target="_blank" rel="noopener">Hunt across cloud app activities</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/additional-email-data-in-advanced-hunting/ba-p/1985849" target="_blank" rel="noopener">Use additional email data in your hunting 
queries</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/azure-active-directory-audit-logs-now-available-in-advanced/ba-p/1999523" target="_blank" rel="noopener">Use Azure Active Directory audit log data in advanced hunting</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/hunt-for-azure-active-directory-sign-in-events/ba-p/2040278" target="_blank" rel="noopener">Hunt for Azure Active Directory sign-in events</A></LI> </UL> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>The following is not part of the Ninja training, but definitely worth a read:</P> <P>&nbsp;</P> <TABLE width="100%"> <TBODY> <TR> <TD width="50%"> <P>Solorigate</P> </TD> <TD width="50%"> <UL> <LI><A href="#" target="_blank" rel="noopener">Using Microsoft 365 Defender to protect against Solorigate - Microsoft Security</A>&nbsp;</LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/solarwinds-post-compromise-hunting-with-azure-sentinel/ba-p/1995095" target="_blank" rel="noopener">SolarWinds Post-Compromise Hunting with Azure Sentinel</A>&nbsp;</LI> <LI><A href="#" target="_blank" rel="noopener">Advice for incident responders on recovery from systemic identity compromises</A>&nbsp; </LI> <LI><A 
href="https://gorovian.000webhostapp.com/?exam=t5/iot-security/latest-threat-intelligence-15-december-2020-fireeye-and/m-p/1999394" target="_blank" rel="noopener">Latest Threat Intelligence (15 December, 2020) - FireEye and SolarWinds Events - Microsoft Tech Community</A>&nbsp;</LI> <LI><A href="#" target="_blank" rel="noopener">Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers</A>&nbsp;</LI> <LI><A href="#" target="_blank" rel="noopener">A moment of reckoning: the need for a strong and global cybersecurity response</A><U>&nbsp;</U></LI> <LI><A href="#" target="_blank" rel="noopener">Ensuring customers are protected from Solorigate</A>&nbsp;</LI> <LI><A href="#" target="_blank" rel="noopener">Important steps for customers to protect themselves from recent nation-state cyberattacks</A></LI> <LI><A href="#" target="_blank" rel="noopener">Customer Guidance on Recent Nation-State Cyber Attacks</A>&nbsp;</LI> <LI><A href="#" target="_blank" rel="noopener">Guarding against supply chain attacks—Part 1: The big picture</A></LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/new-threat-analytics-report-shares-the-latest-intelligence-on/ba-p/2001095" target="_blank" rel="noopener">New Threat analytics report shares the latest intelligence on recent nation-state cyber attacks</A></LI> </UL> </TD> </TR> </TBODY> </TABLE> Wed, 04 Aug 2021 17:57:14 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-365-defender-ninja-training-january-2021-update/ba-p/2103073 Heike Ritter 2021-08-04T17:57:14Z Best practices for leveraging Microsoft 365 Defender API's - Episode One https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2102893 <P><SPAN data-contrast="auto">We are strong supporters of automation,&nbsp;</SPAN><SPAN data-contrast="auto">and&nbsp;</SPAN><SPAN 
data-contrast="auto">fully acknowledge the value of automating repetitive actions and of being able to adjust technology to the specific security practices and processes used by our customers and partners. This is what motivates us to develop and enrich our API layer. But as we all know, with great scale comes great responsibility, and here efficiency is the name of the game.</SPAN></P> <P>&nbsp;</P> <P>This blog series will provide you with best practices and recommendations on how to use the different Microsoft 365 Defender features and APIs in the most efficient way, to power your automation and achieve the outcome you want.</P> <P>&nbsp;</P> <P>In this first blog we will focus on two aspects:</P> <UL> <LI>Don’t automatically default to the Advanced hunting API.</LI> <LI>If you do need to use the Advanced hunting API for your scenario, how to use it in the most optimal way.</LI> </UL> <P>&nbsp;</P> <H3>When to use the Advanced hunting API and when to use other APIs / features?</H3> <P>The Advanced hunting API is a very robust capability that enables retrieving raw data from all Microsoft 365 Defender products (covering endpoints, identities, applications, docs and email), and it can also be leveraged to generate statistics on entities or to translate identifiers, e.g. to find which machine the IP X.X.X.X belonged to. While this is a great feature with broad reach across your data, it can also be challenging to maintain, because:</P> <P>&nbsp;</P> <UL> <LI>More team members need to know the internals of KQL to leverage it, and</LI> <LI>It consumes the hunting resource pool where there is no real need for that.</LI> </UL> <P>Below are a few examples of how we have developed a dedicated API to provide you with the intended answer in a single API call:</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">1.&nbsp; &nbsp;You have a 
3<SUP>rd</SUP> party alert on an IP address. You would like to see which device this IP was assigned to at that time, and to get more information on this device. Easy! You can do it by:</P> <P class="lia-indent-padding-left-60px">a.&nbsp; &nbsp;Using the <A href="#" target="_blank" rel="noreferrer noopener">Find devices by internal IP API</A> - it finds the devices seen with the requested internal IP in the time range of 15 minutes before and after a given timestamp, and returns details on the device including its OS platform, MDE groups, tags and exposure level.</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">2.&nbsp; &nbsp;You have a malicious domain IOC and you would like to see its prevalence in your organization.</P> <P class="lia-indent-padding-left-30px">Easy! 
You can use the <A href="#" target="_blank" rel="noopener">Get domain statistics API</A> for that. It retrieves the organization's statistics on the given domain, based on Microsoft Defender for Endpoint (MDE) data, for the lookback time you configure (by default the last 30 days), including:</P> <P class="lia-indent-padding-left-60px">a.&nbsp; &nbsp;Prevalence</P> <P class="lia-indent-padding-left-60px">b.&nbsp; &nbsp;First seen</P> <P class="lia-indent-padding-left-60px">c.&nbsp; &nbsp;Last seen</P> <P class="lia-indent-padding-left-30px">For example: <A href="#" target="_blank" rel="noopener">https://api.securitycenter.microsoft.com/api/domains/microsoft.com/stats?lookBackHours=24</A></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">3.&nbsp; &nbsp;You have a list of IOCs, and you would like to make sure you are alerted if there is any activity associated with any of them (for example a URL) in your organization.</P> <P class="lia-indent-padding-left-30px">To implement this scenario you can use Indicators:</P> <P class="lia-indent-padding-left-60px">a.&nbsp; &nbsp;Add the IOCs to MDE indicators via the <A href="#" target="_blank" rel="noopener">Indicators API</A> and set the required action (“Alert” or “Alert and Block”).</P> <P class="lia-indent-padding-left-60px">b.&nbsp; &nbsp;To check whether any of the IOCs was observed in the organization in the last 30 days, you can run a <U>single</U> Advanced hunting query:</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <PRE class="lia-indent-padding-left-60px">// See if any process created a file matching a hash on the list<BR />let covidIndicators = (externaldata(TimeGenerated:datetime, FileHashValue:string, FileHashType:string)<BR />[@"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Sample%20Data/Feeds/Microsoft.Covid19.Indicators.csv"]<BR />with (format="csv"))<BR />| where FileHashType == 'sha256'; // and TimeGenerated &gt; ago(1d);<BR />covidIndicators<BR />| join (DeviceFileEvents<BR />| 
where ActionType == 'FileCreated'<BR />| take 100) on $left.FileHashValue == $right.SHA256</PRE> <P>&nbsp;</P> <H2>How to optimize your Advanced hunting queries</H2> <P>Once you determine that the only way to resolve your scenario is using Advanced hunting queries, you should write efficient, optimized queries so that they execute faster and consume fewer resources. Queries may be throttled or limited based on how they're written, to limit the impact on other sessions. You can read all <A href="#" target="_blank" rel="noopener">our best practices recommendations</A>, and also watch this <A href="#" target="_blank" rel="noopener">webcast</A> to learn more. In this section we will highlight a few recommendations to improve query performance.</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">1.&nbsp; &nbsp;<STRONG>Always use time filters</STRONG> as your first query condition. Most of the time you will use Advanced hunting to get more information on an entity following an incident, so make sure to insert the time of the incident and narrow your lookback time. The shorter the lookback time is, the faster the query will be executed.</P> <P class="lia-indent-padding-left-30px">&nbsp; There are multiple ways to insert time filters into your query.</P> <P class="lia-indent-padding-left-30px">&nbsp; Scenario example – get all logon activities of the Finance department's users in Office 365.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <PRE class="lia-indent-padding-left-30px">// Filter timestamp in the query using “ago”<BR />IdentityInfo<BR />| where Department == "Finance"<BR />| distinct AccountObjectId<BR />| join (IdentityLogonEvents | where Timestamp &gt; ago(10d)) on AccountObjectId<BR />| where Application == "Office 365"</PRE> <PRE class="lia-indent-padding-left-30px">// Filter timestamp in the query using “between”<BR />let selectedTimestamp = datetime(2020-11-12T19:35:03.9859771Z);<BR />IdentityInfo<BR />| where Department == "Finance"<BR />| distinct AccountObjectId<BR />| join (IdentityLogonEvents | where Timestamp between ((selectedTimestamp - 2h) .. (selectedTimestamp + 2h))) on AccountObjectId<BR />| where Application == "Office 365"</PRE> <P class="lia-indent-padding-left-30px">&nbsp; In general, always filter your query by adding <STRONG>where</STRONG> conditions, so that it is accurate and queries only the exact data you are looking for.</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">2.&nbsp; &nbsp;Only use “join” when it is <U>necessary</U> for your scenario.</P> <P class="lia-indent-padding-left-60px">a.&nbsp; &nbsp;If you are using a join, try to <STRONG>reduce the dataset before joining</STRONG> to limit the join size. <STRONG>Filter the table on the left side</STRONG> to reduce its size as much as you can.</P> <P class="lia-indent-padding-left-60px">b.&nbsp; &nbsp;<STRONG>Use an accurate key</STRONG> for the join.</P> <P class="lia-indent-padding-left-60px">c.&nbsp; &nbsp;Choose <A href="#" target="_blank" rel="noopener">the join flavor (kind)</A> according to your scenario.</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-30px">&nbsp; In the following example we want to see all details of emails and their attachments.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">&nbsp; The following example is an inefficient query, because:</P> <P class="lia-indent-padding-left-60px">a.&nbsp; &nbsp;<FONT color="#FF0000">EmailEvents</FONT> is the largest table; it should never be on the left side of the join without substantial filtering on it.</P> <P class="lia-indent-padding-left-60px">b.&nbsp; &nbsp;<FONT color="#3366FF">join kind=leftouter</FONT> returns all emails, including ones without attachments, which makes the result set very large. We don’t need to see emails without attachments, so this is not the right join kind for this scenario.</P> <P class="lia-indent-padding-left-60px">c.&nbsp; &nbsp;The key of the join is not accurate, NetworkMessageId. 
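</P> <P>To make points b and c concrete, here is a small Python simulation (an added example, not part of the original post) of the join behaviour described in this section. It models leftouter, inner and innerunique joins over a handful of constructed EmailEvents and EmailAttachmentInfo rows (assumed sample data, not real telemetry) and counts the rows that a join on NetworkMessageId alone pairs with the wrong recipient, the attachment-less rows a leftouter join adds, and the attachments the default innerunique kind silently drops. That the model keeps the first left row for innerunique is an assumption; KQL only promises one left row per key value.</P>

```python
"""Join key and join kind, simulated: a local model of the KQL join behaviour
described on this page, run over constructed EmailEvents / EmailAttachmentInfo
rows.  Added example; not the post's own query and not real telemetry."""
from collections import defaultdict

# Constructed sample rows. EmailEvents has one row per (message, recipient);
# EmailAttachmentInfo has one row per (message, recipient, attachment).
# Message m1 went to two recipients with two attachments each, m2 has no
# attachment and m3 has one.
EMAIL_EVENTS = [
    {"NetworkMessageId": "m1", "RecipientEmailAddress": "alice@contoso.com", "AttachmentCount": 2},
    {"NetworkMessageId": "m1", "RecipientEmailAddress": "bob@contoso.com", "AttachmentCount": 2},
    {"NetworkMessageId": "m2", "RecipientEmailAddress": "carol@contoso.com", "AttachmentCount": 0},
    {"NetworkMessageId": "m3", "RecipientEmailAddress": "dave@contoso.com", "AttachmentCount": 1},
]
EMAIL_ATTACHMENTS = [
    {"NetworkMessageId": "m1", "RecipientEmailAddress": "alice@contoso.com", "FileName": "invoice.pdf"},
    {"NetworkMessageId": "m1", "RecipientEmailAddress": "alice@contoso.com", "FileName": "macro.xlsm"},
    {"NetworkMessageId": "m1", "RecipientEmailAddress": "bob@contoso.com", "FileName": "invoice.pdf"},
    {"NetworkMessageId": "m1", "RecipientEmailAddress": "bob@contoso.com", "FileName": "macro.xlsm"},
    {"NetworkMessageId": "m3", "RecipientEmailAddress": "dave@contoso.com", "FileName": "report.docx"},
]


def kql_join(left, right, keys, kind):
    """Model of KQL 'join kind=<kind> ... on <keys>' for the kinds used on this page.
    Right-side columns whose names collide with left-side ones get a '1' suffix,
    the way KQL names them in the join output."""
    if kind not in ("inner", "innerunique", "leftouter"):
        raise ValueError(f"unsupported join kind: {kind}")

    def key_of(row):
        return tuple(row[k] for k in keys)

    index = defaultdict(list)
    for row in right:
        index[key_of(row)].append(row)
    right_cols = sorted({col for row in right for col in row})

    if kind == "innerunique":
        # innerunique (the default when no kind is given) matches only ONE left
        # row per key value; KQL does not promise which one, this model keeps
        # the first, so further left rows with the same key are dropped.
        seen, unique_left = set(), []
        for row in left:
            if key_of(row) not in seen:
                seen.add(key_of(row))
                unique_left.append(row)
        left = unique_left

    out = []
    for lrow in left:
        matches = index.get(key_of(lrow), [])
        if not matches and kind == "leftouter":
            matches = [dict.fromkeys(right_cols)]  # keep left row, right side null
        for rrow in matches:
            merged = dict(lrow)
            for col, val in rrow.items():
                merged[col + "1" if col in lrow else col] = val
            out.append(merged)
    return out


def inefficient_query():
    """EmailEvents | join kind=leftouter (EmailAttachmentInfo) on NetworkMessageId"""
    return kql_join(EMAIL_EVENTS, EMAIL_ATTACHMENTS, ("NetworkMessageId",), "leftouter")


def improved_query(kind="inner"):
    """EmailAttachmentInfo | join kind=inner (EmailEvents | where AttachmentCount > 0)
    on NetworkMessageId, RecipientEmailAddress
    Pass kind='innerunique' to see what the default join kind would drop."""
    with_attachments = [e for e in EMAIL_EVENTS if e["AttachmentCount"] > 0]
    return kql_join(EMAIL_ATTACHMENTS, with_attachments,
                    ("NetworkMessageId", "RecipientEmailAddress"), kind)


def wrong_recipient_rows(rows):
    """Rows where an attachment was paired with another recipient's copy of the mail."""
    return [r for r in rows
            if r.get("RecipientEmailAddress1") not in (None, r["RecipientEmailAddress"])]


def attachmentless_rows(rows):
    """Rows that carry no attachment at all (leftouter padding)."""
    return [r for r in rows if r.get("FileName") is None]


if __name__ == "__main__":
    bad = inefficient_query()
    print(f"leftouter on NetworkMessageId: {len(bad)} rows, "
          f"{len(wrong_recipient_rows(bad))} cross-recipient, "
          f"{len(attachmentless_rows(bad))} without attachment")
    good = improved_query()
    print(f"inner on (NetworkMessageId, RecipientEmailAddress): {len(good)} rows, "
          f"{len(wrong_recipient_rows(good))} cross-recipient")
    dropped = ({a["FileName"] for a in EMAIL_ATTACHMENTS}
               - {r["FileName"] for r in improved_query("innerunique")})
    print(f"innerunique would drop: {sorted(dropped)}")
```

<P>Run it as a script to see the three counts: on this sample the leftouter join on NetworkMessageId alone returns twice as many rows as there are attachments, four of them pairing an attachment with the other recipient's copy of the message and one carrying no attachment at all, while the inner join on (NetworkMessageId, RecipientEmailAddress) returns exactly one row per attachment, and the same query with the default innerunique kind loses macro.xlsm for both recipients.</P> <P class="lia-indent-padding-left-60px">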
This is an email identifier, but the same email can be sent to multiple recipients.</P> <P>&nbsp;</P> <PRE class="lia-indent-padding-left-60px"><FONT color="#FF0000">EmailEvents</FONT><BR />| project NetworkMessageId, Subject, Timestamp, SenderFromAddress, SenderIPv4, RecipientEmailAddress, AttachmentCount<BR />| <FONT color="#3366FF">join kind=leftouter</FONT> (EmailAttachmentInfo<BR />| project NetworkMessageId, FileName, FileType, MalwareFilterVerdict, SHA256, RecipientEmailAddress)<BR />on NetworkMessageId</PRE> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">&nbsp; This query should be changed and improved to the following query by:</P> <P class="lia-indent-padding-left-60px">a.&nbsp; &nbsp;Putting the smaller table, EmailAttachmentInfo, on the left.</P> <P class="lia-indent-padding-left-60px">b.&nbsp; &nbsp;Increasing join accuracy using join kind=inner.</P> <P class="lia-indent-padding-left-60px">c.&nbsp; &nbsp;Using an accurate key for the join (NetworkMessageId, RecipientEmailAddress).</P> <P class="lia-indent-padding-left-60px">d.&nbsp; &nbsp;Filtering the EmailEvents table to only include emails with attachments before the join.</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <PRE class="lia-indent-padding-left-60px">// Smaller table on the left side, with kind=inner: the default join kind (innerunique)<BR />// removes left-side duplicates of the key, so if a single email had more than one attachment we would miss the others<BR />EmailAttachmentInfo<BR />| project NetworkMessageId, FileName, FileType, MalwareFilterVerdict, SHA256, RecipientEmailAddress<BR />| join kind=inner<BR />(EmailEvents<BR />| where AttachmentCount &gt; 0<BR />| project NetworkMessageId, Subject, Timestamp, SenderFromAddress, SenderIPv4, RecipientEmailAddress, AttachmentCount)<BR />on NetworkMessageId, RecipientEmailAddress</PRE> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">3.&nbsp; &nbsp;When you want to search for an attribute/entity in multiple tables, use the <STRONG>search in</STRONG> operator instead of using union. For example, if you want to search for a list of URLs, use the following query (note the parentheses around the URL conditions: without them the time filter would apply only to the first condition, because “and” binds tighter than “or”):</P> <P>&nbsp;</P> <PRE class="lia-indent-padding-left-30px">let ListOfIoc = dynamic(["t20saudiarabia@outlook.sa", "t20saudiarabia@hotmail.com", "t20saudiarabia@gmail.com", "munichconference@outlook.com",<BR />"munichconference@outlook.de", "munichconference1962@gmail.com", "ctldl.windowsupdate.com"]);<BR />search in (DeviceNetworkEvents, DeviceFileEvents, DeviceEvents, EmailUrlInfo)<BR />Timestamp &gt; ago(1d) and<BR />(RemoteUrl in (ListOfIoc) or FileOriginUrl in (ListOfIoc) or FileOriginReferrerUrl in (ListOfIoc))</PRE> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">4.&nbsp; &nbsp;<STRONG>Using “has” is better than “contains”</STRONG>: when looking for full tokens, “has” is more efficient, since it doesn't look for substrings.</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">&nbsp; &nbsp; &nbsp;Instead of using “contains”:</P> <PRE class="lia-indent-padding-left-60px">DeviceNetworkEvents<BR />| where RemoteUrl contains "microsoft.com"<BR />| take 50</PRE> <P class="lia-indent-padding-left-30px">&nbsp; &nbsp; &nbsp;Use “has”:</P> <PRE class="lia-indent-padding-left-60px">DeviceNetworkEvents<BR />| where RemoteUrl has "microsoft.com"<BR />| take 50</PRE> <P class="lia-indent-padding-left-30px">&nbsp; &nbsp; &nbsp;If possible, <STRONG>use case-sensitive operators</STRONG>:</P> <PRE class="lia-indent-padding-left-60px">DeviceNetworkEvents<BR />| where RemoteUrl has_cs "microsoft.com"<BR />| take 50</PRE> <P>&nbsp;</P> <P>For more information about Advanced hunting and the features discussed in this article, read:</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Advanced hunting overview</A></LI> <LI><A href="#" target="_blank" rel="noopener">Advanced hunting best practices</A></LI> <LI><A href="#" target="_blank" rel="noopener">Advanced hunting APIs - Microsoft 
365 security | Microsoft Docs</A></LI> <LI><A href="#" target="_blank" rel="noopener">Advanced hunting quota and resources</A></LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft 365 Defender APIs</A></LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint APIs</A></LI> </UL> <P>&nbsp;</P> <P>As always, we’d love to know what you think. Leave us feedback directly on Microsoft 365 security center or start a discussion in <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/bd-p/MicrosoftThreatProtection" target="_blank" rel="noopener">Microsoft 365 Defender community.</A></P> <P>&nbsp;</P> Thu, 28 Jan 2021 10:37:28 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2102893 Tali Ash 2021-01-28T10:37:28Z Hunt for Azure Active Directory sign-in events https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/hunt-for-azure-active-directory-sign-in-events/ba-p/2040278 <P>We are happy to announce the public preview availability of a new data source in <A href="#" target="_blank" rel="noopener">Microsoft 365 Defender advanced hunting</A>.</P> <P>&nbsp;</P> <P>Two new tables for <STRONG>Azure Active Directory sign-ins are now available </STRONG>in advanced hunting:</P> <UL> <LI><A href="#" target="_blank" rel="noopener"><STRONG>AADSpnSignInEventsBeta</STRONG></A><SPAN><STRONG> – </STRONG>includes</SPAN> service principal and managed identity sign-in events</LI> <LI><A href="#" target="_self"><STRONG>AADSignInEventsBeta</STRONG></A><SPAN><STRONG> – </STRONG>includes </SPAN>interactive and non-interactive sign-in events</LI> </UL> <P>The tables are visible only to <U>global roles assigned in Azure Active Directory</U>, as enforced by Azure Active Directory.</P> <P>&nbsp;</P> <P>The tables are suffixed with “beta” because they are a short-term solution to help you quickly identify possible malicious sign-in events for investigation. In parallel to making this data available, we are working on a more robust and complete solution. We will share more details on that soon.</P> <P>&nbsp;</P> <P>Here are some useful sample queries that can also help you understand how to use these new tables:</P> <P>&nbsp;</P> <PRE>// Finds attempts to sign in to disabled accounts, listed by IP address<BR />let timeRange = 14d;<BR />AADSignInEventsBeta<BR />| where Timestamp &gt;= ago(timeRange)<BR />| where ErrorCode == 50057  // The user account is disabled (ErrorCode is an integer column)<BR />| summarize StartTime = min(Timestamp), EndTime = max(Timestamp),<BR />            numberAccountsTargeted = dcount(AccountObjectId),<BR />            numberApplicationsTargeted = dcount(ApplicationId),<BR />            accountSet = make_set(AccountUpn), applicationSet = make_set(Application),<BR />            numberLoginAttempts = count() by IPAddress<BR />| extend timestamp = StartTime, IPCustomEntity = IPAddress<BR />| order by numberLoginAttempts desc</PRE> <PRE>// Users with multiple cities<BR />// Gets a list of users that signed in from multiple locations in the last 24 hours<BR />AADSignInEventsBeta<BR />| where Timestamp &gt;= ago(1d)<BR />| summarize CountPerCity = dcount(City), citySet = make_set(City) by AccountUpn<BR />| where CountPerCity &gt; 1<BR />| order by CountPerCity desc</PRE> <PRE>// Most active Managed Identities<BR />// Gets list of the top 100 most active managed identities in the last 24 hours<BR />AADSpnSignInEventsBeta<BR />| where Timestamp &gt; ago(1d)<BR />| where IsManagedIdentity == True<BR />| summarize CountPerManagedIdentity = count() by ServicePrincipalId<BR />| order by CountPerManagedIdentity desc<BR />| take 100</PRE> <PRE>// Inactive Service Principals<BR />// Gets list of service principals with no sign-ins in the last ten days<BR />AADSpnSignInEventsBeta<BR />| where Timestamp &gt; ago(30d)<BR />| where ErrorCode == 0<BR />| summarize LastSignIn = max(Timestamp) by ServicePrincipalId<BR />| where LastSignIn &lt; ago(10d)<BR />| order by LastSignIn desc</PRE> <P>&nbsp;</P> <P><U>Note:</U> Customers who can access Microsoft 365 Defender through the Azure Security Center’s integrated Microsoft Defender for Endpoint solution, but do not have licenses for any of Microsoft Defender for Office 365, Microsoft Defender for Identity, or Microsoft Cloud App Security, will not be able to view this schema.</P> Wed, 12 May 2021 05:47:48 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/hunt-for-azure-active-directory-sign-in-events/ba-p/2040278 Tali Ash 2021-05-12T05:47:48Z Get email notifications on new incidents from Microsoft 365 
Defender https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/get-email-notifications-on-new-incidents-from-microsoft-365/ba-p/2012518 <P>A new Microsoft 365 Defender feature now lets you receive notification emails directly in your mailbox for each new incident or incident update, which helps you stay on top of the incident queue.</P> <P>Get notifications based on incident severity or by device group. You can also choose to be notified only on the first update for each incident.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2020-12-23 165410.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/242519iA002C63711C7E974/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2020-12-23 165410.png" alt="Screenshot 2020-12-23 165410.png" /></span></P> <P>&nbsp;</P> <P>The notification email contains important details like the incident name, severity, and category.</P> <P>&nbsp;</P> <P>This notification email enables you to review your incidents effectively, without requiring any trouble ticketing system or API integrations. It can be a big help in transitioning your security operations processes and leveraging the great efficiency improvements provided through the incident's alert correlation capabilities.</P> <P>&nbsp;</P> <P>Once you get the notification, you can go directly to the incident and start your investigation right away. For more information on investigating incidents, see <A href="#" target="_blank">Investigate incidents in Microsoft 365 Defender</A>.</P> <P>&nbsp;</P> <P>If you are looking for more information on how to set up incident email notifications in Microsoft 365 Defender, <A href="#" target="_self">see the full instructions</A>.</P> <P>&nbsp;</P> Wed, 23 Dec 2020 15:01:21 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/get-email-notifications-on-new-incidents-from-microsoft-365/ba-p/2012518 Idan_Pelleg 2020-12-23T15:01:21Z Advanced hunting product name changes https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/advanced-hunting-product-name-changes/ba-p/2009233 <P>As announced at Ignite, we have updated our Microsoft 365 threat detection portfolio. We have made the following branding changes to align these solutions:</P> <UL> <LI>Microsoft 365 Defender (previously Microsoft Threat Protection)</LI> <LI>Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection)</LI> <LI>Microsoft Defender for Office 365 (previously Office 365 Advanced Threat Protection)</LI> <LI>Microsoft Defender for Identity (previously Azure Advanced Threat Protection)</LI> </UL> <P>&nbsp;</P> <P>With this change, values in the <A href="#" target="_blank" rel="noopener"><STRONG>AlertInfo</STRONG></A> and <A href="#" target="_blank" rel="noopener"><STRONG>AlertEvidence</STRONG></A> tables in the advanced hunting schema for Microsoft 365 Defender will also need to change. 
On Jan 25, 2021 we will update the values in the <STRONG>ServiceSource</STRONG> and <STRONG>DetectionSource</STRONG> columns as shown in the tables below.</P> <P>&nbsp;</P> <P><STRONG>ServiceSource values</STRONG></P> <P><STRONG>&nbsp;</STRONG></P> <TABLE> <TBODY> <TR> <TD width="199"> <P><STRONG>Old value</STRONG></P> </TD> <TD width="191"> <P><STRONG>New value</STRONG></P> </TD> </TR> <TR> <TD width="199"> <P>Microsoft Defender ATP</P> </TD> <TD width="191"> <P>Microsoft Defender for Endpoint</P> </TD> </TR> <TR> <TD width="199"> <P>Microsoft Cloud App Security</P> </TD> <TD width="191"> <P>Microsoft Cloud App Security</P> </TD> </TR> <TR> <TD width="199"> <P>Microsoft Threat Protection</P> </TD> <TD width="191"> <P>Microsoft 365 Defender</P> </TD> </TR> <TR> <TD width="199"> <P>Office 365 ATP</P> </TD> <TD width="191"> <P>Microsoft Defender for Office 365</P> </TD> </TR> <TR> <TD width="199"> <P>Azure ATP</P> </TD> <TD width="191"> <P>Microsoft Defender for Identity</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><STRONG>DetectionSource values</STRONG></P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD width="202"> <P><STRONG>Old value</STRONG></P> </TD> <TD width="185"> <P><STRONG>New value</STRONG></P> </TD> </TR> <TR> <TD width="202"> <P>MCAS</P> </TD> <TD width="185"> <P>Cloud App Security</P> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="202"> <P>WindowsDefenderAtp</P> </TD> <TD width="185"> <P>EDR</P> </TD> </TR> <TR> <TD width="202"> <P>WindowsDefenderAv</P> </TD> <TD width="185"> <P>Antivirus</P> </TD> </TR> <TR> <TD width="202"> <P>WindowsDefenderSmartScreen</P> </TD> <TD width="185"> <P>SmartScreen</P> </TD> </TR> <TR> <TD width="202"> <P>CustomerTI</P> </TD> <TD width="185"> <P>Custom TI</P> </TD> </TR> <TR> <TD width="202"> <P>OfficeATP</P> </TD> <TD width="185"> <P>Microsoft Defender for Office 365</P> </TD> </TR> <TR> <TD width="202"> <P>MTP</P> </TD> <TD width="185"> <P>Microsoft 365 Defender</P> </TD> </TR> <TR> <TD width="202"> <P>AzureATP</P> </TD> <TD 
width="185"> <P>Microsoft Defender for Identity</P> </TD> </TR> <TR> <TD width="202"> <P>CustomDetection</P> </TD> <TD width="185"> <P>Custom Detection</P> </TD> </TR> <TR> <TD width="202"> <P>AutomatedInvestigation</P> </TD> <TD width="185"> <P>Automated investigation</P> </TD> </TR> <TR> <TD width="202"> <P>ThreatExperts</P> </TD> <TD width="185"> <P>Microsoft Threat Experts</P> </TD> </TR> <TR> <TD width="202"> <P>3<SUP>rd</SUP> party TI</P> </TD> <TD width="185"> <P>3<SUP>rd</SUP> Party sensors</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>You’ll need to update queries that search for these values. For example:</P> <P>&nbsp;</P> <PRE>AlertInfo<BR />| where ServiceSource == "Microsoft Defender ATP"<SPAN>&nbsp;</SPAN></PRE> <P>&nbsp;</P> <P>Within 30 days of the change, you should update this query to include both new and old values. This will match both existing alerts and newly logged alerts.</P> <P>&nbsp;</P> <PRE>AlertInfo<BR />| where ServiceSource in ("Microsoft Defender ATP", "Microsoft Defender for Endpoint")</PRE> <P>&nbsp;</P> <P>Beyond 30 days of the change, you can switch to using just the new names:</P> <P>&nbsp;</P> <PRE>AlertInfo<BR />| where ServiceSource == "Microsoft Defender for Endpoint"</PRE> <P>&nbsp;</P> <P>Please make sure to update all your saved queries, custom detection rules, and queries you run using the API.</P> Tue, 22 Dec 2020 12:23:14 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/advanced-hunting-product-name-changes/ba-p/2009233 Tali Ash 2020-12-22T12:23:14Z New Threat analytics report shares the latest intelligence on recent nation-state cyber attacks https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/new-threat-analytics-report-shares-the-latest-intelligence-on/ba-p/2001095 <P>Microsoft security researchers have been investigating and responding to the recent nation-state cyber-attack involving a supply-chain compromise followed by cloud assets compromise.</P> <P>&nbsp;</P> 
<P>Microsoft 365 Defender can help you track and respond to emerging threats with <A href="#" target="_blank" rel="noopener">threat analytics</A>. Our Threat Intelligence team published a new threat analytics report shortly after the discovery of this new cyber attack. This report is being constantly updated as the investigations and analysis unfold.</P> <P>&nbsp;</P> <P>The threat analytics report includes deep-dive analysis, MITRE techniques, detection details, recommended mitigations, an updated list of indicators of compromise (IOCs), and advanced hunting queries that expand detection coverage.</P> <P>&nbsp;</P> <P>Given the high profile of this threat, we have made sure that all our customers, E5 and E3 alike, can access and use this important information.</P> <P>&nbsp;</P> <P>If you’re an E5 customer, you can use threat analytics to view your organization’s state relevant to this attack and help with the following security operation tasks:</P> <UL> <LI>Monitor related incidents and alerts</LI> <LI>Handle impacted assets</LI> <LI>Track mitigations and their status, with options to investigate further and remediate weaknesses using threat and vulnerability management.</LI> </UL> <P>&nbsp;</P> <P>For guidance on how to read the report, see <A href="#" target="_blank" rel="noopener">Understand the analyst report section in threat analytics</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TA blog.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/241556iD946F01E72D4098C/image-size/large?v=v2&amp;px=999" role="button" title="TA blog.png" alt="TA blog.png" /></span></P> <P>&nbsp;</P> <P>Read the Solorigate supply chain attack threat analytics report:</P> <UL> <LI>For unified Microsoft 365 Defender early adopters, use this link: <A href="#" target="_blank" rel="noopener">Threat Analytics - Microsoft 365 security</A></LI> <LI>For Microsoft Defender for Endpoint customers, use this link: <A href="#" target="_blank" rel="noopener">Threat overview - Microsoft Defender for Endpoint</A></LI> </UL> <P>&nbsp;</P> <P>If you’re an E3 customer, you can read similar relevant Microsoft threat intelligence data, including the updated list of IOCs, through the MSRC blog. Monitor the blog, <A href="#" target="_blank" rel="noopener">Customer Guidance on Recent Nation-State Cyber Attacks</A>, where we share the latest details as the situation unfolds.</P> <P>&nbsp;</P> Fri, 18 Dec 2020 13:15:19 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/new-threat-analytics-report-shares-the-latest-intelligence-on/ba-p/2001095 Dana_Bargury 2020-12-18T13:15:19Z Azure Active Directory audit logs now available in Advanced Hunting (public preview) https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/azure-active-directory-audit-logs-now-available-in-advanced/ba-p/1999523 <P>We are happy to announce the availability of a new data source in <A href="#" target="_blank" rel="noopener">Microsoft 365 Defender Advanced Hunting.</A></P> <P>We have just enabled streaming of <STRONG>Azure Active Directory audit logs</STRONG> into Advanced Hunting, already available for all customers in <A href="#" target="_blank" rel="noopener">public preview</A>.</P> <P>These logs provide traceability for all changes made by the various features within Azure AD. Examples of audit logs include changes made to any resources within Azure AD, such as adding or removing users, apps, groups, roles and policies.</P> <P>&nbsp;</P> <P>At the moment, the data ingestion has a dependency on MCAS, so customers that have MCAS with the <A href="#" target="_blank" rel="noopener">Office365 connector</A> connected will be able to see this data. 
Our intent is to expand availability to more Microsoft 365 Defender customers going forward.</P> <P>&nbsp;</P> <P>The new log data is available in the <A href="#" target="_blank" rel="noopener">CloudAppEvents</A> table:</P> <P>&nbsp;</P> <PRE>CloudAppEvents<BR />| where Application == "Office 365"</PRE> <P>and contains activity logs useful for investigating and finding related activities.</P> <P>We are publishing a handful of relevant queries to our <A href="#" target="_blank" rel="noopener">Git</A>&nbsp;repository, as they can assist with investigation of the recent nation-state attack.</P> <P>&nbsp;</P> <P>Here’s an example <A href="#" target="_blank" rel="noopener">query</A> that helps you see when credentials were added to an Azure AD application after 'Admin Consent' permissions were granted:</P> <P>&nbsp;</P> <PRE>// Admin-consent grants: the consent record carries the IsAdminConsent flag and the granted scopes<BR />CloudAppEvents<BR />| where Application == "Office 365"<BR />| where ActionType == "Consent to application."<BR />| where RawEventData.ModifiedProperties[0].Name == "ConsentContext.IsAdminConsent" and RawEventData.ModifiedProperties[0].NewValue == "True"<BR />| extend spnID = tostring(RawEventData.Target[3].ID)<BR />// Pull the scope list out of the free-text NewValue; parse needs a string input<BR />| parse tostring(RawEventData.ModifiedProperties[4].NewValue) with * "=&gt; [[" dummy "Scope: " After "]]" *<BR />| extend PermissionsGranted = split(After, "]", 0)<BR />| project ConsentTime = Timestamp, AccountDisplayName, spnID, PermissionsGranted<BR />// Join against credential additions on the same service principal<BR />| join (<BR />    CloudAppEvents<BR />    | where Application == "Office 365"<BR />    | where ActionType == "Add service principal credentials." or ActionType == "Update application – Certificates and secrets management "<BR />    | extend spnID = tostring(RawEventData.Target[3].ID)<BR />    | project AddSecretTime = Timestamp, AccountDisplayName, spnID<BR />) on spnID<BR />// Keep only credentials added after the consent, by a different account than the one that consented<BR />| where ConsentTime &lt; AddSecretTime and AccountDisplayName &lt;&gt; AccountDisplayName1</PRE> <P>&nbsp;</P> <P>Keep watching for our updates; we will soon publish more information and guidance on how to leverage Microsoft 365 Defender for investigations of this evolving advanced threat!</P> Thu, 17 Dec 2020 22:05:51 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/azure-active-directory-audit-logs-now-available-in-advanced/ba-p/1999523 Tali Ash 2020-12-17T22:05:51Z Additional email data in advanced hunting https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/additional-email-data-in-advanced-hunting/ba-p/1985849 <P>We’re thrilled to share new enhancements to the advanced hunting data for Office 365 in Microsoft 365 Defender. Following your feedback, we’ve added new columns and optimized existing columns to provide more email attributes you can hunt across. 
These additions are now available in public preview.</P> <P>&nbsp;</P> <P>We’ve made the following changes to the <A href="#" target="_blank" rel="noopener"><STRONG>EmailEvents</STRONG></A> and <A href="#" target="_blank" rel="noopener"><STRONG>EmailAttachmentInfo</STRONG></A> tables:</P> <UL> <LI>Detailed sender info through the following new columns:<BR /> <UL> <LI><STRONG>SenderDisplayName - </STRONG>Name of the sender displayed in the address book, typically a combination of a given or first name, a middle initial, and a last name or surname</LI> <LI><STRONG>SenderObjectId - </STRONG>Unique identifier for the sender’s account in Azure AD</LI> </UL> </LI> <LI>We’ve also optimized and organized threat detection information, replacing four separate columns for malware and phishing verdict information with three new columns that can accommodate spam and other threat types.</LI> </UL> <TABLE width="521"> <TBODY> <TR> <TD width="137"> <P><STRONG>New column</STRONG></P> </TD> <TD width="185"> <P><STRONG>Mapping to previous columns</STRONG></P> </TD> <TD width="200"> <P><STRONG>Description</STRONG></P> </TD> </TR> <TR> <TD rowspan="2" width="137"> <P>ThreatTypes</P> </TD> <TD width="185"> <P>MalwareFilterVerdict</P> </TD> <TD rowspan="2" width="200"> <P>Verdicts from the email filtering stack on whether the email contains malware, phishing, or other threats</P> </TD> </TR> <TR> <TD width="185"> <P>PhishFilterVerdict</P> </TD> </TR> <TR> <TD rowspan="2" width="137"> <P>DetectionMethods</P> </TD> <TD width="185"> <P>MalwareDetectionMethod</P> </TD> <TD rowspan="2" width="200"> <P>Technologies used to detect threats. This column will cover spam detection technologies in addition to the previous phishing and malware coverage.</P> <P>As part of this change, we have updated the set of technologies for Phish/Malware threats, as well as introduced detection tech targeted for Spam verdicts.</P> <P>(NOTE: This is available in <STRONG>EmailEvents</STRONG> only, but will eventually be added to EmailAttachmentInfo.)</P> </TD> </TR> <TR> <TD width="185"> <P>PhishDetectionMethod</P> </TD> </TR> <TR> <TD width="137"> <P>ThreatNames</P> </TD> <TD width="185"> <P>N/A - New</P> </TD> <TD width="200"> <P>JSON of the names of the malware, phishing, or other threats found in the email.</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>If you want to look for a specific threat, you can use the <STRONG>ThreatTypes</STRONG> column. These new columns will be empty if there are no threats; they will no longer be populated with values like “Null”, “Not phish”, or “Not malware”.</P> <P>&nbsp;</P> <P>Here is an example comparing the values in the old columns and the new columns:</P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD width="273"> <P><STRONG>Columns</STRONG></P> </TD> <TD width="273"> <P><STRONG>Values</STRONG></P> </TD> </TR> <TR> <TD width="273"> <P><STRONG>Old columns</STRONG></P> </TD> <TD width="273"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="273"> <P>PhishDetectionMethod</P> </TD> <TD width="273"> <P>["Anti-spoof: external domain"]</P> </TD> </TR> <TR> <TD width="273"> <P>PhishFilterVerdict</P> </TD> <TD width="273"> <P>Phish</P> </TD> </TR> <TR> <TD width="273"> <P>MalwareFilterVerdict</P> </TD> <TD width="273"> <P>Not malware</P> </TD> </TR> <TR> <TD width="273"> <P>MalwareDetectionMethod</P> </TD> <TD width="273"> <P>null</P> </TD> </TR> <TR> <TD width="273"> <P><STRONG>New columns</STRONG></P> </TD> <TD width="273"> <P>&nbsp;</P> </TD> </TR> 
<TR> <TD width="273"> <P>ThreatTypes</P> </TD> <TD width="273"> <P>Phish, Spam</P> </TD> </TR> <TR> <TD width="273"> <P>ThreatNames</P> </TD> <TD width="273"> <P>&nbsp;</P> </TD> </TR> <TR> <TD width="273"> <P>DetectionMethods</P> </TD> <TD width="273"> <P>{"Phish":["Anti-spoof: external domain"],"Spam":["DomainList"]}</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <UL> <LI><STRONG>Connectors</STRONG>—this new column in the <STRONG>EmailEvents</STRONG> table provides information about <A href="#" target="_self">custom instructions that define organizational mail flow</A>&nbsp;and how the email was routed.</LI> <LI>Additional information on <STRONG>organizational-level policies</STRONG> and <STRONG>user-level policies</STRONG> that were applied on emails during the delivery. This information can help you identify any unintentional delivery of malicious messages (or blocking of benign messages) due to configuration gaps or overrides, such as very broad Safe Sender policies. This information is provided through the following new columns: <UL> <LI><STRONG>OrgLevelAction</STRONG> - Action taken on the email in response to matches to a policy defined at the organizational level</LI> <LI><STRONG>OrgLevelPolicy</STRONG> - Organizational policy that triggered the action taken on the email</LI> <LI><STRONG>UserLevelAction</STRONG> - Action taken on the email in response to matches to a mailbox policy defined by the recipient</LI> <LI><STRONG>UserLevelPolicy&nbsp;</STRONG> - End user mailbox policy that triggered the action taken on the email</LI> </UL> </LI> </UL> <P>&nbsp;</P> <P>As always,&nbsp;we’d&nbsp;love to know what you think. 
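</P> <P>As an added example (an editor's illustration, not a query from the original post), the following advanced hunting query ties several of the new columns together: it pulls messages that carried a phishing or malware verdict in <STRONG>ThreatTypes</STRONG> but were still delivered, expands the per-threat <STRONG>DetectionMethods</STRONG> JSON, and groups the results by the organizational and user-level policy that acted on them, which is the configuration-gap case described above (a broad Safe Sender rule shows up as a single policy row with many messages behind it). It assumes the existing <STRONG>EmailEvents</STRONG> columns DeliveryAction, NetworkMessageId, SenderFromAddress and RecipientEmailAddress, a 7-day window, and that malware verdicts appear in ThreatTypes as the token “Malware” (the post itself only shows “Phish” and “Spam”).</P>

```kql
// Added example (not from the original post): delivered mail that carried a
// Phish or Malware verdict, grouped by the policy that acted on it.
// Assumptions: existing EmailEvents columns DeliveryAction, NetworkMessageId,
// SenderFromAddress and RecipientEmailAddress; "Malware" as a ThreatTypes token.
EmailEvents
| where Timestamp > ago(7d)
// The new columns are empty when no threat was found, so filter on presence first
| where isnotempty(ThreatTypes)
| where ThreatTypes has_any ("Phish", "Malware")
// Only mail that reached a mailbox matters for the override question
| where DeliveryAction == "Delivered"
// DetectionMethods is a JSON object keyed by threat type, e.g.
// {"Phish":["Anti-spoof: external domain"],"Spam":["DomainList"]}
| extend Methods = parse_json(DetectionMethods)
| extend PhishMethods = tostring(Methods.Phish), MalwareMethods = tostring(Methods.Malware)
// One row per (verdict, detection technology, policy) combination:
// a single broad org- or user-level override surfaces as one row with a high count
| summarize Messages = count(),
            Recipients = dcount(RecipientEmailAddress),
            Senders = make_set(SenderFromAddress, 20),
            SampleMessageId = take_any(NetworkMessageId)
          by ThreatTypes, PhishMethods, MalwareMethods,
             OrgLevelAction, OrgLevelPolicy, UserLevelAction, UserLevelPolicy, Connectors
| order by Messages desc
```

<P>Rows where <STRONG>OrgLevelPolicy</STRONG> or <STRONG>UserLevelPolicy</STRONG> is populated name the policy that acted on the delivered message and are the candidates for a configuration review; rows with both policy columns empty point to a filtering gap rather than an override, and the SampleMessageId column gives you one message to pivot on in Explorer.</P> <P>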
Leave us feedback&nbsp;directly&nbsp;on Microsoft 365 security center or&nbsp;contact us at&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=mailto:AHfeedback@microsoft.com" target="_blank" rel="noopener">AHfeedback@microsoft.com</A><U>.</U>&nbsp;</P> Mon, 14 Dec 2020 16:32:57 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/additional-email-data-in-advanced-hunting/ba-p/1985849 Tali Ash 2020-12-14T16:32:57Z Microsoft Defender for Office 365 investigation improvements coming soon https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-defender-for-office-365-investigation-improvements/ba-p/1947236 <P>For those of you using Microsoft Defender for Office 365 automated investigations, we have several new investigation improvements rolling out this month to improve your experience in the security center.&nbsp; These new features improve the clarity of Office 365 investigations, as well as improve Defender for Office 365 integration with SecOps tools in the security center.</P> <P>&nbsp;</P> <UL> <LI><STRONG>Manually triggered investigations</STRONG> – Office 365 has supported investigations <A href="#" target="_blank" rel="noopener">triggered manually by security administrators</A> from Explorer since the Office 365 automated investigation features were released.&nbsp; This capability allows security teams to trigger ‘email investigations’ to see if anything in an email is bad, identify any unusual Office 365 behaviors for the recipient, and queue remediation actions for anything malicious or suspicious.&nbsp; With the addition of <A href="#" target="_blank" rel="noopener">a new alert</A> for admin-triggered email investigations from explorer, SecOps teams can now see alert notifications for these investigations in their alert queues – as well as view these investigations in the <A href="#" target="_blank" rel="noopener">Microsoft 365 security center</A>.&nbsp; The alert and investigations from these admin-triggered 
email investigations will be <A href="#" target="_blank" rel="noopener">correlated in incidents</A>, which further expands the signal provided by the admin action to show the full relevant scope of the suspected attack or malicious activity.&nbsp; In addition, this enables use of other Microsoft 365 Defender capabilities for these investigations, including the <A href="#" target="_blank" rel="noopener">unified investigation page</A>, the display of investigation actions in <A href="#" target="_blank" rel="noopener">action center</A>, and the <A href="#" target="_blank" rel="noopener">alerts/entities</A> within <A href="#" target="_blank" rel="noopener">advanced hunting</A>.</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="johnengels_3-1606886736792.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/237181iCB9748369CEC43C0/image-size/large?v=v2&amp;px=999" role="button" title="johnengels_3-1606886736792.png" alt="johnengels_3-1606886736792.png" /></span></P> <P>&nbsp;</P> <UL> <LI>Mailbox configuration entities – Defender for Office 365 identifies suspicious configurations like external forwarding rules and suspicious delegation rules – which are key methods that attackers can setup malicious persistence in their attack on businesses. 
&nbsp;Microsoft 365 Defender incident view has shown such findings under the mailbox tab.&nbsp; Since these configuration findings will have actions to disable them, we have added a new entity type called ‘Mailbox configuration’.&nbsp; These new entities help you clearly see these suspicious mailbox configuration findings in the <A href="#" target="_blank" rel="noopener">incident and investigation evidence</A> tabs, so that you can more easily review the suspicious mailbox configurations associated with the pending actions.</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="johnengels_4-1606886736821.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/237182i5367EDB6273DA6FA/image-size/large?v=v2&amp;px=999" role="button" title="johnengels_4-1606886736821.png" alt="johnengels_4-1606886736821.png" /></span></P> <P>&nbsp;</P> <UL> <LI><STRONG>Outbound email clusters for user compromise investigations</STRONG> – Microsoft Defender for Office 365’s user compromise investigations analyze users in scenarios where the user has been blocked for sending out too many suspicious or malicious emails.&nbsp; To extend these investigations and provide a better understanding of the potential impact of compromised mailboxes, we have added <A href="#" target="_blank" rel="noopener">new email clusters</A> to show recent email being sent from the mailbox.&nbsp; The three new email clusters show the ‘suspicious’ spam email, the ‘malicious’ malware/phish email, and the ‘clean’ email sent from the account in the last week.&nbsp; This information aids security operations teams in assessing: <UL> <LI>Whether the mailbox account was compromised</LI> <LI>What problems may have been created through malicious/suspicious use of the account</LI> <LI>Whether there was any potential data exfiltration through email</LI> <LI>Which outbound emails are legitimate (differentiate good email use from 
abuse/misuse)</LI> </UL> </LI> </UL> <P>These new email clusters will augment the existing email clusters in the user compromise investigation, which find emails similar to the malicious/suspicious messages that triggered the compromise-related mailbox alerts.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="johnengels_6-1606887175023.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/237184i719FE86B1DC6907E/image-size/large?v=v2&amp;px=999" role="button" title="johnengels_6-1606887175023.png" alt="johnengels_6-1606887175023.png" /></span></P> <UL> <LI><STRONG>Deprecation of block URL investigation action</STRONG> – We are removing the redundant ‘block URL’ action from our current investigations.&nbsp; In these current investigations, this action appears when the investigation finds a malicious URL.&nbsp; Since the Office 365 protection stack already blocks the URL at the time of delivery and on Safe Links protected clicks, the investigation action is no longer needed.&nbsp; Admin remediation actions for false positives and false negatives will be available in the future from advanced hunting and Explorer.</LI> </UL> <P>&nbsp;</P> <P>There is no impact to your current incident and automated investigation use.&nbsp; These new features add new fields you can use to find items more easily.&nbsp; The main thing to note is that the new manually triggered email investigation alert will be seen in the security center, will generate alert email notifications, and will be available alongside other alerts in the Office 365 Management Activity API.</P> Wed, 02 Dec 2020 05:37:28 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-defender-for-office-365-investigation-improvements/ba-p/1947236 johnengels 2020-12-02T05:37:28Z Hunt across cloud app activities with Microsoft 365 Defender advanced hunting 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/hunt-across-cloud-app-activities-with-microsoft-365-defender/ba-p/1893857 <P>We’re&nbsp;thrilled to share that the new <STRONG>CloudAppEvents</STRONG> table is now available as a public preview in advanced hunting for Microsoft 365 Defender.</P> <P>&nbsp;</P> <P>This new advanced hunting schema table contains activities monitored by Microsoft Cloud App Security (MCAS) involving the following services:</P> <UL> <LI>Microsoft Exchange Online</LI> <LI>Microsoft Teams</LI> </UL> <P>&nbsp;</P> <P>In Microsoft 365 Defender advanced hunting, you can use Kusto Query Language (KQL) to proactively find threat activity involving these applications, including inbox rule creation, mailbox permission changes, and Teams channel updates.</P> <P>&nbsp;</P> <P>This new table includes:</P> <UL> <LI>Precise location information in these columns: <UL> <LI><STRONG>CountryCode</STRONG></LI> <LI><STRONG>City</STRONG></LI> </UL> </LI> <LI><STRONG>UserAgent</STRONG> information from web browsers or other client applications</LI> <LI><STRONG>ActivityObjects</STRONG> column listing the various objects involved in the recorded event, such as files or folders. 
This is identical to what is already displayed for each activity in Cloud App Security.</LI> </UL> <P>In early 2021,&nbsp;this table will also include activities involving the following O365 services:</P> <UL> <LI>OneDrive for Business</LI> <LI>SharePoint Online</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="CloudAppEvents.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/234042iC91FD0A40C86CAB7/image-size/large?v=v2&amp;px=999" role="button" title="CloudAppEvents.png" alt="CloudAppEvents.png" /></span></P> <H2>Replacing the AppFileEvents table</H2> <P>&nbsp;</P> <P>The <STRONG>AppFileEvents</STRONG> table, which contains file activities from these applications, will <STRONG>stop getting populated with new data</STRONG> in early 2021. Activities involving these applications, including file activities, <STRONG>will be recorded in the new CloudAppEvents table</STRONG>. 
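To show what the new CountryCode, City, UserAgent and ActivityObjects columns add to a hunt, here is an added example (not from the original post) that looks for inbox rules forwarding mail outside the organization, one of the inbox-rule scenarios mentioned above. It assumes Exchange Online inbox-rule changes surface with the cmdlet name as ActionType and that the cmdlet parameters are exposed as a Name/Value array under RawEventData.Parameters; the domain and country lists are constructed placeholders.

```kql
// Added example, not from the original post: hunt in CloudAppEvents for inbox rules
// that forward mail outside the organization (a common persistence and exfiltration
// technique), using the new CountryCode, City, UserAgent and ActivityObjects columns.
// Assumptions (not stated in the post): Exchange Online surfaces inbox-rule changes with
// the cmdlet name as ActionType, and the cmdlet parameters are exposed as a Name/Value
// array under RawEventData.Parameters.
let internalDomains = dynamic(["contoso.com"]);   // constructed placeholder: your accepted domains
let expectedCountries = dynamic(["US", "IL"]);    // constructed placeholder: where users normally work from
CloudAppEvents
| where Timestamp > ago(7d)
| where Application == "Microsoft Exchange Online"
| where ActionType in ("New-InboxRule", "Set-InboxRule")
// One row per cmdlet parameter so each forwarding target can be inspected individually
| extend Parameters = RawEventData.Parameters
| mv-expand Parameters
| where tostring(Parameters.Name) in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
| extend ForwardTarget = tostring(Parameters.Value)
// Keep only targets that do not belong to one of the organization's own domains
| where not(ForwardTarget has_any (internalDomains))
// Location and client columns are what CloudAppEvents adds over AppFileEvents:
// a rule created from an unexpected country or an unusual client deserves a closer look
| extend UnexpectedLocation = CountryCode !in (expectedCountries)
| project Timestamp, AccountDisplayName, AccountObjectId, ActionType, ForwardTarget,
          IPAddress, CountryCode, City, UnexpectedLocation, UserAgent, ActivityObjects
| order by UnexpectedLocation desc, Timestamp desc
```

Tune the two placeholder lists to your tenant before saving this as a custom detection rule.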
In addition to this change, SMB file copy activity (action type: <EM>SmbFileCopy</EM>) from Microsoft Defender for Identity currently stored in the AppFileEvents table will be moved to the IdentityDirectoryEvents table.</P> <P>&nbsp;</P> <P>If you have any saved queries, custom detection rules, or queries running through the API that use the AppFileEvents table, <STRONG>please make sure to edit them to work with the CloudAppEvents table</STRONG>.</P> <P>&nbsp;</P> <P>For example, here is a query that checks the AppFileEvents table:</P> <P>&nbsp;</P> <PRE>AppFileEvents<BR />| where ActionType == "FileUploaded" and Application == "Microsoft SharePoint Online"<BR />| where FileName endswith ".xlsx"<BR />| project Timestamp, ActionType, Application, FileName, FolderPath, AccountObjectId, AccountDisplayName, IPAddress, Location<BR />| take 50</PRE> <P>&nbsp;</P> <P>You can edit it to use the CloudAppEvents table like so:</P> <P>&nbsp;</P> <PRE>CloudAppEvents<BR />| where ActionType == "FileUploaded" and Application == "Microsoft SharePoint Online"<BR />| where ObjectType == "File" and ObjectName endswith ".xlsx"<BR />| project Timestamp, ActionType, Application, ObjectName, AccountObjectId, AccountDisplayName, IPAddress, CountryCode<BR />| take 50</PRE> <P>&nbsp;</P> <H2>Sample queries with CloudAppEvents</H2> <P>&nbsp;</P> <P>Here are some sample queries that might help you understand how to use this new table:</P> <P>&nbsp;</P> <PRE>//Activities from a specific app<BR />CloudAppEvents<BR />| where Application == "Microsoft SharePoint Online"<BR />| take 100</PRE> <P>&nbsp;</P> <PRE>//Activities made by a specific user, the user is the "actor"<BR />let user = "&lt;user name&gt;";<BR />CloudAppEvents<BR />| where AccountDisplayName == user<BR />| take 100</PRE> <P>&nbsp;</P> <PRE>//Activities involving a specific user, the user has any role, not "actor" only<BR />let 
user = "&lt;user name&gt;";<BR />CloudAppEvents<BR />| where ActivityObjects has user<BR />| take 100</PRE> <P>&nbsp;</P> <PRE>//Activities on a specific file<BR />let fileName = "&lt;file name&gt;";<BR />CloudAppEvents<BR />| where ObjectType == "File" and ObjectName == fileName<BR />| take 100</PRE> <P>&nbsp;</P> <PRE>//Activities from a specific IP address<BR />CloudAppEvents<BR />| where IPAddress == "&lt;IP&gt;"<BR />| take 100</PRE> <P>&nbsp;</P> <PRE>//Activities from a specific user agent<BR />CloudAppEvents<BR />| where UserAgent == "&lt;user agent&gt;"<BR />| take 100</PRE> <P>&nbsp;</P> <P>As always,&nbsp;we’d&nbsp;love to know what you think. Leave us feedback&nbsp;directly&nbsp;on Microsoft 365 security center or&nbsp;contact us at&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=mailto:AHfeedback@microsoft.com" target="_blank" rel="noopener">AHfeedback@microsoft.com</A>.&nbsp;</P> <P>&nbsp;</P> <P>Stay safe and happy&nbsp;hunting!&nbsp;</P> <P>&nbsp;</P> Thu, 19 Nov 2020 06:47:01 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/hunt-across-cloud-app-activities-with-microsoft-365-defender/ba-p/1893857 Tali Ash 2020-11-19T06:47:01Z Microsoft 365 Defender connector now in Public Preview for Azure Sentinel https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-365-defender-connector-now-in-public-preview-for-azure/ba-p/1879675 <P>We’re very pleased to announce that the public preview of the new Microsoft 365 Defender connector is now available, alongside&nbsp;<A href="#" target="_blank">a&nbsp;new Azure Sentinel benefit for Microsoft 365 E5 customers</A>!</P> <P>&nbsp;</P> <P>The Microsoft 365 Defender connector lets you stream advanced hunting logs—a type of raw event data—from Microsoft 365 Defender into Azure Sentinel.</P> <P>&nbsp;</P> <P><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SentinelConnector.png" style="width: 936px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/233122i14B23C00CB5D800E/image-size/large?v=v2&amp;px=999" role="button" title="SentinelConnector.png" alt="SentinelConnector.png" /></span></P> <P>&nbsp;</P> <P>To learn more about the new Microsoft 365 Defender connector, how to enable it, and the benefit for Microsoft 365 E5 customers, read our latest blog: <A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-microsoft-365-defender-connector-now-in-public/ba-p/1865651" target="_blank">What’s new: Microsoft 365 Defender connector now in Public Preview for Azure Sentinel - Microsoft Tech Community</A></P> Thu, 12 Nov 2020 09:34:05 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-365-defender-connector-now-in-public-preview-for-azure/ba-p/1879675 Tali Ash 2020-11-12T09:34:05Z Improved incident queue in Microsoft 365 Defender https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/improved-incident-queue-in-microsoft-365-defender/ba-p/1872084 <P><SPAN>If you enjoyed working on alerts in the alert queue of Microsoft 365 Defender or Microsoft Defender for Endpoint, we are excited to tell you that we have expanded the features of our incident queue. 
Now you can benefit from the sophisticated incident correlation logic of the incident queue without losing the capabilities you had in the alert queue.</SPAN></P> <P>&nbsp;</P> <P>This includes:</P> <UL> <LI><STRONG>Nested list of alerts grouped by incident<BR /></STRONG>Enables you to quickly view which alerts make up each incident and easily drill down to each alert</LI> <LI><STRONG>Extended list of filters<BR /></STRONG>Improves your ability to analyze incidents using more types of filters, including investigation state, device groups, OS platforms, and more</LI> <LI><STRONG>Full alignment with the Microsoft Defender for Endpoint alert queue</STRONG></LI> </UL> <P>&nbsp;</P> <P>The new and improved incident queue now includes all the related alerts within the same queue. This means that right from the incident queue you can view all the associated alerts and open them directly. We also added more valuable columns, such as investigation status and device groups, and filtering capabilities that apply to incidents based on any of the alerts’ attributes, including investigation state, alert status, classification, and more.</P> <P>&nbsp;</P> <P><SPAN>This capability can help you quickly assess, narrow down, and prioritize among incidents. 
For example, you can filter the incidents by device group to immediately see if sensitive devices have been affected--and spend your first few hours of the day analyzing those.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="123.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/232622i86371F45F8E1DF72/image-size/large?v=v2&amp;px=999" role="button" title="123.png" alt="123.png" /></span></P> <P>&nbsp;</P> Tue, 10 Nov 2020 14:54:40 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/improved-incident-queue-in-microsoft-365-defender/ba-p/1872084 Idan_Pelleg 2020-11-10T14:54:40Z Become a Microsoft 365 Defender Ninja https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/become-a-microsoft-365-defender-ninja/ba-p/1789376 <P>Microsoft 365 Defender, part of Microsoft’s XDR solution, leverages the Microsoft 365 security portfolio to automatically analyze threat data across domains, building a complete picture of each attack in a single dashboard. This Ninja blog covers the features and functions of Microsoft 365 Defender – everything that goes across the workloads, but not the individual workloads themselves. The content is structured into three different knowledge levels, with multiple modules: Fundamentals, Intermediate, and Expert.</P> <P>&nbsp;</P> <P>In addition, after each level, we offer you a&nbsp;<STRONG>knowledge check&nbsp;</STRONG>based on the training material you have just finished! Since there’s a lot of content, the goal of the knowledge checks is to help ensure understanding of the key concepts that were covered. 
Lastly, there’ll be a fun&nbsp;<STRONG>certificate</STRONG>&nbsp;issued at the end of the training: Disclaimer:&nbsp;<STRONG>This is not an official Microsoft certification and only acts as a way of recognizing your participation in this training content</STRONG>.</P> <P>&nbsp;</P> <P>I want to give kudos to my colleagues:&nbsp;<LI-USER uid="708110"></LI-USER>&nbsp;for letting me copy from her MCAS Ninja training,&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/user/viewprofilepage/user-id/809429" target="_blank" rel="noopener">@DanEdwards</A> for helping me automate the certificate distribution and <LI-USER uid="104809"></LI-USER>&nbsp;for helping me pull the questions together! Thank you!</P> <P>&nbsp;</P> <P>We will keep updating this training on a regular basis and highlight new resources.</P> <P>&nbsp;</P> <PRE>If you already did the training, you can focus on the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-365-defender-ninja-training-august-2021-update/ba-p/2611831" target="_blank" rel="noopener">latest updates</A>&nbsp;(August update)</PRE> <P>&nbsp;</P> <P><U><STRONG>Table of Contents</STRONG></U></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749480" target="_self"><STRONG>Security Operations Fundamentals</STRONG></A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749481" target="_self">Module 1. Technical overview </A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749482" target="_self">Module 2. Getting started</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749483" target="_self">Module 3. Investigation – Incident</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749484" target="_self">Module 4. Threat analytics</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_AH53749325" target="_self">Module 5. 
Advanced hunting</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749485" target="_self">Module 6. Self-healing</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749505" target="_self">Module 7. Community (blogs, webinars, GitHub)</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_PAR53749325" target="_self">Module 8. Partners</A></P> <P>&nbsp;</P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749486" target="_self"><STRONG>Security Operations Intermediate</STRONG></A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749487" target="_self">Module 1. Architecture</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749488" target="_self">Module 2. Investigation</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749496" target="_self">Module 3. Advanced hunting</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749497" target="_self">Module 4. Automated investigation and remediation</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749498" target="_self">Module 6. Self-healing</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749499" target="_self">Module 5. Build your own lab</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749500" target="_self">Module 7. Reporting</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_MTE53749500" target="_self">Module 8. Microsoft Threat Experts</A></P> <P>&nbsp;</P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749501" target="_self"><STRONG>Security Operations Expert</STRONG></A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749502" target="_self">Module 1. Incidents</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749503" target="_self">Module 2. Advanced hunting</A></P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_Toc53749504" target="_self">Module 3. 
APIs, custom reports, SIEM &amp; other integrations</A></P> <P>&nbsp;</P> <P>Legend:</P> <TABLE border="1"> <TBODY> <TR> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span> Product videos</P> </TD> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span> Webcast recordings</P> </TD> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TechCommunity.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205059iE2A42D8A7F13D7BC/image-dimensions/17x19?v=v2" width="17" height="19" role="button" title="TechCommunity.png" alt="TechCommunity.png" /></span> Tech Community</P> </TD> </TR> <TR> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span> Docs on Microsoft</P> </TD> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" 
height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;Blogs on Microsoft</P> </TD> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GitHub.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205065i083675CF15D6F1EF/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="GitHub.png" alt="GitHub.png" /></span>&nbsp;GitHub</P> </TD> </TR> <TR> <TD width="208.889px" height="27px"> <P>⤴ External</P> </TD> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="InteractiveGuides.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205067iF93A500E533F67FB/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="InteractiveGuides.png" alt="InteractiveGuides.png" /></span>&nbsp;Interactive guides</P> </TD> <TD width="208.889px" height="27px">&nbsp;</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <H2><A target="_blank" name="_Toc53749321"></A><A target="_blank" name="_Toc53749480"></A>Security Operations Fundamentals</H2> <H3><A target="_blank" name="_Toc53749322"></A><A target="_blank" name="_Toc53749481"></A><A target="_blank" name="_Toc45281201"></A>Module 1. 
Technical overview</H3> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Short overview “What is Microsoft 365 Defender"</A></LI> <LI><SPAN><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span></STRONG></SPAN>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/unified-experiences-across-endpoint-and-email-are-now-generally/ba-p/2278132" target="_blank" rel="noopener">Unified experiences across endpoint and email</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">New value for ​Defender for Identity</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">New value for Defender for Office 365</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 
19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">XDR announcement blog</A></LI> </UL> <H3><A target="_blank" name="_Toc45281202"></A><A target="_blank" name="_Toc53749323"></A><A target="_blank" name="_Toc53749482"></A>Module 2. Getting started</H3> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Quick tutorial to get you started</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Starting the service</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Prepare your Azure Active Directory</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" 
alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Manage access</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Provide your feedback</A></LI> </UL> <H3><A target="_blank" name="_Toc45281206"></A><A target="_blank" name="_Toc53749324"></A><A target="_blank" name="_Toc53749483"></A>Module 3. Investigation – Incident</H3> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Work with incidents</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/get-email-notifications-on-new-incidents-from-microsoft-365/ba-p/2012518" target="_blank" rel="noopener">Get email notifications on new incidents</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A 
href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/improved-incident-queue-in-microsoft-365-defender/ba-p/1872084" target="_blank" rel="noopener">Improved incident queue</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Classification of incidents &amp; alerts</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-threat-protection/see-how-consolidated-incidents-improve-soc-efficiency-through/ba-p/1557341" target="_blank" rel="noopener">See how consolidated incidents improve SOC efficiency</A></LI> <LI><A href="#" target="_blank" rel="noopener"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="InteractiveGuides.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205067iF93A500E533F67FB/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="InteractiveGuides.png" alt="InteractiveGuides.png" /></span>&nbsp;Protect your organization with Microsoft 365 Defender</A></LI> <LI><SPAN><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" 
alt="blogs.png" /></span>&nbsp;</STRONG></SPAN><A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/easily-find-anomalies-in-incidents-and-alerts/ba-p/2339243" target="_blank" rel="noopener">Incidents trend graph view</A></LI> <LI> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Responding to my first incident</A>, a tutorial and walkthrough for new-to-role analysts</P> </LI> <LI> <P><SPAN><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;</STRONG></SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/new-alert-page-for-microsoft-365-defender-incident-detections/ba-p/2350425" target="_blank" rel="noopener">Alert page for incident detections</A>&nbsp;&nbsp;</P> </LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Email Entity page</A></LI> </UL> <H3><A target="_blank" name="_Toc53749484"></A>Module 4. 
Threat Analytics</H3> <UL> <LI><SPAN><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;</STRONG></SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/launching-threat-analytics-for-microsoft-365-defender/ba-p/2232724" target="_blank" rel="noopener">Threat analytics</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Overview of Threat Analytics</A></LI> </UL> <H3><A target="_blank" name="_AH53749325"></A>Module 5. 
Advanced hunting</H3> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Quick overview &amp; a short tutorial that will get you started fast</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Learn the query language</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Understand the schema</A></LI> </UL> <H3><A target="_blank" name="_Toc53749485"></A>Module 6. 
Self-healing</H3> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">How automation works</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Learn about the various AIR capabilities</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-threat-protection/the-action-center-in-microsoft-threat-protection-your-one-stop/ba-p/1550178" target="_blank" rel="noopener">The action center</A></LI> </UL> <H3><A target="_blank" name="_Toc53749505"></A>Module 7. 
Community (blogs, webinars, GitHub)</H3> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-threat-protection/bg-p/MicrosoftThreatProtectionBlog" target="_blank" rel="noopener">Microsoft Threat Protection Blog</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TechCommunity.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205059iE2A42D8A7F13D7BC/image-dimensions/17x19?v=v2" width="17" height="19" role="button" title="TechCommunity.png" alt="TechCommunity.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Tech Community</A></LI> </UL> <H3><A target="_blank" name="_PAR53749325"></A>Module 8. 
Partner</H3> <UL> <LI><SPAN><SPAN><STRONG><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;</STRONG></SPAN></SPAN><A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/take-your-security-to-the-next-level-with-professional-security/ba-p/2528757" target="_blank" rel="noopener">Professional security services catalog</A><SPAN style="font-family: inherit; background-color: transparent;">&nbsp;</SPAN></LI> </UL> <P>&nbsp;</P> <P><FONT size="4"><STRONG>&gt; Ready for the <A href="#" target="_blank" rel="noopener">Fundamentals&nbsp;Knowledge Check</A>?&nbsp;</STRONG></FONT></P> <P>&nbsp;</P> <H2><A target="_blank" name="_Toc45281212"></A><A target="_blank" name="_Toc53749327"></A><A target="_blank" name="_Toc53749486"></A><SPAN>Security Operations Intermediate</SPAN></H2> <H3>Module 1.&nbsp;&nbsp;<A target="_blank" name="_Toc45281213"></A><A target="_blank" name="_Toc53749328"></A><A target="_blank" name="_Toc53749487"></A>Architecture</H3> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Threat Protection data security and privacy</A></LI> </UL> <H3><A target="_blank" name="_Toc45281216"></A><A target="_blank" name="_Toc53749329"></A><A target="_blank" name="_Toc53749488"></A>Module 2. 
Investigation</H3> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Correlating and consolidating attacks into incidents</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Investigate incidents</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Mapping attack chains from cloud to endpoint</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Prioritize incidents</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" 
alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Manage incidents</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-defender-for-office-365-investigation-improvements/ba-p/1947236" target="_blank" rel="noopener">Investigation improvements for Microsoft Defender for Office 365</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Report false positives/negatives</A></LI> </UL> <H3><A target="_blank" name="_Toc53749337"></A><A target="_blank" name="_Toc53749496"></A>Module 3. 
Advanced hunting</H3> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-threat-protection/microsoft-threat-protection-advanced-hunting-cheat-sheet/ba-p/1505100" target="_blank" rel="noopener">Advanced hunting cheat sheet</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-cloud-app-security-the-hunt-in-a-multi-stage-incident/ba-p/2193484" target="_blank" rel="noopener">Microsoft Cloud App Security: The Hunt in a multi-stage incident</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Hunting with Microsoft Cloud App Security data</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A 
style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-cloud-app-security-the-hunt-for-insider-risk/ba-p/2346242" target="_blank" rel="noopener">Microsoft Cloud App Security: The Hunt for Insider Risk</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/blog-series-limitless-advanced-hunting-with-azure-data-explorer/ba-p/2328705" target="_blank" rel="noopener">Limitless Advanced Hunting with Azure Data Explorer (ADX)</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Take action on advanced hunting query results</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Advanced Hunting in portal Schema Reference</A>&nbsp;</LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" 
height="18" role="button" title="docs.png" alt="docs.png" /></span> <A href="#" target="_blank" rel="noopener">DeviceFromIP() function in advanced hunting</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span> Webinar series, episode 1: KQL fundamentals (<A href="#" target="_blank" rel="noopener">MP4</A>,&nbsp;<A href="#" target="_blank" rel="noopener">YouTube</A>)</LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Advanced hunting query best practices</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/hunt-across-cloud-app-activities-with-microsoft-365-defender/ba-p/1893857" target="_blank" rel="noopener">Hunt across cloud app activities</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A 
href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/additional-email-data-in-advanced-hunting/ba-p/1985849" target="_blank" rel="noopener">Use additional email data in your hunting queries</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/azure-active-directory-audit-logs-now-available-in-advanced/ba-p/1999523" target="_blank" rel="noopener">Use Azure Active Directory audit log data in advanced hunting</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/hunt-for-azure-active-directory-sign-in-events/ba-p/2040278" target="_blank" rel="noopener">Hunt for Azure Active Directory sign-in events</A></LI> <LI><A href="#" target="_blank" rel="noopener"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GitHub.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205065i083675CF15D6F1EF/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="GitHub.png" alt="GitHub.png" /></span>&nbsp;Advanced hunting queries on GitHub</A></LI> </UL> <H3><A target="_blank" name="_Toc45281217"></A><A target="_blank" name="_Toc53749338"></A><A target="_blank" name="_Toc53749497"></A>Module 4. 
Automated investigation and remediation</H3> <UL> <LI><A href="#" target="_blank" rel="noopener"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span> Remediation actions following automated investigations</A></LI> <LI><A href="#" target="_blank" rel="noopener"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span> Approve or reject pending actions</A></LI> </UL> <H3><A target="_blank" name="_Toc53749339"></A><A target="_blank" name="_Toc53749498"></A>Module 6. Self-healing</H3> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Learn about the various AIR capabilities</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/self-healing-in-microsoft-365-defender/ba-p/1729527" target="_blank" rel="noopener">Self-healing explained based on an 
example</A><SPAN>&nbsp;</SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Configure automated investigation and response capabilities</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Approve or reject pending actions</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Report a false positive/negative to Microsoft for analysis</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-threat-protection/the-action-center-in-microsoft-threat-protection-your-one-stop/ba-p/1550178" target="_blank" rel="noopener">The action center</A></LI> </UL> <H3><A target="_blank" name="_Toc53749340"></A><A target="_blank" name="_Toc53749499"></A>Module 5. 
Build your own lab</H3> <UL> <LI><A href="#" target="_blank" rel="noopener"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span> Create a lab environment</A></LI> </UL> <H3><A target="_blank" name="_Toc53749341"></A><A target="_blank" name="_Toc53749500"></A>Module 7. Reporting</H3> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Out of the box reports</A></LI> </UL> <H3><A target="_blank" name="_Toc53749341"></A><A target="_blank" name="_MTE53749500"></A>Module 8. Microsoft Threat Experts</H3> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Threat Experts</A></LI> </UL> <P>&nbsp;</P> <P><FONT size="4"><STRONG>&gt; Ready for the <A href="#" target="_blank" rel="noopener">Intermediate Knowledge Check</A>?&nbsp;</STRONG></FONT></P> <P>&nbsp;</P> <H2><A target="_blank" name="_Toc45281222"></A><A target="_blank" name="_Toc53749342"></A><A target="_blank" name="_Toc53749501"></A>Security Operations Expert</H2> <H3><A target="_blank" name="_Toc53749343"></A><A target="_blank" name="_Toc53749502"></A>Module 1. 
Incidents</H3> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Prioritize incidents</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Manage incidents</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Report false positives/negatives</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Deep-dive attack playbooks</A> from the DART team for seasoned analysts</LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" 
/></span>&nbsp;Incident response <A href="#" target="_blank" rel="noopener">overview</A></LI> </UL> <H3><A target="_blank" name="_Toc45281226"></A><A target="_blank" name="_Toc53749344"></A><A target="_blank" name="_Toc53749503"></A>Module 2. Advanced hunting</H3> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span>&nbsp;Webinar series, episode 2: Joins (<A href="#" target="_blank" rel="noopener">MP4</A>,&nbsp;<A href="#" target="_blank" rel="noopener">YouTube</A>)</LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span>&nbsp;Webinar series, episode 3: Summarizing, pivoting, and visualizing data (<A href="#" target="_blank" rel="noopener">MP4</A>,&nbsp;<A href="#" target="_blank" rel="noopener">YouTube</A>)</LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span>&nbsp;Webinar series, episode 4: Let’s hunt!&nbsp;Applying KQL to incident tracking (<A href="#" target="_blank" rel="noopener">MP4</A>,&nbsp;<A href="#" target="_blank" rel="noopener">YouTube</A>)</LI> <LI>⤴&nbsp;<A href="#" target="_blank" rel="noopener">Pluralsight KQL training</A></LI> </UL> <H3><A target="_blank" name="_Toc53749345"></A><A target="_blank" 
name="_Toc53749504"></A>Module 3. APIs, custom reports, SIEM &amp; other integrations</H3> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/say-hello-to-the-new-microsoft-threat-protection-apis/ba-p/1669234" target="_blank" rel="noopener">Microsoft 365 Defender APIs</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/best-practices-for-leveraging-microsoft-365-defender-api-s/ba-p/2198820" target="_blank" rel="noopener">Best practices for leveraging API's - Episode Two</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/announcing-microsoft-365-defender-streaming-api-public-preview/ba-p/2410767" target="_blank" rel="noopener">Streaming API Announcement blog</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Overview of the Streaming API</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Stream Microsoft 365 Defender events</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/azure-sentinel-and-microsoft-365-defender-incident-integration/ba-p/2201959" target="_blank" rel="noopener">Azure Sentinel and Microsoft 365 Defender incident integration</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Overview Azure Sentinel integration</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Azure Sentinel integration</A></LI> </UL> <P>&nbsp;</P> <P><FONT size="4"><STRONG>&gt; Ready for the <A href="#" target="_blank" rel="noopener">Expert Knowledge Check</A>?&nbsp;</STRONG></FONT></P> <P>&nbsp;</P> <P><FONT size="4">Once you’ve finished the training and the knowledge checks, please<STRONG> <A href="#" target="_blank" rel="noopener">click here</A> to request your certificate</STRONG> (you'll see it in your inbox within 3-5 business days.</FONT></P> Mon, 09 Aug 2021 20:09:32 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/become-a-microsoft-365-defender-ninja/ba-p/1789376 Heike Ritter 2021-08-09T20:09:32Z ZeroLogon is now detected by Microsoft Defender for Identity (CVE-2020-1472 exploitation) https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/zerologon-is-now-detected-by-microsoft-defender-for-identity-cve/ba-p/1734034 <P>We know that all of you have been intrigued about the recently patched <A href="#" target="_blank" rel="noopener">CVE-2020-1472 Netlogon Elevation of Privilege Vulnerability, widely known as ZeroLogon</A>. While we strongly recommend that you deploy the latest security updates to your servers and devices, we also want to provide you with the best detection coverage possible for your domain controllers. 
Microsoft Defender for Identity (previously Azure Advanced Threat Protection), along with other <A href="#" target="_blank" rel="noopener">Microsoft 365 Defender</A> (previously Microsoft Threat Protection) solutions, detects adversaries as they try to exploit this vulnerability against your domain controllers.</P> <P>&nbsp;</P> <H2>Here’s a sneak&nbsp;peek into our detection lifecycle</H2> <P>Whenever a vulnerability or attack surface is disclosed, our research teams immediately investigate possible exploits and come up with various methods for detecting attacks. This is highlighted in our response to suspected <A href="#" target="_self">WannaCry</A> attacks and with the alert for&nbsp;<A href="#" target="_blank" rel="noopener">Suspected SMB packet manipulation</A>&nbsp;(CVE-2020-0796 exploitation). These detection methods are tested in our lab environment, and experimental detectors are deployed to Microsoft Defender for Identity to assess performance and accuracy and to find possible attacker activity.</P> <P>&nbsp;</P> <P>In the month after CVE-2020-1472 was first disclosed, interest in this detection increased rapidly, even though we did not observe <U>any activity matching exploitation of this vulnerability</U> in the initial weeks after the August security updates. It generally takes a while before a disclosed vulnerability is successfully reverse-engineered and a working exploit is built.</P> <P>&nbsp;</P> <P>This lack of activity changed on September 13, when our detectors triggered a surge in alerts. This increase in activity coincided with the publication of several proof-of-concept tools and demo exploits that leverage the vulnerability.</P> <P>&nbsp;</P> <H5 class="lia-align-center"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="1.png" style="width: 871px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/223306iC717B5CF6C2A9F9B/image-size/large?v=v2&amp;px=999" role="button" title="1.png" alt="1.png" /></span><EM><STRONG>Figure 1 – Orgs with ZeroLogon exploitation attempts by red teams and real attackers starting September 13</STRONG></EM></H5> <P>&nbsp;</P> <P>Microsoft Defender for Identity detects exploitation of this vulnerability early on: it covers both the exploitation attempt itself and inspection of the Netlogon channel traffic.</P> <P>&nbsp;</P> <H5 class="lia-align-center"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/223307i16194C5450F86810/image-size/large?v=v2&amp;px=999" role="button" title="2.png" alt="2.png" /></span><STRONG>&nbsp; <EM>Figure 2 – Alert page experience</EM></STRONG></H5> <P>&nbsp;</P> <P>With this Microsoft Defender for Identity alert, you will be able to identify:</P> <UL> <LI>The device that attempted the impersonation</LI> <LI>The domain controller</LI> <LI>The targeted asset</LI> <LI>Whether the impersonation attempts were successful</LI> </UL> <P>Finally, customers using Microsoft 365 Defender (previously Microsoft Threat Protection) can take full advantage of the signals and alerts from Microsoft Defender for Identity, combined with behavioral events and detections from Microsoft Defender for Endpoint (previously Microsoft Defender Advanced Threat Protection). 
This coordinated protection enables you not just to observe Netlogon exploitation attempts over network protocols, but also to see the device process and file activity associated with the exploitation.</P> <P>&nbsp;</P> <H2>A close look at some of the earliest ZeroLogon attacks</H2> <P>ZeroLogon is a powerful vulnerability for attackers to leverage, but in a normal attack scenario it requires an initial entry vector inside the organization before it can be used against domain controllers. During initial monitoring of security signals, <A href="#" target="_self">Microsoft Threat Experts</A> observed ZeroLogon exploitation activity in multiple orgs. In many cases, it was clear that the activity originated from red teams or pen testers using automated vulnerability scanners to locate vulnerable servers. However, Microsoft researchers were also able to identify a few limited cases of real attackers jumping on the ZeroLogon train to expand their foothold in organizations that, a month after the patch became available, were still running unpatched domain controllers.</P> <P>&nbsp;</P> <H5 class="lia-align-center"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="3.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/223309iE73767DC352A2ABC/image-size/large?v=v2&amp;px=999" role="button" title="3.png" alt="3.png" /></span><EM>Figure 3 – Typical ZeroLogon exploitation activity generated by a vulnerability scanner or a red team testing domain controllers at scale</EM></H5> <P>&nbsp;</P> <P>One of the adversaries noticed by our analysts was interesting because the attacker leveraged an older SharePoint vulnerability (CVE-2019-0604) to remotely exploit unpatched servers (typically Windows Server 2008 and Windows Server 2012) and then implant a web shell to gain persistent access and code execution. Following the web shell installation, this attacker quickly deployed a Cobalt Strike-based payload and immediately started exploring the network and targeting the domain controllers it found with the ZeroLogon exploit.</P> <P>&nbsp;</P> <P>Using the @MsftSecIntel handle on Twitter, we&nbsp;<A href="#" target="_blank" rel="noopener">publicly shared some file indicators</A>&nbsp;used during the attack. We also shared the variations of the ZeroLogon exploits we detected, many of which were recompiled versions of well-known, publicly available proof-of-concept code. Microsoft Defender for Endpoint can also detect certain file-based versions of the CVE-2020-1472 exploit when they are executed on devices protected by Microsoft Defender for Endpoint.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="4.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/223312i87C9327D46BB6469/image-size/large?v=v2&amp;px=999" role="button" title="4.png" alt="4.png" /></span></P> <P>&nbsp;</P> <H2>Hunting for ZeroLogon in Microsoft 365 Defender</H2> <P>Combining signals from Microsoft Defender for Endpoint with the ZeroLogon alerts from Microsoft Defender for Identity can help assess the nature of the alert quickly. Microsoft 365 Defender automatically leverages signals from both products. It continuously tries to combine alerts and events using a variety of correlation logic based on knowledge of cause-and-effect attack flows, the MITRE ATT&amp;CK framework, and machine learning models.</P> <P>&nbsp;</P> <P>In this section, we provide an example (in the simplified form of an <A href="#" target="_blank" rel="noopener">advanced hunting query</A>) of how Microsoft 365 Defender correlation logic operates behind the scenes to combine alerts, reducing SOC fatigue and facilitating investigation.</P> <P>&nbsp;</P> <P>The following Microsoft 365 Defender advanced hunting queries identify process and network connection details from the source device suspected to have launched the Netlogon exploit.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="5.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/223313iD40CE5B43CCA5C09/image-size/large?v=v2&amp;px=999" role="button" title="5.png" alt="5.png" /></span></P> <P>First, we gather the relevant details on recent Netlogon exploit attempts from Microsoft Defender for Identity alerts. 
This will help populate the AlertId for the second query.</P> <P>&nbsp;</P> <LI-CODE lang="ruby">// Find all Netlogon exploit attempt alerts containing source devices
let queryWindow = 3d;
AlertInfo
| where Timestamp &gt; ago(queryWindow)
// ServiceSource value at the time of writing; newer schemas report the renamed product as "Microsoft Defender for Identity"
| where ServiceSource == "Azure ATP"
| where Title == "Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)"
| join (
    AlertEvidence
    | where Timestamp &gt; ago(queryWindow)
    | where EntityType == "Machine"
    | where EvidenceDirection == "Source"
    | where isnotempty(DeviceId)
) on AlertId
| summarize by AlertId, DeviceId, Timestamp</LI-CODE> <P>&nbsp;</P> <P>Next, populate one AlertId from the prior query into NLAlertId in the next query to hunt for the likely process that launched the exploit and its network connection to the domain controller:</P> <P>&nbsp;</P> <LI-CODE lang="ruby">// Find potential endpoint Netlogon exploit evidence from AlertId
let NLAlertId = "insert alert ID here";
let lookAhead = 1m;
let lookBehind = 6m;
// Source machine(s) named in the alert, with the earliest evidence timestamp per machine
let NLEvidence = AlertEvidence
| where AlertId == NLAlertId
| where EntityType == "Machine"
| where EvidenceDirection == "Source"
| where isnotempty(DeviceId)
| summarize Timestamp=arg_min(Timestamp, *) by DeviceId;
let sourceMachine = NLEvidence | distinct DeviceId;
// toscalar() takes the first timestamp if the alert names more than one source machine
let alertTime = todatetime(toscalar(NLEvidence | distinct Timestamp));
// Connections from the source machine around the alert time to the RPC endpoint mapper (135)
// and the dynamic RPC ports Netlogon was observed on; widen the range if your DCs use other ports
DeviceNetworkEvents
| where Timestamp between ((alertTime - lookBehind) .. (alertTime + lookAhead))
| where DeviceId in (sourceMachine)
| where RemotePort == 135 or RemotePort between (49670 .. 49680)
| summarize (Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid)=arg_min(ReportId, Timestamp, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountSid), TargetDevicePorts=make_set(RemotePort) by DeviceId, DeviceName, RemoteIP, RemoteUrl
| project-rename SourceComputerName=DeviceName, SourceDeviceId=DeviceId, TargetDeviceIP=RemoteIP, TargetComputerName=RemoteUrl</LI-CODE> <P>&nbsp;</P> <P>This query can return a result that looks like this:</P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD width="249"> <P>SourceDeviceId</P> </TD> <TD width="375"> <P>&lt;DeviceId&gt;</P> </TD> </TR> <TR> <TD width="249"> <P>SourceComputerName</P> </TD> <TD width="375"> <P>CLIENT1.test.local</P> </TD> </TR> <TR> <TD width="249"> <P>TargetDeviceIP</P> </TD> <TD width="375"> <P>10.0.0.1</P> </TD> </TR> <TR> <TD width="249"> <P>TargetDevicePorts</P> </TD> <TD width="375"> <P>[135, 49670]</P> </TD> </TR> <TR> <TD width="249"> <P>TargetComputerName</P> </TD> <TD width="375"> <P>DC1.test.local</P> </TD> </TR> <TR> <TD width="249"> <P>Timestamp</P> </TD> <TD width="375"> <P>2020-09-21 17:02:41</P> </TD> </TR> <TR> <TD width="249"> <P>InitiatingProcessFileName</P> </TD> <TD width="375"> <P>python.exe</P> </TD> </TR> <TR> <TD width="249"> <P>InitiatingProcessCommandLine</P> </TD> <TD width="375"> <P>python.exe “C:\Users\CLIENT1\Documents\zerologon_tester.py”</P> </TD> </TR> <TR> <TD width="249"> <P>InitiatingProcessAccountSid</P> </TD> <TD width="375"> <P>&lt;UserSid&gt;</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>Tying Microsoft Defender for Endpoint data together with the original Microsoft Defender for Identity alert can give a clearer picture of what happened on the device suspected of launching the exploit. 
This could save SOC analysts time when investigating alerts, because the relevant details are there to determine whether it was caused by a curious researcher or by an actual attack.</P> <P>&nbsp;</P> <H2>Defend against ZeroLogon</H2> <P><EM>As always, it’s important to keep your assets up to date with </EM><A href="#" target="_blank" rel="noopener"><EM>the latest security updates</EM></A><EM>.</EM></P> <P>Learn more about the <A href="#" target="_blank" rel="noopener">alert</A>.</P> <P>&nbsp;</P> <P>Also, feel free to review&nbsp;<A href="#" target="_blank" rel="noopener">our guidance</A>&nbsp;on managing the changes in Netlogon secure channel connections and how you can protect against this vulnerability. Keep in mind that the August 2020 update is the initial deployment phase: it still allows vulnerable Netlogon secure channel connections from non-compliant devices unless enforcement mode is enabled, so review the events it logs on your domain controllers and plan for the enforcement phase.</P> <P>&nbsp;</P> <P>Customers with Microsoft Defender for Endpoint can get additional guidance from <A href="#" target="_blank" rel="noopener">the threat analytics article</A> available in Microsoft Defender Security Center.</P> <P>&nbsp;</P> <H2>Get started today</H2> <P>Are you just starting your Microsoft Defender for Identity journey? 
Begin a trial of&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft 365 Defender</A>&nbsp;to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for your organization.</P> <P>&nbsp;</P> <P>Join the&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/Azure-Advanced-Threat-Protection/bd-p/AzureAdvancedThreatProtection" target="_blank" rel="noopener">Microsoft Defender for Identity community</A>&nbsp;for the latest updates and news about Identity Security Posture Management assessments, detections and other updates.</P> Thu, 01 Oct 2020 23:24:08 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/zerologon-is-now-detected-by-microsoft-defender-for-identity-cve/ba-p/1734034 Daniel Naim 2020-10-01T23:24:08Z Self-healing in Microsoft 365 Defender https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/self-healing-in-microsoft-365-defender/ba-p/1729527 <P>Microsoft security workloads, such as Microsoft Defender for Endpoint and Microsoft Defender for Office 365, have automated investigation and remediation capabilities that include self-healing of your organization’s <A href="#" target="_blank" rel="noopener">devices</A> and <A href="#" target="_blank" rel="noopener">mailboxes</A>. However, modern threats usually span several security workloads. For example, an attack can start with a malicious document in Office 365, continue by compromising a device when the targeted user opens the document, and proceed through lateral movement, attempting to compromise other devices and user accounts in the organization. In such cases, the capabilities of an individual workload are not enough. You need an infrastructure with playbooks that investigate and remediate threats across workloads. 
This is where self-healing through <A href="#" target="_blank" rel="noopener">automated investigation and response capabilities</A> in Microsoft 365 Defender comes into play.</P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Microsoft 365 Defender</STRONG></FONT></P> <P><A href="#" target="_blank" rel="noopener">Microsoft 365 Defender</A> stops attacks across Microsoft 365 services and auto-heals affected assets. As threats become more complex and persistent, alerts multiply and security teams are overwhelmed. Microsoft 365 Defender leverages the Microsoft 365 security portfolio to automatically analyze threat data across endpoints, identities, apps and cloud apps, email and docs, building a complete picture of each attack in a single dashboard. With this breadth and depth of visibility, defenders can focus on the critical threats and on hunting across their data with their unique organizational expertise, trusting that Microsoft 365 Defender’s automation detects and stops attacks anywhere in the kill chain and returns the organization to a secure state.</P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>How does self-healing work?</STRONG></FONT></P> <P>Self-healing is an integral part of <A href="#" target="_blank" rel="noopener">Microsoft</A> 365 Defender that automatically investigates and remediates potentially compromised assets—identities, mailboxes, and devices—by orchestrating signals and remediation actions across workloads.</P> <P>Currently, self-healing in <A href="#" target="_blank" rel="noopener">Microsoft 365</A> Defender provides the following capabilities:</P> <UL> <LI>A zero-hour auto-purge (ZAP) malware playbook that orchestrates investigation and cleanup of impacted mailboxes and devices as soon as malware is detected after delivery.</LI> <LI>Automated investigation and remediation of potentially compromised devices, triggered by <A href="#" target="_blank" rel="noopener">Microsoft Defender for Identity alerts</A>.</LI> <LI>The <A href="#" target="_blank" rel="noopener">Action center</A>, a single-pane-of-glass experience for reviewing and approving pending actions, plus an audit log across security workloads.</LI> </UL> <P><FONT size="5"><STRONG>Example: Emotet threat</STRONG></FONT></P> <P>Let’s see the ZAP malware playbook in action on an Emotet threat.</P> <P>Emotet has evolved from a banking trojan into a downloader; it has recently been observed introducing Trickbot onto infected systems. The most common attack kill chain for Emotet looks like this:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Emotet.jpg" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/223075iAED64AC1E55AAF4F/image-size/large?v=v2&amp;px=999" role="button" title="Emotet.jpg" alt="Emotet.jpg" /></span></P> <P>&nbsp;</P> <P>Emotet uses a malicious document with macro code as its delivery mechanism. Once the document is opened and the macro runs, a PowerShell script downloads additional modules to the device. The malicious document is usually crafted to target specific users and is highly polymorphic. Within a few minutes, Microsoft Defender for Office 365 can detect the document as malicious, block the file from being delivered to other mailboxes in the organization, and trigger the automated investigation and response playbook that removes all email messages carrying the malicious file (ZAP).</P> <P>The ZAP signal is also sent to Microsoft 365 Defender, and the ZAP malware playbook initiates.</P> <P>The playbook identifies the devices that received the malicious document (as reported by Microsoft Defender for Office 365) and quarantines the document on them. In addition, Microsoft 365 Defender triggers a suspicious host investigation playbook to clean up additional malware from users’ devices and ensure that no more threats remain. 
Remediation actions across both mailboxes and endpoints are tracked in the Action center, and are listed on the <A href="#" target="_blank" rel="noopener">Pending actions</A> or History tabs, based on your tenant configuration.</P> <P>&nbsp;</P> <P>Speaking of configuration, we recommend <A href="#" target="_blank" rel="noopener">configuring Microsoft Defender for Endpoint for full automation</A>. That can help ensure automatic cleanup and self-healing from malware on infected devices.</P> <H1>Want to learn more?</H1> <P>&nbsp;</P> <P>See the following resources:</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Microsoft 365 Defender</A></LI> <LI><A href="#" target="_blank" rel="noopener">Create a Microsoft 365 Defender trial lab environment</A></LI> <LI><A href="#" target="_blank" rel="noopener">Automated investigation and response capabilities in Microsoft 365 Defender</A></LI> </UL> <P>&nbsp;</P> <P>Let us know what you think! Feel free to leave us a comment.</P> <P>&nbsp;</P> <P>Microsoft 365 Defender team</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 30 Sep 2020 15:40:58 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/self-healing-in-microsoft-365-defender/ba-p/1729527 Evald Markinzon 2020-09-30T15:40:58Z Say hello to the new Microsoft Threat Protection APIs! 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/say-hello-to-the-new-microsoft-threat-protection-apis/ba-p/1669234 <P>A typical enterprise environment often requires customers to augment security solutions by building their own custom automation logic to automate procedures, integrate data, and orchestrate actions, so that security teams can operate effectively and respond to threats.</P> <P>Today we are announcing public preview for three exciting enhancements:</P> <UL> <LI>Microsoft Threat Protection Incident and Hunting APIs</LI> <LI>New Microsoft Threat Protection SIEM connectors for Splunk Enterprise and Micro Focus ArcSight</LI> <LI>Microsoft Threat Protection alerts will be available soon via the Microsoft Graph Security API</LI> </UL> <P aria-level="2">With these three additions, Microsoft Threat Protection is now an integration-ready platform!<BR />Let’s have a closer look at the new capabilities:</P> <P><STRONG>Microsoft Threat Protection API model</STRONG></P> <P>Microsoft Threat Protection, like Microsoft Defender ATP, offers a layered API model that exposes data and capabilities in a structured, clear and easy-to-use way. It is exposed through the standard Azure Active Directory (AAD) authentication and authorization model and allows access in the context of users or of SaaS applications.</P> <P>The top-level Microsoft Threat Protection APIs let you automate workflows based on the shared incident and advanced hunting tables:</P> <P class="lia-indent-padding-left-30px"><STRONG>The Incidents API</STRONG> - This API exposes Microsoft Threat Protection <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-threat-protection/see-how-consolidated-incidents-improve-soc-efficiency-through/ba-p/1557341" target="_blank" rel="noopener">incidents</A>, a more efficient, more comprehensive and more descriptive evolution of alerts. Incidents help security professionals focus on what's critical by ensuring that the full attack scope and the impacted assets are grouped together and surfaced in a timely manner through the incident API.</P> <UL> <LI>For more about incidents, watch <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-threat-protection/see-how-consolidated-incidents-improve-soc-efficiency-through/ba-p/1557341" target="_blank" rel="noopener">this short video</A> or read more about the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-threat-protection/see-how-consolidated-incidents-improve-soc-efficiency-through/ba-p/1557341" target="_blank" rel="noopener">logic that drives it</A></LI> </UL> <P class="lia-indent-padding-left-30px">You can pull all the alerts related to an incident and other information about them, such as severity, the entities involved in the alert, the source of the alerts (Azure ATP, Microsoft Defender ATP, Office 365 ATP) and the reason they were linked together. To learn more about the schema, see <A href="#" target="_self">Incidents API</A> and <A href="#" target="_blank" rel="noreferrer noopener">Update Incident API</A>.<BR /><BR /><STRONG>Cross-product threat hunting API</STRONG> - This API provides query-based access to the Microsoft Threat Protection raw data store, aggregated across the suite's protection products. Using the hunting API, security teams can leverage their unique organizational knowledge and expertise to hunt for signs of compromise by creating their own custom queries.</P> <UL> <LI>For more about hunting, see <A href="#" target="_blank" rel="noopener">this introduction</A> and view the <A href="#" target="_blank" rel="noopener">various available data sources</A></LI> <LI>To learn more about the schema, see <A href="#" target="_self">Advanced hunting API</A>.<SPAN 
>&nbsp;</SPAN></LI> </UL> <P aria-level="3"><STRONG>Ready to start? Let's talk authentication and authorization</STRONG></P> <P>Access to the Microsoft Threat Protection APIs is granted according to the service's users-and-permissions model: for users, single sign-on (SSO) and RBAC rules apply; for services, permissions management applies. The AAD application model covers both cases. A user’s API calls use the delegated permissions model: the call runs in the user's context, leveraging SSO, and because the user identity is used, the same RBAC rules that apply to the interactive user also apply to that user's API calls. For services, the AAD application model applies: an AAD Global Admin grants the permissions to the application, and any change to the permissions declared in the application manifest requires Global Admin consent again.<BR /><SPAN>Full control. 
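</SPAN></P> <P>As an added example (not the “Hello World” sample linked below, and not code from the Microsoft Threat Protection team), the following Python calls the advanced hunting API under the application permissions model just described: the app authenticates with its own client credentials, so every permission it uses must already be granted and admin-consented on the app registration. The token endpoint, the scope, the hunting endpoint and the Schema/Results layout of the reply are taken from the public API documentation and are assumptions of this example; the environment variable names are invented.</P>

```python
"""Query the Microsoft Threat Protection advanced hunting API as an AAD application.

Uses the application (client credentials) flow described above: the app
authenticates as itself, so every permission it needs must already be granted
and admin-consented on the app registration. Endpoint, scope and reply layout
are assumptions taken from the public API documentation, not from this page:
  token    https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
  scope    https://api.security.microsoft.com/.default
  hunting  https://api.security.microsoft.com/api/advancedhunting/run
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
API_BASE = "https://api.security.microsoft.com"
SCOPE = API_BASE + "/.default"   # ".default" = the permissions consented on the app registration


class ApiError(RuntimeError):
    """Token or hunting request rejected; the message carries the server's error body."""


def http_post_json(url, body, headers):
    """Default transport: POST bytes, parse the JSON reply, surface HTTP errors with their body."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        raise ApiError(f"HTTP {exc.code} from {url}: {exc.read().decode(errors='replace')}") from None


def get_app_token(tenant, client_id, client_secret, post=http_post_json):
    """Client-credentials grant: a bearer token for the app's own identity (no user context)."""
    form = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
        "grant_type": "client_credentials",
    }).encode()
    reply = post(TOKEN_URL.format(tenant=tenant), form,
                 {"Content-Type": "application/x-www-form-urlencoded"})
    if "access_token" not in reply:
        raise ApiError(f"token request failed: {reply}")
    return reply["access_token"]


def run_hunting_query(token, query, post=http_post_json):
    """POST a KQL query; return rows as dicts keyed by the column names the reply's Schema declares."""
    reply = post(f"{API_BASE}/api/advancedhunting/run",
                 json.dumps({"Query": query}).encode(),
                 {"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    if "Schema" not in reply or "Results" not in reply:
        raise ApiError(f"unexpected reply: {reply}")
    columns = [c["Name"] for c in reply["Schema"]]
    return [{name: row.get(name) for name in columns} for row in reply["Results"]]


# Example query: alert volume per source product and severity over the last day.
ALERTS_BY_SOURCE = "AlertInfo | where Timestamp > ago(1d) | summarize count() by ServiceSource, Severity"

if __name__ == "__main__":
    # Tenant ID, app ID and secret come from the environment (variable names are
    # invented for this example); never hard-code the client secret.
    token = get_app_token(os.environ["MTP_TENANT_ID"], os.environ["MTP_CLIENT_ID"],
                          os.environ["MTP_CLIENT_SECRET"])
    for row in run_hunting_query(token, ALERTS_BY_SOURCE):
        print(row)
```

<P>The post parameter exists so that the token and hunting calls can be exercised against a fake transport without network access. For the delegated (user) model, skip get_app_token and pass an access token obtained through an interactive sign-in to run_hunting_query instead; the RBAC rules of that user then apply to the query.</P> <P><SPAN>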
Full transparency.</SPAN></P> <P><SPAN data-contrast="none"><SPAN class="TextRun SCXW26922864 BCX0" data-contrast="auto"><SPAN class="NormalTextRun SCXW26922864 BCX0" data-ccp-parastyle="Normal (Web)">To try it out please use,&nbsp;</SPAN></SPAN><A class="Hyperlink SCXW26922864 BCX0" href="#" target="_blank" rel="noopener noreferrer"><SPAN class="TextRun Underlined SCXW26922864 BCX0" data-contrast="none"><SPAN class="NormalTextRun SCXW26922864 BCX0" data-ccp-charstyle="Hyperlink">Microsoft Threat Protection API “Hello World” </SPAN></SPAN></A><SPAN class="TextRun SCXW26922864 BCX0" data-contrast="auto"><SPAN class="NormalTextRun SCXW26922864 BCX0" data-ccp-parastyle="Normal (Web)">sample.</SPAN></SPAN><SPAN class="EOP SCXW26922864 BCX0" data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;<BR /><BR /></SPAN></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="aad.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/218399i5F9599EA9A300736/image-size/medium?v=v2&amp;px=400" role="button" title="aad.png" alt="aad.png" /></span></P> <P>&nbsp;</P> <P><STRONG><SPAN data-contrast="none">Say hello to the upcoming Microsoft Threat protection SIEM connectors!</SPAN></STRONG><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">We’re thrilled to announce our latest integration with Splunk Enterprise and&nbsp;</SPAN><SPAN data-contrast="none">Micro Focus&nbsp;</SPAN><SPAN data-contrast="none">ArcSight</SPAN><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-contrast="none">are ready for&nbsp;</SPAN><SPAN data-contrast="none">preview</SPAN><SPAN data-contrast="none">.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="-" data-font="Calibri" data-listid="12" aria-setsize="-1" 
data-aria-posinset="0" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><STRONG><SPAN data-contrast="none">Splunk Enterprise</SPAN></STRONG></A><SPAN data-contrast="none">&nbsp;partnered with Microsoft Threat Protection to develop a new add-on that allows our joint customers to easily integrate security incidents into Splunk Enterprise. Security incidents and related evidence ingested through this add-on are mapped to the Splunk Common Information Model, which allows you to easily integrate the incidents into your existing processes and dashboards.&nbsp;</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">Would you like to sign up for the preview?&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Please submit this form</SPAN></A><SPAN data-contrast="none">.</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;<BR /></SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}"><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="splunk.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/218394i8FE7B05CD0D0F6A8/image-size/medium?v=v2&amp;px=400" role="button" title="splunk.png" alt="splunk.png" /></span></SPAN></LI> <LI data-leveltext="-" data-font="Calibri" data-listid="12" aria-setsize="-1" data-aria-posinset="0" data-aria-level="1"><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}"><STRONG><A class="Hyperlink SCXW224629983 BCX0" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined SCXW224629983 BCX0" data-contrast="none">Micro Focus ArcSight</SPAN></A></STRONG><SPAN class="TextRun SCXW224629983 BCX0" data-contrast="none">&nbsp;partnered with Microsoft Threat Protection to develop a new ArcSight FlexConnector that allows our joint customers to integrate security incidents into ArcSight.&nbsp;</SPAN><BR class="SCXW224629983 BCX0" /><SPAN class="TextRun SCXW224629983 BCX0" data-contrast="none">Would you like to sign up for the preview?&nbsp;</SPAN><A class="Hyperlink SCXW224629983 BCX0" href="#" target="_blank" rel="noopener noreferrer"><SPAN class="TextRun Underlined SCXW224629983 BCX0" data-contrast="none">Please submit this form</SPAN></A><SPAN class="TextRun SCXW224629983 BCX0" data-contrast="none">.</SPAN></SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}"><BR /><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Arcsight.jpg" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/218395i7E0BA05CED17E117/image-size/medium?v=v2&amp;px=400" role="button" title="Arcsight.jpg" alt="Arcsight.jpg" /></span></SPAN></LI> </UL> <P><SPAN class="TextRun SCXW236535880 BCX0" style="font-family: inherit;" data-contrast="none">And yes, a&nbsp;</SPAN><A class="Hyperlink SCXW236535880 BCX0" style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined SCXW236535880 BCX0" data-contrast="none">Microsoft Azure Sentinel</SPAN></A><SPAN class="TextRun SCXW236535880 BCX0" style="font-family: inherit;" data-contrast="none">&nbsp;connector is also on the way, coming later this calendar year.</SPAN><SPAN>&nbsp;<BR /><BR /></SPAN><STRONG><SPAN data-contrast="none">Microsoft Threat Protection alerts via the Microsoft Graph Security API</SPAN></STRONG><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">The Microsoft Graph Security API is an intermediary service (or broker) that provides a programmatic interface for connecting multiple Microsoft security solutions. 
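
The service-side path from the authentication and authorization section above, as an added example (not the blog's "Hello World" sample): a client-credentials token request for an AAD application against the v2.0 token endpoint, the request body for the advanced hunting run endpoint, and a parser for the {Stats, Schema, Results} envelope the API returns. The two URLs are the public endpoints for this API; the tenant id, application id, secret and the sample response are placeholders and constructed data, and a real secret belongs in a vault or environment variable rather than in source.

```python
"""Call the Microsoft Threat Protection advanced hunting API as an AAD application.

Added example (not the blog's "Hello World" sample). The two URLs are the public
endpoints for this API; tenant id, app id, secret and SAMPLE_RESPONSE are
placeholders / constructed data.
"""
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
API_SCOPE = "https://api.security.microsoft.com/.default"
HUNTING_URL = "https://api.security.microsoft.com/api/advancedhunting/run"


def build_token_request(tenant_id, app_id, app_secret):
    """Client-credentials token request: the 'services' path of the post.

    No user context is involved, so the token carries only the application
    permissions a Global Admin consented to on the app registration.
    """
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": app_id,
        "client_secret": app_secret,
        "scope": API_SCOPE,
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), form


def build_hunting_request(query):
    """Body for POST .../advancedhunting/run: a JSON object with a single Query key."""
    return json.dumps({"Query": query}).encode()


def parse_hunting_response(raw):
    """Turn the API's {Stats, Schema, Results} envelope into a list of row dicts.

    Only columns declared in Schema are kept, so a row never carries fields the
    caller did not ask for; a column missing from a result comes back as None.
    """
    payload = json.loads(raw)
    columns = [col["Name"] for col in payload["Schema"]]
    return [{name: row.get(name) for name in columns} for row in payload["Results"]]


def run_query(tenant_id, app_id, app_secret, query, timeout=60):
    """Acquire a token and run one advanced hunting query (network calls; not used offline)."""
    token_url, form = build_token_request(tenant_id, app_id, app_secret)
    with urllib.request.urlopen(urllib.request.Request(token_url, data=form), timeout=timeout) as resp:
        token = json.load(resp)["access_token"]
    req = urllib.request.Request(
        HUNTING_URL,
        data=build_hunting_request(query),
        headers={"Authorization": "Bearer " + token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_hunting_response(resp.read())


# Constructed sample of what the run endpoint returns, so the parser can be
# exercised without a tenant.
SAMPLE_RESPONSE = json.dumps({
    "Stats": {"ExecutionTime": 0.1},
    "Schema": [
        {"Name": "Timestamp", "Type": "DateTime"},
        {"Name": "DeviceName", "Type": "String"},
        {"Name": "ActionType", "Type": "String"},
    ],
    "Results": [
        {"Timestamp": "2020-09-01T10:00:00Z", "DeviceName": "ws-01.example.test", "ActionType": "ProcessCreated"},
        {"Timestamp": "2020-09-01T10:05:00Z", "DeviceName": "ws-02.example.test", "ActionType": "ProcessCreated"},
    ],
}).encode()

SAMPLE_QUERY = "DeviceProcessEvents | where Timestamp > ago(1d) | take 2"

if __name__ == "__main__":
    # Offline demonstration; to query a tenant, call run_query(...) with your own ids.
    for row in parse_hunting_response(SAMPLE_RESPONSE):
        print(row["Timestamp"], row["DeviceName"], row["ActionType"])
```

The user (delegated) path the post describes uses a different OAuth grant in the user's context, so its effective permissions are the user's own RBAC scope; the service path above only ever gets what a Global Admin consented to on the app registration, which is why a change to the manifest's requested permissions needs fresh consent.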
Microsoft Threat Protection alerts and custom detections created by the customer will be surfaced under the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>Microsoft Graph Security&nbsp;Alert&nbsp;API</SPAN></A>&nbsp;in the coming weeks<SPAN data-contrast="none">.</SPAN></P> <P>&nbsp;</P> <P><STRONG><SPAN data-contrast="none">And there’s more coming soon</SPAN></STRONG><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">We will be exposing calculated or ‘profiled’ Microsoft Threat Protection entities (for example, device, user, email and file) and an additional set of response actions. The pattern for using other capabilities or entities will be similar.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">In addition, we are working to expose an event streaming interface that lets customers flow event data to external storage, correlate it with additional data sources, perform custom analytics, and more.</SPAN><SPAN>&nbsp;<BR /></SPAN></P> <P><SPAN data-contrast="none">We will gradually expand the set of APIs and our ecosystem to fulfill the needs of security operations teams, enabling interoperability with enterprise security applications and automation.</SPAN><SPAN>&nbsp;<BR /></SPAN><SPAN data-contrast="none">As always, your feedback is welcome!</SPAN></P> <P>&nbsp;</P> <P><STRONG><SPAN data-contrast="none">Additional reading and references</SPAN></STRONG></P> <TABLE data-tablestyle="MsoTableGrid" data-tablelook="1184"> <TBODY> <TR> <TD width="561.667px" height="29px" data-celllook="0"> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft Threat Protection API “Hello World”</SPAN></A></P> </TD> </TR> <TR> <TD width="561.667px" height="29px" data-celllook="0"> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft Threat Protection API Documentation</SPAN></A></P> </TD> </TR> <TR> <TD width="561.667px" height="29px" data-celllook="0"> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft Threat Protection Jupyter notebooks - MVP blog by Maarten Goet</SPAN></A></P> </TD> </TR> <TR> <TD width="561.667px" height="29px" data-celllook="0"> <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Other API resources for the various protection products</SPAN></A></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> Tue, 22 Sep 2020 06:57:06 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/say-hello-to-the-new-microsoft-threat-protection-apis/ba-p/1669234 Efrat Kliger 2020-09-22T06:57:06Z Microsoft Threat Protection now uses more descriptive incident names https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-threat-protection-now-uses-more-descriptive-incident/ba-p/1601520 <P>The new incident naming feature in Microsoft Threat Protection now lets you understand an incident's scope at a glance!</P> <P>&nbsp;</P> <P>When you are looking at the incident queue and need to determine which incident you should look at next, hints about the content of the incident play an important role in making this choice. 
Giving incidents automatic names is complex because a single incident can encompass a variety of different suspicious activities.</P> <P>&nbsp;</P> <P><SPAN data-contrast="none">Our researchers have developed a state-of-the-art algorithm that automatically describes incidents with comprehensive names, leveraging the MITRE ATT&amp;CK</SPAN><SPAN data-contrast="auto">®&nbsp;</SPAN><SPAN data-contrast="none">categories we have for each alert.</SPAN> Instead of having numerical incident names like <EM>Incident 1234</EM>, you now see incident names like <EM>Multi-stage incident involving Discovery &amp; Collection reported by multiple sources.</EM></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="image (1).png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/214144iF92C71030CF37502/image-size/large?v=v2&amp;px=999" role="button" title="image (1).png" alt="image (1).png" /></span></P> <P>&nbsp;</P> <P>Now, analysts can quickly understand the scope of the incident right from the Microsoft Threat Protection incident queue. Having the incident's name and supporting data (like the number of endpoints affected, users affected, detection sources, categories, and more) in one view, analysts can make faster decisions based on the nature of the incident. This improvement saves analysts time and effort better spent investigating and remediating high-priority threats.</P> <P>&nbsp;</P> <P>Here are some examples of incident names developed with the new algorithm:</P> <P>&nbsp;</P> <UL> <LI>'Dirtelti' backdoor was prevented on multiple endpoints</LI> <LI>Office process dropped and executed a PE file on multiple endpoints</LI> <LI>Multi-stage incident involving Initial access &amp; Execution on one endpoint reported by multiple sources</LI> <LI>Ransomware activity</LI> <LI>Multi-stage incident involving Discovery &amp; Command and control on one endpoint</LI> </UL> <P>To learn more about incidents in Microsoft Threat Protection, go to the following links:</P> <P>&nbsp;</P> <UL> <LI><SPAN class="inner-wrap"><A class="" href="#" target="_blank" rel="noopener">Inside Microsoft Threat Protection: Correlating and consolidating attacks into incidents</A></SPAN></LI> <LI><SPAN class="inner-wrap"><A class="" href="#" target="_blank" rel="noopener">Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint</A></SPAN></LI> <LI><SPAN class="inner-wrap"><A class="" href="#" target="_blank" rel="noopener">Inside Microsoft Threat Protection: Attack modeling for finding and stopping lateral movement</A></SPAN></LI> <LI class=""><SPAN class="inner-wrap"><A class="" href="#" target="_blank" rel="noopener">Inside Microsoft Threat Protection: Solving cross-domain security incidents through the power of correlation analytics</A></SPAN></LI> </UL> Sun, 23 Aug 2020 07:38:01 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-threat-protection-now-uses-more-descriptive-incident/ba-p/1601520 Idan_Pelleg 2020-08-23T07:38:01Z Hunt for threats using events captured by Azure 
ATP on your domain controller https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/hunt-for-threats-using-events-captured-by-azure-atp-on-your/ba-p/1598212 <P>&nbsp;</P> <P><SPAN>We’re thrilled to share that you can now hunt for threats using events on your domain controller with advanced hunting in Microsoft Threat Protection.</SPAN></P> <P>&nbsp;</P> <P><SPAN>The new </SPAN><STRONG>IdentityDirectoryEvents</STRONG><SPAN> table—available in </SPAN><A href="#" target="_blank" rel="noopener">public preview</A><SPAN>—incorporates data from the Azure Advanced Threat Protection (Azure ATP) sensor, including various identity-related activities, such as account password changes or remote creation of scheduled tasks on the domain controller. </SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AATPTable.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/213255iB3E5C990D530AA6B/image-size/large?v=v2&amp;px=999" role="button" title="AATPTable.png" alt="AATPTable.png" /></span></P> <P>&nbsp;</P> <P>In general, the table captures three categories of events on your domain controller:</P> <UL> <LI>Remote code execution</LI> <LI>Changes to attributes of Active Directory objects, including groups, users, and devices</LI> <LI>Other activities performed against the directory, such as replication or SMB session enumeration</LI> </UL> <P>You can get the full list of supported events or action types in the in-portal reference.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AATPTable2.png" style="width: 786px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/213256i0E34C1C13CD27A5B/image-size/large?v=v2&amp;px=999" role="button" title="AATPTable2.png" alt="AATPTable2.png" /></span></P> <P>&nbsp;</P> <P>Here are some sample queries you can use:</P> <P>&nbsp;</P> <PRE>//Track domain 
controller replication<BR />IdentityDirectoryEvents<BR />| where ActionType == "Directory Services replication"<BR />| limit 100</PRE> <P><A href="#" target="_blank" rel="noopener">Run query</A></P> <P>&nbsp;</P> <PRE>//Track service creation activities on domain controllers<BR />IdentityDirectoryEvents<BR />| where ActionType == "Service creation"<BR />| extend ServiceName = AdditionalFields["ServiceName"]<BR />| extend ServiceCommand = AdditionalFields["ServiceCommand"]<BR />| project Timestamp, ActionType, Protocol, DC = TargetDeviceName, ServiceName, ServiceCommand, AccountDisplayName, AccountSid, AdditionalFields<BR />| limit 100</PRE> <P><A href="#" target="_blank" rel="noopener">Run query</A></P> <P>&nbsp;</P> <PRE>//Find the latest password change event for a specific account<BR />let userAccount = '&lt;insert your user account&gt;';<BR />let deviceAccount = '&lt;insert your device account&gt;';<BR />IdentityDirectoryEvents<BR />| where ActionType == "Account Password changed"<BR />| where TargetAccountDisplayName == userAccount<BR />//If you are looking for last password change of a device account comment the above row and remove comment from the below row<BR />//| where TargetDeviceName == deviceAccount<BR />| summarize LastPasswordChangeTime = max(Timestamp) by TargetAccountDisplayName // or change to TargetDeviceName for device account</PRE> <P><A href="#" target="_blank" rel="noopener">Run query</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>As always, please let us know what you think and how we can tweak this enhancement further!</P> <P>&nbsp;</P> <P>To learn more about advanced hunting in Microsoft Threat Protection and these new enhancements, go to the following links:</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Advanced hunting overview</A></LI> <LI><A href="#" target="_blank" rel="noopener">Preview features</A></LI> <LI><A href="#" target="_blank" rel="noopener">MTP Git community</A></LI> <LI><SPAN><A href="#" target="_blank" 
rel="noopener">IdentityDirectoryEvents schema</A> </SPAN></LI> </UL> <P>&nbsp;</P> Wed, 19 Aug 2020 08:03:18 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/hunt-for-threats-using-events-captured-by-azure-atp-on-your/ba-p/1598212 Tali Ash 2020-08-19T08:03:18Z On-demand webcast series: “Tracking the adversary” https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/on-demand-webcast-series-tracking-the-adversary/ba-p/1579366 <P>Thanks to everyone who joined us throughout these epic four episodes of “Tracking the adversary”. We had lots of attendees and received overwhelming feedback!</P> <P>&nbsp;</P> <P>Don’t worry if you missed any of the episodes. All webcasts have been recorded, so it’s not too late to become an expert in hunting for threats with advanced hunting in Microsoft Threat Protection.</P> <P>&nbsp;</P> <P>You can watch all four episodes on demand:</P> <P>&nbsp;</P> <TABLE style="width: 821px;" width="821"> <TBODY> <TR> <TD width="130px" style="background-color: #0070c0; width: 130px;"> <P><FONT color="#FFFFFF"><STRONG>Title</STRONG></FONT></P> </TD> <TD width="322.222px" style="background-color: #0070c0; width: 322.222px;"> <P><FONT color="#FFFFFF"><STRONG>Description</STRONG></FONT></P> </TD> <TD width="90px" style="background-color: #0070c0; width: 90px;"> <P class="lia-align-center"><FONT color="#FFFFFF"><STRONG>Download MP4</STRONG></FONT></P> </TD> <TD width="76.6667px" style="background-color: #0070c0; width: 76.6667px;"> <P class="lia-align-center"><FONT color="#FFFFFF"><STRONG>Watch on YouTube</STRONG></FONT></P> </TD> </TR> <TR> <TD width="130px"> <P>Episode 1: KQL fundamentals</P> </TD> <TD width="322.222px"> <P>In the first episode, we cover the basics of advanced hunting capabilities in Microsoft Threat Protection (MTP). 
Learn about available advanced hunting data and basic KQL syntax and operators.</P> </TD> <TD width="90px"> <P class="lia-align-center"><A href="#" target="_blank" rel="noopener">MP4</A></P> </TD> <TD width="76.6667px"> <P class="lia-align-center"><A href="#" target="_blank" rel="noopener">YouTube</A></P> </TD> </TR> <TR> <TD width="130px"> <P>Episode 2: Joins</P> </TD> <TD width="322.222px"> <P>In episode 2, we continue learning about data in advanced hunting and how to join tables together. Learn about inner, outer, unique, and semi joins, as well as the nuances of the default Kusto innerunique join.</P> </TD> <TD width="90px"> <P class="lia-align-center"><A href="#" target="_blank" rel="noopener">MP4</A></P> </TD> <TD width="76.6667px"> <P class="lia-align-center"><A href="#" target="_blank" rel="noopener">YouTube</A></P> </TD> </TR> <TR> <TD width="130px"> <P>Episode 3: Summarizing, pivoting, and visualizing data</P> </TD> <TD width="322.222px"> <P>Now that we’re able to filter, manipulate, and join data, it’s time to start summarizing, quantifying, pivoting, and visualizing. In this episode, we cover the summarize operator and some of the calculations you can perform while diving into additional tables in the advanced hunting schema. We turn our datasets into charts that can help improve analysis.</P> </TD> <TD width="90px"> <P class="lia-align-center"><A href="#" target="_blank" rel="noopener">MP4</A></P> </TD> <TD width="76.6667px"> <P class="lia-align-center"><A href="#" target="_blank" rel="noopener">YouTube</A></P> </TD> </TR> <TR> <TD width="130px"> <P>Episode 4: Let’s hunt!&nbsp;Applying KQL to incident tracking</P> </TD> <TD width="322.222px"> <P>Time to track some attacker activity! In this episode, we use our improved understanding of KQL and advanced hunting in Microsoft Threat Protection to track an attack. 
Learn some of the tips and tricks used in the field to track attacker activity, including the ABCs of cybersecurity and how to apply them to incident response.</P> </TD> <TD width="90px"> <P class="lia-align-center"><A href="#" target="_blank" rel="noopener">MP4</A></P> </TD> <TD width="76.6667px"> <P class="lia-align-center"><A href="#" target="_blank" rel="noopener">YouTube</A></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>This webcast series was presented by Michael Melone, Principal Program Manager at Microsoft and resident threat hunter. He started this webcast series with the basics of threat hunting and then continued with more sophisticated techniques in succeeding episodes. Michael brings more than seven years of threat hunting experience from his time with the Microsoft Detection and Response Team (DART), where he responded to targeted attack incidents and helped our customers become cyber-resilient.</P> <P>&nbsp;</P> <P>Throughout the series, he was joined by Tali Ash, the feature Program Manager for advanced hunting, who answered all your chat questions and presented some cool additional capabilities in the last episode.</P> <P>&nbsp;</P> <P>If you have any questions about advanced hunting or if there are specific scenarios or techniques you would like us to demonstrate in future webinars, please don’t hesitate to bring them up here in our <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-threat-protection/share-your-hunting-challenges/m-p/1567334" target="_blank" rel="noopener">Tech Community</A>.</P> <P>&nbsp;</P> <P>Also, sharing is caring! 
Now that you've become a hunting ninja, please share your hunting queries with the community at <A href="#" target="_blank" rel="noopener">https://aka.ms/hunting-queries</A>.</P> <P>&nbsp;</P> <P>For more information about existing and future webcasts, visit:&nbsp;<A href="#" target="_blank" rel="noopener">https://aka.ms/securitywebinars</A></P> <P>&nbsp;</P> <P>Heike</P> Tue, 11 Aug 2020 06:02:09 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/on-demand-webcast-series-tracking-the-adversary/ba-p/1579366 Heike Ritter 2020-08-11T06:02:09Z Pull in more intelligence and act fast while you hunt https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/pull-in-more-intelligence-and-act-fast-while-you-hunt/ba-p/1578320 <P>In the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-threat-protection/pivot-fast-and-investigate-freely-with-go-hunt-amp-other/ba-p/1535768" target="_blank" rel="noopener">previous chapter of this series</A>, we started our investigation from an incident involving a particular mailbox that received phishing email. We saw how we can use <STRONG><EM>go hunt</EM></STRONG> and the <STRONG>in-portal schema reference </STRONG>to quickly pivot and deepen our investigation, utilizing query-based&nbsp;<A href="#" target="_blank" rel="noopener">advanced hunting</A>&nbsp;capabilities.</P> <P>&nbsp;</P> <P>However, phishing isn’t the only threat impacting email—let's look into how emails with malware are affecting our environment. Our initial mailbox asset, bamorel@mtpdemos.net, did not receive malware, but maybe other mailboxes in the organization did? Let’s check by modifying our first <EM>go hunt </EM>query to extend our search beyond the original mailbox.</P> <P>&nbsp;</P> <PRE>let selectedTimestamp = datetime(2020-07-18T08:02:04.0000000Z);<BR />EmailEvents<BR />| where Timestamp between ((selectedTimestamp - 24h) .. 
(selectedTimestamp + 24h))<BR />//malware emails<BR />and MalwareFilterVerdict == "Malware"</PRE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="senderdomain.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/211408iD0E2569EF5768F55/image-size/large?v=v2&amp;px=999" role="button" title="senderdomain.png" alt="senderdomain.png" /></span></P> <P>&nbsp;</P> <P>We find a bunch of malware emails, all of them from the same sender <A href="https://gorovian.000webhostapp.com/?exam=mailto:mtpdemos@juno.com" target="_blank" rel="noopener">mtpdemos@juno.com</A>. Let’s hunt for all the attachments coming from this sender, and see if someone downloaded them to their devices.</P> <P>&nbsp;</P> <PRE><SPAN class="csl-comment1"><SPAN style="font-family: Consolas;">// Find the first appearance of files sent by a malicious sender in your organization<BR /></SPAN></SPAN><SPAN class="csl-command1"><SPAN style="font-family: Consolas;">let</SPAN></SPAN><SPAN style="font-family: Consolas;"> <SPAN class="csl-let-variable1">MaliciousSender</SPAN> = <SPAN class="csl-string-literal1">"mtpdemos@juno.com"</SPAN>;<BR /></SPAN><SPAN class="csl-column1"><SPAN style="font-family: Consolas;">EmailAttachmentInfo<BR /></SPAN></SPAN><SPAN style="font-family: Consolas;">| <SPAN class="csl-operator1">where</SPAN> <SPAN class="csl-column1">Timestamp</SPAN> &gt; <SPAN class="csl-function1">ago</SPAN>(30d)<BR /></SPAN><SPAN style="font-family: Consolas;">| <SPAN class="csl-operator1">where</SPAN> <SPAN class="csl-column1">SenderFromAddress</SPAN> =~ <SPAN class="csl-let-variable1">MaliciousSender<BR /></SPAN></SPAN><SPAN style="font-family: Consolas;">| <SPAN class="csl-operator1">join</SPAN> (<BR /></SPAN><SPAN class="csl-column1"><SPAN style="font-family: Consolas;">DeviceFileEvents<BR /></SPAN></SPAN><SPAN style="font-family: Consolas;">| <SPAN class="csl-operator1">where</SPAN> <SPAN 
class="csl-column1">Timestamp</SPAN> &gt; <SPAN class="csl-function1">ago</SPAN>(30d)<BR /></SPAN><SPAN style="font-family: Consolas;">) <SPAN class="csl-command1">on</SPAN> <SPAN class="csl-column1">SHA256<BR /></SPAN></SPAN><SPAN style="font-family: Consolas;">| <SPAN class="csl-operator1">summarize</SPAN> <SPAN class="csl-column1">FirstAppearance</SPAN> = <SPAN class="csl-function1">min</SPAN>(<SPAN class="csl-column1">Timestamp</SPAN>) <SPAN class="csl-command1">by</SPAN> <SPAN class="csl-column1">DeviceName</SPAN>, <SPAN class="csl-column1">SHA256</SPAN>, <SPAN class="csl-column1">FileName</SPAN></SPAN></PRE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="FileOnDevices.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/211409iF7E1DDA7E3EBBE19/image-size/large?v=v2&amp;px=999" role="button" title="FileOnDevices.png" alt="FileOnDevices.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H3><FONT color="#000000">Get enriched file intel</FONT></H3> <P>Unfortunately, there were users that downloaded the malicious files. 
To quickly learn more about the files, we can use the <STRONG>FileProfile()</STRONG> function to pull in metadata from the Microsoft file reputation database:</P> <P>&nbsp;</P> <PRE>// Get more details about the malicious files using the FileProfile() enrichment function<BR />let MaliciousSender = "mtpdemos@juno.com";<BR />EmailAttachmentInfo<BR />| where Timestamp &gt; ago(30d)<BR />| where SenderFromAddress =~ MaliciousSender<BR />| join (DeviceFileEvents<BR />| where Timestamp &gt; ago(30d)) on SHA256<BR />// FileProfile() looks up the SHA1 column by default<BR />| distinct SHA1<BR />| invoke FileProfile()<BR />| project SHA1, SHA256, FileSize, GlobalFirstSeen, GlobalLastSeen, GlobalPrevalence, IsExecutable</PRE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="fileProfile.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/211410i6ACE859E9D5F9D07/image-size/large?v=v2&amp;px=999" role="button" title="fileProfile.png" alt="fileProfile.png" /></span>&nbsp;</P> <P>By invoking the FileProfile() function, we can derive additional insights from enriched information in the form of additional file hashes, size, prevalence, first and last seen, signer info, and various other attributes. 
For example, we can identify files that are rare or files that are very new, potentially requiring closer inspection.</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Learn more about the FileProfile() function</A></P> <P>&nbsp;</P> <H3><FONT color="#000000">Take action as part of the hunt</FONT></H3> <P>Once we’ve done sufficient investigation to verify that the files are malicious and the devices that contain them have been adversely impacted, our next step would be to ensure we respond quickly enough to minimize the impact of the malicious files. We can actually do this from the query results by selecting the records and then selecting <STRONG>Take actions</STRONG>.</P> <P>&nbsp;</P> <PRE>// Find the first appearance of files sent by a malicious sender in your organization<BR />// Same query as above, now also keeping DeviceId so the affected devices can be selected from the results<BR />let MaliciousSender = "mtpdemos@juno.com";<BR />EmailAttachmentInfo<BR />| where Timestamp &gt; ago(30d)<BR />| where SenderFromAddress =~ MaliciousSender<BR />| join (<BR />DeviceFileEvents<BR />| where Timestamp &gt; ago(30d)<BR />) on SHA256<BR />| summarize FirstAppearance = min(Timestamp) by DeviceName, DeviceId, SHA256, FileName</PRE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="takeActions.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/211411iD83E3C832D34FFC3/image-size/large?v=v2&amp;px=999" role="button" title="takeActions.png" alt="takeActions.png" /></span>&nbsp;</P> <P>&nbsp;</P> <P>This feature lets you select particular entities to address in the selected records as well as the type of actions to take. 
When you proceed, the necessary actions are taken automatically and swiftly on available devices.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="takeActions2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/211412i29F7B96F39035B1D/image-size/large?v=v2&amp;px=999" role="button" title="takeActions2.png" alt="takeActions2.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="takeActions3.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/211413i9731C2CED2260AFB/image-size/large?v=v2&amp;px=999" role="button" title="takeActions3.png" alt="takeActions3.png" /></span></P> <P>&nbsp;</P> <H3><FONT color="#000000">Key takeaways</FONT></H3> <P>We started our investigation from a single mailbox that was connected to an incident. Using advanced hunting, we gathered more data about the affected asset, explored other activities that might be related to the asset, expanded our investigation to cover other threat types, pulled in more threat intel, and took action quickly.</P> <P>&nbsp;</P> <P>During this investigation, we learned:</P> <UL> <LI>How easy it is to pivot from an incident investigation into advanced hunting using <STRONG><EM>go hunt</EM></STRONG></LI> <LI>How we can conveniently find what we need in the schema using the <STRONG>in-portal reference</STRONG></LI> <LI>How quickly we can enrich an investigation using functions like <STRONG>FileProfile()</STRONG></LI> <LI>How we can remediate threats directly from our hunting results by selecting <STRONG>Take actions</STRONG></LI> </UL> <P>&nbsp;</P> <P>To learn more about advanced hunting in Microsoft Threat Protection and these new enhancements, go to the following links:</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Advanced hunting overview</A></LI> <LI><A href="#" target="_blank" rel="noopener">FileProfile</A></LI> 
<LI><A href="#" target="_blank" rel="noopener">Take actions</A></LI> <LI><A href="#" target="_blank" rel="noopener">Go hunt</A></LI> <LI><A href="#" target="_blank" rel="noopener">In-portal reference</A></LI> <LI><A href="#" target="_blank" rel="noopener">Preview features</A></LI> <LI><A href="#" target="_blank" rel="noopener">MTP Git community</A></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 10 Aug 2020 14:11:21 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/pull-in-more-intelligence-and-act-fast-while-you-hunt/ba-p/1578320 Tali Ash 2020-08-10T14:11:21Z See how consolidated incidents improve SOC efficiency through this attack sprawl simulation https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/see-how-consolidated-incidents-improve-soc-efficiency-through/ba-p/1557341 <P><A href="#" target="_blank" rel="noopener">Microsoft Threat Protection</A> continuously and seamlessly scours endpoints, email and docs, cloud app, and identity activities for suspicious signals and uses deep correlation logic to automatically find links between related signals across domains. 
It connects related existing alerts and generates additional alerts for suspicious events that could otherwise be missed.</P> <P>&nbsp;</P> <P>Correlated signals, alerts, and relevant entities are collected and consolidated into a single comprehensive <A href="#" target="_blank" rel="noopener">incident</A> representing the whole attack.</P> <P>&nbsp;</P> <P>We put Microsoft Threat Protection’s incident feature to the test by simulating an end-to-end attack chain that involves various attacker techniques across multiple domains, including spear-phishing, credential theft, overpass-the-hash attack, lateral movement, and other techniques observed in actual investigations.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="fig1-attack-chain-overpass-the-hash-spear-phishing-lateral-movement.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/209160iA504B2E24F63E3E4/image-size/large?v=v2&amp;px=999" role="button" title="fig1-attack-chain-overpass-the-hash-spear-phishing-lateral-movement.png" alt="fig1-attack-chain-overpass-the-hash-spear-phishing-lateral-movement.png" /></span></P> <P>&nbsp;</P> <P>Learn how automatic correlations in Microsoft Threat Protection detected the initial access, lateral movement, and lateral phishing stages of the attack sprawl simulation. 
Read our latest blog: <A href="#" target="_blank" rel="noopener"><STRONG>Inside Microsoft Threat Protection: Solving cross-domain security incidents through the power of correlation analytics.</STRONG></A></P> Thu, 30 Jul 2020 22:14:30 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/see-how-consolidated-incidents-improve-soc-efficiency-through/ba-p/1557341 Eric Avena 2020-07-30T22:14:30Z The Action center in Microsoft Threat Protection – Your one-stop shop for remediation actions https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/the-action-center-in-microsoft-threat-protection-your-one-stop/ba-p/1550178 <P>The results of current and past automatic investigations and remediation actions across your organization's devices and mailboxes are visible in the <A href="#" target="_blank" rel="noopener">Action center</A> in Microsoft Threat Protection. The Action center provides a unified experience for remediation actions and an audit log. The Action center enables your security operations team to approve pending remediation actions and to remediate impacted assets. You can also review approved actions in an audit log. The Action center brings all this together across Microsoft Threat Protection security workloads, including <A href="#" target="_blank" rel="noopener">Office 365 Advanced Threat Protection</A> (Office 365 ATP) and <A href="#" target="_blank" rel="noopener">Microsoft Defender Advanced Threat Protection</A> (Microsoft Defender ATP).</P> <P>Furthermore, if you need to undo a remediation action that was taken by Microsoft Defender ATP, in most cases, you can do that in the Action center in Microsoft Threat Protection. The <STRONG>History</STRONG> tab tracks all remediation actions that were completed, and you can undo an action there.</P> <P>But what about remediation actions that were taken manually or from an advanced hunting experience, such as isolating a device, or restricting app execution on a specific device? 
How do you view an audit log for those actions?</P> <P>Suppose, for example, that in order to slow down the spread of ransomware, your security operations team decides to isolate all of the devices connected to a specific subnet in your org. To take this action, you could use an advanced hunting custom detection with the predefined action, “Isolate device.” Such a custom detection might look like this:</P> <P>&nbsp;</P> <PRE>DeviceNetworkEvents<BR />// keep the first three octets of the local IP (e.g. "192.168.0.") as the subnet prefix<BR />| extend Subnet = extract(@"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}", 0, LocalIP)<BR />| where Subnet startswith "192.168.0."</PRE> <P>&nbsp;</P> <P>Or, maybe you use a slightly more advanced example with specific alert categories to view the list of devices, like this:</P> <P>&nbsp;</P> <PRE>DeviceAlertEvents<BR />| where Category in ("Credential access", "Ransomware")<BR />| join kind=leftouter (<BR />DeviceNetworkEvents<BR />| extend Subnet = extract(@"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}", 0, LocalIP)<BR />| where Subnet startswith "192.168.0."<BR />) on DeviceId</PRE> <P>&nbsp;</P> <P>But how do you know which devices were isolated, and how do you undo device isolation if needed?</P> <P>We’re happy to announce that you can now <STRONG>audit and undo manually taken actions</STRONG> in Microsoft Defender ATP in the Action center in Microsoft Threat Protection. This capability is in public preview now!</P> <P>This capability provides you with one location to view an audit log of manually taken remediation actions that were performed in different portal experiences, such as the <A href="#" target="_blank" rel="noopener">device page</A>, <A href="#" target="_blank" rel="noopener">file page</A>, and <A href="#" target="_blank" rel="noopener">advanced hunting</A>. 
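</P> <P>As an added example (not from the original post), the query below reshapes the subnet-isolation idea above into the form a custom detection rule needs: the results must carry <STRONG>Timestamp</STRONG>, <STRONG>ReportId</STRONG> and an entity column such as <STRONG>DeviceId</STRONG> for the “Isolate device” action to have something to act on. The subnet prefix and alert categories are the ones used above; the one-hour and one-day look-back windows are assumptions.</P>

```kusto
// Added example, not part of the original post.
// Custom detection: devices on the 192.168.0.0/24 prefix that also raised a recent
// Credential access or Ransomware alert. Timestamp, ReportId and DeviceId are kept
// because a custom detection rule requires them to run the "Isolate device" action.
let TargetSubnet = "192.168.0.";
let WatchedCategories = dynamic(["Credential access", "Ransomware"]);
let RecentlyAlerted =
    DeviceAlertEvents
    | where Timestamp > ago(1d)                       // assumption: one-day alert window
    | where Category in (WatchedCategories)
    | summarize AlertCategories = make_set(Category),
                AlertTitles = make_set(Title),
                AlertCount = dcount(AlertId) by DeviceId;
DeviceNetworkEvents
| where Timestamp > ago(1h)                           // assumption: rule runs on a one-hour window
// first three octets of the local IP, e.g. "192.168.0." (same extract() as the post's query)
| extend Subnet = extract(@"(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}", 0, LocalIP)
| where Subnet startswith TargetSubnet
// inner join: only devices that are both on the subnet and recently alerted get isolated
| join kind=inner (RecentlyAlerted) on DeviceId
// one row per device, keeping the newest network event's Timestamp and ReportId
| summarize arg_max(Timestamp, ReportId, DeviceName, LocalIP, Subnet,
                    AlertCategories, AlertTitles, AlertCount) by DeviceId
| project Timestamp, ReportId, DeviceId, DeviceName, LocalIP, Subnet,
          AlertCategories, AlertTitles, AlertCount
```

<P>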
You can also undo certain actions, such as <A href="#" target="_blank" rel="noopener">device isolation</A> and <A href="#" target="_blank" rel="noopener">app restriction</A>, on the <STRONG>History</STRONG> tab in the Action center.</P> <P>The full set of manual actions logged in the Action center is:</P> <UL> <LI>Collect investigation package</LI> <LI>Isolate device / Undo isolate device</LI> <LI>Offboard machine</LI> <LI>Release code execution</LI> <LI>Release from quarantine</LI> <LI>Request sample</LI> <LI>Restrict code execution / Undo restrict code execution</LI> <LI>Run antivirus scan</LI> <LI>Stop and quarantine</LI> </UL> <P>&nbsp;</P> <P>Want to see what this looks like? Here’s an example of an audit record showing device isolation:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Isolate device.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/208468iE47D66CF23B5DB01/image-size/large?v=v2&amp;px=999" role="button" title="Isolate device.png" alt="Isolate device.png" /></span></P> <P>Here’s an example of undoing a device isolation action:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Undo isolation.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/208469iF7439A178B6B294B/image-size/large?v=v2&amp;px=999" role="button" title="Undo isolation.png" alt="Undo isolation.png" /></span></P> <P>Make sure to <A href="#" target="_blank" rel="noopener">opt in to preview features</A>, and <A href="#" target="_blank" rel="noopener">try it now</A>!</P> <P>&nbsp;</P> <P><STRONG>Let us know what you think by leaving a comment below. 
</STRONG></P> <P><STRONG>The Microsoft Threat Protection Team</STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 29 Jul 2020 06:54:54 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/the-action-center-in-microsoft-threat-protection-your-one-stop/ba-p/1550178 Evald Markinzon 2020-07-29T06:54:54Z Pivot fast and investigate freely with go hunt & other advanced hunting enhancements https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/pivot-fast-and-investigate-freely-with-go-hunt-amp-other/ba-p/1535768 <P>Microsoft Threat Protection simplifies security operations center (SOC) work by consolidating powerful security solutions protecting your devices, email and docs, identities, and cloud apps. With <A href="#" target="_blank" rel="noopener">advanced hunting</A>, you get an extremely flexible query-based tool designed for proactive exploration, investigation, and hunting across a comprehensive set of data, covering system information, regular event logs, and security alerts.</P> <P>&nbsp;</P> <P>To make advanced hunting even more accessible and easy to use, we’ve built some enhancements that many SOC analysts, whether hunting enthusiasts or budding defenders, will find useful:</P> <UL> <LI>Pivot and query from multiple contexts</LI> <LI>Inspect records quickly</LI> <LI>Get reference info while hunting</LI> </UL> <P>&nbsp;</P> <H4 aria-level="3">Pivot and query from multiple contexts</H4> <P>When investigating an incident, we always look to learn more about affected assets and other entities, hoping to enrich the investigation with more data and insight. The new <STRONG>Go hunt</STRONG> action in Microsoft Threat Protection lets us quickly pivot from an ongoing incident investigation to inspecting a specific event, user, device, or other entity type on advanced hunting with an exhaustive, predefined query.</P> <P>&nbsp;</P> <P>Let’s take a look at this incident involving a particular mailbox:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="gohunt.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/207070i0789956F1863569F/image-size/large?v=v2&amp;px=999" role="button" title="gohunt.png" alt="gohunt.png" /></span></P> <P>&nbsp;</P> <P>For most intrusions, a mailbox is typically the initial entry point of an attack. Therefore, we should start by investigating the mailbox to look for suspicious emails that were identified by Office 365 ATP as phishing or malware. By selecting Go hunt from the mailbox details pane, we are immediately taken to advanced hunting with a prepopulated query for email events related to the mailbox.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Gohunt2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/207071i8673A07D71902E86/image-size/large?v=v2&amp;px=999" role="button" title="Gohunt2.png" alt="Gohunt2.png" /></span></P> <P>&nbsp;</P> <P>From this starting point, we can make small tweaks to the query to go deeper into the pivot. We add a new line to narrow down to only emails found to be phishing or malware.</P> <P>&nbsp;</P> <PRE>let selectedTimestamp = datetime(2020-07-18T08:02:04.0000000Z);<BR />let emailAddress = "bamorel@mtpdemos.net";<BR />EmailEvents<BR />| where Timestamp between ((selectedTimestamp - 24h) .. (selectedTimestamp + 24h))<BR />and RecipientEmailAddress == emailAddress<BR />//malicious emails<BR />and (MalwareFilterVerdict == "Malware" or PhishFilterVerdict == "Phish")</PRE> <P>&nbsp;</P> <P>Seasoned hunters will find many other ways to tweak these queries and surface even more insights about the mailbox in question and ultimately the investigation. As you work with other investigations on Microsoft Threat Protection, you will find many other go hunt entry points for digging deeper while utilizing the power of flexible queries.</P> <P><A href="#" target="_blank" rel="noopener">Read more about go hunt</A></P> <P>&nbsp;</P> <H4 aria-level="3">Inspect records thoroughly and quickly</H4> <P>Let’s say our modified <I>go hunt</I> query for malicious emails returned two emails, both of which had links and were detected as phishing. Of course, we’ll want to inspect each of those emails.</P> <P>&nbsp;</P> <P>In the past, the best we could do was scroll slowly to the right while reading the values under each column. To speed things up and give defenders back a little bit more leisure time, we’ve added the <STRONG>Inspect record</STRONG> pane, which slides out to display all the columns as well as other relevant details about a selected record. You also get related assets, such as users and mailboxes that received or sent the email. If the record has process-related information, you also get a process tree.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sidepane.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/207072iA2EB460B2F51F7C6/image-size/large?v=v2&amp;px=999" role="button" title="sidepane.png" alt="sidepane.png" /></span></P> <P>&nbsp;</P> <P>You’ll be scrolling down for more info, which is much faster than scrolling to the right.</P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="EOP SCXW141559367 BCX8" 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="sidepane2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/207073iEA3E1E365B94471F/image-size/large?v=v2&amp;px=999" role="button" title="sidepane2.png" alt="sidepane2.png" /></span></SPAN></SPAN></P> <P aria-level="2">&nbsp;</P> <H4 aria-level="2"><SPAN data-contrast="none">Get reference info while hunting</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H4> <P><SPAN data-contrast="auto">As we inspect one of the phishing emails, we</SPAN><SPAN data-contrast="auto">'</SPAN><SPAN data-contrast="auto">d&nbsp;</SPAN><SPAN data-contrast="auto">want to inspect the phishing&nbsp;</SPAN><SPAN data-contrast="auto">link or&nbsp;</SPAN><SPAN data-contrast="auto">URL embedded in the email.&nbsp;</SPAN><SPAN data-contrast="auto">Our original&nbsp;</SPAN><I><SPAN data-contrast="auto">go hunt</SPAN></I><SPAN data-contrast="auto">&nbsp;query traversed the&nbsp;</SPAN><I><SPAN data-contrast="auto">EmailEvents</SPAN></I><I><SPAN data-contrast="auto">&nbsp;</SPAN></I><SPAN data-contrast="auto">table, which broadly contains email processing events</SPAN><SPAN data-contrast="auto">, but what we need is email content information.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">To locate the right schema table,&nbsp;</SPAN><SPAN data-contrast="auto">most of us w</SPAN><SPAN data-contrast="auto">ill</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">likely&nbsp;</SPAN><SPAN data-contrast="auto">look at the schema tree 
and&nbsp;</SPAN><SPAN data-contrast="auto">find</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><I><SPAN data-contrast="auto">EmailUrlInfo</SPAN></I><SPAN data-contrast="auto">.&nbsp;</SPAN><SPAN data-contrast="auto">We can&nbsp;</SPAN><SPAN data-contrast="auto">quickly confirm&nbsp;</SPAN><SPAN data-contrast="auto">that&nbsp;</SPAN><SPAN data-contrast="auto">this is the right table</SPAN><SPAN data-contrast="auto">&nbsp;by&nbsp;</SPAN><SPAN data-contrast="auto">select</SPAN><SPAN data-contrast="auto">ing</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">View reference</SPAN></STRONG><SPAN data-contrast="auto">.</SPAN></P> <P><SPAN data-contrast="auto"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="schemaref.png" style="width: 563px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/207077iA0B7B9C4EE558C44/image-size/large?v=v2&amp;px=999" role="button" title="schemaref.png" alt="schemaref.png" /></span>&nbsp;</SPAN></P> <P><SPAN data-contrast="auto"><SPAN class="TextRun SCXW184168709 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW184168709 BCX8" data-ccp-parastyle="x_msonormal" data-ccp-parastyle-defn="{&quot;ObjectId&quot;:&quot;b070ca57-6880-4025-b9cb-1b4bfadc23e6|53&quot;,&quot;Properties&quot;:[134233614,&quot;true&quot;,201340122,&quot;2&quot;,201341983,&quot;0&quot;,201342448,&quot;1&quot;,335559739,&quot;0&quot;,335559740,&quot;240&quot;,469769226,&quot;Calibri&quot;,469775450,&quot;x_msonormal&quot;,469777841,&quot;Calibri&quot;,469777842,&quot;Calibri&quot;,469777843,&quot;Calibri&quot;,469777844,&quot;Calibri&quot;,469778129,&quot;xmsonormal&quot;],&quot;ClassId&quot;:1179649}">This opens the&nbsp;</SPAN></SPAN><EM><SPAN class="TextRun SCXW184168709 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW184168709 BCX8" data-ccp-parastyle="x_msonormal">in-portal reference</SPAN></SPAN></EM><SPAN class="TextRun SCXW184168709 BCX8" 
data-contrast="auto"><SPAN class="NormalTextRun SCXW184168709 BCX8" data-ccp-parastyle="x_msonormal">, which can also be accessed by select</SPAN></SPAN><SPAN class="TextRun SCXW184168709 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW184168709 BCX8" data-ccp-parastyle="x_msonormal">ing</SPAN></SPAN><SPAN class="TextRun SCXW184168709 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW184168709 BCX8" data-ccp-parastyle="x_msonormal">&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW184168709 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW184168709 BCX8" data-ccp-parastyle="x_msonormal"><STRONG>Schema reference</STRONG>&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW184168709 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW184168709 BCX8" data-ccp-parastyle="x_msonormal">in the upper right</SPAN></SPAN><SPAN class="TextRun SCXW184168709 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW184168709 BCX8" data-ccp-parastyle="x_msonormal">&nbsp;of the page</SPAN></SPAN><SPAN class="TextRun SCXW184168709 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW184168709 BCX8" data-ccp-parastyle="x_msonormal">.</SPAN></SPAN><SPAN class="EOP SCXW184168709 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></SPAN></P> <P><SPAN data-contrast="auto"><SPAN class="EOP SCXW184168709 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="schemaReference2.jpg" style="width: 442px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/206838i0302B2DBD69ABAC0/image-size/large?v=v2&amp;px=999" role="button" title="schemaReference2.jpg" alt="schemaReference2.jpg" /></span></SPAN></SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto"><SPAN class="EOP SCXW184168709 BCX8" 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}"><SPAN class="TextRun SCXW253286869 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW253286869 BCX8" data-ccp-parastyle="x_msonormal" data-ccp-parastyle-defn="{&quot;ObjectId&quot;:&quot;b070ca57-6880-4025-b9cb-1b4bfadc23e6|53&quot;,&quot;Properties&quot;:[134233614,&quot;true&quot;,201340122,&quot;2&quot;,201341983,&quot;0&quot;,201342448,&quot;1&quot;,335559739,&quot;0&quot;,335559740,&quot;240&quot;,469769226,&quot;Calibri&quot;,469775450,&quot;x_msonormal&quot;,469777841,&quot;Calibri&quot;,469777842,&quot;Calibri&quot;,469777843,&quot;Calibri&quot;,469777844,&quot;Calibri&quot;,469778129,&quot;xmsonormal&quot;],&quot;ClassId&quot;:1179649}">The</SPAN></SPAN><SPAN class="TextRun SCXW253286869 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW253286869 BCX8" data-ccp-parastyle="x_msonormal">&nbsp;</SPAN></SPAN><EM><SPAN class="TextRun SCXW253286869 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW253286869 BCX8" data-ccp-parastyle="x_msonormal">in-portal</SPAN></SPAN></EM><SPAN class="TextRun SCXW253286869 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW253286869 BCX8" data-ccp-parastyle="x_msonormal"><EM>&nbsp;reference</EM>&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW253286869 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW253286869 BCX8" data-ccp-parastyle="x_msonormal">includes</SPAN></SPAN><SPAN class="TextRun SCXW253286869 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW253286869 BCX8" data-ccp-parastyle="x_msonormal">&nbsp;detailed information about each table and its columns. 
For those who want to explore schema items further, it also comes with sample queries as&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW253286869 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW253286869 BCX8" data-ccp-parastyle="x_msonormal">well as detailed&nbsp;</SPAN></SPAN><EM><SPAN class="TextRun SCXW253286869 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SpellingErrorV2 SCXW253286869 BCX8" data-ccp-parastyle="x_msonormal">ActionType</SPAN></SPAN><SPAN class="TextRun SCXW253286869 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW253286869 BCX8" data-ccp-parastyle="x_msonormal">&nbsp;</SPAN></SPAN></EM><SPAN class="TextRun SCXW253286869 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW253286869 BCX8" data-ccp-parastyle="x_msonormal">(event type) information for tables that hold event information.</SPAN></SPAN><SPAN class="EOP SCXW253286869 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></SPAN></SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="urlinfo.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/207074iF1B979B724E833F0/image-size/large?v=v2&amp;px=999" role="button" title="urlinfo.png" alt="urlinfo.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto"><SPAN class="EOP SCXW184168709 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}"><SPAN class="EOP SCXW253286869 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}"><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">Now that we’ve found the&nbsp;</SPAN></SPAN><EM><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SpellingErrorV2 SCXW48012814 BCX8">EmailUrlInfo</SPAN></SPAN><SPAN class="TextRun SCXW48012814 
BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">&nbsp;</SPAN></SPAN></EM><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">table&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">and have verified that it&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">holds</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">&nbsp;information about URLs in email messages</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">,</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">&nbsp;we</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">&nbsp;can try a little bit of&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">Kusto Query Language (KQL)</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">&nbsp;magic</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">. 
In the example below, we use&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">the&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">join</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">operator to&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">get</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">the embedded&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">URL</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">s</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">in each</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">of the&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">phishing emails</SPAN></SPAN><SPAN class="TextRun SCXW48012814 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW48012814 BCX8">:</SPAN></SPAN><SPAN class="EOP 
SCXW48012814 BCX8" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></SPAN></SPAN></SPAN></P> <P>&nbsp;</P> <PRE>let selectedTimestamp = datetime(2020-07-18T08:02:04.0000000Z); <BR />let emailAddress = "bamorel@mtpdemos.net"; <BR />EmailEvents <BR />| where Timestamp between ((selectedTimestamp - 24h) .. (selectedTimestamp + 24h)) <BR />and RecipientEmailAddress == emailAddress <BR />//malicious emails <BR />and (MalwareFilterVerdict == "Malware" or PhishFilterVerdict == "Phish") <BR />| join EmailUrlInfo on NetworkMessageId <BR />| project EmailTime = Timestamp, Subject, Url </PRE> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="emailwithUrl.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/207076iA797AD6108561354/image-size/large?v=v2&amp;px=999" role="button" title="emailwithUrl.png" alt="emailwithUrl.png" /></span></P> <H4 aria-level="2">&nbsp;</H4> <P>&nbsp;</P> <H4 aria-level="2"><SPAN data-contrast="none">The hunt continues</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H4> <P><I><SPAN data-contrast="auto">Want to see how&nbsp;</SPAN></I><I><SPAN data-contrast="auto">the rest of this</SPAN></I><I><SPAN data-contrast="auto">&nbsp;investigation</SPAN></I><I><SPAN data-contrast="auto">&nbsp;</SPAN></I><I><SPAN data-contrast="auto">unfolds</SPAN></I><I><SPAN data-contrast="auto">?&nbsp;</SPAN></I><SPAN data-contrast="auto">Read </SPAN><SPAN data-contrast="auto">the&nbsp;</SPAN><SPAN data-contrast="auto">next chapter:&nbsp;<STRONG><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-threat-protection/pull-in-more-intelligence-and-act-fast-while-you-hunt/ba-p/1578320" target="_self">Pull in more intelligence and act fast while you hunt</A></STRONG>.</SPAN><SPAN 
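data-contrast="auto">&nbsp;</SPAN></P> <P>&nbsp;</P> <P>As an added example that is not part of the original post, here is the post’s final query run over constructed inline <I>EmailEvents</I> and <I>EmailUrlInfo</I> rows built with <I>datatable</I>, so the time-window and verdict filters and the one-email-to-many-URLs fan-out of the join can be checked in any Kusto environment without tenant data. Column names follow the post’s query; the message IDs, subjects and URLs are constructed, and the closing <I>summarize</I> step, which the post does not show, collapses the result back to one row per message.</P>

```kql
// Added example, not from the original post. Every row below is constructed
// sample data shaped like the columns the post's query uses; in a tenant you
// would query the real EmailEvents and EmailUrlInfo tables instead.
let selectedTimestamp = datetime(2020-07-18T08:02:04.0000000Z);
let emailAddress = "bamorel@mtpdemos.net";
// Constructed EmailEvents rows: two phishing emails inside the 24h window,
// one clean email, one phishing email outside the window, and a copy of one
// phishing email that was also delivered to a second recipient.
let SampleEmailEvents = datatable(
    Timestamp:datetime, NetworkMessageId:string, RecipientEmailAddress:string,
    Subject:string, MalwareFilterVerdict:string, PhishFilterVerdict:string)
[
    datetime(2020-07-18T07:10:00Z), "msg-0001", "bamorel@mtpdemos.net", "Invoice overdue",   "", "Phish",
    datetime(2020-07-18T09:45:00Z), "msg-0002", "bamorel@mtpdemos.net", "Password expiring", "", "Phish",
    datetime(2020-07-18T09:45:00Z), "msg-0002", "jdoe@mtpdemos.net",    "Password expiring", "", "Phish",
    datetime(2020-07-18T10:00:00Z), "msg-0003", "bamorel@mtpdemos.net", "Quarterly report",  "", "",
    datetime(2020-07-16T10:00:00Z), "msg-0004", "bamorel@mtpdemos.net", "Shared document",   "", "Phish"
];
// Constructed EmailUrlInfo rows: one message can carry several URLs, which is
// why the join below fans out to one row per URL.
let SampleEmailUrlInfo = datatable(NetworkMessageId:string, Url:string)
[
    "msg-0001", "https://invoice.example.test/login",
    "msg-0002", "https://reset.example.test/pw",
    "msg-0002", "https://reset.example.test/help",
    "msg-0003", "https://intranet.example.test/report"
];
SampleEmailEvents
| where Timestamp between ((selectedTimestamp - 24h) .. (selectedTimestamp + 24h))
    and RecipientEmailAddress == emailAddress
    // malicious emails
    and (MalwareFilterVerdict == "Malware" or PhishFilterVerdict == "Phish")
// The default join flavour is innerunique, which keeps only one left-side row per
// key value. Filtering on RecipientEmailAddress first leaves one EmailEvents row
// per message, so the default and kind=inner agree here; without that filter one
// of the two msg-0002 rows would be dropped, and which one is not guaranteed.
| join kind=inner SampleEmailUrlInfo on NetworkMessageId
| project EmailTime = Timestamp, NetworkMessageId, Subject, Url
// Collapse the per-URL fan-out back to one row per message for a quick overview.
| summarize Urls = make_set(Url), UrlCount = dcount(Url) by NetworkMessageId, EmailTime, Subject
| order by EmailTime asc
// Expected: msg-0001 with 1 URL and msg-0002 with 2 URLs; msg-0003 is clean and
// msg-0004 is outside the window, so neither appears in the result.
```

<P><SPAN 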
data-contrast="auto">&nbsp;</SPAN></P> <P>&nbsp;</P> <P>For more information about advanced hunting and the features discussed in this article, read:</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Advanced hunting overview</A></LI> <LI><A href="#" target="_blank" rel="noopener">Go hunt</A></LI> <LI><A href="#" target="_blank" rel="noopener">Inspect record</A></LI> <LI><A href="#" target="_blank" rel="noopener">In-portal reference</A></LI> <LI><A href="#" target="_blank" rel="noopener">Preview features</A></LI> </UL> Mon, 10 Aug 2020 18:02:46 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/pivot-fast-and-investigate-freely-with-go-hunt-amp-other/ba-p/1535768 Tali Ash 2020-08-10T18:02:46Z Short & sweet educational videos on Microsoft 365 Defender https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/short-amp-sweet-educational-videos-on-microsoft-365-defender/ba-p/1525296 <P>Microsoft 365 Defender (formerly known as Microsoft Threat Protection) is an integrated, cross-domain threat detection and response solution. It provides organizations with the ability to prevent, detect, investigate and remediate sophisticated cross-domain attacks within their Microsoft 365 environments.</P> <P>&nbsp;</P> <P>To help you get started with Microsoft 365 Defender and take advantage of its capabilities, we’ve compiled a series of short videos. 
These will walk through the key product features and show you how to apply them to your business today.</P> <P>&nbsp;</P> <P>We’re constantly adding new capabilities to Microsoft 365 Defender so check back here regularly for new videos and instructional content.&nbsp;</P> <P>The latest additions are marked with <FONT color="#339966"><STRONG>NEW</STRONG></FONT></P> <P>&nbsp;</P> <P>Please share your feedback, or ask questions in the comments section below; let us know what other videos and topics you would like to see.</P> <P>&nbsp;</P> <TABLE> <TBODY> <TR style="background-color: #002060;"> <TD width="354.667px" height="28px"> <P><STRONG><FONT color="#FFFFFF">Overview</FONT></STRONG></P> </TD> <TD width="361.333px" height="28px"> <P><STRONG><FONT color="#FFFFFF">Getting started</FONT></STRONG></P> </TD> </TR> <TR> <TD width="354.667px" height="81px"> <P>Watch an all-up overview of Microsoft 365 Defender and learn about its capabilities</P> </TD> <TD width="361.333px" height="81px"> <P>Check out how you can get started quickly and start benefiting from its capabilities</P> </TD> </TR> <TR> <TD width="354.667px" height="158px"> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RE4G6DS?rel=0" width="400" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> </TD> <TD width="361.333px" height="158px"> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RE4FTDg?rel=0" width="400" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> </TD> </TR> <TR> <TD colspan="2" width="716px" height="28px">&nbsp;</TD> </TR> <TR style="background-color: #002060; height: 27px;"> <TD width="354.667px" height="28px"> <P><STRONG><FONT color="#FFFFFF">Unified portal</FONT></STRONG></P> </TD> <TD width="361.333px" height="28px"> <P><STRONG><FONT color="#FFFFFF">Azure Sentinel integration</FONT></STRONG></P> </TD> </TR> <TR> <TD width="354.667px" height="54px"> <P><FONT 
color="#339966"><STRONG>NEW</STRONG></FONT>&nbsp;This videos shows you the improved and enhanced Microsoft 365 security center.</P> </TD> <TD width="361.333px" height="54px"> <P><FONT color="#339966"><STRONG>NEW</STRONG></FONT>&nbsp;This video describes how you can stream all Microsoft 365 Defender incidents into Azure Sentinel and keep them synchronized.</P> </TD> </TR> <TR> <TD width="354.667px" height="158px"> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RWBKau?rel=0" width="400" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> </TD> <TD width="361.333px" height="158px"> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RWFIRo?rel=0" width="400" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> </TD> </TR> <TR> <TD colspan="2" width="716px" height="28px">&nbsp;</TD> </TR> <TR style="background-color: #002060; height: 27px;"> <TD width="354.667px" height="28px"> <P><STRONG><FONT color="#FFFFFF">Incident</FONT></STRONG></P> </TD> <TD width="361.333px" height="28px"> <P><STRONG><FONT color="#FFFFFF">Advanced hunting</FONT></STRONG></P> </TD> </TR> <TR> <TD width="354.667px" height="54px"> <P>Learn how alerts are being correlated into incidents and how to work with them</P> </TD> <TD width="361.333px" height="54px"> <P>Get started with advanced hunting to hunt for threats across your Microsoft 365 Defender data</P> </TD> </TR> <TR> <TD width="354.667px" height="158px"> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RE4G6DR?rel=0" width="400" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> </TD> <TD width="361.333px" height="158px"> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RE4G6DO?rel=0" width="400" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> </TD> </TR> <TR> <TD colspan="2" width="716px" height="28px">&nbsp;</TD> </TR> 
<TR style="background-color: #002060; height: 27px;"> <TD width="354.667px" height="28px"> <P><STRONG><FONT color="#FFFFFF">Hunting with Microsoft Cloud App Security data</FONT></STRONG></P> </TD> <TD width="361.333px" height="28px"> <P><STRONG><FONT color="#FFFFFF">Streaming API</FONT></STRONG></P> </TD> </TR> <TR> <TD width="354.667px" height="54px"> <P><FONT color="#339966"><STRONG>NEW</STRONG></FONT>&nbsp;This video shows you some real examples of how to use advanced hunting to investigate incidents with Microsoft Cloud App Security data.</P> </TD> <TD width="361.333px" height="54px"> <P><FONT color="#339966"><STRONG>NEW</STRONG></FONT>&nbsp;Learn how you can set up the streaming API to ship event information directly to Azure Event Hubs or to Azure Storage.</P> </TD> </TR> <TR> <TD width="354.667px" height="158px"> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RWFISa?rel=0" width="400" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> </TD> <TD width="361.333px" height="158px"> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RE4r4ga?rel=0" width="400" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> </TD> </TR> <TR> <TD colspan="2" width="716px" height="28px">&nbsp;</TD> </TR> <TR style="background-color: #002060; height: 27px;"> <TD width="354.667px" height="28px"> <P><STRONG><FONT color="#FFFFFF">Microsoft 365 Defender and Power Automate</FONT></STRONG></P> </TD> <TD width="361.333px" height="28px"></TD> </TR> <TR> <TD width="354.667px" height="54px"> <P><FONT color="#339966"><STRONG>NEW</STRONG></FONT>&nbsp;Learn how you can use Power Automate to automate your workflows.</P> </TD> <TD width="361.333px" height="54px"></TD> </TR> <TR> <TD width="354.667px" height="158px"> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RWFIRn?rel=0" width="400" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> </TD> <TD width="361.333px" height="158px"></TD> </TR> <TR> <TD colspan="2" width="716px" height="28px">&nbsp;</TD> </TR> <TR style="background-color: #002060; height: 27px;"> <TD width="354.667px" height="28px"> <P><STRONG><FONT color="#FFFFFF">Automated self-healing</FONT></STRONG></P> </TD> <TD width="361.333px" height="28px"> <P><STRONG><FONT color="#FFFFFF">Submit feedback</FONT></STRONG></P> </TD> </TR> <TR> <TD width="354.667px" height="81px"> <P>This video helps you better understand how Microsoft 365 Defender automates remediation actions</P> </TD> <TD width="361.333px" height="81px"> <P>We are listening! 
See how easy it is to share your feedback with us</P> </TD> </TR> <TR> <TD width="354.667px" height="158px"> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RE4G6DP?rel=0" width="400" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> </TD> <TD width="361.333px" height="158px"> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RE4LWeP?rel=0" width="400" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> </TD> </TR> <TR> <TD colspan="2" width="716px" height="28px">&nbsp;</TD> </TR> <TR style="background-color: #002060; height: 27px;"> <TD width="354.667px" height="28px"> <P><STRONG><FONT color="#FFFFFF">Security center for Microsoft Defender for Office 365 customers</FONT></STRONG></P> </TD> <TD width="361.333px" height="28px"> <P><STRONG><FONT color="#FFFFFF">Security center for Microsoft Defender for Identity customers</FONT></STRONG></P> </TD> </TR> <TR> <TD width="354.667px" height="81px"> <P><SPAN>See the improved and NEW features you get when you start using the Microsoft 365 Defender portal - at no cost.</SPAN></P> </TD> <TD width="361.333px" height="81px"> <P><SPAN>This video shows the improved and NEW features you get when you move to the Microsoft 365 Defender portal - at no cost!&nbsp;</SPAN></P> </TD> </TR> <TR> <TD width="354.667px" height="158px"> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RE4HhT6?rel=0" width="400" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> </TD> <TD width="361.333px" height="158px"> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RE4HcEU?rel=0" width="400" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> </TD> </TR> <TR> <TD colspan="2" width="716px" height="28px">&nbsp;</TD> </TR> <TR style="background-color: #002060; height: 27px;"> <TD width="354.667px" height="28px"> <P><STRONG><FONT 
color="#FFFFFF">Classification</FONT></STRONG></P> </TD> <TD width="361.333px" height="28px"> <P><STRONG><FONT color="#FFFFFF">Threat Analytics</FONT></STRONG></P> </TD> </TR> <TR> <TD width="354.667px" height="81px"> <P>See how quickly you can classify your incidents &amp; alerts</P> </TD> <TD width="361.333px" height="81px"> <P>With threat analytics you can track and respond to emerging threats</P> </TD> </TR> <TR> <TD width="354.667px" height="158px"> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RE4LHJq?rel=0" width="400" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> </TD> <TD width="361.333px" height="158px"> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RWwJfU?rel=0" width="400" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 20 Jul 2021 20:15:06 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/short-amp-sweet-educational-videos-on-microsoft-365-defender/ba-p/1525296 Heike Ritter 2021-07-20T20:15:06Z Webinar series: Unleash the hunter in you! https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/webinar-series-unleash-the-hunter-in-you/ba-p/1509232 <P>Do you want to proactively hunt for threat activity like an expert? Then don’t miss our upcoming webinar series, “Tracking the adversary”!</P> <P>Michael Melone, Principal Program Manager at Microsoft and resident threat hunter, will start with the basics of threat hunting and cover more advanced techniques throughout the series. 
Our hope is that you’ll come out of this a rock star in advanced hunting and Kusto Query Language (KQL).</P> <P>Michael brings more than seven years of threat hunting experience from his time with the Microsoft Detection and Response Team (DART), where he responded to targeted attack incidents and helped our customers become cyber-resilient.</P> <P>&nbsp;</P> <P>The details of the series are below. You can register to get a calendar invite at this <A href="#" target="_blank" rel="noopener">registration link</A>.</P> <TABLE width="1374"> <TBODY> <TR> <TD width="123"> <P><STRONG>Go-live date</STRONG></P> </TD> <TD width="273"> <P><STRONG>Subject</STRONG></P> </TD> <TD width="978"> <P><STRONG>Webinar description</STRONG></P> </TD> </TR> <TR> <TD width="123"> <P>July 15<SUP>th</SUP> 08:00-09:00&nbsp;PST</P> </TD> <TD width="273"> <P>Microsoft Threat Protection - Tracking the adversary, episode 1: KQL fundamentals</P> </TD> <TD width="978"> <P>In the first episode, we will cover the basics of advanced hunting capabilities in Microsoft Threat Protection (MTP). Learn about available advanced hunting data and basic KQL syntax and operators. The best part? No slides!</P> </TD> </TR> <TR> <TD width="123"> <P>July 22<SUP>nd</SUP> 08:00-09:00&nbsp;PST</P> </TD> <TD width="273"> <P>Microsoft Threat Protection - Tracking the adversary, episode 2: Joins</P> </TD> <TD width="978"> <P>In episode 2, we will continue learning about data in advanced hunting and how to join tables together. Learn about inner, outer, unique, and semi joins, as well as the nuances of the default Kusto innerunique join. Make Edgar F. 
Codd proud!</P> </TD> </TR> <TR> <TD width="123"> <P>July 29<SUP>th</SUP> 08:00-09:00&nbsp;PST</P> </TD> <TD width="273"> <P>Microsoft Threat Protection - Tracking the adversary, episode 3: Summarizing, pivoting, and visualizing data</P> </TD> <TD width="978"> <P>Now that we’re able to filter, manipulate, and join data, it’s time to start summarizing, quantifying, pivoting, and visualizing. In this episode, we will cover the summarize operator and some of the various calculations you can perform while diving into additional tables within MTP. We will turn our datasets into charts that can help improve analysis.</P> </TD> </TR> <TR> <TD width="123"> <P>August&nbsp;5<SUP>th</SUP> 08:00-09:00&nbsp;PST</P> </TD> <TD width="273"> <P>Microsoft Threat Protection - Tracking the adversary, episode 4: Let’s hunt!&nbsp;Applying KQL to incident tracking</P> </TD> <TD width="978"> <P>Time to track some attacker activity! In this episode, we will use our improved understanding of KQL and advanced hunting in Microsoft Threat Protection to track an attack. Learn some of the tips and tricks used in the field to track attacker activity, including the ABCs of cybersecurity and how to apply them to incident response.</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>We hope to see you!</P> Tue, 14 Jul 2020 17:28:31 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/webinar-series-unleash-the-hunter-in-you/ba-p/1509232 Tali Ash 2020-07-14T17:28:31Z Microsoft Threat Protection advanced hunting cheat sheet https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-threat-protection-advanced-hunting-cheat-sheet/ba-p/1505100 <P><SPAN>Cheat sheets can be handy for penetration testers, security analysts, and many other technical roles. They provide best practices, shortcuts, and other ideas that save defenders a lot of time. 
They are especially helpful when working with tools that require special knowledge, like advanced hunting, because:</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <UL> <LI><SPAN>The required syntax can be unfamiliar, complex, and difficult to remember.</SPAN></LI> <LI><SPAN>Often someone else has already thought about the same problems we want to solve and has written elegant solutions.</SPAN></LI> <LI><SPAN>We can use some inspiration and guidance, especially when just starting to learn a new programming or query language.</SPAN></LI> <LI><SPAN>Examples of the most frequently used cases and queries can help us quickly understand both the problem space and the solution.</SPAN></LI> </UL> <P><SPAN>In the area of Digital Forensics and Incident Response (DFIR), there are some great existing cheat sheets. Many of them are bookmarked or, in some cases, printed and hanging somewhere in the Security Operations Center (SOC).</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>Recently, several Microsoft employees and security analysts from large enterprise customers and partners came together to work on a community project to build the very first cheat sheet for advanced hunting in Microsoft Threat Protection. 
To get it done, we had the support and talent of <A href="#" target="_blank" rel="noopener">Marcus Bakker</A>, <A href="#" target="_blank" rel="noopener">Maarten Goet</A>, <A href="#" target="_blank" rel="noopener">Pawel Partyka</A>, <A href="#" target="_blank" rel="noopener">Michael Melone</A>, <A href="#" target="_blank" rel="noopener">Tali Ash</A>, and <A href="#" target="_blank" rel="noopener">Milad Aslaner</A>.</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2020-07-06 at 1.26.17 PM.png" style="width: 988px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/203472i747A7FDB5842CC00/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2020-07-06 at 1.26.17 PM.png" alt="Screenshot 2020-07-06 at 1.26.17 PM.png" /></span></SPAN></P> <P>&nbsp;</P> <P><SPAN>You can get the cheat sheet in light and dark themes from the links below:</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <UL> <LI>Light theme:&nbsp;<A href="#" target="_blank" rel="noopener">MTPAHCheatSheetv01-light.pdf</A></LI> <LI>Dark theme:&nbsp;<A href="#" target="_blank" rel="noopener">MTPAHCheatSheetv01-dark.pdf</A></LI> </UL> <P>&nbsp;</P> <P><SPAN>Microsoft Threat Protection’s advanced hunting community is continuously growing, and we are excited to see that more and more security analysts and threat hunters are actively sharing their queries in the <A href="#" target="_blank" rel="noopener">public repository on GitHub</A>. 
This GitHub repo provides access to many frequently used advanced hunting queries across Microsoft Threat Protection capabilities as well as new exciting projects like Jupyter Notebook examples and now the advanced hunting cheat sheet.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>You can explore and get all the queries in the cheat sheet from the GitHub repository.</SPAN></P> <P>&nbsp;</P> <P><SPAN>For more information about advanced hunting and Kusto Query Language (KQL), go to:</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <UL> <LI><SPAN><A href="#" target="_blank" rel="noopener">Overview of advanced hunting in Microsoft Threat Protection</A> </SPAN></LI> <LI><SPAN><A href="#" target="_blank" rel="noopener">Proactively hunt for threats with advanced hunting in Microsoft Threat Protection</A></SPAN></LI> <LI><A href="#" target="_blank" rel="noopener"><SPAN>Learn the query language</SPAN></A></LI> <LI><SPAN><A href="#" target="_blank" rel="noopener">Understand the schema</A></SPAN></LI> <LI><SPAN><A href="#" target="_blank" rel="noopener">Custom detections overview</A></SPAN></LI> </UL> <P><SPAN>Stay safe and happy hunting!</SPAN></P> Mon, 06 Jul 2020 09:56:45 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-threat-protection-advanced-hunting-cheat-sheet/ba-p/1505100 Milad Aslaner 2020-07-06T09:56:45Z Welcome to the new community home for Microsoft Threat Protection (MTP) https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/welcome-to-the-new-community-home-for-microsoft-threat/ba-p/1502203 <P><STRONG>Welcome!</STRONG></P> <P>&nbsp;</P> <P>We all understand that attackers know no boundaries—they will cross multiple domains like email, identity, endpoints, and applications to go after your most valuable assets. Current solutions that have been designed as point solutions don’t talk to each other and don’t connect the dots. 
While you might block an attacker from stealing your password, they might have found another way in via email or a vulnerable SaaS application.</P> <P>&nbsp;</P> <P>With Microsoft Threat Protection (MTP) we are fundamentally changing the approach to detection, investigation, and response across domains to better help security teams gain end-to-end visibility into attacker activities and automatically correlate signals across domains, so we can fully understand the breadth of an attack and stop it.</P> <P>MTP is an integrated, cross-domain threat detection and response solution. It provides organizations with the ability to prevent, detect, investigate, and remediate sophisticated cross-domain attacks within their Microsoft 365 environments. MTP leverages raw signal data from individual domains -- user identity, endpoints, applications, email, and collaboration tools -- normalizing the data at the point of creation. The data is analyzed, and low-level signals that might otherwise be missed are fused, together with individual alerts, into incidents, giving a complete view of an attack that can be responded to in its entirety. Powerful workflows and AI auto-heal affected assets, and advanced hunting capabilities mean organizations can use their proprietary knowledge to uncover sophisticated breaches and customize their responses.</P> <P>&nbsp;</P> <P>This community will be a forum for open discussions, questions, and interaction with the Microsoft product teams working on MTP. Check back for exciting product announcements and feature updates, as well as security best practices and instructional webcasts. 
Be part of MTP’s innovation journey: provide feedback and input that will help inform our decisions and investments in building products and features that work for you.</P> <P>&nbsp;</P> <P>To learn more about Microsoft Threat Protection, visit our <A href="#" target="_blank" rel="noopener">webpage</A> and our corporate security <A href="#" target="_blank" rel="noopener">blog</A>. Visit our <A href="#" target="_blank" rel="noopener">Documentation</A> page for deep how-to information and technical guidance. We look forward to talking with you soon.</P> <P>&nbsp;</P> <P><LI-USER uid="73387"></LI-USER> – Partner Group Program Manager (Microsoft Threat Protection).</P> Wed, 01 Jul 2020 21:09:52 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/welcome-to-the-new-community-home-for-microsoft-threat/ba-p/1502203 Raviv Tamir 2020-07-01T21:09:52Z