Generating Advanced hunting queries with PowerShell

Posted onLeave a comment

I was recently writing some advanced hunting queries for Microsoft Defender ATP to search for the execution of specific PowerShell commands. If you are just looking for one specific command, you can run query as sown below But if you are looking for several functions, then there is going to be a lot of manual editing, and so the idea was born to use PowerShell to help me generate an advanced hunting query. The below Read More …

Defender ATP Advanced hunting with TI from URLhaus

Posted on5 Comments

Hello everyone, in today’s article we are going to take look at how we can use Threat Intelligence (TI) data from URLhaus with Microsoft Defender ATP advanced hunting. URLhaus URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution. https://urlhaus.abuse.ch/ The project provides several ways to find and retrieve information about malware URLs. You can browse the URL database interactively through https://urlhaus.abuse.ch/browse/ You can also Read More …

Managing Time Zone and Date formats in Microsoft Defender Security Center

Posted onLeave a comment

When you receive security alerts or are investigating security related events , the aspect of time is important element. By default, date and time is displayed in Coordinated Universal Time (UTC) within the Microsoft Defender security center portal. In todays’ blog post, I want to provide you with some insights and tips how to manage Timezone and the date time format within the Microsoft Defender security center. Time zones You can use the Time zone Read More …

Advance your Microsoft Defender ATP hunting skills using the Atomic execution framework

Posted on1 Comment

Hello everyone, during the past months I took a closer look at MITRE ATT&CK to advance my hunting skills using Microsoft Defender Advanced Threat Protection. For those not familiar with MITRE ATT&CK, in short, it is a knowledge base knowledge base of adversary tactics and techniques based on real-world observations. To familiarize myself with MITRE ATT&CK, I first started reading through all the tactics and techniques, to be honest while reading, I often couldn’t resists Read More …

Meet the new Microsoft Defender ATP evaluation lab

Posted onLeave a comment

This week Hadar Feldmann, senior program manager and security researcher at Microsoft announced the public preview of the new Microsoft Defender ATP evaluation lab that now includes two attack simulation solutions from AttackIQ and SafeBreach. The term ‘evaluation’ might indicate that the lab is only intended for new customers hat are in the process of evaluating Microsoft Defender ATP, but that’s not the case, personally I think that it is also a perfect playground for Read More …

Windows 10 2004 – What is new in the Windows Security App

Posted onLeave a comment

When all goes well, Microsoft will soon release the next version of Windows 10 aka as Windows 10 2004. I am an active Windows Insider user and noticed a few little changes within the Windows 10 Security App that I think are worth sharing. I used the following Windows 10 builds to identify changes, new features: Windows 10, 1909, Version 10.0.18363.836 Windows 10, 2004, Version 10.0.19628.1 Windows Security App Icon First thing you will notice Read More …

How to create your Defender ATP Admin Audit Log Dashboard

Posted onLeave a comment

Hello everyone, In today’s blogpost I will walk you through the process of creating an admin audit log dashboard for Defender Advanced Threat Protection. During my past customer engagements, I was often asked if there is a way to show device actions taken by Defender ATP admins. The answer is yes, this is possible. First the information is available through the Defender ATP API, second the information is also stored within the Windows event log Read More …

How to deploy your jump host in Azure

Posted onLeave a comment

Due to the current CODV 19 pandemic, governments are urging their citizens to stay at home. For many people this means finding alternative ways to continue their work from home. This article is primarily aimed at IT administrators or IT consultants who do not have an existing solution in place and who are looking for a simple but secure solution to access their IT infrastructure remotely. When saying existing solutions, I’m referring to remote access Read More …

User Spam & Phish Submissions configuration in Office 365 – Part 1

Posted on3 Comments

Yesterday I noticed a tweet from @Pawp81 about a new feature being rolled out in Office 365 to configure user submissions. So, let’s have a look at this. When enabling the ‘Report Message’ add-in in Office 365, users can report misclassified email, whether safe or malicious, to Microsoft and its affiliates for analysis. Until now IT admins had to deploy the ‘Report Message’ add-in to their end users by configuring the centralized add-in deployment within Read More …

Microsoft Threat Protection – Using advanced hunting to see what’s going on with your mail

Posted onLeave a comment

Last December Microsoft introduced Microsoft Threat Protection (MTP) including advanced hunting that allows us to run queries across multiple data sources i.e. Microsoft Defender ATP and Office 365 ATP. If you haven’t heard yet about MTP I recommend reading Christian Müller’s blog post Microsoft Threat Protection – unified hunting Now while the primary purpose of the unified hunting capability is to find information about indicators and entities, we can also use it to get an Read More …