Defender ATP Advanced hunting with TI from URLhaus

Hello everyone, in today’s article we are going to take look at how we can use Threat Intelligence (TI) data from URLhaus with Microsoft Defender ATP advanced hunting. URLhaus URLhaus is a project from abuse.ch with the goal of sharing malicious URLs that are being used for malware distribution. https://urlhaus.abuse.ch/ The project provides several ways to find and retrieve information about malware URLs. You can browse the URL database interactively through https://urlhaus.abuse.ch/browse/ You can also Read More …

Microsoft Defender Advanced Threat Protection – Respond Actions Events

Hey there, to be honest I had some difficulties to find the right title for todays blog post, so if you are still wondering here’s what this is all about. I had a customer asking me “how can we see what MDATP Respond actions were taken on a particular machine both from a Console and client perspective?“. At the time of writing this blog post we have the following machine response actions that trigger a Read More …

Windows Defender, More than just Antivirus – Part 2

In the previous post I provided an overview of the history of Windows Defender and an overview of the various features that have the name Windows Defender in them. When then looked at Windows Defender SmartScreen and Windows Defender Cloud based protection. Today I’d like to continue with my notes from the field and personal experiences and take a look at Windows Defender Exploit guard. Again, the objective of this blog post is to inspire Read More …

Microsoft Defender ATP Advanced Hunting – Who’s logging on with local admin rights?

Note: I have updated the kql queries below, but the screenshots itself still refer to the previous (old) schema names If you’re among those administrators that use Microsoft Defender Advanced Threat Protection, here’s a handy tip how to find out who’s logging on with local administrators’ rights. But first when would you want to run this? Well here are some scenarios I can think of: You want to find users that have local administrator rights Read More …

Managing Role Based Access (RBAC) for Microsoft Defender Advanced Threat Protection

I spend quite some time during the week travelling to and from customers, to make the best use of travel time, I usually read blogs and tweets or take online trainings to keep myself up to date about whatever interests me. Yesterday I noticed a tweet from someone regarding MDATP Portal access “Security Administrator can’t be assigned to staff in my org. It’s too powerful.” Maybe not everyone is aware of the RBAC capabilities in Read More …