A new connector for Microsoft 365 Defender is in public preview in Azure Sentinel. This connector makes it possible to ingest the advanced hunting data into Sentinel.
Currently, only the Defender for Endpoint data is available.
Go to your Azure Sentinel instance and select Connectors
Search for Microsoft 365 Defender
Click Open Connector Page
Select which Events you want to ingest
Click Apply Changes
//Registry events: cleartext autologon password written under Winlogon
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "DefaultPassword"
| where RegistryKey has @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
| project Timestamp, DeviceName, RegistryKey
| top 100 by Timestamp
//Process and Network events
union DeviceProcessEvents, DeviceNetworkEvents
| where Timestamp > ago(7d)
// DeviceNetworkEvents has no FileName/ProcessCommandLine columns, only the InitiatingProcess* ones,
// so without this the next filter silently drops every network row
| extend FileName = coalesce(FileName, InitiatingProcessFileName),
         ProcessCommandLine = coalesce(ProcessCommandLine, InitiatingProcessCommandLine)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
// download cradles via System.Net.WebClient
| where ProcessCommandLine has_any("WebClient")
| project Timestamp, DeviceName, InitiatingProcessFileName,
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
If we look at the tables in the workspace, we can see the newly created tables.
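The Winlogon query above only looks at DefaultPassword. As an added example (not a query from the original post), the same hunt widened to the other autologon values and run against the Sentinel copy of DeviceRegistryEvents, with the writing process and account summarized per device. It assumes the connector has already populated DeviceRegistryEvents in the workspace; it filters on TimeGenerated, which every Log Analytics table has, instead of the advanced hunting Timestamp column.

```kql
// Added example, not from the original post: Winlogon autologon hunt on the Sentinel
// copy of DeviceRegistryEvents. Assumes the Microsoft 365 Defender connector has
// populated the table; TimeGenerated is used because every Log Analytics table has it.
let lookback = 7d;
let winlogonKey = @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon";
DeviceRegistryEvents
| where TimeGenerated > ago(lookback)
| where ActionType == "RegistryValueSet"
| where RegistryKey has winlogonKey
// DefaultPassword is the cleartext secret; AutoAdminLogon and DefaultUserName complete the setup
| where RegistryValueName in~ ("DefaultPassword", "AutoAdminLogon", "DefaultUserName")
| summarize
    ValuesSet    = make_set(RegistryValueName),
    FirstSeen    = min(TimeGenerated),
    LastSeen     = max(TimeGenerated),
    Writers      = make_set(InitiatingProcessFileName),
    CommandLines = make_set(InitiatingProcessCommandLine),
    Accounts     = make_set(InitiatingProcessAccountName)
    by DeviceId, DeviceName
// both DefaultPassword and AutoAdminLogon written on one device means autologon is fully configured
| extend AutologonConfigured = set_has_element(ValuesSet, "DefaultPassword")
                           and set_has_element(ValuesSet, "AutoAdminLogon")
| order by AutologonConfigured desc, LastSeen desc
```

The query deliberately does not project RegistryValueData: for DefaultPassword that column holds the cleartext password, and anyone with read access to the workspace would see it in the results. Tune by excluding your own imaging or deployment tooling on InitiatingProcessFileName before turning this into an analytic rule.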
One thing we usually discuss with customers is the workload. Everyone has too much to do and it can sometimes be difficult to prioritize investigations. Especially now, where you might be short on staff, and the Covid-19 virus can strike at the SOC organization or reduce the number of available people. But this does not only apply during the world crisis of Covid-19. Automation is also a help in the normal day to day work. There are benefits of being able to automate responses, and we have these discussions with many customers.
Automatic self-healing is built into Defender ATP and mimics the ideal steps a human would take to investigate and remediate organizational assets impacted by a cyber threat. This is done using 20 built-in investigation playbooks and 10 remediation actions. The benefits: investigate and remediate all alerts automatically, at the speed of automation; free up critical resources to work on strategic initiatives; drive down the cost per investigation and remediation; automate away manual, repetitive tasks; fast remediation eliminates downtime; and you maximize the value of your protection suite and people, with a quick configuration and you are up and running.
SecOps Investigation (Manual)
Typically it will take some time from the alert being triggered until someone has the time to start looking at it. Manual work also requires more resources for review and approval for each action. From a SecOps perspective, an initial response involves information gathering: where did the file originate from? Based on our results, we will decide the remediation steps (if we do not follow a playbook here, the catch is that the result will differ depending on who makes the decision). The remediation will include connecting remotely or manually collecting the device, and then launching tools for the remediation process.
Automatic response with Auto IR
Auto IR gives the ability to respond quickly, which avoids additional damage and compromise of additional devices when attackers start moving laterally in the environment. It is a 24/7 buddy who assists the SOC staff to remediate threats, so the human staff can focus on other things.
MDATP is sending telemetry data to the MDATP cloud.
The MDATP cloud continuously analyzes the data to detect threats.
Once a threat is identified, an alert is raised.
The alert kicks off a new automated investigation.
The AIRS component asks the Sense client to start SenseIR.
SenseIR is then orchestrated by AIRS on what action should be executed (collection/remediation).
Based on the data collected from the machine (current and historical), AIRS decides what actions should be taken.
For every threat identified, AIRS will automatically analyze the best course of action and tailor a dedicated surgical remediation action to be executed using on-device components (e.g. Windows Defender Antivirus).
The playbook is executed.
The “suspicious host” playbook is just an example of a “catch all” playbook that is applied after the detailed AutoIR investigation of the evidence raised by alerts/incidents, to ensure that nothing is missed. The data it works with includes the process list (main image, loaded modules, handles, suspicious memory), created files (x minutes before/after the alert), the Security Graph ecosystem (DaaS, AVaaS, TI, TA, detection engine, ML) and TI indicators for the allow/block list. Remediation is done by leveraging OS components (e.g. Defender Antivirus) to perform the remediation (prebuilt into the system, low level actions (driver), tried and tested), plus actions for other methods (Reg, Link files, etc.).