Threat Hunting – SEC-LABS R&D

Take actions from Threat Hunting in M365 Defender

SEC-LABS R&D 2022-03-26 0 Comments

We wrote a blog post earlier about the news in threat hunting

New features in Advanced Hunting – Microsoft 365 Defender – SEC-LABS R&D

Another feature in hunting, which will speed up responses from a threat hunting scenario is Take Action

When selecting a record in the result, the Take Action button will be visible as seen in below picture

So instead of just creating a new incident or adding events to an existing incident we can take actions from the hunting experience.

In the Take actions experience we have actions grouped by Devices, Files and Users.

The action options available is dependent on the data in the result. For instance, file information like checksum is required to being able to quarantine a file.

When clicking Next we can see the target selected and click Next

We can add a Remediation name and Description for our action

This feature enables a rapid response at the fingertips of the threat hunters for immediate actions

For further information, please visit

https://docs.microsoft.com/en-us/microsoft-365/security/defender/advanced-hunting-take-action?view=o365-worldwide

Happy Hunting!

Sec-Labs Team

Detect, Respond, Security

Advanced Hunting, Isolate device, M365D, Microsoft 365 Defender, Threat Hunting

Becoming a Sentinel Notebooks Ninja – training links

SEC-LABS R&D 2021-09-09 0 Comments

Do you want to learn more about Sentinel Notebooks (built on Jupyter Notebooks)? Microsoft have released a set of trainings to skill up in the area

Notebooks can be useful for cross tenant hunting and also cross product and multiple data sources if needed.

They can also be interactive in terms of a manual playbook with steps mixed with queries and graphs which would make it easy to follow through.

Part 1: Azure Sentinel notebook ninja – the series! (microsoft.com)
Part 2: How to get started with notebooks and tour of the features
Part 3: Overview of the pre-built notebooks and how to use them
Part 3.5: Using Code Snippets to build your own Sentinel Notebooks
Part 4: How to create your own notebooks from scratch and how to customize the existing ones

Sorry for the short blog post, but this one is about sharing content

Happy Hunting!

Detect, Security

Jupyter, Notebooks, Sentinel, Threat Hunting

Use kusto to breakdown time stamps

SEC-LABS R&D 2021-03-28 0 Comments

Some times you might want to split the time stamp of an event into smaller pieces, like month, day, hour etc.

For instance, you might want to see if you have more alerts during some specific hours of the day or if anyone is using RDP in the middle of the night.

To achieve this we use the function datetime_part which can split the time stamp to the following parts

Year
Quarter
Month
week_of_year
Day
DayOfYear
Hour
Minute
Second
Millisecond
Microsecond
Nanosecond

This data could, of course, be used to further analysis and joined with other events.

//Sample query
AlertInfo
| extend alerthour = datetime_part("hour", Timestamp)
| summarize count() by alerthour, DetectionSource
| sort by alerthour asc
| render areachart

For further reading about Kusto datetime_part, please visit
https://docs.microsoft.com/en-us/azure/data-explorer/kusto/query/datetime-partfunction

#HappyHunting

Detect

Kusto, Microsoft365Defender, Threat Hunting

Tag Archive: Threat Hunting

Take actions from Threat Hunting in M365 Defender

Becoming a Sentinel Notebooks Ninja – training links

Use kusto to breakdown time stamps