1 Proactive hunting
Not all threat scenarios begin with an alert
- Proactive and iterative search for threats
- The power of knowing the network
2 Enrich existing information
- Understand the impact of existing alerts
- Get more information on entities and IOCs
3 Datasets
Emails (Defender for Office)
- Email transactions, including post-delivery
- Email attachments and URLs
Identities (Defender for Identities, Defender for Cloud Apps)
- Logons, Active Directory queries
- All activities against Active Directory monitored by MDI (preview)
Cloud applications (Defender for Cloud Apps)
Endpoints (Defender for Endpoint)
- Existing advanced hunting data from MDE
4 Custom detections
Build your own rule based on advanced hunting query
- Across different datasets
- Choose impacted entities
- Choose automatic remediation actions
Custom detections can be
- Environment-specific threats (high value assets, unique data)
- Lower threshold for specific type of threats
- Unique attack techniques
Detection frequencies are available for
- Near real time (NRT), 1 hour, 3 hours, 12 hours, 24 hours
Detection rule & Permission
- Manage security settings in the Security Center – MDE role
- Authorization and settings / Security setting – Unified RBAC
- Security administrator, Security operator – AAD role
Query in builder:
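As an added example (not a query from the deck or from Microsoft), the kind of cross-dataset advanced hunting query a custom detection can be built on: it correlates Defender for Office email attachment data with Defender for Endpoint file events and returns the Timestamp, ReportId and entity columns (DeviceId, account, mailbox) that a custom detection rule needs to identify impacted entities and drive remediation actions. Table and column names are the public advanced hunting schema; the 7-day lookback and the "delivered attachment later written to disk" scenario are assumptions for illustration.

```kql
// Added example: attachment delivered by email whose SHA256 later appears
// as a file created on a managed endpoint (post-delivery correlation).
let lookback = 7d;
let delivered_attachments =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA256)
    // Keep only messages that actually reached the mailbox
    | join kind=inner (
        EmailEvents
        | where Timestamp > ago(lookback)
        | where DeliveryAction == "Delivered"
        | project NetworkMessageId, Subject, DeliveryAction
      ) on NetworkMessageId
    | project EmailTime = Timestamp, NetworkMessageId, SenderFromAddress,
              RecipientEmailAddress, Subject, AttachmentName = FileName, SHA256;
DeviceFileEvents
| where Timestamp > ago(lookback)
| where ActionType == "FileCreated"
// Same hash seen on disk as was delivered by email
| join kind=inner delivered_attachments on SHA256
| where Timestamp >= EmailTime   // file appeared after the message was delivered
// Columns required by a custom detection rule: Timestamp, ReportId and an
// entity identifier (DeviceId); the rest enrich the resulting alert
| project Timestamp, ReportId, DeviceId, DeviceName,
          InitiatingProcessAccountUpn, FolderPath, FileName, SHA256,
          EmailTime, NetworkMessageId, RecipientEmailAddress,
          SenderFromAddress, Subject, AttachmentName
```

When saved as a custom detection, DeviceId and InitiatingProcessAccountUpn can be selected as the impacted device and user, and RecipientEmailAddress as the impacted mailbox, so that automatic remediation actions (for example isolating the device or quarantining the file) target the right entities.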
5 Hunt in Microsoft 365 Defender without KQL!
Guided mode in Advanced Hunting
- Hunt data without writing KQL or functions
Easy-to-hunt activities across the data domain
- Endpoints, Emails, Applications and Identities
- Conditions such as OR, AND, Subgroups
Flexibly shift to hunting modes
- Switching from Guided mode to Advanced mode
6 More advanced hunting features
Save and share queries
Take actions from hunting
Go hunt
Documentation
Profile enrichments
- Files, Identities, IPs, etc.
Threat Vulnerability Management
1 Discover
Periodic scanning
Blind spots
No run-time info
“Static snapshot”
2 Prioritize
Based on severity
Missing org context
No threat view
Large threat reports
3 Remediate
Waiting for a patch
No IT/Security bridge
Manual process
No validation
1 Continuous Discovery
Extensive vulnerability assessment across the entire stack
Broad secure configuration assessment
2 Threat & Business Prioritization (“TLV”)
Helping customers focus on the right things at the right time
Threat Landscape
- Vulnerability characteristics (CVSS score, days vulnerable)
- Exploit characteristics (public exploit & difficulty, bundle)
- EDR security alerts (Active alerts, breach history)
- Threat analytics (live campaigns, threat actors)
Breach Likelihood
- Current security posture
- Internet facing
- Exploit attempts in the org
Business Value
- HVA analysis (WIP, HVU, critical process)
- Run-time & Dependency analysis
3 Remediation Requests/Tickets
Bridging between the IT and Security admins
Game changing bridge between IT and Security teams
- 1-click remediation requests via Intune
- Automated task monitoring via run-time analysis
- Tracking Mean-time-to-mitigate KPIs
- Rich exception experience to mitigate/accept risk
- Ticket management integration (Intune, Planner, Service Now, JIRA)
Device Discovery
Threat Analytics
API Explorer
- Explore various Microsoft Defender for Endpoint APIs interactively
Integrated compliance assessment
- Track apps that integrate with the Microsoft Defender for Endpoint platform in your organization
Data Export API
- Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your storage account
Mac
Linux
Android & iOS
From EDR to XDR
From EDR to XDR – Microsoft 365 Defender
• Incidents
• Automated Investigation & Response
• Attack Disruption
• Microsoft 365 Defender APIs
• Microsoft Sentinel Integration
Extended Detection and Response (XDR) is a SaaS-based, vendor-specific security threat detection and incident response tool that natively integrates multiple security products into a cohesive security operations system that unifies all licensed components. – from Gartner
Microsoft Sentinel: visibility across your entire organization
Microsoft 365 Defender: Secure your end users
- Endpoints – Microsoft Defender for Endpoint
- Email & Docs – Microsoft Defender for Office 365
- Apps & Cloud Apps – Microsoft Defender for Cloud Apps
- Identities – Microsoft Defender for Identity & AAD Identity Protection
Microsoft Defender for Cloud: Secure your infrastructure
- Servers
- Containers
- Databases
- Storage
- Cloud Service Layer
- IoT
XDR actions in response to an attack
What should we look into once there is an alert or incident?
Here are some sample answers for those questions:
List the attack chain and the users' action steps:
References
Advanced Hunting
- Learn the query language
- Advanced hunting schema reference
- Webinar series, episode 1: KQL fundamentals (MP4, YouTube)
- Webinar series, episode 2: Joins (MP4, YouTube)
- Webinar series, episode 3: Summarizing, pivoting, and visualizing Data (MP4, YouTube)
- Webinar series, episode 4: Let’s hunt! Applying KQL to incident tracking (MP4, YouTube)
- Hunting for reconnaissance activities using LDAP search filters
- Pluralsight KQL training