Discover and read the best of Twitter Threads about #MDE
Most recents (7)
Thread incoming:
I just sat on a roundtable with @IASME1 (and @NCSC) on upcoming '23 changes to #CyberEssentials.
I have lost *all* confidence that they know what they're doing, what requirements they're setting, or the impact on implementing associated technologies.
1/9
I just sat on a roundtable with @IASME1 (and @NCSC) on upcoming '23 changes to #CyberEssentials.
I have lost *all* confidence that they know what they're doing, what requirements they're setting, or the impact on implementing associated technologies.
1/9
Example: One of #Windows365's key use cases is the quick onboarding of staff and enabling a secure, managed desktop before a user gets, or possibly instead of a corporate device. Access can be secured via CA & MFA enforced. This could mean accessing via a "BYOD" device.
2/9
2/9
As far as they're concerned, W365 is a Cloud Service, so in scope (fine), but access to this from BYOD would _also_ be in scope (not fine).
This means that either: You can *only* access W365 from an existing corp device, OR you're forced to manage someone's PERSONAL PC!
3/9
This means that either: You can *only* access W365 from an existing corp device, OR you're forced to manage someone's PERSONAL PC!
3/9
New #KQL queries.
1. Detect Executable Files in C:\Users\Public*
2. ASR Executable Office Content
3. Hunt for AsyncRAT Initial Access
4. C2 IP Intel Feed
5. C2 Domain Intel Feed
For queries see below! Happy hunting! 🏹
#MDE #Sentinel
github.com/Bert-JanP/Hunt…
1. Detect Executable Files in C:\Users\Public*
2. ASR Executable Office Content
3. Hunt for AsyncRAT Initial Access
4. C2 IP Intel Feed
5. C2 Domain Intel Feed
For queries see below! Happy hunting! 🏹
#MDE #Sentinel
github.com/Bert-JanP/Hunt…
1. Based on the tweet from @malmoeb and research from @Mandiant, identify rare executables in the C:\Users\Public\* folders.
github.com/Bert-JanP/Hunt…
2. github.com/Bert-JanP/Hunt…
github.com/Bert-JanP/Hunt…
2. github.com/Bert-JanP/Hunt…
Tip 3 - Network Protection is important for Defender for Endpoint. With the use of Network Protection malicious sites and added indicators can be blocked. There are some important points which are commonly forgotten/ misconfigured for Windows.
👇
1/6
#30daysofm365d #MDE
👇
1/6
#30daysofm365d #MDE
Network Protection in itself is independent of MDE. The relationship between NP and MDE is the Custom Indicators features,C2-detection capability, WCF reporting, and some additional events. For Network Protection it is required to have Defender AV in active mode.
2/6
2/6
Configuration is possible with the use of Intune, GPO, PowerShell and other supported methods. Accepted configurations; Audit/ Block/ Disabled. Only block mode blocks the connection. For NP AV must be enabled with CP/RTP.
Some important info for the configuration.
3/6
Some important info for the configuration.
3/6
In the last months, I have collected some awesome new #KQL sources, and this 🧵lists them.
Are you using Defender For Endpoint, Sentinel, Intune or do you want to learn KQL then have a look!
#MDE #Sentinel #Intune #Detection #ThreatHunting
Are you using Defender For Endpoint, Sentinel, Intune or do you want to learn KQL then have a look!
#MDE #Sentinel #Intune #Detection #ThreatHunting
Type: Query
By: @msftsecurity
Link: github.com/Azure/Azure-Se…
Community-based repository for a lot of available data sources in Sentinel. For the E5 detections take a look in the Microsoft 365 Defender Folder.
By: @msftsecurity
Link: github.com/Azure/Azure-Se…
Community-based repository for a lot of available data sources in Sentinel. For the E5 detections take a look in the Microsoft 365 Defender Folder.
Type: Query
By: @reprise_99
Link: github.com/reprise99/Sent…
Repository with 100s of KQL queries you can directly use. They are categorized into different Microsoft product categories. You are guaranteed to find useful queries here.
By: @reprise_99
Link: github.com/reprise99/Sent…
Repository with 100s of KQL queries you can directly use. They are categorized into different Microsoft product categories. You are guaranteed to find useful queries here.
MDE thread: Part 4A of the MDE series is online. Focussing on; AV baselines and policies.
Policy configuration is important. A small thread of 8 Defender Antivirus config tips that are often not applied or underrated.
Blog; jeffreyappel.nl/microsoft-defe…
#MDE
Policy configuration is important. A small thread of 8 Defender Antivirus config tips that are often not applied or underrated.
Blog; jeffreyappel.nl/microsoft-defe…
#MDE
Tip 1: Enable Cloud Protection, Sample Submission, and cloud block timeout period for getting all MDE features enabled. Always use one of the options for sending samples to Microsoft. Never use "Do not send" which is disabling the complete feature.
Tip 2: Enable Network Protection in block mode for block custom indicators and block C2 infrastructure attacks. Did you know Windows Servers require additional configuration for getting NP enabled?
Are you using any of the Microsoft Security products and/or #Sentinel? Then this thread is for you! The best resources for #KQL Advanced Hunting Queries or Analytics rules in my opinion.
#MDE #ThreatHunting #Detection #DFIR
#MDE #ThreatHunting #Detection #DFIR
github.com/reprise99/Sent… by @reprise_99. Awsome source! With the #365daysofkql series a lot of useful queries have been added. The queries are categorized by the different Microsoft products.
github.com/Azure/Azure-Se… by @msftsecurity. A lot of KQL queries can be found here, all of which are categorised on the basis of @MITREattack tactics.
