RT by @SwiftOnSecurity: 🚀 New in Microsoft Defender for Office 365

Security teams can now trigger key email remediation actions—Submit to Microsoft, Add to allow/block list, and Initiate automated investigation—directly from the Advanced Hunting interface.

No policy changes needed. Enabled by default since Nov 10, 2025.

Streamlined threat response, powered by your queries.

#MicrosoftDefender #AdvancedHunting #CyberSecurity #incidentresponse

๐Ÿฆ๐Ÿ”—: https://nitter.oksocial.net/0x534c/status/1988608813323411545#m

[2025/11/12 14:04]

Thought I'd start sharing some advanced hunting queries I run in Defender as part of my role.
I run the below when I need to figure out if any of the password spray attempts were successful.
I'll comment the 1st summarize statement and uncomment the 2nd while I filter out error codes.
When I get down to what I want to see I'll revert back and investigate individual sign in logs further to see what might be the cause of the error (e.g. excessive MFA prompt expiry on interactive logins).
I look out for an abnormally high count of a certain error against a user.
#KQL #Defender #AdvancedHunting #InfoSec

AADSignInEventsBeta
// ConditionalAccessStatus 0 == success, 1 == failure and 2 == Not applied
// ConditionalAccessStatus 2, is expected for "bootstrap" scenarios in non-interactive sign-ins (some successful logins will show even if they would fail on CA policies, e.g. geo fencing)
// use https://login.microsoftonline.com/error to lookup error codes
|where AccountUpn contains "@PeterDodemont"
|where Country == "AU"
|where ErrorCode != "0" // successful login
|where ConditionalAccessStatus != "0"
|where ErrorCode != "70043" and ErrorCode != "700082" // expired token
|where ErrorCode != "50076" and ErrorCode != "50074" // MFA required
|where ErrorCode != "700084" // SPA token expired
|where ErrorCode != "70044" // Session Timeout
|summarize Count = count(), take_any (UserAgent,ClientAppUsed) by AccountUPN = tolower(AccountUpn),Country,LogonType,ConditionalAccessStatus,ErrorCode
//|summarize Count = count(), take_any (UserAgent,ClientAppUsed) by Country,LogonType,ConditionalAccessStatus,ErrorCode
|sort by Count desc

📢 New blog out!

💡 If you isolate an endpoint during IR, you probably don't have time to notify stakeholders like the help desk that might be reached out for troubleshooting by the user. This logic app is based on #KQL and identifies the isolation action, adds a tag for your #DefenderXDR portal and sends an email.

#MicrosoftSecurity #MicrosoftSentinel #MicrosoftDefender #LogicApps #MicrosoftAutomation #Automation #AdvancedHunting

https://www.michalos.net/2024/02/20/isolated-an-endpoint-automate-tag-adding-and-notifications/

Isolated an Endpoint? Automate tag adding and notifications

If you are part of a big organization, you might need to reach out to some colleagues and teams, in case you isolate an endpoint. An end user will probably reach out to your help desk in order to i…

Michalis Michalos
Investigating initial access in compromised email accounts using Microsoft 365 Defender

Introduction Fortra recently released a report indicating that business email compromise (BEC) attacks are at their zenith. Why not? As ENISA mentions in its 2022 Threat Landscape Report, financial…

Michalis Michalos

Stay ahead in the world of cybersecurity with the latest advancements in network protection! 🛡️ Microsoft Defender for Endpoint is continuously evolving to provide comprehensive security for your network environment.

๐Ÿ” New Signatures for SSL, DNS, and NTLM Protocols

We're excited to announce that we've added new signatures for SSL, DNS, and NTLM protocols. These signatures enhance our ability to detect and respond to potential threats, bolstering your network's defense against evolving cyberattacks.

🚨 Deprecation of "NetworkSignaturesInspected" Signatures

Starting July 18, 2023, we will be deprecating a subset of signatures found in the "NetworkSignaturesInspected" action type of Advanced Hunting. Our integration with Zeek has led to more comprehensive network visibility, allowing us to consolidate signatures and provide you with a more streamlined experience.

🚀 Zeek Integration Unleashes New Capabilities

Our integration with Zeek has revolutionized network threat detection. With Zeek's advanced protocol parsing capabilities, we now offer enhanced visibility into network sessions, enabling us to identify anomalies and threats more effectively. This empowers you to take proactive measures against potential breaches.

🔗 Expanded Query Possibilities

The Zeek integration brings a wealth of opportunities for advanced hunting. From HTTP and SSH connections to ICMP and SSL sessions, you can now execute more intricate queries to uncover potential vulnerabilities and malicious activities.

💡 Actionable Insights from Protocol Data

Whether it's identifying suspicious user agents, detecting file downloads from HTTP, or even spotting potential ping scans, our advanced hunting examples showcase the power of Zeek-based events in uncovering threats that might go unnoticed.

๐ŸŒ Leveraging SSL and DNS Insights

Our SslConnectionInspected and DnsConnectionInspected action types provide detailed information about SSL and DNS connections, both inbound and outbound. These insights allow you to monitor network activity and identify potential risks associated with these protocols.

🔒 Securing NTLM Traffic

The introduction of the NtlmAuthenticationInspected action type allows you to track NTLM authentication events on managed endpoints. This invaluable data aids in monitoring and securing NTLM traffic, ensuring a strong defense against unauthorized access.

Stay vigilant and up-to-date with these enhancements to Microsoft Defender for Endpoint. By harnessing the power of Zeek integration and these advanced action types, you're empowered to defend your network against even the most sophisticated threats.

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/enrich-your-advanced-hunting-experience-using-network-layer/ba-p/3794693

#Cybersecurity #NetworkProtection #MicrosoftDefender #AdvancedHunting #ThreatDetection #zeek #edr #xdr #microsoft #azure #cloud #cloudnative

Enrich your advanced hunting experience using network layer signals from Zeek

Expand your investigation, hunting, and detection capabilities using a variety of Zeek-based events in advanced hunting.


Discovering internet-facing devices using Microsoft Defender for Endpoint

MDE is expanding device discovery capabilities through our existing network telemetry and RiskIQ integration.

Find out how to discover your internet-facing devices through Microsoft 365 Defender portal and Advanced Hunting.

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/discovering-internet-facing-devices-using-microsoft-defender-for/ba-p/3778975

#mde #edr #xdr #discovery #easm #riskiq #microsoftsecurity #microsoft365defender #advancedhunting #hunting #kql #soc #securityplatform #secops #network #discovery #microsoft #cloudsecurity


Last year, we announced the evolution of the device inventory view in Microsoft Defender for Endpoint. The revamped device inventory view gave SOC analysts visibility into all discovered devices, counts and functional features (such as, search) that enhanced the overall user experience. To build on ...

So #zeek is officially part of #Defender now, I found the files on a few computers. But, to my major disappointment, you can't interact with the logs at all. Not that I'm finding, at least. I was hoping that I could export the logs into #Rita or #ACHunter but it's looking like I'll still have to install zeek a second time for that to happen. I can't even find the zeek logs in #AdvancedHunting...

Who has been clicking on Windows tray notifications & what's the url? #Defender #AdvancedHunting #malvertising

DeviceProcessEvents
| where FileName in~ ("msedge.exe","chrome.exe") and ProcessCommandLine has ("--notification-launch-id")
| extend u=tostring(split(ProcessCommandLine,"|",4)[0])
| where u startswith "http"
| distinct u,AccountUpn,DeviceName,FileName,DeviceId