Discover and read the best of Twitter Threads about #MDE

Most recent (7)

Thread incoming:
I just sat on a roundtable with @IASME1 (and @NCSC) on upcoming '23 changes to #CyberEssentials.
I have lost *all* confidence that they know what they're doing, what requirements they're setting, or the impact on implementing associated technologies.
1/9
Example: One of #Windows365's key use cases is the quick onboarding of staff and enabling a secure, managed desktop before a user gets, or possibly instead of, a corporate device. Access can be secured via CA & MFA enforced. This could mean accessing via a "BYOD" device.
2/9
As far as they're concerned, W365 is a Cloud Service, so in scope (fine), but access to this from BYOD would _also_ be in scope (not fine).
This means that either: You can *only* access W365 from an existing corp device, OR you're forced to manage someone's PERSONAL PC!
3/9
Read 9 tweets
New #KQL queries.

1. Detect Executable Files in C:\Users\Public*
2. ASR Executable Office Content
3. Hunt for AsyncRAT Initial Access
4. C2 IP Intel Feed
5. C2 Domain Intel Feed

For queries see below! Happy hunting! 🏹

#MDE #Sentinel
github.com/Bert-JanP/Hunt…
1. Based on the tweet from @malmoeb and research from @Mandiant, identify rare executables in the C:\Users\Public\* folders.

github.com/Bert-JanP/Hunt…

2. github.com/Bert-JanP/Hunt…
Read 3 tweets
Tip 3 - Network Protection is important for Defender for Endpoint. With the use of Network Protection malicious sites and added indicators can be blocked. There are some important points which are commonly forgotten/misconfigured for Windows.

👇

1/6

#30daysofm365d #MDE
Network Protection in itself is independent of MDE. The relationship between NP and MDE is the Custom Indicators feature, C2 detection capability, WCF reporting, and some additional events. For Network Protection it is required to have Defender AV in active mode.

2/6
Configuration is possible with the use of Intune, GPO, PowerShell and other supported methods. Accepted configurations: Audit/Block/Disabled. Only block mode blocks the connection. For NP, AV must be enabled with CP/RTP.

Some important info for the configuration.

3/6
Read 6 tweets
In the last months, I have collected some awesome new #KQL sources, and this 🧵 lists them.
Are you using Defender for Endpoint, Sentinel or Intune, or do you want to learn KQL? Then have a look!
#MDE #Sentinel #Intune #Detection #ThreatHunting
Type: Query
By: @msftsecurity
Link: github.com/Azure/Azure-Se…
Community-based repository for a lot of available data sources in Sentinel. For the E5 detections take a look in the Microsoft 365 Defender Folder.
Type: Query
By: @reprise_99
Link: github.com/reprise99/Sent…
Repository with 100s of KQL queries you can directly use. They are categorized into different Microsoft product categories. You are guaranteed to find useful queries here.
Read 14 tweets
MDE thread: Part 4A of the MDE series is online, focusing on AV baselines and policies.

Policy configuration is important. A small thread of 8 Defender Antivirus config tips that are often not applied or underrated.

Blog: jeffreyappel.nl/microsoft-defe…

#MDE
Tip 1: Enable Cloud Protection, Sample Submission, and the cloud block timeout period to get all MDE features enabled. Always use one of the options for sending samples to Microsoft. Never use "Do not send", which disables the complete feature.
Tip 2: Enable Network Protection in block mode to block custom indicators and C2 infrastructure attacks. Did you know Windows Servers require additional configuration to get NP enabled?
Read 9 tweets
Are you using any of the Microsoft Security products and/or #Sentinel? Then this thread is for you! The best resources for #KQL Advanced Hunting Queries or Analytics rules in my opinion.
#MDE #ThreatHunting #Detection #DFIR
github.com/reprise99/Sent… by @reprise_99. Awesome source! With the #365daysofkql series a lot of useful queries have been added. The queries are categorized by the different Microsoft products.
github.com/Azure/Azure-Se… by @msftsecurity. A lot of KQL queries can be found here, all of which are categorised on the basis of @MITREattack tactics.
Read 8 tweets