Author Archives: m365guy

Incident Response in a Microsoft cloud environment

Microsoft's Detection and Response Team (DART) recently shared a PowerShell module that they use in their IR engagements, so I thought it would be great to blog about it. I've previously blogged about IR in Azure AD, but today I want to extend it further. This blog post includes more details compared to my previous blog posts, regarding


Start having visibility into service accounts with Defender for Identity

Defender for Identity is a cloud-based security solution that leverages on-premises Active Directory signals to identify and detect threats. It monitors Domain Controllers by capturing their network traffic and combining it with Windows event logs to analyze the data for attacks that might occur on a network. Once the Defender for Identity sensor has been installed on all the Domain


Incident Response Series: Reviewing data in Azure AD for investigation

In my previous blog post, I blogged about collecting logs in Azure AD and how we could use the exported logs for analysis. Today, I want to focus on reviewing the relevant data to perform further investigation in a compromised environment. A successful investigation requires understanding adversaries and their behaviors. It is a balance between understanding how they operate, so


Guided hunting notebook: Use Jupyter notebooks with Microsoft 365 Defender

Microsoft 365 Defender has a feature called 'Advanced Hunting', which is a query-based hunting tool that allows you to explore up to 30 days of raw data. This allows threat hunters to analyze data across different domains such as identities, endpoints, cloud apps, email, and documents. While using the Advanced Hunting feature in the portal is great.
