Michalis Michalos

SecOps, DFIR & Threat Intelligence

Tag: kusto query language

  • Operationalizing MITRE ATT&CK with Microsoft Security (Part 2)

    Operationalizing MITRE ATT&CK with Microsoft Security (Part 2)

    It has been some time since Part 1 of this blog has been posted, you may find it here. First part, focused mainly on the benefits and how to operationalize MITRE ATT&CK at Microsoft Defender XDR while this blog will focus on Microsoft Sentinel. Table of contents Part 2: Microsoft Sentinel Analytics The first, and…

  • Isolated an Endpoint? Automate tag adding and notifications

    Isolated an Endpoint? Automate tag adding and notifications

    If you are part of a big organization, you might need to reach out to some colleagues and teams, in case you isolate an endpoint. An end user will probably reach out to your help desk in order to identify if there is an issue with her/his endpoint. Hence, you may want to spare some…

  • Harnessing threat intelligence using externaldata operator

    Harnessing threat intelligence using externaldata operator

    Having a Threat Intelligence Platform (TIP) to maintain Indicators of Compromise (IoCs) is somewhat a standard these days. However, not all organizations use a TIP such as MISP, but this shouldn’t prevent anyone from using threat intelligence feeds for hunting, especially when it comes to Microsoft Defender XDR. Table of Contents What are threat intelligence…

  • Detecting RMM tools using Microsoft Defender for Endpoint

    Detecting RMM tools using Microsoft Defender for Endpoint

    Introduction It’s no secret that Remote Monitoring and Management (RMM) software is being used by Threat Actors (TAs) for lateral movement and to establish command and control (C2). The Cybersecurity and Infrastructure Security Agency (CISA), National Security Agency (NSA), and Multi-State Information Sharing and Analysis Center (MS-ISAC), released a joint Cybersecurity Advisory (CSA), highlighting the…

  • Investigating initial access in compromised email accounts using Microsoft 365 Defender

    Investigating initial access in compromised email accounts using Microsoft 365 Defender

    Introduction Fortra recently released a report indicating that business email compromise (BEC) attacks are at their zenith. Why not? As ENISA mentions in its 2022 Threat Landscape Report, financially motivated threat actors find it far more easier to perform a Man-in-The-Middle (MiTM) through an account take over rather than preparing and conducting sophisticated malware attacks…

  • The absolute beginner’s guide for hunting with KQL

    The absolute beginner’s guide for hunting with KQL

    Building queries for Microsoft 365 Defender or Microsoft Sentinel could be challenging, especially when there are complex requirements which obligate mazelike table data. Be that as it may, it is important to keep a set of simple queries handy to be used immediately in case threat hunting or detecting is required to take place. As…