Microsoft Security Experts Blog

Enhancing Threat Hunting with Microsoft Defender Experts Plugin

Zophar, Microsoft
Nov 14, 2024

A new addition to Copilot for Security - Proactive threat hunting across your entire organization

In today's rapidly evolving digital landscape, cybersecurity threats are becoming increasingly sophisticated, requiring organizations to adopt proactive measures to safeguard their assets. Recognizing this need, Microsoft has introduced the Defender Experts Plugin—a powerful addition to Copilot for Security’s GitHub. This plugin is designed to elevate your cybersecurity defenses by integrating proactive threat hunting capabilities across your entire organization, including Office 365, cloud applications, and identity platforms. 

What is Defender Experts for Hunting? 

Defender Experts for Hunting is a specialized managed service from Microsoft that provides proactive, human-led threat hunting across a broad range of organizational environments. Unlike automated detection, this service involves active threat hunting by Microsoft’s seasoned security experts, who analyze activities across endpoints, cloud applications, email, and identity platforms. Defender Experts for Hunting focuses on detecting advanced threats and human adversary behaviors, particularly those involving sophisticated or “hands-on-keyboard” attacks, and provides organizations with detailed alerts, expert guidance, and remediation recommendations. 

Overview of the Plugin 

Microsoft’s Defender Experts Plugin is a comprehensive threat hunting tool that expands traditional security boundaries. It goes beyond endpoints to investigate Office 365, cloud applications, and identity platforms, where Microsoft’s seasoned security professionals build detections for suspicious activities. The plugin specializes in tracking sophisticated threats, especially those posed by human adversaries and hands-on-keyboard attacks. The plugin is skills-based: each skill is a KQL Advanced Hunting Query (AHQ) that scans Defender tables for risky behaviors and suspicious activities, with support for tables such as CloudAppEvents, EmailEvents, EmailAttachmentInfo, and AADSignIn. These queries are not a one-off, as Defender Experts will continue to contribute to the plugin in line with our normal research efforts.

Some of the threat detection “skills” included in this plugin are: 

  • Suspicious Use of AzureHound: Flags potentially unauthorized data gathering using AzureHound on devices. 
  • Reconnaissance Activity Using Network Logs: Detects reconnaissance behavior by analyzing network logs and identifying specific command-line activity. 
  • Cobalt Strike DNS Beaconing: Detects suspicious DNS queries associated with Cobalt Strike beacons. 
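The skills above are hunting queries run against Defender tables. To make the detection idea behind a DNS beaconing hunt concrete, here is an added, self-contained example in Python; it is not code from the plugin or from Defender Experts, and it does not reproduce their AHQs. It assumes DNS query records reduced to three fields (timestamp, device name, queried name) and a constructed sample set with one host looking up ever-changing subdomains of a single domain at a fixed cadence, a legitimate updater that also checks in on a schedule, and ordinary bursty browsing. The detector groups queries by device and registered domain, measures the spacing between lookups, and flags a near-constant cadence; the allowlist shows how a known periodic client is kept out of the results.

```python
"""Periodicity-based DNS beaconing hunt over constructed sample events."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import statistics


@dataclass(frozen=True)
class DnsEvent:
    # Minimal shape of a DNS query record (timestamp, device, queried name),
    # mirroring the few columns a hunting query would project. Assumed layout.
    timestamp: datetime
    device: str
    query: str


def registered_domain(name: str) -> str:
    """Collapse a queried name to its last two labels (naive eTLD+1, no public-suffix list)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def find_beacons(events, *, min_queries=8, min_interval_s=10.0,
                 max_jitter=0.2, allowlist=frozenset()):
    """Flag (device, domain) pairs whose DNS queries arrive at a near-constant cadence.

    For each pair: sort timestamps, compute inter-query gaps, take the median gap as
    the candidate beacon interval and the median absolute deviation as its jitter.
    Enough queries with a low jitter/interval ratio produce a finding.
    """
    grouped = defaultdict(list)
    subdomains = defaultdict(set)
    for ev in events:
        key = (ev.device, registered_domain(ev.query))
        grouped[key].append(ev.timestamp)
        subdomains[key].add(ev.query)

    findings = []
    for (device, domain), stamps in grouped.items():
        if domain in allowlist or len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median_gap = statistics.median(gaps)
        if median_gap < min_interval_s:
            continue  # bursts of lookups from normal browsing, not a cadence
        mad = statistics.median(abs(g - median_gap) for g in gaps)
        jitter = mad / median_gap
        if jitter <= max_jitter:
            findings.append({
                "device": device,
                "domain": domain,
                "queries": len(stamps),
                "unique_subdomains": len(subdomains[(device, domain)]),
                "median_interval_s": median_gap,
                "jitter": round(jitter, 3),
            })
    return sorted(findings, key=lambda f: (f["device"], f["domain"]))


def build_sample_events():
    """Constructed sample data: one beaconing host, one scheduled updater, normal browsing."""
    base = datetime(2024, 11, 14, 9, 0, 0)
    events = []
    # Periodic lookups of ever-changing subdomains under one domain (~60 s cadence, small jitter).
    for i in range(12):
        events.append(DnsEvent(base + timedelta(seconds=60 * i + (i % 3) * 2),
                               "WS01", f"{i:04x}a1.example-beacon.test"))
    # Legitimate software updater checking in every 5 minutes: same cadence signature.
    for i in range(10):
        events.append(DnsEvent(base + timedelta(seconds=300 * i), "WS01", "updates.example.org"))
    # Ordinary browsing: bursty, irregular lookups.
    for off in (0, 5, 7, 300, 305, 900, 2000, 2001, 2010, 3600):
        events.append(DnsEvent(base + timedelta(seconds=off), "WS01", "www.example.com"))
    return events


SAMPLE_EVENTS = build_sample_events()
KNOWN_PERIODIC = frozenset({"example.org"})  # constructed allowlist of scheduled clients

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_EVENTS, allowlist=KNOWN_PERIODIC):
        print(finding)
```

Without the allowlist the updater is reported alongside the beaconing host, which is the expected false positive for any cadence-based hunt; in practice the allowlist (or a join against a software inventory) is what keeps the result list reviewable, and the count of distinct subdomains is a useful second signal when triaging what remains.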

By leveraging Microsoft’s Defender Experts Plugin, organizations can benefit from the deep expertise and proactive approach of Microsoft’s security researchers. This tool ensures that potential threats are not only identified but also thoroughly investigated and addressed with the eventual addition of Promptbooks, thus enhancing the overall security posture of the organization.  

Furthermore, the integration of the Defender Experts Plugin with Copilot for Security’s GitHub allows for seamless collaboration and information sharing among the greater security community. 

Step-by-Step Guided Walkthrough 

Getting started with the Defender Experts Security Copilot Plugin is straightforward: 

1 - Download the Defender Experts plugin (YAML) from GitHub. 

2 - Access Security Copilot.

3 - In the bottom-left corner, click the Plugins icon. 

4 - Under Custom upload, select Upload plugin. 

5 - Upload the Defender Experts Plugin. 

6 - Click Add to finalize. 

7 - Find the plugin under Custom. 

8 - Your installation will now include specialized prompts in Defender Experts, with skills tailored for effective collaboration with Copilot for Security’s capabilities. 

Conclusion 

The Defender Experts Plugin is a vital addition to any organization’s cybersecurity arsenal. By incorporating proactive threat hunting and leveraging the expertise of Microsoft’s security analysts, this plugin helps organizations to stay ahead of potential threats and maintain a robust security posture. Embrace this powerful tool and take your cybersecurity defenses to the next level. Let’s get started securing your environment with Defender Experts for Hunting! 

If you’re interested in learning more about our Defender Experts services, visit the following resources: 

Updated Dec 12, 2024
Version 6.0
  • john66571 (Brass Contributor)

    I'm curious about this. It costs about nothing to run a threat hunt query for this (in NRT or even in live feed) in Sentinel. Running this query in Security for Copilot cost me about 1.47-3.6$ - that's running it once and depending on resources I had access to (one being global reader/reader on all Azure resources). And this price is just for the queries themselves. How is this just? (From what I can see there is no new "detection" happening unless the LLM used is trained specifically for patterns that the already existing queries/hunts are not able to detect? If so, that would be the bigger news in itself!) The query in Sentinel (if logs are ingested) required the user to have less access (least privileged) and was quicker, even cost less - therefore also much more secure due to boundaries. Unless we can move under the threshold of existing tooling - this is not viable, just rather something that looks cool?