Forum Discussion
HeikeRitter Microsoft
Microsoft
Mar 23, 2023 | Ninja Cat Giveaway: Episode 7 | Defender for Identity and Defender for Endpoint: Better together
For this episode, your opportunity to win a plush ninja cat is the following -
Tell us about an alert that started either from Defender for Endpoint or Defender for Identity and what additional inf...
miller34mike
Apr 11, 2023 | Iron Contributor
In a previous role, we had numerous alerts flowing into Sentinel from both MDE and MDI. Based on severity, my investigation started with the MDI alerts regarding Pass-the-Hash attacks occurring multiple times, indicating lateral movement on the client's servers. Through MDI investigations we were able to identify the initial device, which was a Windows 10 endpoint being monitored through MDE, which tied back to the MDE alerts we originally saw. Thanks to the capabilities within MDE and MDI, we were able to identify the compromised endpoints, servers, and identities in an efficient manner and respond accordingly, including leveraging Indicators of Compromise to block the files that originated the attack, and identify the vulnerabilities that allowed for the lateral movement once the attacker had access, so we could take the appropriate actions with the client to better secure their environment.