Overview & Use Case
The field of Endpoint forensics seeks to help investigators reconstruct what happened during an endpoint intrusion. Did an attacker break in because of a missing definition / signature / policy / setting or a configuration, and if so, how? What havoc did the attacker wreak after breaking in? Tools that help investigators answer these types of questions are still quite primitive and are often hindered by incomplete or incorrect information. Analyzing Endpoints Forensics - Azure Sentinel Connector can enable more-powerful forensic analysis through techniques such as streaming a computer’s EPP (Endpoint Protection) health status, policies, settings, and configuration in addition to IoT vulnerable assets, data events & vulnerabilities.
Devices (IT/OT) health state and security configurations policies and settings (Microsoft Defender for Endpoint & Azure Defender for IoT) are critical to SOC team helping them to address the following use cases:
Step(1): Prep, App Registration & Azure Defender for IoT Key
Step(2): Microsoft Devices Forensics Custom Connector
Step(3): Microsoft Devices Forensics Workbook & Hunting
Notes & Consideration
Get started today!
We encourage you to try it now!
You can also contribute new connectors, workbooks, analytics and more in Azure Sentinel. Get started now by joining the Azure Sentinel Threat Hunters GitHub community.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.