Mar 23 2023 08:59 AM
For this episode, your opportunity to win a plush ninja cat is the following -
Tell us about an alert that started either from Defender for Endpoint or Defender for Identity and what additional information from the other product (Defender for Endpoint or Defender for Identity) helped you get more details about that alert?
Or share your favorite KQL query with tables from both products.
This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.
Mar 23 2023 09:10 AM
my favourite alert to see is the Suspicious activity - for Atypical Travel. I absolutely love the ability to drill down and track all of the activity of that specific user (device, location, IP, previous log-ins) that led to the alert being flagged as high risk. @HeikeRitter
Mar 23 2023 11:12 AM - edited Mar 23 2023 11:13 AM
@HeikeRitter I think a good example of the MSDI and MSDE integration is when you can see an Incident that has an alert or activity such as a suspicious login event, and then go into the user's page and get a detailed breakdown of the user's threat exposure, as well as any endpoints that user is associated with. You can then assess the user's threat level, dive deep into any active automatic investigations, and lock down the user (via AD or AAD or both), the devices that may have been compromised, or both, depending on the threat and activity.
Mar 24 2023 12:37 AM
It is really good to see how we can integrate these two amazing tools, MDE and MDI, and get all the information about users' activities, specifically suspicious activities, and how we can monitor these suspicious activities and alerts to keep us informed and take action on the compromised user's account. It is a very useful and comprehensive video to understand the use of both services and how the integration between them works. I love to use the KQL suggested queries and community queries, like Command and Control, Lateral Movement and Privilege Escalation. Thanks for sharing @HeikeRitter
Mar 24 2023 03:30 AM
@HeikeRitter I would like to say that I have a favourite, but for me it is just getting alerts and knowing that most of the time Defender for Endpoint takes care of business by itself.
@HeikeRitter The experience I want to describe comes from using Defender for Cloud Apps through the enrichment of alerts by Defender for Identity and Defender for Endpoint. Having fun with the product, I created a policy that was able to identify the massive download of data by a user on vacation, who accessed the system from an unusual location after several failed sign-ins [Defender for Identity] from a device not managed by the organization and with an outdated browser [Defender for Endpoint]. The integration of the two products with each other allowed the in-depth study of the case, which otherwise would have been limited to a medium severity alert in the DFCA.
It was fun!
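An advanced hunting query of the kind the thread asks for and the post above describes (accounts with a burst of failed sign-ins followed by a success, checked against whether the source device is onboarded to Defender for Endpoint), written here as an added example and not taken from any poster or from Microsoft's own query library. It assumes the standard `IdentityLogonEvents` (Defender for Identity) and `DeviceInfo` (Defender for Endpoint) schemas; the lookback window and failure threshold are constructed values to tune for your tenant.

```kql
// Added example, not from the thread. Correlates MDI sign-in telemetry with MDE device
// inventory: repeated failed logons, then a success, from a device MDE does not know about.
let lookback = 7d;              // constructed: how far back to hunt
let failedThreshold = 5;        // constructed: failed logons before we care
let failures =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    | summarize FailedCount = count(),
                FirstFailure = min(Timestamp),
                LastFailure = max(Timestamp),
                SourceIPs = make_set(IPAddress, 10)
              by AccountUpn, DeviceName
    | where FailedCount >= failedThreshold;
let successes =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonSuccess"
    | project AccountUpn, DeviceName, SuccessTime = Timestamp,
              SuccessIP = IPAddress, Location;
// Latest MDE inventory record per onboarded device; a device missing here is unmanaged.
let onboarded =
    DeviceInfo
    | where Timestamp > ago(30d)
    | where OnboardingStatus == "Onboarded"
    | summarize arg_max(Timestamp, OSPlatform, ExposureLevel) by DeviceName;
failures
| join kind=inner successes on AccountUpn, DeviceName
| where SuccessTime > LastFailure          // success came after the failure burst
| join kind=leftouter onboarded on DeviceName
| extend ManagedByMDE = isnotempty(OSPlatform)
| project AccountUpn, DeviceName, FailedCount, FirstFailure, LastFailure,
          SuccessTime, SuccessIP, Location, SourceIPs, ManagedByMDE, ExposureLevel
| order by ManagedByMDE asc, FailedCount desc
```

Rows with `ManagedByMDE == false` are the ones matching the scenario in the post; pivoting from `AccountUpn` to the user page in the portal then gives the MDI and MDE context the thread discusses.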