Ninja Cat Giveaway: Episode 7 | Defender for Identity and Defender for Endpoint: Better to together

In a previous role, we had numerous alerts flowing into Sentinel from both MDE and MDI. Based on severity, my investigation start with the MDI alerts regarding Pass the hash attacks occurring multiple times, indicating lateral movement on the clients servers. Through MDI investigations we were able to identify the initial device, which was a windows 10 endpoint being monitored through MDE, which tied back to the MDE alerts we originally saw. Thanks to the capabilities within MDE and MDI, we were able to identify the compromised endpoints, servers, and identities in an efficient manner and respond accordingly, to include leveraging Indicators of Compromise to block the files that originated the attack, and identify the vulnerabilities that allowed for the lateral movement once the attacker had access so we could take the appropriate actions with the client to better secure their environment.