THE VIRTUAL NINJA SHOW SEASON 4 RECAP

Microsoft

Did you miss any of the Ninja Show this season? Not to worry! We have assembled a synopsis of each episode highlighting the central focus points established in our discussions.

(However, reading the main points is never as good as the real thing... Watch any episode on demand here!)

 

Overview: Episodes 1-5 of this season were part of our first mini-series! Focused on incident response cases, experts from several teams across the Microsoft 365 Defender suite shared their knowledge regarding incident investigations as well as the critical tools and capabilities available to help improve defense in any organization. Episodes 6-8 shifted gears and included content about Microsoft Defender for Cloud Apps, Near real-time custom detection rules in M365D, and new Microsoft Teams protections! 

 

Ep 1: Oren Saban kicked off our Incident Response series by sharing IR investigation capabilities in Microsoft 365 Defender. We introduce how to best use the attack story view in the Defender portal, dive into the benefits of alert insights, and provide a guided walkthrough of a specific incident investigation that demonstrates how to pivot on affected entities to confirm nothing is being missed – with a special segment unveiling the updated File Content page (coming soon)!  

Ep 2: Michael Melone shifts us into an IR investigation of malware. Here we learn the ABCs (and D!) of IR – a simple approach to managing malware incidents effectively. Through Michael’s demo you will also find updated advanced hunting capabilities in Microsoft 365 Defender and get to know the process of connecting alerts to primary incidents, creating a comprehensive view of an attack.

 

Ep 3: Pawel Partyka unveils the impacts of business email compromise incidents (cyberattacks with financial fraud motivation) through an in-depth attack investigation. Takeaways we found critical were:  

  • Understanding the complexities of AiTM (adversary in the middle) phishing
  • Identifying the various connections of an attack story through the threat factors uncovered in the Microsoft 365 Defender portal
  • Using the Recommended actions tab in Microsoft 365 Defender to help prevent damage to your assets

Pawel’s demo walks through each step of the process extremely diligently.

 

Ep 4 & 5: Corina Feuerstein wraps up our IR focus with a two-part investigation of a ransomware incident. Part 1 defines human-operated ransomware and the numerous phases of impact on an organization. Using a multi-stage incident generated by Microsoft 365 Defender, she shares how attackers use automation and shows how automated attack disruption defends at an even faster speed - enabling isolation tactics that prevent attackers from gaining a larger foothold within the enterprise. We also follow a ransomware playbook to assist during the containment and incident response phase of the attack, showing how to investigate step-by-step, verify the attack is disrupted, and prevent future risks.

 

Part 2 continues our ransomware investigation using advanced hunting KQL queries. We dig into the behaviors and processes of the attack, learn the benefit of adding indicator markers, and make note of the tagging capability to review and connect future incidents. Key takeaways also include learning about remediation procedures, prevention tactics, and professional recommendations to improve security posture. 

 

Ep 6: Keith Fleming brings us out of incident investigations and explains the latest updates in Microsoft Defender for Cloud Apps! He first shares the 4 simple steps to deploy this product in your environment to confidently secure your applications and protect your data. Then, our conversation leads into a demonstration of:  

  • Connecting SaaS applications to Defender for Cloud Apps and receiving additional insights from these connections
  • Exploring the Activity Log, where you can take part in advanced hunting without KQL expertise!
  • Enabling the Defender for Endpoint connection and gaining rich insights without the use of a proxy

There are so many more valuable resources shared throughout this episode, only matching the constant progress happening in the Defender for Cloud Apps world.  

Ep 7: Microsoft 365 Defender launched near real-time (NRT) custom detection rules and Christos Ventouris expertly dives into the benefits of this public preview feature. Watch this episode to learn:  

  • What custom detection rules are 
  • How you can create and modify them to your needs using advanced hunting queries  
  • The positive impact these near real-time rulesets have when it comes to mitigating threats in your organization as quickly as possible

Ep 8: Closing out our fourth season are Senior Product Managers Malvika Balaraj and Daniel Mozes! They unveil an added layer of security within the Defender for Office suite, covering collaboration and security within Microsoft Teams. Topics of focus are the new features Defender for Office 365 brings to Microsoft Teams. We learn how Microsoft 365 Defender blocks and removes malicious links or files from Teams or SharePoint, and about the self-reporting capability for files that may be a security risk - allowing a more proactive approach to preventing phishing attacks by educating users on basic security measures.

 

Et voilà! The end of another great season. We are extremely grateful to have the opportunity to help minimize learning gaps in the Microsoft Security community through the Virtual Ninja Show – but please help us keep it relevant to your needs! Add a comment including any topics you would like to see us bring forth next season so we can deliver what is helpful to you.

 

Until next time, ninjas!  
