We’re excited to announce the Microsoft Incident Response Ninja Hub. This page compiles the guides and resources that the Microsoft Incident Response team has published on incident response planning, threat hunting, attacker tradecraft, case studies, compromise recovery, and more. Many of these pieces were developed in collaboration with partners across Microsoft Security, giving a view into how the Microsoft Security ecosystem relies on cross-team collaboration to protect customers.
This page will be continually updated as the team develops and publishes more resources, so be sure to bookmark our Ninja Hub and stay up to date: https://aka.ms/MicrosoftIRNinjaHub
Incident Response (IR) best practices for security teams and leaders
- Navigating the Maze of Incident Response: Microsoft IR guide shares best practices for security teams and leaders
- Creating a proactive incident response plan | How to boost your incident response readiness
- The art and science behind Microsoft threat hunting: Part 1
- The art and science behind Microsoft threat hunting: Part 2
- The art and science behind Microsoft threat hunting: Part 3
- Microsoft Security tips to reduce risk in mergers and acquisitions
Deep dives and threat hunting guides
- One-page guides
- Cloud hunting and Microsoft Entra
- Threat hunting with Microsoft Graph activity logs
- Hunting for MFA manipulations in Entra ID tenants using KQL
- Hunting in Azure subscriptions
- Good UAL Hunting
- Investigating malicious OAuth applications using the Unified Audit Log
- Forensic artifacts in Office 365 and where to find them
- Follow the Breadcrumbs with Microsoft IR & MDI: Working Together to Fight Identity-based Attacks
- How to investigate service provider trust chains in the cloud
- Techniques for threat hunting
Attacker tactics, techniques, and procedures explained
- Proactive Measures: Safeguarding Against Vulnerable Driver Attacks with Effective Monitoring and Prevention Strategies
- Defenders beware: A case for post-ransomware investigations
- Token tactics: How to prevent, detect, and respond to cloud token theft
- Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign
- Guidance for investigating attacks using CVE-2023-23397
- Protect against CVE-2019-0708: BlueKeep
- IIS modules: The evolution of web shells and how to detect them
- Web shell attacks continue to rise
- Ghost in the shell: Investigating web shell attacks
- Tarrask malware uses scheduled tasks for defense evasion
Case studies
- Cyberattack Series
- Advanced Persistent Threats (APTs) and named Threat Actor groups
- Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction
- A guide to combatting human-operated ransomware: Part 1
- A guide to combatting human-operated ransomware: Part 2
- MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone
- Destructive malware targeting Ukrainian organizations
- DEV-0537 criminal actor targeting organizations for data exfiltration and destruction
- Ransomware and case studies
Lessons from the field and compromise recovery how-to
- Compromise recovery
- Lessons from the field on securing your cloud
- Total Identity Compromise: Microsoft Incident Response lessons on securing Active Directory
- Microsoft Incident Response lessons on preventing cloud identity compromise
- Protect your business from password sprays with Microsoft DART recommendations
- Microsoft Incident Response tips for managing a mass password reset
- Effective strategies and technical recommendations for conducting Mass Password Resets during cybersecurity incidents
- How Microsoft Incident Response and Microsoft Defender for Identity work together
- A "quick wins" approach to securing Azure Active Directory and Office 365 and improving your security posture
- Using Microsoft Security APIs for Incident Response - Part 1
- Using Microsoft Security APIs for Incident Response - Part 2
- Microsoft Office 365—Do you have a false sense of cloud security?
- Lessons from the field on ransomware response
Long-form resources and books
- Microsoft Defender for Endpoint in Depth: Take any organization's endpoint security to the next level
- The Definitive Guide to KQL: Using Kusto Query Language for operations, defending, and threat hunting (1st Edition)
Learn more about the Microsoft Incident Response team
- DART: the Microsoft cybersecurity team we hope you never meet
- How the Microsoft Incident Response team helps customers remediate threats
- Microsoft Incident Response Retainer is generally available
- An integrated incident response solution with Microsoft and PwC
To stay up to date, follow blogs published to the Security Experts Tech Community Blog and to Microsoft Security Blog.