TL;DR — I’ve created a Microsoft Threat Protection advanced hunting Jupyter notebook and shared it on my GitHub repository: https://github.com/maartengoet/notebooks/blob/master/mtp_hunting.ipynb

Microsoft Threat Protection

Microsoft Threat Protection unifies pre- and post-breach enterprise defenses and natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection…


Wortell Enterprise Security

Microsoft’s Defender ATP has been a big success. The EDR-based solution for endpoints is taking the market by storm and organizations are often using the renewal dates of their current solution to move to Microsoft’s E5 licensing package to enjoy the benefits of behavioral endpoint analysis and protection.

While Microsoft…


Recently, Microsoft announced the general availability of Microsoft Threat Protection (MTP). The new over-arching solution combines signals from Microsoft Defender ATP (endpoints), Office 365 ATP (email), Azure ATP (identity) and Microsoft Cloud App Security (apps) into one central portal.

Microsoft Threat Protection can automatically block attacks and eliminate their persistence…


Organizations can use so-called threat intelligence feeds to purchase lists of IP addresses of potentially malicious actors. Commercial parties like FireEye offer them at steep prices, but you could also look at freely available ones, for instance through MISP.

These lists consist of millions of IP addresses where at…


Yesterday, Microsoft released a security update for Windows that includes a fix for a dangerous bug that would allow an attacker to spoof a certificate, making it look like it came from a trusted source.

The vulnerability (CVE-2020-0601) was reported to Microsoft by the NSA. The root cause of…


I’ve been publicly speaking at various tech conferences around the world since 2006, first at local conferences such as Microsoft TechNet Live (~100 visitors), and in recent years I’ve been fortunate to have the opportunity to speak at flagship events such as Microsoft Ignite (~26,000 visitors).

Some speaking opportunities you…


Microsoft is touting that they are offering machine learning as part of Azure Sentinel, something they call Azure Sentinel FUSION. I’ve written about it before here, and since general availability of Azure Sentinel it is enabled by default.

You could easily be tricked into thinking that FUSION is marketing bingo…


You’ve successfully deployed Azure Sentinel and are collecting data and using it for monitoring and hunting purposes. …


Over the past few weeks we’ve seen immense interest in Azure Sentinel. Companies, big and small, are looking at Azure Sentinel for multiple reasons, for instance being burned out from running their own complex SIEM infrastructure, or the easy integration with Azure and Office 365 data that Sentinel provides.

We’ve been…


Jupyter is a great platform for threat hunting, where you can work with data in context and natively connect to Azure Sentinel using Kqlmagic, but adding Visual Studio Code to the mix gives you even more superpowers!

When working with Visual Studio Code and Jupyter you get intellisense, debugging, a…

Maarten Goet

Microsoft MVP and Microsoft Regional Director.
