TL;DR — I’ve created a Microsoft Threat Protection advanced hunting Jupyter notebook and shared it on my GitHub repository: https://github.com/maartengoet/notebooks/blob/master/mtp_hunting.ipynb
Microsoft Threat Protection
Microsoft Threat Protection unifies pre- and post-breach enterprise defenses and natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
It combines the power of Microsoft Defender ATP, Azure AD Identity Protection, Microsoft Cloud App Security and Office 365 ATP. If you have 2 or more of these products in your environment, try out MTP by going to https://security.microsoft.com
Microsoft Threat Protection features a built-in Advanced Hunting capability, much like the one in Microsoft Defender ATP. …
Microsoft’s Defender ATP has been a big success. The EDR-based solution for endpoints is taking the market by storm and organizations are often using the renewal dates of their current solution to move to Microsoft’s E5 licensing package to enjoy the benefits of behavioral endpoint analysis and protection.
While Microsoft did release a macOS agent last year, the real gap in the portfolio was Linux-based protection. As more than 50% of workloads on Azure are Linux-based, and growing, there is a real need for the same EDR-based functionality on those operating systems.
At the annual RSA conference in California, Microsoft released a public preview of MDATP for Linux, along with announcing Microsoft Defender for iOS and Android later this year. I had a chance to try MDATP on Ubuntu; read on to see what I found out. …
Recently, Microsoft announced the general availability of Microsoft Threat Protection (MTP). The new over-arching solution combines signals from Microsoft Defender ATP (endpoints), Office 365 ATP (email), Azure ATP (identity) and Microsoft Cloud App Security (apps) into one central portal.
Microsoft Threat Protection can automatically block attacks and eliminate their persistence to keep them from starting again, prioritize incidents for investigation and response, auto-heal assets and provide cross-domain hunting.
Because the modern kill chain is evolving, there is a clear need to unify these signals and be able to see the bigger picture as threats are happening. …
Organizations can use so-called Threat Intelligence feeds to purchase lists of IP addresses of potentially malicious actors. Commercial parties like FireEye offer them at steep prices, but you could also look at freely available ones through, for instance, MISP.
These lists consist of millions of IP addresses that at one point in time were assumed to be in use by an adversary. However, often within 72 hours an IP address is no longer relevant, because the criminal has moved on to another IP address.
Due to the large number of IP addresses it certainly feels like using a ‘hail cannon’, while at conferences such as Black Hat it has already been proven that these feeds contain less than 3% usable information. …
Yesterday, Microsoft released a security update for Windows which includes a fix for a dangerous bug that would allow an attacker to spoof a certificate, making it look like it came from a trusted source.
The vulnerability (CVE-2020-0601) was reported to Microsoft by the NSA. The root cause of this vulnerability is a flawed implementation of Elliptic Curve Cryptography (ECC) within Microsoft’s code.
Tal Be’ery, Microsoft’s security research manager, wrote an article explaining the root cause of the vulnerability using a Load Bearing analogy. You can find that here.
Watching the logs
Windows has a function, CveEventWrite, for publishing an event when an attempted exploit of a security vulnerability is detected in a user-mode application. To my knowledge, the fix for CVE-2020-0601 is the first code to call this API. …
I’ve been publicly speaking at various tech conferences around the world since 2006. First at local conferences such as Microsoft Technet Live (~100 visitors), and in recent years I’ve been fortunate to have had the opportunity to speak at flagship events such as Microsoft Ignite (~26.000 visitors).
Some speaking opportunities you apply for: you fill in a Call for Sessions/Papers form and wait for the result to come in. Other opportunities come to you: the conference organizers know you and your work and ask you to speak.
If you apply for a CfS/CfP, the organizers often ask for your previous speaking experience and proof of it, for instance a link to a video of a recent conference session. It helps them judge who can deliver a good presentation, as delivery is often half or more of how people perceive and rate a session. …
Microsoft is touting that they are offering machine learning as part of Azure Sentinel, something they call Azure Sentinel FUSION. I’ve written about it before here, and since the general availability of Azure Sentinel it is enabled by default.
You could easily be tricked into thinking that FUSION is marketing bingo, but nothing could be further from the truth: there are real machine learning models that help you in real-world situations. One of the first that became available is named the “Advanced Multistage Detection”. …
You’ve successfully deployed Azure Sentinel and are collecting data and using it for monitoring and hunting purposes. Soon after, your company’s privacy officer or auditor points out that both the law (for instance: GDPR & AVG) and the company’s requirements don’t allow all admins to have access all the time to all of that personally identifiable data.
You need to come up with a solution to design access to Azure Sentinel in a way that the SecOps people can work with the alerts, the SIEM admins can create/modify rules, and that hunters can sift through all the data to find what they are looking for. How should you do that? …
Over the past few weeks we’ve seen immense interest in Azure Sentinel. Companies, big and small, are looking at Azure Sentinel for multiple reasons, for instance: being burned out from running their own complex SIEM infrastructures, the easy integration with Azure and Office 365 data that Sentinel provides, etc.
We’ve been fortunate to assist these customers with proofs of concept, pilots, trials or even the first pre-production environments. Based on this work we’ve built up quite a bit of field experience and it’s time we start contributing back :-)
Say hello to our open-source PowerShell module called AzSentinel.
Over the past few days our team at Wortell Enterprise Security has created a PowerShell module called AzSentinel. The goal is to provide programmatic access to Azure Sentinel. One of the first things we wanted to get done is to work with Azure Sentinel ‘rules’. …
Jupyter is a great platform for threat hunting where you can work with data in-context and natively connect to Azure Sentinel using Kqlmagic, but adding Visual Studio Code to the mix will give you even more superpowers!
When working with Visual Studio Code and Jupyter you get IntelliSense, debugging, a variable and data explorer, and live sharing, making the life of security analysts a bit easier. In this blog I’ll show you how.
Threat Hunting with Python, Jupyter and Kusto
Jupyter Notebook, formerly called IPython, is an open-source application that allows you to create and share documents that contain live code, equations, visualizations and narrative text through markdown. It is already broadly used in cybersecurity for threat hunting, and has support for lots of programming languages such as R, Python, etc. …