MDATP |

Tag Archives: MDATP

MDE Hunting 101

Posted on March 27, 2022 by Jan Geisbauer One comment

People that start working with Defender for Endpoint (MDE) often ask the question “where should I start when I see an alert in MDE?”. There is lot of valuable information available in the portal to help judge if an alert is a real incident or a false positive. Additionally, you can query the raw telemetry via KQL. But there is still lot of room for interpretation. So, what should you do to get started? And what is even more important: how do I keep the overview?

Main Articles

MDATP 💙 THOR

Posted on June 17, 2020 by Jan Geisbauer Leave a comment

THOR CLOUD is a useful extension for forensic analysis after MDATP threw some alerts. In this post, I take a quick look at it.

Garage Articles

Hide and Seek

Posted on May 28, 2020 by Jan Geisbauer Leave a comment

In this article, I give you an example of how malware is hiding through packer techniques to prevent getting caught on your systems. For that, I have recorded a small ‘adventure’ for you that I took last night.

Main Articles

Deep Dive: Forensics via MDATP Live Response

Posted on April 7, 2020 by Jan Geisbauer Leave a comment

In this post, I am digging deep into hidden possibilities with MDATP Live Response.

Main Articles

Block it.

Posted on January 27, 2020 by Jan Geisbauer 10 comments

There have been times, were there was no answer, when the question was raised: “how can I block access to certain internet domains in the modern workplace scenario?” – Those times are over.

Main Articles

Go, hack yourself! – Ignite 2019 Edition

Posted on November 21, 2019 by Jan Geisbauer Leave a comment

In spring 2019 I have written a post on how you can hack yourself to better understand the Microsoft Tools that help you defend modern attacks. Since then, several month and one MS Ignite have been past, in other words: things have changed.

Main Articles

MDATP: talking to the User

Posted on October 16, 2019 by Jan Geisbauer 4 comments

Sometimes isolating or blocking user actions (like downloads) is too restrictive – instead you just want to warn or ‘educate’ him. At the same time, I don’t know too many ITpros that enjoy talking to their end-users (I think we all should, but this is another story). Today we will look into a flow-automation of Microsoft Defender Advanced Threat Protection (MDATP) alerts.

Main Articles

Microsoft Defender ATP Streaming API

Posted on July 23, 2019 by Jan Geisbauer 2 comments

In the past, we could consume the MDATP API ‘on demand’ (pull) by PowerShell for example.

We could even do advanced hunting queries via the API.

However, pulling the data out of MDATP might bring in some delay in one or the other scenario and the information from the advanced hunting results are limited to the last 30 days.

With the brand new ‘Streaming API’, Microsoft is offering a new approach to make data from MDATP available outside of the portal.