Microsoft 365 Defender connector for Azure Sentinel in public preview

A new connector for Microsoft 365 Defender is in public preview in Azure Sentinel. This connector makes it possible to ingest the hunting data into Sentinel

Currently, the Defender for Endpoint Data is available

To enable

• Go to you Azure Sentinel Instance and select Connectors
• Search for Microsoft 365 Defender

• Click Open Connector Page
• Select which Events you want to ingest

• Click Apply Changes

Example queries

//Registry events
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "DefaultPassword"
| where RegistryKey has @"SOFTWAREMicrosoftWindows NTCurrentVersionWinlogon"
| project Timestamp, DeviceName, RegistryKey
| top 100 by Timestamp

//Process and Network events
union DeviceProcessEvents, DeviceNetworkEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any("WebClient",
"DownloadFile",
"DownloadData",
"DownloadString",
"WebRequest",
"Shellcode",
"http",
"https")
| project Timestamp, DeviceName, InitiatingProcessFileName,
InitiatingProcessCommandLine,
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType

If we look at the tables we can see the new created tables

More information about the data in these tables is available in this post https://blog.sec-labs.com/2018/06/threat-hunting-with-windows-defender-atp/

For further reading:

• Azure Sentinel https://docs.microsoft.com/sv-se/azure/sentinel
• Microsoft 365 Defender https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-threat-protection