SANS Threat Hunting Summit – Link list

Thank you for attending our session at Sans Threat Hunting & IR Summit in London.

Here are some resources as promised during our session which may help.

Threat Hunting

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-overview

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-query-language

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-schema-reference

https://docs.microsoft.com/en-us/microsoft-365/security/mtp/hunting

https://blog.sec-labs.com/2018/06/threat-hunting-with-windows-defender-atp/

https://blog.sec-labs.com/2019/10/hunting-for-minint-security-audit-block-in-registry/

https://blog.sec-labs.com/2019/07/hunt-for-nuget-squirrel-update/

Power Automate / Logic Apps

https://docs.microsoft.com/en-us/cloud-app-security/flow-integration

https://docs.microsoft.com/en-us/power-automate/

https://docs.microsoft.com/en-us/azure/logic-apps/

https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-create-api-app

Azure Automation:

https://docs.microsoft.com/en-us/azure/automation/automation-dsc-overview

https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker

https://docs.microsoft.com/en-us/azure/automation/shared-resources/credentials

Configuration

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/best-practices-for-configuring-eop

https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/modern-authentication/turn-on-modern-auth

https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices

https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score

Auditing and Logs

https://support.microsoft.com/en-gb/help/4026501/office-auditing-in-office-365-for-admins

https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing

Investigation

https://github.com/OfficeDev/O365-InvestigationTooling

https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/automated-investigation-response-office

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/automated-investigations

https://docs.microsoft.com/en-us/cloud-app-security/investigate-risky-oauth

https://docs.microsoft.com/en-us/cloud-app-security/manage-app-permissions

API

https://docs.microsoft.com/en-us/office/office-365-management-api/office-365-management-apis-overview

https://docs.microsoft.com/en-us/cloud-app-security/investigate-activities-api

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/apis-intro

https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0

Free Training resources

https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch

Happy Hunting!

follow us on twitter @mattiasborg82 and @stefanschorling