
Cyber for all

Stay informed, stay secure, and stay one step ahead of adversaries with KQL

Investigating ClickFix Incidents

With ClickFix being one of the most popular delivery methods for malware, infostealers and state-sponsored hackers, it is time to share a blog on investigating these incidents using Defender For Endpoint. In ClickFix campaigns a fake (captcha) message is displayed that prompts users to validate that they are human. The 'validation' executes a malicious command through the Windows Run dialog (Windows + R). The topics discussed in this blog:

- Initial Compromise
- The Incident
- Device Timeline
- ClickFix Triage Query
- Next Steps
- Detection Possibilities

Initial Compromise

In the simulated ClickFix scenario the user John Davis visited the page shown below while looking for content related to cloud robots.

Monitor For New Actions In Sentinel And MDE

Staying updated on new actions in Microsoft Sentinel and Defender for Endpoint is crucial for identifying threats. This blog explains how to get weekly reports on newly logged actions in your tenant. By deploying a Logic App, you can receive periodic updates on new actions using Defender for Endpoint and Azure Monitor APIs to query logs. The deployment strategy varies: for standalone Defender for Endpoint, deploy the Defender solution; for standalone Sentinel, deploy the Sentinel solution; if some data is forwarded to Sentinel, deploy both solutions; if all data is forwarded to Sentinel, deploy the Sentinel solution. Requirements include having a Sentinel or Defender for Endpoint tenant.

KQL Sources - 2025 Update

What started as a single blog is now becoming a yearly tradition. More and more KQL related repositories are being created, not only with a focus on security but also with Intune, Entra and Azure Monitor related queries. Dive in and discover how these new additions can help you tackle challenges or give you new ideas for the new year. Happy New Year to all of you!

KQL Sources

- kqlsearch.com: KQL Search Engine
- Kusto Insights Newsletter: Kusto Insights newsletter
- The Definitive Guide to KQL: Using Kusto Query Language for Operations, Defending, and Threat Hunting
- Kusto Query Internals
- Hunting TTPs with Azure Sentinel
- Microsoft Sentinel Analytics Rules Exchange: Microsoft Sentinel Analytics Rules

GitHub Repositories (KQL Community Repositories)

- Azure Sentinel Repository (Azure): Cloud-native SIEM for intelligent security analytics for your entire enterprise
- Sentinel-Queries (reprise99): Collection of KQL queries
- Falcon Friday (FalconForceTeam): Hunting queries and detections
- Threat-Hunting-and-Detection (Cyb3r-Monk): Repository for threat hunting and detection queries, etc.

IOC hunting at scale

As the holiday season approaches and our schedules hopefully begin to open up, many of us find ourselves with a bit more time on our hands. This time could be perfectly spent delving into some hunting activities. And if you’re into hunting threats and sifting through vast amounts of data, the KQL External Data operator might be the holiday gift for you! This powerful capability enables you to seamlessly incorporate external data into your KQL queries, such as GitHub IOC lists or MISP Feeds.

UAL = Unaligned Activity Logs

The unified audit log is a centralized repository for M365 user and admin activities. The activities originate from different applications, such as Exchange, Teams, SharePoint, Azure, OneDrive and Defender XDR. In this blog, we compare four different ways to acquire and investigate the unified audit logs (UAL):

- Purview Audit Search
- Defender For Cloud Apps CloudAppEvents Logs
- Sentinel OfficeActivity Logs
- Invictus Incident Response Microsoft Extractor Suite

There is another approach to acquire the UAL logs, which is not included in this blog.

Unleash The Power Of DeviceTvmInfoGathering

The DeviceTvmInfoGathering table in Defender XDR is one of the understudied tables of Defender For Endpoint: before researching this table, kqlsearch.com contained only four listings for it, all from Alex Verboon. This blog explores the untapped potential of this table, because it helps you get quick insights into the Defender For Endpoint configuration of your devices. While the table offers little detection value, it is extremely useful for gaining insights into the Defender For Endpoint configuration of your devices.