Microsoft Defender Advanced Threat Detection Queries

Recently, I shared on Twitter how you could run a query to detect if a user has clicked on a link within their Outlook using Microsoft Defender Advanced Threat Protection (MDATP). If you are not familiar, MDATP is available within your Microsoft 365 E5 license and is an enhancement to the traditional Windows Defender you might be used to.

What is Microsoft Defender Advanced Threat Protection?

Microsoft says that “Microsoft Defender Advanced Threat Protection is a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.” MDATP offers quite a few endpoints that you can leverage in both incident response and threat hunting.

Swimlane's Research Teams Open Sources pyattck

As security teams adopt the Mitre ATT&CK Framework to help them identify gaps in their defenses, having a way to identify what malware and tools are being used by specific actors or groups becomes more critical. Additionally, having a way to identify these relationships programatically is even more critical.

Today, we are excited to announce the Swimlane research team has released pyattck — a Python package to interact with the Mitre ATT&CK Framework. There are many different open-source projects being released on a daily basis, but we wanted to provide a straightforward Python package that allows the user to identify known relationships between all verticals of the Mitre ATT&CK Framework.

Swimlane Open Sources graphish to Help SecOps Teams

While having a conversation on Twitter about Microsoft Graph API I was convinced that the traditional Exchange eDiscovery features were not available in the Microsoft Graph API. Boy was I wrong.

After stumbling across a few endpoints I had not seen previously, I decided to write a python package called graphish. graphish is an open-source python package Swimlane is open-sourcing that will enable IT, security operations (SecOps), developers and others to search and delete email messages from mailboxes using the Microsoft Graph API.

Hey InfoSec, What Are You Doing to Protect Your DevOps Teams

DevOps, serverless applications and containers are just a few of the latest advancements in a developer’s toolbox. For development teams, this means that the time to market (TTM) is faster—especially for Agile teams. So, how and what are security operations teams doing to ensure that security is keeping pace with this rapid development? Most are attempting to incorporate a security engineer within their development teams—which is a great first step—but there are multiple layers that you need to ensure you are protecting your organization beyond your source-code.

Swimlane Research Team Open Sources py-ews

Phishing impacts every organization, and security operations (SecOps) teams need to act quickly to remediate and prevent unknown threats within their email infrastructure. To help combat these threats, the Swimlane research team has open sourced py-ews to enable security and IT teams to interact with Microsoft Exchange Web Services (EWS) using Python.

Why py-ews?

Organizations continue to battle against malicious phishing emails in their email environments, but security and IT teams have limited visibility into what currently resides in their users’ mailboxes. py-ews was written to give control back to your security and IT teams so they can remediate threats faster.

Automate Employee Off Boarding Process With Swimlane

As more organizations discontinue internal services and begin adopting an increasing number of third-party *aaS-based services, ensuring the appropriate access is revoked in a timely manner is critical. By using our new employee off-boarding use case, you can automatically gather historical data, add a user to a monitoring watch list, and finally remove access when it is time to off-board an employee.

The employee off-boarding use case contains two distinct applications to assist an organization with managing their employee off-boarding process. The first is the employee application, which contains all relevant information about the employee as well as references to the second application: assets. The assets application contains individual assets to which the employee has access. These assets can be applications, services or hardware.

Microsoft OAuth2 Part3: Using Microsoft Graph API

In this third and final part of the “Understanding Microsoft’s OAuth2 Implementation” series, we will be using the application that we have previously created to authenticate to the Microsoft Graph API.

If you have not done so, please read Part 1 and Part 2 before continuing.

Now, let’s start using the Microsoft Graph API using PowerShell Core!

Read More