
Thank you for attending our session at the SANS Threat Hunting & IR Summit in London.
Here are some resources, as promised during our session, which may help.
Threat Hunting
https://docs.microsoft.com/en-us/microsoft-365/security/mtp/hunting
https://blog.sec-labs.com/2018/06/threat-hunting-with-windows-defender-atp/
https://blog.sec-labs.com/2019/10/hunting-for-minint-security-audit-block-in-registry/
https://blog.sec-labs.com/2019/07/hunt-for-nuget-squirrel-update/
Power Automate / Logic Apps
https://docs.microsoft.com/en-us/cloud-app-security/flow-integration
https://docs.microsoft.com/en-us/power-automate/
https://docs.microsoft.com/en-us/azure/logic-apps/
https://docs.microsoft.com/en-us/azure/logic-apps/logic-apps-create-api-app
Azure Automation
https://docs.microsoft.com/en-us/azure/automation/automation-dsc-overview
https://docs.microsoft.com/en-us/azure/automation/automation-hybrid-runbook-worker
https://docs.microsoft.com/en-us/azure/automation/shared-resources/credentials
Configuration
https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/best-practices-for-configuring-eop
https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices
https://docs.microsoft.com/en-us/microsoft-365/security/mtp/microsoft-secure-score
Auditing and Logs
https://support.microsoft.com/en-gb/help/4026501/office-auditing-in-office-365-for-admins
https://docs.microsoft.com/en-us/microsoft-365/compliance/enable-mailbox-auditing
Investigation
https://github.com/OfficeDev/O365-InvestigationTooling
https://docs.microsoft.com/en-us/cloud-app-security/investigate-risky-oauth
https://docs.microsoft.com/en-us/cloud-app-security/manage-app-permissions
API
https://docs.microsoft.com/en-us/cloud-app-security/investigate-activities-api
https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0
Free Training Resources
https://www.pluralsight.com/courses/kusto-query-language-kql-from-scratch
Happy Hunting!
Follow us on Twitter: @mattiasborg82 and @stefanschorling