This article was originally posted in the Microsoft Security blog.
Modern security teams need to proactively, efficiently, and effectively hunt for threats across multiple attack vectors. To address this need, today we’re excited to give you a glimpse of a new threat hunting capability coming soon to Microsoft Threat Protection. Building off the threat hunting technology currently available in Microsoft Defender Advanced Threat Protection (ATP), we are adding the ability to hunt for threats across endpoints and email (Figure 1).
The new Microsoft Threat Protection advanced threat hunting allows:
- Easy access to telemetry—The telemetry data is accessible in easy to use tables for you to query.
- Enhanced portal experience—Certain query results, such as machine name, link directly to the relevant portal, consolidating the hunting query experience and the portal investigation experience.
- Detailed query templates—A welcome page provides examples designed to get you started and get you familiar with the tables and the query language.
The example in Figure 1 demonstrates how Microsoft Threat Protection enables hunting for red teams that leverage a compromised account to store a payload on a local SharePoint site and to send emails to individuals within the organization. Having the email come from an internal sender and point to a local SharePoint site guarantees a high click-through rate. With the advanced hunting capability in Microsoft Threat Protection, this scenario is easier to identify, discover, and ultimately remediate. As Microsoft Threat Protection evolves, we’ll continue to extend the advanced hunting capability across the enterprise. Look for more details on threat hunting across endpoints and email in the coming weeks.
Figure 1. Hunting across endpoints and email with Microsoft Threat Protection.
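The scenario above (an internal sender mailing many internal recipients with links to a SharePoint site) can be expressed as a single hunting query. The query below is an added example written for this page, not a query from the original post or from Microsoft; it assumes the advanced hunting schema as it exists today (the `EmailEvents` and `EmailUrlInfo` tables and their `NetworkMessageId`, `SenderFromAddress`, `SenderFromDomain`, `RecipientEmailAddress`, `Url` and `UrlDomain` columns), and the tenant domain and recipient threshold are placeholders to be tuned.

```kusto
// Added example (not from the original post). Assumes the current advanced hunting
// schema: EmailEvents and EmailUrlInfo joined on NetworkMessageId.
let lookback = 7d;
let internal_domain = "contoso.com";      // placeholder: your tenant's primary domain
let min_recipients = 5;                   // placeholder: tune to your mail volume
EmailEvents
| where Timestamp > ago(lookback)
// internal sender addressing internal mailboxes
| where SenderFromDomain =~ internal_domain
    and RecipientEmailAddress endswith strcat("@", internal_domain)
| join kind=inner (
    EmailUrlInfo
    // links pointing at the organisation's own SharePoint tenant
    | where UrlDomain endswith ".sharepoint.com"
) on NetworkMessageId
// one message (NetworkMessageId) from one sender fanning out to many recipients
| summarize Recipients = dcount(RecipientEmailAddress),
            Urls = make_set(Url, 10),
            FirstSeen = min(Timestamp)
    by SenderFromAddress, NetworkMessageId
| where Recipients >= min_recipients
| order by Recipients desc
```

The sender and message identifiers in the result link back to the portal, so a hit can be pivoted into the mailbox and the SharePoint URL directly; lowering `min_recipients` trades precision for recall.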
Connecting the dots to protect your users
As we’ve discussed previously, securing enterprise identities is paramount for effective threat protection in modern organizations. Microsoft Threat Protection is built on best-in-class identity protection, and we’re pleased to announce the general availability of our new identity threat investigation experience, which correlates identity events from Microsoft Cloud App Security, Azure Advanced Threat Protection, and Azure Active Directory Identity Protection into a single investigation experience for security analysts and hunters alike.
The experience leverages state-of-the-art User and Entity Behavior Analytics (UEBA) capabilities to provide a risk score and rich contextual information for individual users across on-premises and cloud services. With the high volume of threat signals today’s security teams must analyze, it’s a challenge to know which users and threats to prioritize for deeper investigations (Figure 2). The new identity threat investigation experience enables security analysts to prioritize their investigations, helping reduce investigation times and eliminating the need to toggle between identity security solutions.
Figure 2. Top user view by investigation priority.
Delivering on our promise to empower defenders
Earlier this year, we announced two capabilities for endpoint security with the public preview of Threat & Vulnerability Management and the extension of our endpoint security capabilities to macOS. We’re excited to deliver on the promise of both these milestones for our endpoint security, which further empower defenders relying on our services to secure their organizations.
At the end of June, we announced the general availability of our endpoint security for macOS. Offered through Microsoft Defender ATP, it enables integrated experiences in Microsoft Defender Security Center across Windows and macOS clients. It supports the three latest versions of macOS: Mojave, High Sierra, and Sierra. Customers can use Microsoft Intune and Jamf to deploy and manage Microsoft Defender ATP for Mac. Just like with Microsoft Office applications on macOS, Microsoft Auto Update is used to manage Microsoft Defender ATP for Mac updates. Check out the public documentation to see what’s available now.
We further enhanced endpoint security with the general availability of Threat & Vulnerability Management for endpoints (Figure 3), which offers customers:
- Continuous discovery of vulnerabilities and misconfigurations.
- Prioritization based on business context and dynamic threat landscape.
- Seamless correlation of vulnerabilities providing enhanced breach insights.
- Ability to assess vulnerability at the single-machine level to enrich and provide greater detail on incident investigations.
- Built-in remediation processes through unique integration with Intune and Microsoft System Center Configuration Manager.
Figure 3. The Threat & Vulnerability Management dashboard.
This month, we also enriched the experience for security teams managing email security by introducing an email submission feature offered through Office 365 ATP. Microsoft is home to 3,500 security professionals, and now your organization can leverage their expertise to get quick and accurate analysis of potential email threats with the click of a button (Figure 4). The submission process is easy to use, and our Microsoft experts provide quick feedback, including insights on configurations that may have caused a false positive or false negative, reducing the time to investigate issues and improving overall effectiveness.
The new submission process allows admins to:
- Submit suspicious emails, files, and URLs to Microsoft for analysis.
- Find and remove rules allowing malicious content into the tenant.
- Find and remove rules blocking good content into the tenant.
Here’s a quick run-through of the experience. You can also learn more about it in our technical docs.
Figure 4. Admin submission experience with Office 365 ATP.