dfe

Internet Explorer End of Life. Find IE usage in your Defender for Endpoint data

Alex Mags
This post has some KQL to report usage of Internet Explorer, which is now end of life. Defender for Endpoint is a terrific source of data for IT Operations: within M365 Defender Advanced Hunting you can build KQL queries to drill down into your data. The post includes KQL to find usage of Internet Explorer in your organisation, plus an example query to find which intranet sites are still frequented by people using Internet Explorer.
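An added Advanced Hunting example in the spirit of that post (it is not the post's own query). It assumes the standard Defender for Endpoint schema (DeviceProcessEvents, DeviceNetworkEvents and the RemoteIPType column); the 30-day lookback and the "corp.example.com" intranet DNS suffix are placeholders to adjust for your tenant.

```kql
// Added example, not the original post's query. Assumes the default
// Defender for Endpoint Advanced Hunting schema. The lookback window and
// the intranet DNS suffix below are assumptions; change them to suit.
let lookback = 30d;
let intranetSuffix = "corp.example.com";   // assumed internal DNS suffix
// 1. Inventory: which devices and users still launch Internet Explorer?
//    Advanced Hunting only renders the last tabular expression, so end the
//    query with "ieLaunches" instead if you want this table on its own.
let ieLaunches =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "iexplore.exe"
    | summarize Launches = count(),
                LastLaunch = max(Timestamp),
                Users = make_set(AccountName, 10)
                by DeviceName
    | order by Launches desc;
// 2. Which internal sites do those IE sessions actually visit?
DeviceNetworkEvents
| where Timestamp > ago(lookback)
| where InitiatingProcessFileName =~ "iexplore.exe"
| where isnotempty(RemoteUrl)
// RemoteUrl may be a bare host name or a full URL; keep only the host part
| extend Host = tolower(extract(@"^(?:[a-z]+://)?([^/:?]+)", 1, RemoteUrl))
// Keep internal destinations: private address space or the internal suffix
| where RemoteIPType == "Private" or Host endswith intranetSuffix
| summarize Visits = count(),
            LastVisit = max(Timestamp),
            Devices = dcount(DeviceName),
            Users = make_set(InitiatingProcessAccountName, 10),
            SampleDevices = make_set(DeviceName, 5)
            by Host
| order by Visits desc
```

Sites with many visits and a recent LastVisit are the ones still depending on IE-only behaviour (ActiveX, legacy document modes) and are the candidates for migration or Edge IE mode site-list entries; the per-device inventory from part 1 tells you whom to talk to.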

Shields up! Find CISA Known Exploited Vulns in your Defender for Endpoint data

Alex Mags
This post has some KQL to report CISA Known Exploited Vulns within your environment. First of all, if you have Ukrainian or Russian staff working with you, check-in with them and do what you can to support them and their families at this time. The US Cybersecurity and Infrastructure Security Agency (CISA) leads a national effort to understand, manage, and reduce risk to our cyber and physical infrastructure. They maintain a list of Common Vulnerabilities and Exposures (CVEs) that are known to be exploited in the wild: the Known Exploited Vulnerabilities (KEV) catalog.
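An added example of matching the KEV catalog against Defender Vulnerability Management data (not the post's own query). It assumes the DeviceTvmSoftwareVulnerabilities table is populated for your devices and that the externaldata() operator is allowed in your Advanced Hunting tenant; the feed URL is CISA's published JSON catalog, and the field names used are the ones in that JSON.

```kql
// Added example, not the original post's query. Assumes Defender
// Vulnerability Management data in DeviceTvmSoftwareVulnerabilities and
// that externaldata() is permitted in Advanced Hunting for your tenant.
// The KEV feed is CISA's published JSON catalog; its top-level object
// carries a "vulnerabilities" array, which is what we expand below.
let kev =
    externaldata(vulnerabilities: dynamic)
    [@"https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json"]
    with (format = "multijson")
    | mv-expand v = vulnerabilities
    | project CveId = tostring(v.cveID),
              VendorProject = tostring(v.vendorProject),
              Product = tostring(v.product),
              DateAdded = todatetime(v.dateAdded),
              DueDate = todatetime(v.dueDate),
              KnownRansomwareUse = tostring(v.knownRansomwareCampaignUse);
// Every vulnerable software instance on a device that has a CVE in the KEV list
DeviceTvmSoftwareVulnerabilities
| join kind=inner kev on CveId
| summarize Devices = dcount(DeviceId),
            SampleDevices = make_set(DeviceName, 5),
            Software = make_set(strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion), 5)
            by CveId, VendorProject, Product, VulnerabilitySeverityLevel,
               DateAdded, DueDate, KnownRansomwareUse
// Earliest CISA due date first, then by blast radius
| order by DueDate asc, Devices desc
```

Sorting on DueDate gives you CISA's own remediation deadline ordering; the KnownRansomwareUse flag is a useful second cut when the list is long. Note that DeviceTvmSoftwareVulnerabilities is a point-in-time inventory rather than an event table, so there is no Timestamp filter.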

Exchange Online Email Investigation

Alex Mags
This post has some KQL to report “who read the sensitive email and who opened the sensitive attachment”. There are a few audit logs available to build a timeline of what happened with this email (send, receive, forward) and who interacted with it: the Office 365 unified audit log (Activity Explorer / CloudAppEvents table); Defender for Office 365 / Exchange Online Protection mail flow events; Defender for Endpoint (DeviceFileEvents); and mailbox audit logs (MailItemsAccessed events). M365 has an Activity Explorer GUI for exploring activity around files.
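An added example that stitches those sources into one timeline (it is not the post's own query). It assumes the Defender for Office 365 tables EmailEvents and EmailAttachmentInfo, the Defender for Endpoint table DeviceFileEvents, and that mailbox auditing is on so MailItemsAccessed records land in CloudAppEvents with the message's InternetMessageId inside RawEventData. The subject line and the 7-day window are placeholders.

```kql
// Added example, not the original post's query. Assumptions: EmailEvents,
// EmailAttachmentInfo, DeviceFileEvents and CloudAppEvents are all
// available; mailbox auditing emits MailItemsAccessed events whose
// RawEventData contains the InternetMessageId of each item read.
let lookback = 7d;
let subject = "Q3 board pack";                    // placeholder subject
// Stage 1: delivery. Who received the message (including onward forwards
// that keep the subject line)?
let mail =
    EmailEvents
    | where Timestamp > ago(lookback)
    | where Subject == subject
    | project Timestamp, NetworkMessageId, InternetMessageId,
              SenderFromAddress, RecipientEmailAddress, DeliveryAction, AttachmentCount;
let delivered =
    mail
    | extend Stage = "1-Delivered", Who = RecipientEmailAddress,
             Detail = strcat("from ", SenderFromAddress, " action=", DeliveryAction);
// Stage 2: read. MailItemsAccessed is the only signal that a mailbox item
// was actually opened/synced; match on the InternetMessageId in the payload.
let messageIds = toscalar(mail | summarize make_set(InternetMessageId));
let read =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "MailItemsAccessed"
    | where tostring(RawEventData) has_any (messageIds)
    | extend Stage = "2-Read", Who = AccountDisplayName,
             Detail = strcat("client IP ", IPAddress);
// Stage 3: attachment on an endpoint. Pivot from the attachment hash to
// DeviceFileEvents, which shows the file being written/saved on a device
// (Defender for Endpoint does not record the act of opening a file).
let attachments =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where NetworkMessageId in ((mail | project NetworkMessageId))
    | distinct FileName, SHA256;
let onEndpoint =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where SHA256 in ((attachments | project SHA256))
    | extend Stage = "3-OnEndpoint", Who = InitiatingProcessAccountName,
             Detail = strcat(ActionType, " ", FolderPath, " on ", DeviceName);
union delivered, read, onEndpoint
| project Timestamp, Stage, Who, Detail
| order by Timestamp asc
```

Read the result top to bottom: a recipient with a 1-Delivered row but no 2-Read row never opened the mail; a 3-OnEndpoint row for an account that was never a recipient is the forward you are looking for. Because the attachment pivot is by SHA256, a copy that was renamed still matches, but a copy that was edited and re-saved will not.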

KQL for files uploaded to cloud

Alex Mags
This post has some KQL to report on files uploaded to cloud via Microsoft or Google browsers. It requires Office 365 sensitivity labels, Defender for Endpoint and (for Google Chrome) the Microsoft Compliance extension. M365 has an Activity Explorer GUI for exploring activity around files. If the files have been classified using Office 365 sensitivity labels you can focus on your most sensitive documents. This interface is fine for a demo, but you are unable to save the searches and filters for reuse, and you will want to filter out ‘normal’ approved activity.