📢 The near-real-time frequency for custom detection rules with #Microsoft365Defender advanced hunting is now available in preview. The updated documentation highlights the #AdvancedHunting tables supported for continuous rule detection:
https://learn.microsoft.com/en-us/microsoft-365/security/defender/custom-detection-rules
#microsoft365defender #advancedhunting
Hunting - Office 365 Unified Audit Log
"This is a key data source in any cloud investigation because it contains a record of all the activity that has occurred in Office 365 and Azure Active Directory."
"If we use this resource correctly, it can help us build a full story of a threat actor’s activity in Office 365."
https://techcommunity.microsoft.com/t5/microsoft-security-experts-blog/good-ual-hunting/ba-p/3718421
#hunting #advancedhunting #office365 #microsoft365 #sentinel #microsoftsentinel #casb #xdr #Azure #microsoft #microsoftsecurity #audit #ual #AzureActiveDirectory #Exchange #OneDrive #DefenderforCloudApps #siem #soar #cloud #cloudsecurity #data #kql
So #zeek is officially part of #Defender now, I found the files on a few computers. But, to my major disappointment, you can't interact with the logs at all. Not that I'm finding, at least. I was hoping that I could export the logs into #Rita or #ACHunter but it's looking like I'll still have to install zeek a second time for that to happen. I can't even find the zeek logs in #AdvancedHunting...
#zeek #defender #rita #achunter #advancedhunting
Who has been clicking on Windows tray notifications & what's the URL? #Defender #AdvancedHunting #malvertising
DeviceProcessEvents
// Chromium-based browsers are relaunched with --notification-launch-id when a user clicks a toast (tray) notification
| where FileName in~ ("msedge.exe","chrome.exe") and ProcessCommandLine has "--notification-launch-id"
// the launch id is pipe-delimited; the fifth field (zero-based index 4) carries the notification's origin URL
| extend u = tostring(split(ProcessCommandLine, "|", 4)[0])
| where u startswith "http"
| distinct u, AccountUpn, DeviceName, FileName, DeviceId
#defender #advancedhunting #malvertising
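The same extraction as the KQL above, run offline over a handful of constructed DeviceProcessEvents rows so the edge cases are visible (a quoted launch id, a non-http origin, a non-Chromium browser, a browser start with no notification click, and a duplicate row that must collapse like `distinct`). This is an added example, not the poster's query or any Microsoft code; the sample rows are invented, the pipe-delimited field positions are assumed to match the query above (fifth field = origin), and unlike `split(ProcessCommandLine, "|", 4)` it splits only the value of `--notification-launch-id`, so other pipes elsewhere in the command line cannot shift the field.

```python
import re
from urllib.parse import urlsplit

# Constructed sample rows in the shape of DeviceProcessEvents (not real telemetry).
SAMPLE_EVENTS = [
    {   # Edge relaunched by a notification click
        "FileName": "msedge.exe", "AccountUpn": "alice@contoso.example",
        "DeviceName": "WS01", "DeviceId": "dev-01",
        "ProcessCommandLine": (
            '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" '
            '--profile-directory=Default '
            '--notification-launch-id=0|0|Default|0|https://news.example.net|p#n1'),
    },
    {   # same user, device and URL again: must collapse like KQL distinct
        "FileName": "msedge.exe", "AccountUpn": "alice@contoso.example",
        "DeviceName": "WS01", "DeviceId": "dev-01",
        "ProcessCommandLine": (
            '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" '
            '--profile-directory=Default '
            '--notification-launch-id=0|0|Default|0|https://news.example.net|p#n1'),
    },
    {   # Chrome with the launch id quoted (assumed possible when pipes are escaped for the shell)
        "FileName": "chrome.exe", "AccountUpn": "bob@contoso.example",
        "DeviceName": "WS02", "DeviceId": "dev-02",
        "ProcessCommandLine": (
            '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
            '--notification-launch-id="0|1|Default|0|https://deals.example.org|p#n7"'),
    },
    {   # non-http origin (an extension): dropped, as by the startswith "http" filter
        "FileName": "chrome.exe", "AccountUpn": "bob@contoso.example",
        "DeviceName": "WS02", "DeviceId": "dev-02",
        "ProcessCommandLine": (
            '"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe" '
            '--notification-launch-id=0|0|Default|0|chrome-extension://abcdef|p#n2'),
    },
    {   # not a Chromium browser: excluded by the FileName filter
        "FileName": "firefox.exe", "AccountUpn": "carol@contoso.example",
        "DeviceName": "WS03", "DeviceId": "dev-03",
        "ProcessCommandLine": '"C:\\Program Files\\Mozilla Firefox\\firefox.exe" -osint -url https://example.com',
    },
    {   # plain Edge start, no notification click (case-insensitive FileName match, like in~)
        "FileName": "MSEDGE.EXE", "AccountUpn": "alice@contoso.example",
        "DeviceName": "WS01", "DeviceId": "dev-01",
        "ProcessCommandLine": '"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe" --profile-directory=Default',
    },
]

BROWSERS = {"msedge.exe", "chrome.exe"}
# value is either a double-quoted string or a run of non-whitespace characters
LAUNCH_ID_RE = re.compile(r'--notification-launch-id=(?:"([^"]*)"|(\S+))')
ORIGIN_FIELD = 4  # assumed from the KQL: split(..., "|", 4)


def notification_url(cmdline):
    """Return the origin URL carried in --notification-launch-id, or None."""
    m = LAUNCH_ID_RE.search(cmdline)
    if not m:
        return None
    launch_id = m.group(1) if m.group(1) is not None else m.group(2)
    fields = launch_id.split("|")
    if len(fields) <= ORIGIN_FIELD:   # unexpected layout: do not guess a URL
        return None
    url = fields[ORIGIN_FIELD]
    return url if url.startswith("http") else None


def hunt(events):
    """Mirror of the KQL: filter to Chromium browsers, extract the URL, keep distinct tuples."""
    seen, hits = set(), []
    for e in events:
        if e["FileName"].lower() not in BROWSERS:
            continue
        url = notification_url(e["ProcessCommandLine"])
        if url is None:
            continue
        row = (url, e["AccountUpn"], e["DeviceName"], e["FileName"], e["DeviceId"])
        if row not in seen:
            seen.add(row)
            hits.append(row)
    return hits


def clicks_by_origin(events):
    """Triage helper: number of distinct (user, device) pairs that clicked per notification origin."""
    pairs = {}
    for url, upn, device, _, _ in hunt(events):
        pairs.setdefault(urlsplit(url).netloc.lower(), set()).add((upn, device))
    return {origin: len(s) for origin, s in pairs.items()}


if __name__ == "__main__":
    for row in hunt(SAMPLE_EVENTS):
        print(*row, sep="\t")
    print(clicks_by_origin(SAMPLE_EVENTS))
```

`clicks_by_origin` is the pivot you would follow up with in the portal: an origin that many unrelated users clicked in a short window is the shape malvertising takes, while one user clicking a known news site is noise.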