Microsoft 365 Defender - Resource Hub

Welcome to the Microsoft 365 Defender Resource Hub.

Update! as the list of Microsoft 365 Defender resources keeps growing I am highlighting 🆕 additions

Become a Microsoft Defender for Endpoint Ninja

Security Community Webinars

On-demand webcast series: “Tracking the adversary”

Microsoft 365 Security for IT Pros A must have for every IT Pro

---

• Microsoft 365 Defender - Resource Hub
  • Microsoft Tech Community Blog posts
    • 2021
    • 2020
    • 2019
    • 2018
    • 2017
    • 2016
    • 2015
    • 2005
  • Other Blog Posts
  • Webinars and Videos
  • Advanced Hunting
  • Microsoft Security on Twitter
  • Microsoft Docs
  • Microsoft 365 Defender related content on GitHub
  • Azure Sentinel

Microsoft Tech Community Blog posts

---

2021

• Business Email: Uncompromised – Part Two 🆕
• Business Email: Uncompromised – Part One 🆕
• MITRE ATT&CK Techniques now available in the device timeline 🆕
• Protecting sensitive information on devices 🆕
• Microsoft Defender for Endpoint Ninja Training: February 2021 update 🆕
• Microsoft Defender Antivirus: 12 reasons why you need it 🆕
• Extending threat and vulnerability management to more devices 🆕
• Windows Virtual Desktop support is now generally available 🆕
• How to use tagging effectively (Part 3) 🆕
• Microsoft Defender for Endpoint: Automation defaults are changing
• EDR for Linux is now generally available 🆕
• How to use tagging effectively (Part 2) 🆕
• How to use tagging effectively (Part 1) 🆕
• Microsoft 365 Defender Ninja Training: January 2021 update 🆕
• Hunt for Azure Active Directory sign-in events 🆕
• Best practices for leveraging Microsoft 365 Defender API's - Episode One 🆕

---

2020

• Get email notifications on new incidents from Microsoft 365 Defender December 23,2020
• Advanced hunting product name changes December 22,2020
• New Threat analytics report shares the latest intelligence on recent nation-state cyber attacks December 18,2020
• Azure Active Directory audit logs now available in Advanced Hunting (public preview) December 17,2020
• Additional email data in advanced hunting December 14,2020 -Announcing EDR in block mode general availability December 9,2020 -Microsoft Defender for Endpoint on iOS is generally available December 7,2020
• Microsoft Defender for Office 365 investigation improvements coming soon December 1,2020
• EDR for Linux is now available in public preview November 17,2020
• Hunt across cloud app activities with Microsoft 365 Defender advanced hunting November 17,2020
• Microsoft 365 Defender connector now in Public Preview for Azure Sentinel November 12,2020
• Improved incident queue in Microsoft 365 Defender November 10,2020
• Introducing a new threat and vulnerability management report October 28,2020
• Investigating Alerts in Defender for Office 365 October 28,2020
• ZeroLogon is now detected by Microsoft Defender for Identity CVE-2020-1472 exploitation October 1,2020
• Self-healing in Microsoft 365 Defender September 30,2020
• Announcing Priority Account Protection in Microsoft Defender for Office 365 September 22,2020
• Microsoft delivers unified SIEM and XDR to modernize security operations September 22,2020
• Office 365 ATP is now Microsoft Defender for Office 365 September 22, 2020
• Microsoft Defender for Endpoint adds depth and breadth to threat defense across platforms September 22,2020
• Say hello to the new Microsoft Threat Protection APIs! September 15,2020
• Microsoft Defender ATP for Mac is moving to system extensions August 31,2020
• How behavioral blocking & containment stops post-exploitation tools like BloodHound, Kerberoasting August 28, 2020
• A new look for threat analytics August 25, 2020
• Microsoft Threat Protection now uses more descriptive incident names August 20,2020
• Hunt for threats using events captured by Azure ATP on your domain controller August 19,2020
• Introducing EDR in block mode: Stopping attacks in their tracks August 18,2020
• Introducing an improved timeline investigation with event flagging August 12,2020
• Pull in more intelligence and act fast while you hunt August 10,2020
• See how consolidated incidents improve SOC efficiency through this attack sprawl simulation July 30,2020
• The Action center in Microsoft Threat Protection – Your one-stop shop for remediation actions July 28,2020
• Pivot fast and investigate freely with go hunt & other advanced hunting enhancements July 22,2020
• Multi-tenant access for Managed Security Service Providers July 20,2020
• Changes in the support case submission experience July 14,2020
• Announcing high value asset tagging in Microsoft Defender ATP July 14,2020
• SHA-2 signing enforcement on Windows 7 and Windows Server 2008 R2 July 13,2020
• Microsoft Defender ATP awarded a perfect 5-star rating by SC Media July 9,2020
• Introducing event timeline – an innovative, new way to manage your security exposure July 6, 2020
• An update on Web Content Filtering July 6,2020
• Configuring Microsoft Defender Antivirus for non-persistent VDI machines June 25,2020
• Improving defenses against Exchange server compromise June 24,2020
• Safe Documents is Generally Available June 22,2020
• Microsoft Defender ATP for Linux is now generally available! June 23,2020
• Announcing Microsoft Defender ATP for Android June 23, 2020
• Microsoft Threat Protection leads in real-world detection in MITRE ATT&CK evaluation May 1, 2020
• A deeper dive into the APT29 MITRE ATT&CK evaluation June 19. 2020
• Microsoft Defender ATP has a new UEFI scanner June 17,2020
• New partnerships with innovative leaders helps you fight advanced threats! June 16,2020
• Say hello to the new alert page in Microsoft Defender ATP June 15,2020
• Migrate the old Power BI App to Microsoft Defender ATP Power BI templates! June 4, 2020
• Microsoft Defender ATP evaluation lab breach & attack simulators are now available in public preview May 25,2020
• Demystifying attack surface reduction rules - Part 4 May 13,2020
• Defending networks against human-operated ransomware May 12, 2020
• Automate the boring for your SOC with automatic investigation and remediation! May 11,2020
• Indicators enhancements: Allow/Block by certificates & more May 10,2020
• Demystifying attack surface reduction rules - Part 3 May 5,2020
• Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP May 5,2020
• Harden endpoint security for COVID-19 and working from home with Threat & Vulnerability Management April 30, 2020
• Deploy Microsoft Defender ATP for Mac in just a few clicks April 27, 2020
• MITRE ATT&CK evaluation results April 24, 2020
• Demystifying attack surface reduction rules - Part 2 April 22, 2020
• Demystifying attack surface reduction rules - Part 1 March 14,2020
• Threat & Vulnerability Management APIs are now generally available March 14,2020
• Live response for earlier versions of Windows is now in public preview April 6,2020
• Secure your remote workforce with Microsoft Defender ATP April 1st, 2020
• Secure Configuration Assessment (SCA) for Windows Server now in public preview March 22,2020
• Microsoft Defender ATP service notification improvements March 22,2020
• Connect the dots using a device network overview Power BI report March 19,2020
• Raw data export: Announcing Microsoft Defender ATP Streaming API GA March 18,2020
• Microsoft Defender ATP for Linux is coming! ...And a sneak peek into what’s next February 25,2020
• Enable tamper protection in Threat & Vulnerability Management to increase your security posture February 19,2020
• Put regulation fears to rest when deploying Microsoft Defender ATP February 13,2020
• Web content filtering with Microsoft Defender ATP now in public preview January 28, 2020
• Extending Microsoft Defender ATP network of partners January 27, 2020
• Block Access to Unsanctioned Apps using Microsoft Defender ATP & Microsoft Cloud App SecurityJanuary 22, 2020
• Enforcement of TLS 1.2 for connections to Microsoft Defender ATP January 01, 2020

---

2019

• EDR capabilities for macOS have now arrived December 04,2019
• Advanced hunting data schema changes December 03,2019
• Short & sweet educational videos for Microsoft Defender ATP November 20, 2019
• Create custom reports using Microsoft Defender ATP APIs and Power BI November 14, 2019
• Recordings now online: Microsoft Defender ATP sessions from #MSIgnite 2019 November 12, 2019
• Microsoft Defender ATP for Mac - EDR in Public Preview November 6, 2019
• How insights from system attestation and advanced hunting can improve enterprise security November 6, 2019
• Reducing risk with new Threat & Vulnerability Management capabilities November 4, 2019
• Experts on demand: now generally available October 28,2019
• Microsoft Defender ATP sessions at #MSIgnite 2019 October 16,2019
• Tamper protection now generally available for Microsoft Defender ATP customers October 14, 2019
• Manage Windows Defender Firewall with Microsoft Defender ATP and Intune October 4,2019
• Forrester names Microsoft a Leader in 2019 Endpoint Security Suites Wave October 1, 2019
• Enhanced visibility into web threats with Microsoft Defender ATP September 30,2019
• Microsoft Defender ATP EDR support for Windows Server 2008 R2 now generally available September 26,2019
• New! API Explorer and Connected applications September 18,2019
• MITRE ATT&CK technique info in Microsoft Defender ATP alerts September, 16, 2019
• Microsoft Defender ATP supports custom IOCs for URLs, IP addresses, and domains September 13,2019
• Enhance your SOC with Microsoft Defender ATP Automatic Investigation and Remediation September 11,2019
• Test security products the right way and find new protection features with MDATP evaluation lab September 11,2019
• Hunting for reconnaissance activities using LDAP search filters August 28,2019
• Advanced hunting updates: USB events, machine-level actions, and schema changes August 27,2019
• Gartner names Microsoft a Leader in 2019 Endpoint Protection Platforms Magic Quadrant August 23,2019
• Microsoft Defender ATP 'Ask Me Anything' August 2019 - Summary August 15,2019
• Migrate your custom Threat Intelligence (TI) to indicators! August 6,2019
• Microsoft Defender Advanced Threat Protection is now available as an offer to US GCC High customers August 2, 2019
• The Golden Hour remake - Defining metrics for a successful security operations July 31,2019
• Download files for in-depth investigation July 31,2019
• MDATP Streaming API - Public Preview - DIY example July 23,2019
• Microsoft Defender ATP Evaluation lab is now available in public preview 23 July, 2019
• Microsoft’s Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time July 2, 2019
• Microsoft Defender ATP alert categories are now aligned with MITRE ATT&CK! July 1, 2019
• Microsoft Defender ATP automation & cloud app discovery now available in previous Windows 10 builds! June 26,2019
• Inside out: Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection June 24,2019
• MDATP Python automation - Automate machine isolation with Python script June 3,2019
• Microsoft Defender ATP unified indicators of compromise (IoCs) experience May 29,2019
• Microsoft Defender ATP for Mac now in open public preview May 22,2019
• Incident response at your fingertips with Microsoft Defender ATP live response May 20,2019
• Microsoft Defender ATP and Malware Information Sharing Platform integration May 16,2019
• Updates to attack surface reduction rules for Office apps May 15,2019
• Pushing custom Indicator of Compromise (IoCs) to Microsoft Defender ATP May 5,2019
• Microsoft Defender ATP third-party solution integrations May 5,2019
• Microsoft Threat Experts reaches general availability April 30,2019
• Protecting disconnected devices with Microsoft Defender ATP April 29,2019
• MDATP Threat & Vulnerability Management now publicly available! April 16,2019
• Native support for the discovery of Shadow IT April 15,2019
• Introducing a risk-based approach to threat and vulnerability management March 21,2019
• Tamper protection in Microsoft Defender ATP March 27,2019
• Announcing Microsoft Defender ATP for Mac March 21,2019
• Palo Alto Networks and WDATP ad-hoc integration March 17,2019
• MITRE evaluation highlights industry-leading EDR capabilities in Windows Defender ATP March 15,2019
• Automate Windows Defender ATP response action: Machine isolation March 7,2019
• Windows 10: Windows Defender Exploit Guard-Attack Surface Reduction rules February 24,2019
• Ticketing system integration – Alert update API February 17,2019
• Help protect the exec – go with the Flow! February 15,2019
• WDATP API “Hello World” (or using a simple PowerShell script to pull alerts via WDATP APIs) January 28,2019
• Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices January 17,2019
• Microsoft Defender ATP built-in threat summary and health reports January 4,2019

---

2018

• What’s new in Windows Defender ATP, November 2018 November 19,2018
• New! Windows Defender ATP Incidents narrate the end-to-end attack story November 5,2018
• Automating investigation and response for memory-based attacks October 22,2018
• SecOps is more effective thanks to Microsoft Windows Defender Advanced Threat Protection October 16,2019
• Microsoft Cloud App Security and Windows Defender ATP - better together September 27,2018
• WDATP September 2018 preview features are out September 5,2018)
• Hunting tip of the month: Downloads originating from email links August 29,2018
• Optimized reporting latency and expedite mode August 16,2018
• Interpreting Exploit Guard ASR audit alerts August 14,2018
• Improve your defensive posture with Exploit Guard ASR August 6,2018
• Advanced hunting now includes network adapters information August 5,2018
• Hunting tip of the month: Browser downloads July 31,2018
• Getting Started with Windows Defender ATP Advanced Hunting July 15,2018
• Hunting tip of the month: PowerShell commands June 29,2018
• What’s new in the WDATP Portal? June 5,2018
• Protecting Windows Server with Windows Defender ATP
• Enhancing conditional access with machine-risk data from Windows Defender Advanced Threat Protectionf April 18,2018
• Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) April 18,2018
• New demo: Advanced Threat Protection across Windows 10 and Office March 31,2018
• Exploit Guard - Network Protection February 20, 2018
• Announcing: Windows Defender ATP support for Windows 7 and Windows 8.1 February 12, 2018

---

2017

• Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’ December 4,2017
• Microsoft partners extend Windows Defender ATP across platforms November 8,2017
• Windows Defender ATP helps analysts investigate and respond to threats September 21,2017
• Windows Defender ATP Windows 10 Fall Creators Update now open for public preview September 7, 2017
• Windows Defender ATP machine learning: Detecting new and unusual breach activity August 3, 2017
• Windows Defender ATP Fall Creators Update June 27,2017
• Microsoft signs agreement to acquire Hexadite June 8, 2017
• Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack May 4,2017
• The Story of Windows Defender April 17,2017

---

2016

• Windows Defender Advanced Threat Protection Preview Expands May 16,2016
• Announcing Windows Defender Advanced Threat Protection March 1, 2016

---

2015

• Windows 10 to offer application developers new malware defenses

---

2005

Yes no typo , it was around 2005 when 'Windows Defender' appeared

• What’s in a name?? A lot!! Announcing Windows Defender! November 4, 2005

---

Other Blog Posts

• Gundog 🆕
• Microsoft Defender — Detect Hidden Windows Run
• Detecting SolarWinds SUNBURST IOC, from Microsoft Defender for Endpoint and Azure Sentinel
• Using Active Directory Replication Metadata for hunting purposes
• Getting started with Microsoft Defender for Endpoint for iOS
• Integrate Microsoft Defender for Endpoint with Azure Defender
• Integrate Microsoft Defendr for Endpoint with MCAS
• Defender for Endpoint (MDATP) for Windows Servers
• MTP Advanced Hunting – Public free E-Mail services
• Hunting for Local Group Membership changes
• Microsoft Threat Protection Jupyter notebook AdvancedHunting sample
• Showcasing some Endpoint Detection & Response Features of Microsoft Defender ATP
• Microsoft Defender ATP for Android
• Assigning MDATP tags through the machine name & logged on user with Logic Apps
• MANAGE OFFICE ATP ALERTS LIKE A BOSS
• Microsoft Defender ATP Web Content Filtering – Migrate Rules from Existing Security Software
• Microsoft Defender ATP Web Content Filtering – Administration, Limitations, and User Experience
• MDATP 💙 THOR
• Windows Defender configuration tool ConfigureDefender 3.0.0.0 released
• Analyzing your Microsoft Defender ATP data in real-time in ELK using the new streaming API
• 24/7 protection during Covid-19 – Defender ATP Auto IR
• Threat & Vulnerability Management – improve client security with MDATP
• Microsoft Defender Antivirus (MDAV) “Cloud Protection” (Cloud-Delivered Protection aka MAPS)
• BLOCK IT.
• DEEP DIVE: FORENSICS VIA MDATP LIVE RESPONSE
• Microsoft Defender ATP – network control made easy
• Microsoft Defender ATP for Linux
• How to create your Defender ATP Admin Audit Log Dashboard
• EmptyDC Jan Geisbauer
• How to generate a monthly Defender ATP Threat and Vulnerability Report
• Automate MDATP response with Microsoft Flow
• Windows Defender ATP: harnessing the collective intelligence of the InfoSec community for threat hunting
• MDATP: talking to the User
• Examining access token privileges with MDATP and Kusto
• My Pluralsight Course – Incident Response and Remediation With Azure Security Center
• Hunting for MiniNt security audit block in registry
• Microsoft Defender ATP Streaming API
• Send Intune security task notifications to Microsoft Teams, email, etc. using Microsoft Flow
• How to accelerate your Microsoft Defender ATP Evaluation
• How to Create a Custom Slack Alert for Windows Defender Advanced Threat Protection (ATP) using Microsoft Flow in 5 minutes
• Automate response with Defender ATP and Microsoft Flow
• Hunting for USB Rubber Ducky/ Bad USB with ATP
• Managing Alerts from MDATP in ServiceNow – Part I: Bearer Token Request And ServiceNow Connect
• Hunting Windows Defender Exploit Guard with ATP
• Announcing new exciting capabilities of Windows Defender ATP (April 2018)
• Automated Response for Windows Defender ATP
• Managing Role Based Access (RBAC) for Microsoft Defender Advanced Threat Protection
• Retrieving Windows Defender Exploit Guard Windows Event logs with PowerShell
• Defender ATP and PowerBI

---

Webinars and Videos

• 057 - EN - Defender for Office 365 with Pawel Partyka
• The NEW Attack Simulator in M365 w/ End User Training
• Elevate your endpoint security with Microsoft Defender ATP
• Security Community Webinars
• Join Our Security Community
• MS Defender ATP Overview and Full Attack Simulation
• Live response in Microsoft Defender ATP
• Webinar: Stopping attacks in their tracks through behavioral blocking and containment
• Azure Sentinel and Defender ATP Webinar
• Microsoft Defender ATP Threat & Vulnerability Management
• Upcoming webinar 📣 The Power of Advanced Hunting - Unleash the hunter in you!
• SANS - Windows Defender ATP’s Advanced Hunting: Using Flexible Queries to Hunt Across Your Endpoints
• Conditional Access with WDATP - The Endpoint Zone 1805
• How to Configure Splunk to pull Windows Defender ATP alerts
• How to customize Windows Defender ATP Alert Email Notifications
• Check Windows Defender ATP Client Status with PowerShell
• Microsoft Defender ATP [Attack Simulation & Investigation] Demos
• Automate machine isolation with MDATP and Microsoft Flow - YouTube MVP Demo
• Windows Defender ATP now extends beyond Windows clients October 11,2017
• Windows Defender ATP Investigation and Response
• Microsoft 365 Conditional access based on device-risk with Windows Defender ATP
• Windows Defender ATP Secure Score
• RSA Conference 2018 Windows Defender ATP – Unified platform for endpoint security
• RSA Conference 2018 Taking Ransomware to task with Windows Defender ATP

---

Advanced Hunting

• Kusto King blog
• Become a KQL Ninja
• Kusto Query Language (KQL) - cheat sheet
• Sigma-Hunting-App
• Go hunt, join us on GitHub
• Microsoft MDATP Hunting Queries on GitHub
• Kusto Query Language (KQL) from Scratch
• Maarten Goet - Wortell
• Advanced Hunting Cheat Sheet by @PowershellPoet, @maarten_goet, @Pawp81, @Bakk3rM and @MicrosoftMT

---

Microsoft Security on Twitter

• Eshlomo - Advanced Hunting Queries
• NotNinjaCat @RavivTamir
• Microsoft Defender ATP @WindowsATP
• Microsoft Threat Protection @MicrosoftMTP
• Dan Michelson
• Hadar Feldman
• Tomer Teller
• Heike Ritter
• Christian H. Müller
• Alex Benoit
• Jan Geisbauer
• Matias Borg
• Oliver Kieselbach
• Amar Hasayen
• Maarten Goet
• Eric Soldierer
• Christian H. Mueller
• @DebugPrivilege
• @thijslecomte
• @YongRheeMSFT
• @castello_johnny
• Matt Soseman

---

Microsoft Docs

• Microsoft 365 Defender
• Microsoft Defender for Endpoint
• Microsoft Defender for Identity
• Microsoft Defender for Office 365

---

Microsoft 365 Defender related content on GitHub

• MTP - Advanced Hunting
• Microsoft Defender Advanced Threat Protection PowerShell Module
• WindowsDefenderATP-Hunting-Queries
• MicrosoftDefenderATP-API-PowerShell
• defender-atp-manageability
• MDATP PowerBI
• Github - Power BI Report templates powered by Microsoft Defender Advanced Threat Protection Advance Hunting Queries
• MDATP PowerBI
• CGCFAD WDATP-Advanced-Hunting
• richlilly2004 MDATP hunting queries
• Huy - DebugPrivilege
• AndyFul - ConfigureDefender
• David Sass - DefenderASR
• CGCFAD Hunting Queries
• Eli Shlomo
• KQL Tools
• GunDog 🆕

---

Azure Sentinel

• [More content coming soon!]
• Become an Azure Sentinel Ninja: The complete level 400 training
• Azure Sentinel: design considerations