Hey, thank you stopping by! Well, being here means that you are either familiar with the discipline of Digital Forensics & Incident Reponse (DFIR) or you are interested in beginning to explore DFIR tools and techniques. The common denominator, no matter what your sense is around DFIR, is that you are using Microsoft Defender for Endpoint (MDE) and the wider Microsoft Azure and Microsoft 365 Defender environments. I hope you will enjoy the following resources which come from my notes and relevant research and testing I have done. Do you have any other resources that fit here? Drop me a line at any of my mediums here.
If you find this repo useful, don't forget to โญ it!
- Mitigate threats using Microsoft Defender for Endpoint
- Remote collection of Windows Forensic Artifacts using KAPE and MDE
- @BertJanCyber Incident Response guide
- THOR-Cloud forensic scanning through MDE
- HUNTERS Human-Friendly Guide for Incident Response & Threat Hunting
What better way to begin the resource list other than Microsoft Learn itself? MDE supports a lot of functionalities including artifacts collection, containment, live response, advanced hunting and others which help analysts and investigators unfold alerts and incidents.
KAPE (Kroll Artifact Parser and Extractor) is a powerful DFIR tool by Eric Zimmerman that primarily collects and processes collected files. @DFIRanjith has built and published a guide on how to deploy KAPE through MDE live response and collect forensic artifacts.
Bert-Jan (@BertJanCyber), a fellow community contributor has prepared a detailed and comprehensive guide on how to accomodate Microsoft technologies available including KQL queries and Live Response in order to practice the DFIR discipline.
- Incident Response Part 1: IR on Microsoft Security Incidents (KQL edition)
- Incident Response Part 2: What about the other logs?
- Incident Response Part 3: Leveraging Live Response
THOR-Cloud allows live compromise assessment scans for YARA, Sigma and IOCs on endpoints through MDE. THOR-Cloud Lite comes with a free plan as well.
HUNTERS, an advanced platform that levarages SIEM to help SOC teams, provides highly technical blogs around Microsoft Security. They started unfolding a series of blogs about IR and Threat hunting that really go deep into platform, differentiating sources, user's persmissions etc.
Last update: 02/11/2023