Important questions answered

What do you do if it looks like an attacker has bypassed your defences and alerting mechanisms?

Or if someone outside your organisation says it appears that you’ve been breached, or a zero-day is released that is being actively exploited, or your IDS is reporting but you just can’t find a confirmed incident?

To answer these questions and more, we provide an assessment to give you definitive expert triage. “Have I been breached?” We can give you the answer.

Assessment 101

We identify compromised hosts and report our findings. With access to your Microsoft tenant, we will:

  • Run initial compromise assessment scans.
  • Review scan results and provide feedback.
  • Provide a high-level report on the results and recommend further actions.

In our threat hunt, we target these 7 key areas in the Microsoft framework:

  • Identity
  • Network
  • Login Activity
  • Email
  • Endpoints
  • Insider Threat
  • Ransomware

What can you expect?

We evaluate your network security using your Defender for Endpoint deployment. We look for indicators of historic and/or ongoing compromise, and highlight any poor security hygiene.

The assessment can be used in response to a security incident, or to provide a point-in-time understanding of the security of your environment.

Our CREST-accredited Incident Response team have 11 years’ experience of compromise assessments. We apply our proprietary methodology based on best practice frameworks.

Following the assessment, you will be presented with a report of any issues that exist in your environment, with a management summary as well as technical detail.

How does it work?

Your Microsoft Defender platform has been harvesting data since it was first switched on.

With access to that data, we can conduct assessments over various points in time. Using key metrics and logs, we provide a granular view of malicious and suspicious events.

Our intelligent queries probe data points that may indicate a historic breach, or evidence of threat actors living off the land on your network, or using email as a vector for successful phishing operations.

This means that responders can research and investigate incidents faster and more precisely.

There is no interference with your endpoints as we use your already deployed framework.

Key features

Threat intelligence integration

Using Microsoft’s extensive threat intelligence database we identify known indicators of compromise (IOCs) and emerging threats. We also enrich all data points built into our query sets.

Behavioural analysis

We leverage sophisticated behavioural analytics to detect unusual patterns and endpoint device behaviours indicative of potential security compromises, identifying anomalous activities and providing insights into potential security incidents.

Telemetry data analysis

We dig into the network, file, and command-line telemetry generated by Microsoft Defender for Endpoint to gain deep insights into the security status of endpoint devices.

We also provide a detailed analysis of endpoint activities, helping you and your organisation understand and respond to potential threats effectively.

We analyse all historic Defender detections to ascertain any missed detections or patterns of suspicious activity.

Indicators of compromise ID

We identify and report IOCs quickly for effective response to historic security incidents, with detailed information on compromised systems, enabling you to address and fix potential security breaches and affected endpoints.

Remediation recommendations

We deliver actionable recommendations to remediate identified vulnerabilities and security gaps and provide a roadmap for improving security controls and preventing future compromises.

Compromise Assessment
