Microsoft Defender for Enterprise

Query’s integration with Microsoft Defender for Enterprise (MDE), utilizing Query’s integration with Microsoft’s GraphAPI, allows analysts to do the following:

  • Retrieves user device information (DNS name and IP Address) for a device
  • Retrieves malicious file information &  details (hash value)
  • Retrieves Security Finding information when malicious activity is detected (title, event time, event name, severity, etc).

For example, the analyst could obtain the following context:

  • Searching by the user’s hostname, i.e. hostname equals barbs_computer, the response would contain any malicious activity (Security Event) that has been detected by MIcrosoft Defender for Enterprise.
  • Searching by a device’s IP, i.e. IP equals x.x.x.x , the response would provide all the usernames and hostnames that have been associated with that IP address and malicious activity.

To integrate Microsoft Intune, see integration documentation here.

The integration will normalize data pulled from Microsoft Intune, via the GraphAPI,  into Query’s OCSF based QDM (Query Data Model) which then enables cross-platform joins, compounding the analyst’s ability to investigate. Query normalizes Microsoft Intune data into QDM User and Device objects, and Authentication events. Analysts can see key attributes like hostname, IP Address, state of any malicious activity, DNS hostnames, and subnet in the QDM device, security finding, and observables objects..

With the federated join capabilities, the analyst can now see context on that entity pulled from additional data sources Query is integrated with.

Based upon additional integrations in your environment, Query can show you:

  • Suspected IP addresses joined with Threat Intelligence data.
  • Additional alerts correlated with the user or the device, such as based upon email, web, or file activity.
  • Relevant follow up searches to get vulnerability, malware, and threat intelligence information associated with related entities like files, processes, and applications on that device.