Microsoft Defender for Endpoint (MDE)

Cloud & SaaS, Execution Evidence, EDR Telemetry, SIEM / Log Aggregator

Location

Microsoft 365 Defender Portal > Advanced Hunting (or Microsoft Graph Security API)

Description

Endpoint detection and response platform providing Advanced Hunting tables including DeviceProcessEvents, DeviceNetworkEvents, DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents, and DeviceImageLoadEvents with 30 days of queryable telemetry.

Forensic Value

MDE Advanced Hunting provides the richest endpoint telemetry available in Microsoft environments. DeviceProcessEvents captures every process execution with full command lines, parent processes, and hashes. DeviceNetworkEvents records process-level network connections to correlate C2 communication with specific malware. DeviceFileEvents tracks file creation, modification, and deletion with SHA256 hashes. KQL queries across these tables enable rapid threat hunting and incident scoping across the entire fleet.
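The cross-table correlation described above, as an added example that is not part of the original entry: script interpreter launches from DeviceProcessEvents are joined to the outbound connections those same processes made in DeviceNetworkEvents, so a suspicious command line and its remote destinations appear on one row. Column names are the standard Advanced Hunting schema; the seven-day lookback, the interpreter list and the one-hour correlation window are assumptions chosen for illustration.

```kql
// Added example (not from the original page): correlate process launches with the
// network connections made by that process. Lookback, interpreter list and the
// one-hour window are assumptions; adjust to the incident scope.
let lookback = 7d;
let interpreters = dynamic(["powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"]);
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where FileName in~ (interpreters)
| project ProcTime = Timestamp, DeviceId, DeviceName, ProcessId, ProcessCreationTime,
          FileName, ProcessCommandLine, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine
| join kind=inner (
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    // Only connections leaving the environment; internal traffic is excluded here.
    | where RemoteIPType == "Public"
    | project NetTime = Timestamp, DeviceId, InitiatingProcessId,
              InitiatingProcessCreationTime, RemoteIP, RemotePort, RemoteUrl
) on DeviceId,
     $left.ProcessId == $right.InitiatingProcessId,
     // ProcessId values are reused by the OS; the creation time disambiguates them.
     $left.ProcessCreationTime == $right.InitiatingProcessCreationTime
// Keep connections made within an hour of the launch that is being examined.
| where NetTime between (ProcTime .. (ProcTime + 1h))
| summarize Connections = count(),
            FirstSeen = min(NetTime),
            Destinations = make_set(strcat(RemoteIP, ":", tostring(RemotePort)), 20)
    by DeviceName, FileName, ProcessCommandLine, SHA256,
       InitiatingProcessFileName, InitiatingProcessCommandLine
| order by Connections desc
```

Joining on both the process id and the process creation time matters: a bare ProcessId match will eventually pair a connection with an unrelated earlier process that happened to get the same id. The SHA256 carried through from DeviceProcessEvents is what ties the result back to DeviceFileEvents or to external reputation lookups during scoping.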

Tools Required

Microsoft 365 Defender Portal, KQL (Kusto Query Language), Microsoft Graph Security API, PowerShell

Collection Commands

KQL

DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName
| take 1000

KQL

DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemotePort in (4444, 8080, 8888, 1337)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemotePort, RemoteUrl
| take 1000

Graph API

GET https://graph.microsoft.com/v1.0/security/alerts_v2?$filter=createdDateTime ge 2024-01-01T00:00:00Z&$top=100

MITRE ATT&CK Techniques

T1059, T1055, T1071, T1547.001, T1003