Posts tagged kql
Examining access token privileges with MDATP and Kusto

As a defender, looking at events occurring on user endpoints is very useful. Knowing exactly what is happening is essential, and having insight into detailed log information makes it possible to perform threat hunting and to create detection rules.

It’s a no-brainer that looking at processes on a user endpoint is crucial in order to find an adversary’s activities. In this blog I will show you the value of looking at the access token of a process using Microsoft Defender ATP (MDATP) and the Kusto query language.
