Microsoft 365 Defender - Resource Hub

Welcome to the Microsoft 365 Defender Resource Hub.

Become a Microsoft Defender for Endpoint Ninja

Become a Microsoft Defender for Office 365 Ninja!

Become a Microsoft Defender for Cloud Apps Ninja!

Become a Microsoft Defender for Identity Ninja

Become an Azure Sentinel Ninja

Security Community Webinars

On-demand webcast series: “Tracking the adversary”

Microsoft 365 Security for IT Pros A must have for every IT Pro

Microsoft Security Blog

Subscribe to the Weekly Microsoft Sentinel Newsletter from Rod Trent

Subscribe to the Weekly Microsoft Defender Newsletter from Rod Trent

• Microsoft 365 Defender - Resource Hub
  • Microsoft Tech Community Blog posts
    • 2022
    • 2021
    • 2020
    • 2019
    • 2018
    • 2017
    • 2016
    • 2015
    • 2005
  • Podcasts
  • Other Blog Posts
  • Webinars and Videos
  • Advanced Hunting / KQL
  • Microsoft Security on Twitter
  • Microsoft Docs
  • Must Learn KQL Series
  • Microsoft 365 Defender related content on GitHub
  • Microsoft 365 Defender and Sentinel content on GitHub

Microsoft Tech Community Blog posts

2022

• Support for Common Vulnerabilities and Exposures (CVEs) without a security update in public preview
• Announcing Microsoft Defender Vulnerability Management in public preview
• Introducing new actions from the Email Entity page!
• Exciting Feature Updates to Attack Simulation Training
• Email Protection Basics in Microsoft 365: Spam & Phish
• Microsoft Defender for Office 365 Ninja Training: June 2022 Update
• Announcing the release of step-by-step guides!
• Email Protection Basics in Microsoft 365: Bulk Email
• Improving “Defense in Depth” with Trusted ARC Sealers for Microsoft Defender for Office 365
• Evaluate Defender for Office 365 in your environment!
• Configurable impersonation protection and scope for Preset Security policies
• Configurable impersonation protection and scope for Preset Security policies
• Simplifying the Quarantine Experience - Part Two
• Email remediation actions now available in unified Action Center
• Introducing the UrlClickEvents table in advanced hunting with Microsoft Defender for Office 365
• Introducing differentiated protection for priority accounts in Microsoft Defender for Office 365
• How to deploy Attack Surface Reduction rules to Azure VMs using Azure Guest Configurations
• Network Protection and Web Protection for macOS and Linux is now in Public Preview!
• Tamper protection on macOS is now generally available
• New Device Health Reporting for Microsoft Defender for Endpoint is now in Public Preview
• Announcing File page enhancements in Microsoft Defender for Endpoint
• Introducing the new alert suppression experience
• Mobile Network Protection in Microsoft Defender for Endpoint on Android & iOS now in Public Preview
• Prevent compromised unmanaged devices from moving laterally in your organization with “Contain”
• Mobile device support is now available for US Government Customers using Defender for Endpoint
• Hunting for network signatures in Microsoft Defender for Endpoint
• Evaluation Lab: new domain-joined devices support in Public Preview
• Troubleshooting mode for Microsoft Defender for Endpoint now Generally Available
• Announcing the public preview of Defender for Endpoint personal profile for Android Enterprise
• Security Settings Management in Microsoft Defender for Endpoint is now generally available
• Tamper Protection is now available on macOS
• Device Inventory - The evolution of the endpoint view
• Enhanced Antimalware Protection in Microsoft Defender for Endpoint Android
• Enhanced antimalware engine capabilities for Linux and macOS
• New Reporting Functionality for Device Control and Windows Defender Firewall
• Unified submissions in Microsoft 365 Defender now Generally Available!
• The new Microsoft 365 Defender APIs in Microsoft Graph are now available in public preview!
• Protect sensitive SharePoint sites with Defender for Cloud Apps
• Monthly news - July 2022
• Monthly news - June 2022
• Microsoft Defender for Cloud Apps experiences are now part of Microsoft 365 Defender
• New URL & domain pages in Microsoft 365 Defender
• The power of incidents in Microsoft 365 Defender
• Microsoft 365 Defender Streaming API: Identity and CloudApp Events in General Availability
• Introducing predefined policies in app governance
• Detecting and Remediating Impossible Travel
• What’s new: Unified Microsoft SIEM & XDR GitHub community
• New and improved incident queue
• Reduce time to response with classification
• Announcing expanded support and functionality for Live Response APIs
• Defending against ransomware with Microsoft Defender for Endpoint and Intel TDT: A Case Study
• The Splunk Add-on for Microsoft Security is now available
• Deprecating the legacy SIEM API
• Microsoft threat & vulnerability management integrates with Vulcan Cyber
• Announcing general availability of vulnerability management support for Android and iOS
• Microsoft Defender for Endpoint Plan 1 Now Included in M365 E3/A3 Licenses
• Zero-touch onboarding of Microsoft Defender for Endpoint on iOS now in public preview
• Streamlining the submissions experience in Microsoft Defender for Office 365

2021

• Updated Hunting and Investigation Experiences for Microsoft Defender for Office 365
• Introducing the Microsoft Defender for Office 365 Migration Guide
• CloudAppEvents in advanced hunting now includes non-Microsoft apps and new data columns
• Protect printers, cameras and the rest of your IoT devices with Microsoft 365 Defender
• Using gMSA account in Microsoft Defender for Identity in multi-domain forests.
• Protect your printers, cameras and the rest of your IoT devices starting today!
• Announcing Preview of New Security Management Capabilities for Microsoft Defender for Endpoint.
• Evaluation Lab: Expanded OS support & Atomic Red Team simulations
• Announcing the public preview of Microsoft Defender for Endpoint Mobile - Tamper protection
• AI-driven adaptive protection in Microsoft Defender for Endpoint
• Microsoft Defender for Endpoint Plan 1 Now Generally Available
• Announcing performance analyzer for Microsoft Defender Antivirus
• Device Control Device Installation update
• Defending Windows Server 2012 R2 and 2016
• Announcing live response for macOS and Linux
• Web content filtering now generally available on Windows
• Boost protection of your Linux estate with behavior monitoring, extended distro coverage, and more
• Automatically triage phish submissions in Microsoft Defender for Office 365
• Microsoft Defender for Office 365 Ninja Training: September 2021 Update
• Improving the reporting experience in Microsoft Defender for Office 365
• Automatic Redirection to Microsoft 365 Defender is coming!
• Reporting an email in Microsoft Defender for Office 365
• Mastering Configuration in Defender for Office 365 - Part Three
• New Incident Graph view in Microsoft 365 Defender
• Assign incidents and alerts to someone else
• Announcing the new advanced hunting page and link to incident feature
• Announcing Microsoft Defender for Cloud Apps
• Microsoft Defender for Identity and Npcap
• Advanced Hunting: Surfacing more email data from Microsoft Defender for Office 365
• Microsoft 365 Defender Ninja August 2021 special edition!
• Microsoft 365 Defender Ninja Training: August 2021 update
• Take your security to the next level with professional security services
• Introducing Microsoft Defender for Endpoint Plan 1
• Device Control Device Installation update
• Make sure Tamper Protection is turned on
• Device Control Device Installation update
• Announcing Apple M1 native support
• Device Control Device Installation update
• Public Preview: Custom file IoC enhancements and API schema update
• Device Control Device Installation update
• Best practices for optimizing custom indicators
• Device Control Device Installation update
• Microsoft Defender for Endpoint Ninja Training: August 2021 update
• Device Control Device Installation update
• DeepSurface integrates with Microsoft's vulnerability management capabilities
• Device Control Device Installation update
• Download quarantined files now in public preview
• Device Control Device Installation update
• Protect your removable storage and printers with Microsoft Defender for Endpoint
• Device Control Device Installation update
• Announcing live response API public preview
• Device Control Device Installation update
• Evaluation lab updates: device renewal and new simulations
• Device Control Device Installation update
• Simplifying the Quarantine Experience
• Device Control Device Installation update
• Microsoft Teams gets more Phishing Protection!
• Device Control Device Installation update
• Making the SecOps Team More Efficient - Focused Email Actions
• Device Control Device Installation update
• ICYMI: Announcing Microsoft 365 Defender Streaming API
• Vulnerability management for Linux now generally available
• Unmanaged device protection capabilities are now generally available
• Threat & vulnerability management integrates with ServiceNow VR
• New threat & vulnerability management APIs - create reports, automate, integrate
• Announcing new capabilities on Android and iOS
• Welcome to Microsoft 365 Defender!
• How to migrate advanced hunting to Microsoft 365 Defender
• Secure configuration assessment for macOS and Linux now in public preview
• Announcing Exciting Updates to Attack Simulation Training
• Microsoft Defender for Identity Experiences in Microsoft 365 Defender
• Setting up a New Phish Simulation Program - Part Two
• Setting up a New Phish Simulation Program - Part One
• Using Microsoft Defender for Identity Data to Make Powerful Advanced Hunting Queries
• Enhancing Microsoft Defender for Identity Data Using Microsoft 365 Defender
• Secure Access for applications with Microsoft Cloud App Security
• Uncover your blind spots: seamlessly control cloud usage risks to your organization
• Prevent sophisticated attacks: Microsoft Cloud App Security and Microsoft 365 Defender -Bypass Blocking PDF Previews in OWA -Microsoft Cloud App Security update: March 2021
• MCAS: Top 5 Queries You Need to Save
• MSTICPy and Jupyter Notebooks in Azure Sentinel, an update
• Non-interactive logins: minimizing the blind spot
• What’s new: Incident timeline
• How to use Azure Sentinel for Incident Response, Orchestration and Automation
• Group-IB Threat Intelligence and Attribution Connector - Azure Sentinel
• IoT Asset discovery based on FW logs
• Web Shell Threat Hunting with Azure Sentinel
• Best practices for migrating detection rules from ArcSight, Splunk and QRadar to Azure Sentinel
• What’s new: Automation rules
• Monitoring the Software Supply Chain with Azure Sentinel
• What’s new: Alert Enrichment – Custom Details and Entity Mapping
• Whats new: Azure Sentinel and Microsoft 365 Defender incident integration
• Microsoft Ignite 2021: Blob and File Storage Investigations
• Visibility of Azure key vault activity in Sentinel Azure Key Vault Workbook
• Mastering Configuration in Defender for Office 365 - Part Two
• Mastering Configuration in Defender for Office 365 - Part One
• Introducing the Email Entity Page in Microsoft Defender for Office 365!
• Become a Microsoft Defender for Office 365 Ninja!
• Business Email: Uncompromised - Part Three
• New Home for Microsoft Defender for Office 365
• Best practices for leveraging Microsoft 365 Defender API's - Episode Three
• Unified experiences across endpoint and email are now generally available in Microsoft 365 Defender
• Launching threat analytics for Microsoft 365 Defender
• Azure Sentinel and Microsoft 365 Defender incident integration
• Best practices for leveraging Microsoft 365 Defender API's - Episode Two
• Microsoft Cloud App Security: The Hunt in a multi-stage incident
• Microsoft 365 Defender now delivers unified experiences across endpoint, email and collaboration
• Endpoint Discovery - Navigating your way through unmanaged devices
• Network device discovery and vulnerability assessments
• Configuring exclusions for Splunk on RedHat Linux 7.9
• New threat and vulnerability management experiences in Microsoft 365 security
• Enhancing Linux antivirus with behavior monitoring capabilities!
• Mac updates: Control your USB devices with Microsoft Defender for Endpoint on Mac!
• Migrate advanced hunting from Microsoft Defender for Endpoint to Microsoft 365 Defender -Announcing a global switch for tamper protection
• Investigating the Print Spooler EoP exploitation
• Advanced hunting: updates to threat and vulnerability management tables
• One app for VPN and mobile threat defense
• Delivering world class SecOps experiences
• Business Email: Uncompromised – Part Two
• Business Email: Uncompromised – Part One
• MITRE ATT&CK Techniques now available in the device timeline
• Protecting sensitive information on devices
• Microsoft Defender for Endpoint Ninja Training: February 2021 update
• Microsoft Defender Antivirus: 12 reasons why you need it
• Extending threat and vulnerability management to more devices
• Windows Virtual Desktop support is now generally available
• How to use tagging effectively (Part 3)
• Microsoft Defender for Endpoint: Automation defaults are changing
• EDR for Linux is now generally available
• How to use tagging effectively (Part 2)
• How to use tagging effectively (Part 1)
• Microsoft 365 Defender Ninja Training: January 2021 update
• Hunt for Azure Active Directory sign-in events
• Best practices for leveraging Microsoft 365 Defender API's - Episode One

2020

• Get email notifications on new incidents from Microsoft 365 Defender December 23,2020
• Advanced hunting product name changes December 22,2020
• New Threat analytics report shares the latest intelligence on recent nation-state cyber attacks December 18,2020
• Azure Active Directory audit logs now available in Advanced Hunting (public preview) December 17,2020
• Additional email data in advanced hunting December 14,2020 -Announcing EDR in block mode general availability December 9,2020 -Microsoft Defender for Endpoint on iOS is generally available December 7,2020
• Microsoft Defender for Office 365 investigation improvements coming soon December 1,2020
• EDR for Linux is now available in public preview November 17,2020
• Hunt across cloud app activities with Microsoft 365 Defender advanced hunting November 17,2020
• Microsoft 365 Defender connector now in Public Preview for Azure Sentinel November 12,2020
• Improved incident queue in Microsoft 365 Defender November 10,2020
• Introducing a new threat and vulnerability management report October 28,2020
• Investigating Alerts in Defender for Office 365 October 28,2020
• ZeroLogon is now detected by Microsoft Defender for Identity CVE-2020-1472 exploitation October 1,2020
• Self-healing in Microsoft 365 Defender September 30,2020
• Announcing Priority Account Protection in Microsoft Defender for Office 365 September 22,2020
• Microsoft delivers unified SIEM and XDR to modernize security operations September 22,2020
• Office 365 ATP is now Microsoft Defender for Office 365 September 22, 2020
• Microsoft Defender for Endpoint adds depth and breadth to threat defense across platforms September 22,2020
• Say hello to the new Microsoft Threat Protection APIs! September 15,2020
• Microsoft Defender ATP for Mac is moving to system extensions August 31,2020
• How behavioral blocking & containment stops post-exploitation tools like BloodHound, Kerberoasting August 28, 2020
• A new look for threat analytics August 25, 2020
• Microsoft Threat Protection now uses more descriptive incident names August 20,2020
• Hunt for threats using events captured by Azure ATP on your domain controller August 19,2020
• Introducing EDR in block mode: Stopping attacks in their tracks August 18,2020
• Introducing an improved timeline investigation with event flagging August 12,2020
• Pull in more intelligence and act fast while you hunt August 10,2020
• See how consolidated incidents improve SOC efficiency through this attack sprawl simulation July 30,2020
• The Action center in Microsoft Threat Protection – Your one-stop shop for remediation actions July 28,2020
• Pivot fast and investigate freely with go hunt & other advanced hunting enhancements July 22,2020
• Multi-tenant access for Managed Security Service Providers July 20,2020
• Changes in the support case submission experience July 14,2020
• Announcing high value asset tagging in Microsoft Defender ATP July 14,2020
• SHA-2 signing enforcement on Windows 7 and Windows Server 2008 R2 July 13,2020
• Microsoft Defender ATP awarded a perfect 5-star rating by SC Media July 9,2020
• Introducing event timeline – an innovative, new way to manage your security exposure July 6, 2020
• An update on Web Content Filtering July 6,2020
• Configuring Microsoft Defender Antivirus for non-persistent VDI machines June 25,2020
• Improving defenses against Exchange server compromise June 24,2020
• Safe Documents is Generally Available June 22,2020
• Microsoft Defender ATP for Linux is now generally available! June 23,2020
• Announcing Microsoft Defender ATP for Android June 23, 2020
• Microsoft Threat Protection leads in real-world detection in MITRE ATT&CK evaluation May 1, 2020
• A deeper dive into the APT29 MITRE ATT&CK evaluation June 19. 2020
• Microsoft Defender ATP has a new UEFI scanner June 17,2020
• New partnerships with innovative leaders helps you fight advanced threats! June 16,2020
• Say hello to the new alert page in Microsoft Defender ATP June 15,2020
• Migrate the old Power BI App to Microsoft Defender ATP Power BI templates! June 4, 2020
• Microsoft Defender ATP evaluation lab breach & attack simulators are now available in public preview May 25,2020
• Demystifying attack surface reduction rules - Part 4 May 13,2020
• Defending networks against human-operated ransomware May 12, 2020
• Automate the boring for your SOC with automatic investigation and remediation! May 11,2020
• Indicators enhancements: Allow/Block by certificates & more May 10,2020
• Demystifying attack surface reduction rules - Part 3 May 5,2020
• Onboarding and servicing non-persistent VDI machines with Microsoft Defender ATP May 5,2020
• Harden endpoint security for COVID-19 and working from home with Threat & Vulnerability Management April 30, 2020
• Deploy Microsoft Defender ATP for Mac in just a few clicks April 27, 2020
• MITRE ATT&CK evaluation results April 24, 2020
• Demystifying attack surface reduction rules - Part 2 April 22, 2020
• Demystifying attack surface reduction rules - Part 1 March 14,2020
• Threat & Vulnerability Management APIs are now generally available March 14,2020
• Live response for earlier versions of Windows is now in public preview April 6,2020
• Secure your remote workforce with Microsoft Defender ATP April 1st, 2020
• Secure Configuration Assessment (SCA) for Windows Server now in public preview March 22,2020
• Microsoft Defender ATP service notification improvements March 22,2020
• Connect the dots using a device network overview Power BI report March 19,2020
• Raw data export: Announcing Microsoft Defender ATP Streaming API GA March 18,2020
• Microsoft Defender ATP for Linux is coming! ...And a sneak peek into what’s next February 25,2020
• Enable tamper protection in Threat & Vulnerability Management to increase your security posture February 19,2020
• Put regulation fears to rest when deploying Microsoft Defender ATP February 13,2020
• Web content filtering with Microsoft Defender ATP now in public preview January 28, 2020
• Extending Microsoft Defender ATP network of partners January 27, 2020
• Block Access to Unsanctioned Apps using Microsoft Defender ATP & Microsoft Cloud App SecurityJanuary 22, 2020
• Enforcement of TLS 1.2 for connections to Microsoft Defender ATP January 01, 2020

2019

• EDR capabilities for macOS have now arrived December 04,2019
• Advanced hunting data schema changes December 03,2019
• Short & sweet educational videos for Microsoft Defender ATP November 20, 2019
• Create custom reports using Microsoft Defender ATP APIs and Power BI November 14, 2019
• Recordings now online: Microsoft Defender ATP sessions from #MSIgnite 2019 November 12, 2019
• Microsoft Defender ATP for Mac - EDR in Public Preview November 6, 2019
• How insights from system attestation and advanced hunting can improve enterprise security November 6, 2019
• Reducing risk with new Threat & Vulnerability Management capabilities November 4, 2019
• Experts on demand: now generally available October 28,2019
• Microsoft Defender ATP sessions at #MSIgnite 2019 October 16,2019
• Tamper protection now generally available for Microsoft Defender ATP customers October 14, 2019
• Manage Windows Defender Firewall with Microsoft Defender ATP and Intune October 4,2019
• Forrester names Microsoft a Leader in 2019 Endpoint Security Suites Wave October 1, 2019
• Enhanced visibility into web threats with Microsoft Defender ATP September 30,2019
• Microsoft Defender ATP EDR support for Windows Server 2008 R2 now generally available September 26,2019
• New! API Explorer and Connected applications September 18,2019
• MITRE ATT&CK technique info in Microsoft Defender ATP alerts September, 16, 2019
• Microsoft Defender ATP supports custom IOCs for URLs, IP addresses, and domains September 13,2019
• Enhance your SOC with Microsoft Defender ATP Automatic Investigation and Remediation September 11,2019
• Test security products the right way and find new protection features with MDATP evaluation lab September 11,2019
• Hunting for reconnaissance activities using LDAP search filters August 28,2019
• Advanced hunting updates: USB events, machine-level actions, and schema changes August 27,2019
• Gartner names Microsoft a Leader in 2019 Endpoint Protection Platforms Magic Quadrant August 23,2019
• Microsoft Defender ATP 'Ask Me Anything' August 2019 - Summary August 15,2019
• Migrate your custom Threat Intelligence (TI) to indicators! August 6,2019
• Microsoft Defender Advanced Threat Protection is now available as an offer to US GCC High customers August 2, 2019
• The Golden Hour remake - Defining metrics for a successful security operations July 31,2019
• Download files for in-depth investigation July 31,2019
• MDATP Streaming API - Public Preview - DIY example July 23,2019
• Microsoft Defender ATP Evaluation lab is now available in public preview 23 July, 2019
• Microsoft’s Threat & Vulnerability Management now helps thousands of customers to discover, prioritize, and remediate vulnerabilities in real time July 2, 2019
• Microsoft Defender ATP alert categories are now aligned with MITRE ATT&CK! July 1, 2019
• Microsoft Defender ATP automation & cloud app discovery now available in previous Windows 10 builds! June 26,2019
• Inside out: Get to know the advanced technologies at the core of Microsoft Defender ATP next generation protection June 24,2019
• MDATP Python automation - Automate machine isolation with Python script June 3,2019
• Microsoft Defender ATP unified indicators of compromise (IoCs) experience May 29,2019
• Microsoft Defender ATP for Mac now in open public preview May 22,2019
• Incident response at your fingertips with Microsoft Defender ATP live response May 20,2019
• Microsoft Defender ATP and Malware Information Sharing Platform integration May 16,2019
• Updates to attack surface reduction rules for Office apps May 15,2019
• Pushing custom Indicator of Compromise (IoCs) to Microsoft Defender ATP May 5,2019
• Microsoft Defender ATP third-party solution integrations May 5,2019
• Microsoft Threat Experts reaches general availability April 30,2019
• Protecting disconnected devices with Microsoft Defender ATP April 29,2019
• MDATP Threat & Vulnerability Management now publicly available! April 16,2019
• Native support for the discovery of Shadow IT April 15,2019
• Introducing a risk-based approach to threat and vulnerability management March 21,2019
• Tamper protection in Microsoft Defender ATP March 27,2019
• Announcing Microsoft Defender ATP for Mac March 21,2019
• Palo Alto Networks and WDATP ad-hoc integration March 17,2019
• MITRE evaluation highlights industry-leading EDR capabilities in Windows Defender ATP March 15,2019
• Automate Windows Defender ATP response action: Machine isolation March 7,2019
• Windows 10: Windows Defender Exploit Guard-Attack Surface Reduction rules February 24,2019
• Ticketing system integration – Alert update API February 17,2019
• Help protect the exec – go with the Flow! February 15,2019
• WDATP API “Hello World” (or using a simple PowerShell script to pull alerts via WDATP APIs) January 28,2019
• Microsoft Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices January 17,2019
• Microsoft Defender ATP built-in threat summary and health reports January 4,2019

2018

• What’s new in Windows Defender ATP, November 2018 November 19,2018
• New! Windows Defender ATP Incidents narrate the end-to-end attack story November 5,2018
• Automating investigation and response for memory-based attacks October 22,2018
• SecOps is more effective thanks to Microsoft Windows Defender Advanced Threat Protection October 16,2019
• Microsoft Cloud App Security and Windows Defender ATP - better together September 27,2018
• WDATP September 2018 preview features are out September 5,2018)
• Hunting tip of the month: Downloads originating from email links August 29,2018
• Optimized reporting latency and expedite mode August 16,2018
• Interpreting Exploit Guard ASR audit alerts August 14,2018
• Improve your defensive posture with Exploit Guard ASR August 6,2018
• Advanced hunting now includes network adapters information August 5,2018
• Hunting tip of the month: Browser downloads July 31,2018
• Getting Started with Windows Defender ATP Advanced Hunting July 15,2018
• Hunting tip of the month: PowerShell commands June 29,2018
• What’s new in the WDATP Portal? June 5,2018
• Protecting Windows Server with Windows Defender ATP
• Enhancing conditional access with machine-risk data from Windows Defender Advanced Threat Protectionf April 18,2018
• Protecting-Windows-Server-with-Windows-Defender-ATP/ba-p/267114) April 18,2018
• New demo: Advanced Threat Protection across Windows 10 and Office March 31,2018
• Exploit Guard - Network Protection February 20, 2018
• Announcing: Windows Defender ATP support for Windows 7 and Windows 8.1 February 12, 2018

2017

• Windows Defender ATP machine learning and AMSI: Unearthing script-based attacks that ‘live off the land’ December 4,2017
• Microsoft partners extend Windows Defender ATP across platforms November 8,2017
• Windows Defender ATP helps analysts investigate and respond to threats September 21,2017
• Windows Defender ATP Windows 10 Fall Creators Update now open for public preview September 7, 2017
• Windows Defender ATP machine learning: Detecting new and unusual breach activity August 3, 2017
• Windows Defender ATP Fall Creators Update June 27,2017
• Microsoft signs agreement to acquire Hexadite June 8, 2017
• Windows Defender ATP thwarts Operation WilySupply software supply chain cyberattack May 4,2017
• The Story of Windows Defender April 17,2017

2016

• Windows Defender Advanced Threat Protection Preview Expands May 16,2016
• Announcing Windows Defender Advanced Threat Protection March 1, 2016

2015

• Windows 10 to offer application developers new malware defenses

2005

Yes no typo , it was around 2005 when 'Windows Defender' appeared

• What’s in a name?? A lot!! Announcing Windows Defender! November 4, 2005

Podcasts

• Talking Security hosted by Frans Oudendorp
• Security Unlocked hosted by Natalia Godyla and Nic Fillingham
• Security Insiders hosted by Maarten Goet
• Hairless in the Cloud hosted by Jan Geisbauer and Marco Scheel
• GeekZeugs by Alexander Benoit and Eric Berg
• RunAsRadio
• Microsoft Security Insights

Other Blog Posts

• Assessment and Control of Browser Extensions
• Microsoft Defender for Endpoint Internals 0x02 — Audit Settings and Telemetry
• Microsoft Defender for Endpoint Internals 0x03 — MDE telemetry unreliability and log augmentation
• Deep Diver – Defender for Cloud Apps Malware Detection in Office 365 Workloads
• Handling Inactive Devices in Microsoft Defender for Endpoint
• Microsoft Defender for Endpoint series – What is Defender for Endpoint? – Part1
• Microsoft Sentinel – Insights of Defender for Cloud Apps Data Connector
• Unboxing Microsoft Defender for Business, Part 1: Simplified configuration process
• Updated March 2022: Ultimate Comparison of Defender for Endpoint Features by Operating System
• MDE HUNTING 101
• Article 1 – Tips & Tricks #Investigate with Microsoft Defender for Identity
• Article 2 – Tips & Tricks #Deploy Microsoft Defender for Identity (gMSA Accounts)
• Managing Microsoft Defender for Endpoint with the new Security Management feature in MEM
• Sysmon vs Microsoft Defender for Endpoint, MDE Internals 0x01
• Defending Azure Active Directory with Azure Sentinel
• Keep an eye on your Azure AD guests with Microsoft Sentinel
• Alert changes to sensitive AD groups using MDI
• Automated response to C2 traffic on your devices
• Defender for Endpoint – unified solution for Windows Server 2012 R2 and 2016 (Part1)
• Enabling and configuring Web content filtering in Microsoft Defender for Endpoint (MDE)
• Microsoft Defender for Endpoint on AWS: Part 1
• Use advanced hunting to Identify Defender clients with outdated definitions
• Device Control Device Installation update
• The Impossible Travel Alert: Friend or Foe?
• Defender TVM: Configuration Benchmark Management
• Using the Defender for Endpoint API and PowerShell
• How To Hunt For LDAP Reconnaissance Within M365 Defender?
• Using Microsoft Defender For Endpoint During Investigation
• Hunting for Lateral Movement: Local Accounts
• Detecting network beacons via KQL using simple spread stats functions
• FalconFriday — Masquerading; LOLBin file renaming— 0xFF0C
• Practical Compromise Recovery Guidance For Active Directory
• Incident Response In A Microsoft Cloud Environment
• Use kusto to breakdown time stamps
• Adding TAXII Threat Intel
• ALERTRULE FROM GITHUB TO AZURE SENTINEL
• How to Use Microsoft Teams as a Frontend to Azure Sentinel
• How to Find the Enhanced Functions Capabilities in the Azure Sentinel Console
• Start Having Visibility In Service Accounts With Defender For Identity
• Gundog
• Microsoft Defender — Detect Hidden Windows Run
• Detecting SolarWinds SUNBURST IOC, from Microsoft Defender for Endpoint and Azure Sentinel
• Using Active Directory Replication Metadata for hunting purposes
• Getting started with Microsoft Defender for Endpoint for iOS
• Integrate Microsoft Defender for Endpoint with Azure Defender
• Integrate Microsoft Defendr for Endpoint with MCAS
• Defender for Endpoint (MDATP) for Windows Servers
• MTP Advanced Hunting – Public free E-Mail services
• Hunting for Local Group Membership changes
• Microsoft Threat Protection Jupyter notebook AdvancedHunting sample
• Showcasing some Endpoint Detection & Response Features of Microsoft Defender ATP
• Microsoft Defender ATP for Android
• Assigning MDATP tags through the machine name & logged on user with Logic Apps
• MANAGE OFFICE ATP ALERTS LIKE A BOSS
• Microsoft Defender ATP Web Content Filtering – Migrate Rules from Existing Security Software
• Microsoft Defender ATP Web Content Filtering – Administration, Limitations, and User Experience
• MDATP 💙 THOR
• Windows Defender configuration tool ConfigureDefender 3.0.0.0 released
• Analyzing your Microsoft Defender ATP data in real-time in ELK using the new streaming API
• 24/7 protection during Covid-19 – Defender ATP Auto IR
• Threat & Vulnerability Management – improve client security with MDATP
• Microsoft Defender Antivirus (MDAV) “Cloud Protection” (Cloud-Delivered Protection aka MAPS)
• BLOCK IT.
• DEEP DIVE: FORENSICS VIA MDATP LIVE RESPONSE
• Microsoft Defender ATP – network control made easy
• Microsoft Defender ATP for Linux
• How to create your Defender ATP Admin Audit Log Dashboard
• EmptyDC Jan Geisbauer
• How to generate a monthly Defender ATP Threat and Vulnerability Report
• Automate MDATP response with Microsoft Flow
• Windows Defender ATP: harnessing the collective intelligence of the InfoSec community for threat hunting
• MDATP: talking to the User
• Examining access token privileges with MDATP and Kusto
• My Pluralsight Course – Incident Response and Remediation With Azure Security Center
• Hunting for MiniNt security audit block in registry
• Microsoft Defender ATP Streaming API
• Send Intune security task notifications to Microsoft Teams, email, etc. using Microsoft Flow
• How to accelerate your Microsoft Defender ATP Evaluation
• How to Create a Custom Slack Alert for Windows Defender Advanced Threat Protection (ATP) using Microsoft Flow in 5 minutes
• Automate response with Defender ATP and Microsoft Flow
• Hunting for USB Rubber Ducky/ Bad USB with ATP
• Managing Alerts from MDATP in ServiceNow – Part I: Bearer Token Request And ServiceNow Connect
• Hunting Windows Defender Exploit Guard with ATP
• Announcing new exciting capabilities of Windows Defender ATP (April 2018)
• Automated Response for Windows Defender ATP
• Managing Role Based Access (RBAC) for Microsoft Defender Advanced Threat Protection
• Retrieving Windows Defender Exploit Guard Windows Event logs with PowerShell
• Defender ATP and PowerBI

Webinars and Videos

• Introduction into KQL/
• 057 - EN - Defender for Office 365 with Pawel Partyka
• The NEW Attack Simulator in M365 w/ End User Training
• Elevate your endpoint security with Microsoft Defender ATP
• Security Community Webinars
• Join Our Security Community
• MS Defender ATP Overview and Full Attack Simulation
• Live response in Microsoft Defender ATP
• Webinar: Stopping attacks in their tracks through behavioral blocking and containment
• Azure Sentinel and Defender ATP Webinar
• Microsoft Defender ATP Threat & Vulnerability Management
• Upcoming webinar 📣 The Power of Advanced Hunting - Unleash the hunter in you!
• SANS - Windows Defender ATP’s Advanced Hunting: Using Flexible Queries to Hunt Across Your Endpoints
• Conditional Access with WDATP - The Endpoint Zone 1805
• How to Configure Splunk to pull Windows Defender ATP alerts
• How to customize Windows Defender ATP Alert Email Notifications
• Check Windows Defender ATP Client Status with PowerShell
• Microsoft Defender ATP [Attack Simulation & Investigation] Demos
• Automate machine isolation with MDATP and Microsoft Flow - YouTube MVP Demo
• Windows Defender ATP now extends beyond Windows clients October 11,2017
• Windows Defender ATP Investigation and Response
• Microsoft 365 Conditional access based on device-risk with Windows Defender ATP
• Windows Defender ATP Secure Score
• RSA Conference 2018 Windows Defender ATP – Unified platform for endpoint security
• RSA Conference 2018 Taking Ransomware to task with Windows Defender ATP

Advanced Hunting / KQL

• Exploring Anomalies with Log Analytics using KQL
• Kusto King blog
• Become a KQL Ninja
• Kusto Query Language (KQL) - cheat sheet
• Sigma-Hunting-App
• Go hunt, join us on GitHub
• Microsoft MDATP Hunting Queries on GitHub
• Kusto Query Language (KQL) from Scratch
• Maarten Goet - Wortell
• Advanced Hunting Cheat Sheet by @PowershellPoet, @maarten_goet, @Pawp81, @Bakk3rM and @MicrosoftMT
• SecGroundZero

Must Learn KQL Series

blog post series to educate about the simplicity and power of the Kusto Query Language (KQL) by @rodtrent

Table of Contents

• Must Learn KQL Part 1: Tools and Resources - Posted November 17, 2021 - Video Edition
  
• Must Learn KQL Part 2: Just Above Sea Level - Posted November 18, 2021
  
• Must Learn KQL Part 3: Workflow - Posted November 19, 2021 - Video Edition
  
• Must Learn KQL Part 4: Search for Fun and Profit - Posted November 22, 2021
  
• Must Learn KQL Part 5: Turn Search into Workflow - Posted November 29, 2021 - Video Edition
  
• Must Learn KQL Part 6: Interface Intimacy - Posted December 2, 2021, Updated May 13, 2022 - Video Edition
  
• Must Learn KQL Part 7: Schema Talk - Posted December 7, 2021 - Video Edition
  
• Must Learn KQL Part 8: The Where Operator - Posted December 8, 2021 - Video Edition
  
• Must Learn KQL Part 9: The Limit/Take Operators - Posted December 13, 2021 - Video Edition
  
• Must Learn KQL Part 10: The Count Operator - Posted December 14, 2021 - Video Edition
  
• Must Learn KQL Part 11: The Summarize Operator - Posted January 5, 2022 - Video Edition
  
• Must Learn KQL Part 12: The Render Operator (with Bin and Time) - Posted January 10, 2022 - Video Edition
  
• Must Learn KQL Part 13: The Extend Operator - Posted January 18, 2022 - Video Edition
  
• Must Learn KQL Part 14: The Project Operator - Posted January 20, 2022 - Video Edition
  
• Must Learn KQL Part 15: The Distinct Operator - Posted January 24, 2022
  
• Must Learn KQL Part 16: The Order/Sort and Top Operators - Posted January 26, 2022
  
• Must Learn KQL Part 17: The Let Statement - Posted February 1, 2022
  
• Must Learn KQL Part 18: The Union Operator - Posted February 7, 2022
  
• Must Learn KQL Part 19: The Join Operator - Posted February 14, 2022
  
• Must Learn KQL Part 20: Building your first Microsoft Sentinel Analytics Rule - Posted February 17, 2022
  
  
  

Microsoft Security on Twitter

• Eshlomo - Advanced Hunting Queries
• NotNinjaCat @RavivTamir
• Microsoft Defender ATP @WindowsATP
• Microsoft Threat Protection @MicrosoftMTP
• Dan Michelson
• Hadar Feldman
• Tomer Teller
• Heike Ritter
• Christian H. Müller
• Alex Benoit
• Jan Geisbauer
• Matias Borg
• Oliver Kieselbach
• Amar Hasayen
• Maarten Goet
• Eric Soldierer
• Christian H. Mueller
• Huy
• @thijslecomte
• @YongRheeMSFT
• @castello_johnny
• Matt Soseman
• Frans Oudendorp
• Corina Feuerstein
• Daniel Naim
• Pawel Partyka
• Olaf Hartong
• Mehmet Ergene
• @BlueVoyant
• @Sec_GroundZero
• @ashwinpatil
• @reprise_99 Matt Zorich
• Sami Lamppu

Microsoft Docs

• Microsoft 365 Defender
• Microsoft Defender for Endpoint
• Microsoft Defender for Identity
• Microsoft Defender for Office 365
• Microsoft Cloud App Security
• Azure Sentinel

What's new

Stay up to date about latest releases (fixes, new features etc.)

• What’s new with Microsoft Cloud App Security?
• What’s new in Microsoft Defender for Identity
• What’s new in Microsoft Defender for Endpoint
• What’s new in Microsoft 365 Defender
• What’s new in Microsoft Defender for Office 365
• What’s new in Azure Sentinel

Microsoft 365 Defender and Azure Sentinel content on GitHub

• MTP - Advanced Hunting
• Microsoft Defender Advanced Threat Protection PowerShell Module
• WindowsDefenderATP-Hunting-Queries
• MicrosoftDefenderATP-API-PowerShell
• defender-atp-manageability
• MDATP PowerBI
• Github - Power BI Report templates powered by Microsoft Defender Advanced Threat Protection Advance Hunting Queries
• MDATP PowerBI
• CGCFAD WDATP-Advanced-Hunting
• richlilly2004 MDATP hunting queries
• Huy - DebugPrivilege
• AndyFul - ConfigureDefender
• David Sass - DefenderASR
• CGCFAD Hunting Queries
• Eli Shlomo
• KQL Tools
• GunDog
• mdatp pwsh
• blue-teaming-with-kql
• Threat hunting and detection by Cyb3r-Monk
• Microsoft Defender 365 raw data schema - Overview
• Azure Sentinel KQL Queries by reprise99
• KQL Reference Manual by SecGroundZero
• Blue teaming with KQL by Ashwin Patil
• Sentinel Queries
• SecGroundZero KQL Reference Material
• ashwin-patil - Blue Teaming with KQL
• Linux - iOS
• Adarsh Pandey
• Marco Gerber
• Live Response Scripts from YongRhee
• Azure AD - Attack and Defense Playbook