Welcome to the Microsoft Incident Response Ninja Hub
We’re excited to announce the Microsoft Incident Response Ninja Hub. This page includes a compilation of guides and resources that the Microsoft Incident Response team has developed on threat hunting, case studies, incident response guides, and more. Many of these pieces were also developed in collaboration with Microsoft’s partners across Microsoft Security, providing a unique view into how the Microsoft Security ecosystem leans on cross-team collaboration to protect our customers.
This page will be continually updated as the team develops and publishes more resources, so be sure to bookmark our Ninja Hub and stay up to date: https://aka.ms/MicrosoftIRNinjaHub
Incident Response (IR) best practices for security teams and leaders
Navigating the Maze of Incident Response: Microsoft Incident Response team guide shares best practices for security teams and leaders
Creating a proactive incident response plan | How to boost your incident response readiness
The art and science behind Microsoft threat hunting: Part 1
The art and science behind Microsoft threat hunting: Part 2
The art and science behind Microsoft threat hunting: Part 3
Microsoft Security tips to reduce risk in mergers and acquisitions
Deep dives and threat hunting guides
One-page guides
Download the new Microsoft Incident Response one-page guides on investigating suspicious activity in Microsoft 365 and Microsoft Entra
Download the Microsoft Incident Response guides on using Windows Internals for digital forensic investigations
Cloud hunting and Microsoft Entra
Threat hunting with Microsoft Graph activity logs
Hunting for MFA manipulations in Entra ID tenants using KQL
Hunting in Azure subscriptions
Good UAL Hunting
Investigating malicious OAuth applications using the Unified Audit Log
Forensic artifacts in Office 365 and where to find them
Follow the Breadcrumbs with Microsoft IR & MDI: Working Together to Fight Identity-based Attacks
How to investigate service provider trust chains in the cloud
Techniques for threat hunting
Fuzzy hashing logs to find malicious activity
Leveraging the Power of KQL in Incident Response
Attacker tactics, techniques, and procedures explained
Proactive Measures: Safeguarding Against Vulnerable Driver Attacks with Effective Monitoring and Prevention Strategies
Defenders beware: A case for post-ransomware investigations
Token tactics: How to prevent, detect, and respond to cloud token theft
Guidance for investigating attacks using CVE-2022-21894: The BlackLotus campaign
Guidance for investigating attacks using CVE-2023-23397
Protect against CVE-2019-0708: BlueKeep
IIS modules: The evolution of web shells and how to detect them
Web shell attacks continue to rise
Ghost in the shell: Investigating web shell attacks
Tarrask malware uses scheduled tasks for defense evasion
Case studies
Cyberattack Series
Report 1: Solving one of NOBELIUM’s most novel attacks
Report 2: Healthy security habits to fight credential breaches
Report 3: Patch me if you can: Cyberattack Series
Report 4: Protecting credentials against social engineering
Advanced Persistent Threats (APTs) and named Threat Actor groups
Octo Tempest crosses boundaries to facilitate extortion, encryption, and destruction
A guide to combatting human-operated ransomware: Part 1
A guide to combatting human-operated ransomware: Part 2
MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone
Destructive malware targeting Ukrainian organizations
DEV-0537 criminal actor targeting organizations for data exfiltration and destruction
Ransomware and case studies
The five-day job: A BlackByte ransomware intrusion case study
LockBit 2.0 ransomware bugs and database recovery attempts: Part 1
LockBit 2.0 ransomware bugs and database recovery attempts: Part 2
Facing the cold chills: A case study of a targeted compromise
Lessons from the field and compromise recovery how-to
Compromise recovery
Octo Tempest: Hybrid identity compromise recovery
Recover ADCS from Compromise
Advice for incident responders on recovery from systemic identity compromises
Lessons from the field on securing your cloud
Total Identity Compromise: Microsoft Incident Response lessons on securing Active Directory
Microsoft Incident Response lessons on preventing cloud identity compromise
Protect your business from password sprays with Microsoft DART recommendations
Microsoft Incident Response tips for managing a mass password reset
Effective strategies and technical recommendations for conducting Mass Password Resets during cybersecurity incidents
How Microsoft Incident Response and Microsoft Defender for Identity work together
A “quick wins” approach to securing Azure Active Directory and Office 365 and improving your security posture
Using Microsoft Security APIs for Incident Response – Part 1
Using Microsoft Security APIs for Incident Response – Part 2
Microsoft Office 365—Do you have a false sense of cloud security?
Lessons from the field on ransomware response
Long-form resources and books
Microsoft Defender for Endpoint in Depth: Take any organization’s endpoint security to the next level
The Definitive Guide to KQL: Using Kusto Query Language for operations, defending, and threat hunting (1st Edition)
Learn more about the Microsoft Incident Response team
DART: the Microsoft cybersecurity team we hope you never meet
How the Microsoft Incident Response team helps customers remediate threats
Microsoft Incident Response Retainer is generally available
An integrated incident response solution with Microsoft and PwC
To stay up to date, follow blogs published to the Security Experts Tech Community Blog and to Microsoft Security Blog.