Episode 3

Attack Testing Defender for Endpoint,

Advanced Hunting, and More

In this episode of ThreatCast, Microsoft MVP Ru Campbell is joined by Kijo Girardi, Product Manager for XDR at Microsoft, to talk about the user journey following deployment, some of the tools Kijo has published on GitHub, and how customers can get the most out of their Microsoft Security investment.

ThreatCast EP3 KIjo


With the Microsoft Security suite (and indeed any security solution), deployment is only the beginning. It’s not a case of set it and forget it. After taking the first step in your security journey with deployment, focus must shift to operationalising your new tools to get the most from your investment, both in terms of financial ROI and maximised security.

Ru and Kijo discuss their top tips for making the transition from deployment to continuous security a smooth one, touching on daily processes, best practice, environment-specific challenges, and preparing for the worst-case scenario to ensure readiness.

When protecting your organisation from cyber threats, data is key. Microsoft’s Advanced Hunting improves visibility and offers greater insight into the potential threats against your digital environment. But you can take it a step further. KQL enables users to tailor Advanced Hunting to get the most enriched data available, exceeding what’s available in Defender’s GUI. Kijo offers insight into KQL’s applications and the benefits he’s seen associated with learning the language.

During his time at Microsoft Kijo has developed MDE Tester and subsequently Research Dev, both of which are available on GitHub. Research Dev allows users to apply real-world threat scenarios to their Defender suite. While it’s an excellent resource for preparedness training, incident response, and evaluating an organisation’s detection capabilities, it also empowers teams to respond to environment-wide threats by correlating alerts and data. 

Ru and Kijo also consider solution consolidation, a trend we’re seeing across the entire industry. As security teams struggle under the weight of multiple vendor solutions and their associated data points and portals, we’re seeing more and more organisations move towards platform play, slimming down their security stacks and making the task of security more manageable.

That said, even with consolidated solutions, a working understanding of the functions and layout of your tools is essential. Kijo explains how familiarising yourself with navigation throughout your chosen security portal can make a significant difference when the time comes to utilise your tools to respond to threats or extract threat intelligence.

What is covered?