Hello Swahela,
Thank you for your question and for reaching out with your question today.
Identifying the top attacked users across a Microsoft 365 tenant or in Microsoft 365 Defender involves considering various factors and indicators. While there isn't a single definition of an "attacked user," you can look at several metrics and indicators to determine the level of threat or risk faced by a user. Here are some criteria to consider:
- Security Incidents: Analyzing the number of security incidents related to each user can provide insights into their exposure to attacks. Security incidents can include activities such as malware detections, suspicious logins, or compromised accounts.
- Compromised Accounts: Tracking the number of compromised accounts associated with each user is essential. This can include instances where an attacker gained unauthorized access to the user's account.
- Phishing Attempts: Monitoring the number of successful phishing attempts against each user can indicate their susceptibility to social engineering attacks. This can include instances where users clicked on malicious links or provided credentials to phishing websites.
- Threat Intelligence: Leveraging threat intelligence sources and indicators can help identify users who have been targeted or affected by known threats or attack campaigns. This could involve analyzing indicators such as malicious IPs, domains, or email addresses associated with attacks.
- Anomaly Detection: Employing anomaly detection techniques can help identify users who exhibit unusual or suspicious behavior, which might indicate they are under attack. This can involve analyzing patterns of logins, access requests, or data transfers that deviate from the user's normal behavior.
To gather this information and identify the top attacked users across the tenant, you can utilize the Microsoft 365 Defender APIs or PowerShell cmdlets. Here are some potential approaches:
- Microsoft Graph API: The Microsoft Graph API provides access to security-related data, including alerts, incidents, and user information. You can use the API to retrieve information on security incidents, compromised accounts, and phishing attempts for each user. By aggregating and analyzing this data, you can identify the top attacked users.
- Microsoft 365 Defender APIs: Microsoft 365 Defender also provides specific APIs that focus on security-related data and insights. These APIs, such as the Microsoft Defender for Endpoint API, can provide information on security incidents, threat intelligence, and user-related data. By leveraging these APIs, you can gather the necessary information to identify attacked users.
- PowerShell cmdlets: Microsoft provides PowerShell modules, such as the Security & Compliance Center PowerShell module, that allow you to interact with Microsoft 365 security data. These cmdlets enable you to retrieve information on security incidents, compromised accounts, and other relevant metrics. By leveraging PowerShell, you can automate the retrieval and analysis of data to identify the top attacked users.
It's important to note that the availability of specific APIs and PowerShell cmdlets may vary based on the Microsoft 365 subscriptions and services you have deployed. Review the documentation and capabilities of the respective APIs and cmdlets to determine the specific endpoints and commands that align with your requirements.
I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.
If the reply was helpful, please don’t forget to upvote or accept as answer.
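As an added illustration of the Graph API approach described in the answer above (this is example code written for this page, not code from the answer's author or from Microsoft), the script below pages through the Microsoft Graph `/security/alerts_v2` collection, pulls the user principal names out of each alert's `userEvidence` entries, and ranks users by a severity-weighted alert count. Assumptions: the alert and evidence shape follows the published `alerts_v2` schema (`severity`, `category`, `createdDateTime`, `evidence[].@odata.type`, `userAccount.userPrincipalName`), the severity weights are chosen for this example rather than a Microsoft-defined scale, the `GRAPH_TOKEN` environment variable is a hypothetical way of supplying a bearer token that carries `SecurityAlert.Read.All`, and the `SAMPLE_ALERTS` list is constructed data so the ranking runs offline.

```python
"""Rank the most-attacked users in a tenant from Microsoft Graph security alerts (alerts_v2)."""
import json
import os
import urllib.parse
import urllib.request
from collections import defaultdict
from datetime import datetime, timedelta, timezone

GRAPH_ALERTS_URL = "https://graph.microsoft.com/v1.0/security/alerts_v2"
USER_EVIDENCE_TYPE = "#microsoft.graph.security.userEvidence"

# Weight per alert severity. Chosen for this example; tune to your own triage policy.
SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1, "informational": 0, "unknown": 0}


def users_in_alert(alert):
    """Return the set of UPNs named in an alert's evidence list.
    An alert may carry several user evidence items or none; UPNs are lower-cased
    so the same account reported with different casing is not counted twice."""
    upns = set()
    for ev in alert.get("evidence", []):
        if ev.get("@odata.type") != USER_EVIDENCE_TYPE:
            continue
        account = ev.get("userAccount") or {}
        upn = account.get("userPrincipalName")
        if upn:
            upns.add(upn.lower())
    return upns


def rank_attacked_users(alerts, top_n=10):
    """Aggregate alerts per user (count, weighted score, distinct categories, last seen)
    and return the top_n users sorted by score, then alert count, highest first."""
    stats = defaultdict(lambda: {"alerts": 0, "score": 0, "categories": set(), "last_seen": None})
    for alert in alerts:
        weight = SEVERITY_WEIGHT.get((alert.get("severity") or "unknown").lower(), 0)
        for upn in users_in_alert(alert):
            s = stats[upn]
            s["alerts"] += 1
            s["score"] += weight
            if alert.get("category"):
                s["categories"].add(alert["category"])
            ts = alert.get("createdDateTime")
            # Graph returns ISO 8601 UTC timestamps, so lexical comparison orders them correctly.
            if ts and (s["last_seen"] is None or ts > s["last_seen"]):
                s["last_seen"] = ts
    ranked = [
        {"user": upn, "alerts": s["alerts"], "score": s["score"],
         "categories": sorted(s["categories"]), "last_seen": s["last_seen"]}
        for upn, s in stats.items()
    ]
    ranked.sort(key=lambda r: (-r["score"], -r["alerts"], r["user"]))
    return ranked[:top_n]


def fetch_alerts(access_token, days=30):
    """Page through /security/alerts_v2 for the last `days` days, following @odata.nextLink.
    The token must carry SecurityAlert.Read.All (application or delegated)."""
    since = (datetime.now(timezone.utc) - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    url = GRAPH_ALERTS_URL + "?" + urllib.parse.urlencode(
        {"$filter": f"createdDateTime ge {since}", "$top": "500"})
    alerts = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        alerts.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return alerts


# Constructed sample alerts in the alerts_v2 shape, so the ranking can be exercised offline.
SAMPLE_ALERTS = [
    {"id": "a1", "title": "Suspicious sign-in from anonymous IP", "severity": "medium",
     "category": "InitialAccess", "createdDateTime": "2024-05-01T08:00:00Z",
     "evidence": [
         {"@odata.type": USER_EVIDENCE_TYPE, "userAccount": {"userPrincipalName": "Alice@contoso.example"}},
         {"@odata.type": "#microsoft.graph.security.ipEvidence", "ipAddress": "203.0.113.7"}]},
    {"id": "a2", "title": "Phishing URL clicked", "severity": "high",
     "category": "CredentialAccess", "createdDateTime": "2024-05-02T09:30:00Z",
     "evidence": [
         {"@odata.type": USER_EVIDENCE_TYPE, "userAccount": {"userPrincipalName": "alice@contoso.example"}}]},
    {"id": "a3", "title": "Malware detected on device", "severity": "high",
     "category": "Malware", "createdDateTime": "2024-05-02T11:00:00Z",
     "evidence": [
         {"@odata.type": "#microsoft.graph.security.deviceEvidence", "deviceDnsName": "ws01"},
         {"@odata.type": USER_EVIDENCE_TYPE, "userAccount": {"userPrincipalName": "bob@contoso.example"}}]},
    {"id": "a4", "title": "Unusual volume of file downloads", "severity": "low",
     "category": "Exfiltration", "createdDateTime": "2024-05-03T12:00:00Z",
     "evidence": [
         {"@odata.type": USER_EVIDENCE_TYPE, "userAccount": {"userPrincipalName": "bob@contoso.example"}},
         {"@odata.type": USER_EVIDENCE_TYPE, "userAccount": {"userPrincipalName": "carol@contoso.example"}}]},
    {"id": "a5", "title": "New inbox rule created", "severity": "informational",
     "category": "Persistence", "createdDateTime": "2024-05-03T13:00:00Z",
     "evidence": []},  # no user evidence: attributed to nobody
]


if __name__ == "__main__":
    token = os.environ.get("GRAPH_TOKEN")  # hypothetical: supply a bearer token to query a real tenant
    alerts = fetch_alerts(token) if token else SAMPLE_ALERTS
    for row in rank_attacked_users(alerts, top_n=5):
        print(f"{row['user']:<28} alerts={row['alerts']} score={row['score']} "
              f"categories={','.join(row['categories'])} last_seen={row['last_seen']}")
```

On the sample data the ranking comes out alice (score 5 from a medium and a high alert), then bob (score 4), then carol (score 1). Note that alerts with no `userEvidence` (a5 here) drop out of the per-user view entirely, so a user-centric report should be read alongside device- and mailbox-centric ones; the severity weights and the 30-day window are the two knobs most worth aligning with your own incident-handling policy.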