Finding Top Attacked Users in Microsoft 365 or Microsoft 365 Defender for the Entire Tenant - Clarification and Methods

Swahela Mulla 95 Reputation points
2023-07-03T17:53:52.9966667+00:00

Hello everyone,

I have a query regarding identifying the top (5) attacked users across the entire tenant in Microsoft 365 or Microsoft 365 Defender. However, I would like some clarification on what qualifies as an "attacked user" and which criteria should be considered when determining this.

Specifically, I'm unsure about the definition of an "attacked user" and the metrics or indicators that can be used to identify them. For example, should we consider the number of security incidents, compromised accounts, successful phishing attempts, or any other relevant factors?

I'm particularly interested in finding a solution that can provide insights for the entire tenant, not just individual users.

Additionally, I'm keen on exploring the possibility of utilizing APIs or PowerShell commands to retrieve this information. If anyone has experience or knowledge about specific endpoints, cmdlets, or any other methods that can assist in identifying the top 5 attacked users across the tenant, please provide guidance or suggestions.

Your expertise and insights in this matter would be greatly appreciated, as I'm looking to gain a clearer understanding of how to find the top 5 attacked users across the tenant in Microsoft 365 or Microsoft 365 Defender, as well as any potential API or PowerShell solutions.

Thank you!

Note: I'm referring to attacks within the Microsoft 365 environment or tracked by Microsoft 365 Defender.


1 answer

  1. Limitless Technology 44,566 Reputation points
    2023-07-04T14:23:22.61+00:00

    Hello Swahela,

    Thank you for your question and for reaching out with your question today.

    Identifying the top attacked users across a Microsoft 365 tenant or in Microsoft 365 Defender involves considering various factors and indicators. While there isn't a single definition of an "attacked user," you can look at several metrics and indicators to determine the level of threat or risk faced by a user. Here are some criteria to consider:

    1. Security Incidents: Analyzing the number of security incidents related to each user can provide insights into their exposure to attacks. Security incidents can include activities such as malware detections, suspicious logins, or compromised accounts.
    2. Compromised Accounts: Tracking the number of compromised accounts associated with each user is essential. This can include instances where an attacker gained unauthorized access to the user's account.
    3. Phishing Attempts: Monitoring the number of successful phishing attempts against each user can indicate their susceptibility to social engineering attacks. This can include instances where users clicked on malicious links or provided credentials to phishing websites.
    4. Threat Intelligence: Leveraging threat intelligence sources and indicators can help identify users who have been targeted or affected by known threats or attack campaigns. This could involve analyzing indicators such as malicious IPs, domains, or email addresses associated with attacks.
    5. Anomaly Detection: Employing anomaly detection techniques can help identify users who exhibit unusual or suspicious behavior, which might indicate they are under attack. This can involve analyzing patterns of logins, access requests, or data transfers that deviate from the user's normal behavior.

    To gather this information and identify the top attacked users across the tenant, you can utilize the Microsoft 365 Defender APIs or PowerShell cmdlets. Here are some potential approaches:

    1. Microsoft Graph API: The Microsoft Graph API provides access to security-related data, including alerts, incidents, and user information. You can use the API to retrieve information on security incidents, compromised accounts, and phishing attempts for each user. By aggregating and analyzing this data, you can identify the top attacked users.
    2. Microsoft 365 Defender APIs: Microsoft 365 Defender also provides specific APIs that focus on security-related data and insights. These APIs, such as the Microsoft Defender for Endpoint API, can provide information on security incidents, threat intelligence, and user-related data. By leveraging these APIs, you can gather the necessary information to identify attacked users.
    3. PowerShell cmdlets: Microsoft provides PowerShell modules, such as the Security & Compliance Center PowerShell module, that allow you to interact with Microsoft 365 security data. These cmdlets enable you to retrieve information on security incidents, compromised accounts, and other relevant metrics. By leveraging PowerShell, you can automate the retrieval and analysis of data to identify the top attacked users.

    It's important to note that the availability of specific APIs and PowerShell cmdlets may vary based on the Microsoft 365 subscriptions and services you have deployed. Review the documentation and capabilities of the respective APIs and cmdlets to determine the specific endpoints and commands that align with your requirements.

    I used AI provided by ChatGPT to formulate part of this response. I have verified that the information is accurate before sharing it with you.

    If the reply was helpful, please don’t forget to upvote or accept as answer.

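As an added example (not part of the answer above or any Microsoft code), this is the aggregation step behind approach 1: take alerts in the Microsoft Graph `security/alerts_v2` shape, attribute each to the users named in its user evidence, and rank users by severity-weighted alert count. The alert records and the severity weights are constructed assumptions for illustration; only the Graph field names are real.

```python
"""Rank tenant users by severity-weighted Microsoft Graph security alerts.

Added example (not from the answer above). Input follows the Graph
`security/alerts_v2` shape (severity + evidence list with userEvidence
items holding `userAccount.userPrincipalName`); alerts are constructed data.
"""
from collections import Counter

# One high-severity alert should outrank a handful of informational ones.
SEVERITY_WEIGHT = {"informational": 1, "low": 2, "medium": 4, "high": 8}
USER_EVIDENCE = "#microsoft.graph.security.userEvidence"
def user_ev(upn):
    """Build a userEvidence item in the Graph shape (constructed data)."""
    return {"@odata.type": USER_EVIDENCE, "userAccount": {"userPrincipalName": upn}}

SAMPLE_ALERTS = {"value": [
    {"id": "a1", "severity": "high", "evidence": [user_ev("alice@contoso.example")]},
    {"id": "a2", "severity": "low", "evidence": [user_ev("bob@contoso.example")]},
    {"id": "a3", "severity": "low", "evidence": [user_ev("bob@contoso.example")]},
    {"id": "a4", "severity": "informational", "evidence": [user_ev("bob@contoso.example")]},
    # One alert naming two users counts once for each of them.
    {"id": "a5", "severity": "medium", "evidence": [user_ev("alice@contoso.example"),
                                                   user_ev("carol@contoso.example")]},
    # Device-only evidence: nothing to attribute to a user.
    {"id": "a6", "severity": "medium", "evidence": [
        {"@odata.type": "#microsoft.graph.security.deviceEvidence", "deviceDnsName": "ws01"}]},
    {"id": "a7", "severity": "high", "evidence": [user_ev("Dave@Contoso.example")]},  # mixed-case UPN
]}

def users_in_alert(alert):
    """Return the distinct lower-cased UPNs named as user evidence in one alert."""
    upns = set()
    for ev in alert.get("evidence") or []:
        if ev.get("@odata.type") == USER_EVIDENCE:
            upn = (ev.get("userAccount") or {}).get("userPrincipalName")
            if upn:
                upns.add(upn.lower())
    return upns

def rank_attacked_users(alerts_page, top_n=5):
    """Return [(upn, weighted_score, alert_count)] for the top_n users."""
    score, count = Counter(), Counter()
    for alert in alerts_page.get("value", []):
        weight = SEVERITY_WEIGHT.get(str(alert.get("severity", "")).lower(), 1)
        for upn in users_in_alert(alert):
            score[upn] += weight
            count[upn] += 1
    ranked = sorted(score, key=lambda u: (-score[u], -count[u], u))
    return [(u, score[u], count[u]) for u in ranked[:top_n]]
```

Against a live tenant the same function would be fed each page returned by `GET https://graph.microsoft.com/v1.0/security/alerts_v2` (application or delegated `SecurityAlert.Read.All`), following `@odata.nextLink` until exhausted.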
