Ignite 2020: Best Practices for Hunting Across Domains in Microsoft 365 Defender

For Ignite 2020, Tali and I put together a video of demos showing how you can use the Advanced Hunting feature of Microsoft 365 Defender to correlate activity between the various Defender capabilities. Among other things, you’ll see an example of how to use Defender for Identity and Defender for Endpoint to track down suspicious replication activity.

A copy of the query file used in this webcast is available on our public GitHub if you want to try the queries out in your tenant: Microsoft-365-Defender-Hunting-Queries/Ignite 2020 – Best practices for hunting across domains with Microsoft 365 Defender.csl at master · microsoft/Microsoft-365-Defender-Hunting-Queries · GitHub

Best Practices for Hunting Across Domains with Microsoft 365 Defender
