Solorigate Technical Workshop

You are here: Home / Solorigate Technical Workshop

As the recent events of December 2020 has shown us all, cyber attacks and breaches can happen at any moment.

On Tuesday 9th February 2021, Managing Director, Federico Charosky and Senior Security Engineer, Ben Docherty discussed the latest threat analysis, IOCs and lessons learnt of one of the biggest and most complex cyber-attacks of all time; Solorigate (also referred to as SUNBURST by FireEye).


Event suited for; CISO/Sentinel Security Engineers & Professionals; Technical capability using Microsoft Ecosystem; Azure Sentinel, Microsoft 365 Defender and Azure Defender.

Event Schedule 12:00-13:30


Welcome from Federico Charosky, Managing Director – Quorum Cyber

  • Analysing the Solorigate Security Breach

Microsoft Azure Sentinel – Live Demonstration with Ben Docherty, Senior Security Engineer at Quorum Cyber

  • Intro and TI for monitoring
  • Script read through
  • Post-compromise – example trigger and pointing to further investigation
  • What Supply Chain Attacks are and how to defend

Microsoft Defender XDR & Increasing Resilience

Q&A & Close


Solorigate Timeline - What we know so far

Explore the attack timeline that has been recently disclosed by SolarWinds* of one of the most sophisticated and extensive intrusion attacks of the decade; SUNBURST to TEARDROP and Raindrop.  **Estimated timeline of active based on forensic analysis.

Solorigate Technical Workshop Resources

Some further helpful resources from Microsoft, providing you with the latest threat intelligence, Indicators of Compromise (IOC)s and guidance related to the recent attack.

We will make updates to these linked resources as new information becomes available, so please check back or follow us on Twitter and/or LinkedIn to stay up to date on the latest news.

Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop – Microsoft Security

Solorigate Resource Center – updated February 5, 2021 – Microsoft Security Response Center

Using Microsoft 365 Defender to protect against Solorigate – Microsoft Security

Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers – Microsoft Security

Live Q&A - Your Questions Answered

During the live session, Federico Charosky answered some questions the audience had as part of the Q&A. Read the questions and his responses below.

Is there an easy way to learn KQL?

Yes. Microsoft has made the KQL query course work free. There is a KQL course free on Pluralsight and also in the Microsoft Learn environment. Check it out here

There is also a Ninja Course for Azure Sentinel and Ninja Course for Defender both of which take you through how to improve, get updated and refresh your knowledge.

How effective have you found MS endpoint protection tools to be for organisations with mixed OSs (windows, mac and linux)?

There is a lot of confusion out there between EDR and XDR.

XDR is not a product. XDR is an ecosystem of capabilities. The idea is that your eXtending (hence the x) the coverage of what you are able to see in your organisation to every dimension possible. So your Microsoft Defender XDR environment, your ecosystem, is all the different products within it – you have Microsoft Defender for Endpoint, Microsoft Defender for Identity, Microsoft Cloud App Security, Azure Defender (which is for protecting cloud workloads) – all these components pull together to form what is called Microsoft Defender XDR; the extended, detection and response capability.

In terms of how effective we have found it – it enables us to do OUR job really well. It provides the ability to have Defender for Endpoint (previously Defender ATP) running in all our Customers servers and endpoints regardless of the OS; whether Mac, Windows or Linux; and to have a unified view.

It can then extend, as well, to Identity (Azure AD, AD On-Prem), cloud workloads (everything running in Azure); it can actually extend to cloud workloads running in other clouds using Azure Arc.  So, by extending the ability for you to view across the full spectrum and then using Sentinel to do the insights of; what is an incident, what assets are effected what entities are affected; and then drive that automation into, so you can go and enrich or react across that full spectrum, makes our job extremely effective.

From our perspective it is one of the most powerful products out there in the EDR and definitely in the XDR space.