This is the second post collecting some notes from a lab practice.
Lab:
Topology:
- Network Watcher – Monitoring – Topology
- Virtual networks: Monitoring > Diagram.
Basic Operation
- Alerts – New
- MDE Alert – Alert Severity : high – Add Email Address for Delivery
- New Vulnerability Notification
- Critical Vulnerability Notification – New Critical Vulnerabilities – Email address for delivery notification
- Entra ID – Manage – Mobility (MDM and WIP) – Microsoft Intune
- MDM user scope : all
- Automatically enrolls users into Intune.
- WIP user scope : all
- Microsoft Defender – Settings – Endpoints – Advanced features : Enable Microsoft Intune Connection.
- Intune : https://intune.microsoft.com/
Create security profiles in Intune to onboard devices
- Intune – Endpoint security – Manage – Endpoint Detection and Response – Create policy
- AntiVirus
- Disk Encryption
- Firewall
- EPM
- EDR
- App Control
- ASR
- Account Protection
- Device Compliance
- Conditional access
- Create profile based on default baseline (Security Baseline for Windows 10 and later)
- Apply to all users
License
Check the license from the admin portal:
- Defender for Business: fewer than 300 users, up to five devices
- Defender for Endpoint P1 (no servers): > 300 users
- Defender for Endpoint P2 (no servers): > 300 users
- Microsoft 365 for Business (Premium)
- Defender for servers
- Defender for Business: < 300 users
- MDE P1 and P2: > 300 users
Microsoft 365 Defender vs Microsoft Defender for Cloud
Hunting
1 Proactive hunting
Not all threat scenarios begin with an alert
- Proactive and iterative search for threats
- The power of knowing the network
2 Enrich existing information
- Understand the impact of existing alerts
- Get more information on entities and IOCs
3 Datasets
Emails (Defender for Office)
- Email transactions, including post-delivery
- Emails attachments and URLs
Identities (Defender for Identities, Defender for Cloud Apps)
- Logons, Active Directory queries
- All activities against Active Directory monitored by MDI (preview)
Cloud applications (Defender for Cloud Apps)
- File actions
Endpoints (Defender for Endpoint)
- Existing advanced hunting data from MDE
4 Custom detections
Build your own rule based on advanced hunting query
- Across different datasets
- Choose impact entities
- Choose automatic remediation actions
Custom detections can be
- Environment-specific threats (high value assets, unique data)
- Lower threshold for specific type of threats
- Unique attack techniques
Detection frequencies are available for
- Near real time (NRT), 1 hour, 3 hours, 12 hours, 24 hours
Detection rule & Permission
- Manage security settings in the Security Center – MDE role
- Authorization and settings / Security setting – Unified RBAC
- Security administrator, Security operator – AAD role
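The following query is an added example, not part of the original notes, of the kind of cross-dataset query a custom detection rule can be built on: it links Defender for Office 365 attachment data to Defender for Endpoint file telemetry, so a rule can fire when an emailed attachment is later written to disk on a managed device. A custom detection query must return Timestamp, ReportId and at least one entity column (here DeviceId); the 7-day lookback and the restriction to FileCreated events are assumptions chosen for this example.

```kql
// Added example: email attachment (Defender for Office 365) that later lands on an endpoint (MDE).
// Output includes Timestamp, ReportId and DeviceId so it can be saved as a custom detection rule.
let lookback = 7d;   // assumed window; shorten it to match the rule's run frequency
EmailAttachmentInfo
| where Timestamp > ago(lookback)
| where isnotempty(SHA256)
| project EmailTimestamp = Timestamp, NetworkMessageId, SenderFromAddress,
          RecipientEmailAddress, AttachmentName = FileName, SHA256
| join kind=inner (
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | project Timestamp, ReportId, DeviceId, DeviceName, FolderPath, FileName,
              SHA256, InitiatingProcessFileName
) on SHA256
// keep only files written after the message was delivered
| where Timestamp >= EmailTimestamp
| project Timestamp, ReportId, DeviceId, DeviceName, FolderPath, FileName,
          InitiatingProcessFileName, NetworkMessageId, SenderFromAddress,
          RecipientEmailAddress, AttachmentName, SHA256
```

When this query is turned into a rule, DeviceId, RecipientEmailAddress and NetworkMessageId are the columns to pick as impacted entities, and the automatic actions offered (isolate device, quarantine file, soft-delete email) map onto the same entities.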
Query in builder:
5 Hunt in Microsoft 365 Defender without KQL!
Guided mode in Advanced Hunting
- Hunt data without writing KQL or functions
Easy-to-hunt activities across the data domains
- Endpoints, Emails, Applications and Identities
- Conditions such as OR, AND, Subgroups
Flexibly shift to hunting modes
- Switching from Guided mode to Advanced mode
6 More advanced hunting features
Save and share queries
Take actions from hunting
Go hunt
- From incidents
Documentation
- Built in the product
Profile enrichments
- Files, Identities, IPs, etc.
Threat Vulnerability Management
1 Discover
- Periodic scanning
- Blind spots
- No run-time info
- “Static snapshot”
2 Prioritize
- Based on severity
- Missing org context
- No threat view
- Large threat reports
3 Remediate
- Waiting for a patch
- No IT/Security bridge
- Manual process
- No validation
1 Continuous Discovery
Extensive vulnerability assessment across the entire stack
Broad secure configuration assessment
2 Threat & Business Prioritization (“TLV”)
Helping customers focus on the right things at the right time
Threat Landscape
- Vulnerability characteristics (CVSS score, days vulnerable)
- Exploit characteristics (public exploit & difficulty, bundle)
- EDR security alerts (Active alerts, breach history)
- Threat analytics (live campaigns, threat actors)
Breach Likelihood
- Current security posture
- Internet facing
- Exploit attempts in the org
Business Value
- HVA analysis (WIP, HVU, critical process)
- Run-time & Dependency analysis
3 Remediation Requests/Tickets
Bridging between the IT and Security admins
Game-changing bridge between IT and Security teams
- 1-click remediation requests via Intune
- Automated task monitoring via run-time analysis
- Tracking Mean-time-to-mitigate KPIs
- Rich exception experience to mitigate/accept risk
- Ticket management integration (Intune, Planner, ServiceNow, Jira)
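As an added example, not from the original notes, the prioritization signals listed above (CVSS score, days vulnerable, public exploit, active alerts, internet-facing) can be combined in advanced hunting to rank devices for remediation requests. The thresholds (CVSS ≥ 7.0, exploit available, 30-day alert window, 7-day DeviceInfo window) are assumptions for this example; the table and column names are the standard advanced hunting schema.

```kql
// Added example: rank internet-facing devices by exploitable vulnerabilities and recent alerts.
// Latest known exposure state per device (DeviceInfo has many rows per device).
let deviceState =
    DeviceInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, IsInternetFacing, ExposureLevel) by DeviceId
    | project DeviceId, IsInternetFacing, ExposureLevel;
// "EDR security alerts" signal: distinct alerts that named the device in the last 30 days.
let recentAlerts =
    AlertEvidence
    | where Timestamp > ago(30d) and EntityType == "Machine" and isnotempty(DeviceId)
    | summarize RecentAlerts = dcount(AlertId) by DeviceId;
// "Exploit characteristics" signal: CVEs with a public exploit, from the KB table.
let exploitableCves =
    DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true
    | project CveId, CvssScore, PublishedDate;
DeviceTvmSoftwareVulnerabilities
| project DeviceId, DeviceName, SoftwareName, SoftwareVersion, CveId
| join kind=inner exploitableCves on CveId
| where CvssScore >= 7.0                      // assumed severity threshold
| join kind=inner deviceState on DeviceId
| where IsInternetFacing == true              // "Internet facing" breach-likelihood signal
| join kind=leftouter recentAlerts on DeviceId
| extend RecentAlerts = coalesce(RecentAlerts, 0)
| extend DaysSincePublished = datetime_diff("day", now(), PublishedDate)   // "days vulnerable"
| summarize ExploitableCves = dcount(CveId),
            MaxCvss = max(CvssScore),
            OldestCveDays = max(DaysSincePublished),
            AffectedSoftware = make_set(strcat(SoftwareName, " ", SoftwareVersion), 20)
          by DeviceId, DeviceName, ExposureLevel, RecentAlerts
| order by RecentAlerts desc, MaxCvss desc, ExploitableCves desc
```

The resulting list is the input for the remediation requests described above: each row is one device, its exploitable software and the reason it sorted to the top, which is what an IT admin needs to act on a ticket without re-deriving the context.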
API
- Explore various Microsoft Defender for Endpoint APIs interactively
- Track apps that integrate with the Microsoft Defender for Endpoint platform in your organization
- Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your storage account
Cross Platform
From EDR to XDR
From EDR to XDR – Microsoft 365 Defender
- Endpoints – Microsoft Defender for Endpoint
- Email & Docs – Microsoft Defender for Office 365
- Apps & Cloud Apps – Microsoft Defender for Cloud Apps
- Identities – Microsoft Defender for Identity & AAD Identity Protection
- Servers
- Containers
- Databases
- Storage
- Cloud Service Layer
- IoT
XDR actions to an Attack
What should we look into once there is an alert or incident?
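One concrete answer to that question, and to the "enrich existing information" bullets in the hunting section above (understand the impact of existing alerts, get more information on entities and IOCs), is an added example that is not part of the original notes: take the IP addresses that recent High/Medium alerts attached as evidence and pivot them back into endpoint network telemetry to see which other devices contacted them. The 24-hour alert window and 7-day IOC window are assumptions for this example.

```kql
// Added example: scope an alert's blast radius by pivoting its IP evidence across all endpoints.
let alertWindow = 24h;   // assumed: how far back to collect alerts
let iocWindow = 7d;      // assumed: how far back to look for the same IOC on other devices
let recentAlerts =
    AlertInfo
    | where Timestamp > ago(alertWindow) and Severity in ("High", "Medium")
    | project AlertId, Title, Category, ServiceSource;
// IP entities recorded as evidence for those alerts, with the alert titles that referenced them
let alertIps =
    AlertEvidence
    | where Timestamp > ago(alertWindow) and EntityType == "Ip" and isnotempty(RemoteIP)
    | join kind=inner recentAlerts on AlertId
    | summarize AlertTitles = make_set(Title, 5) by RemoteIP;
// Every device that reached one of those IPs during the IOC window, not just the alerted one
DeviceNetworkEvents
| where Timestamp > ago(iocWindow)
| where RemoteIP in ((alertIps | project RemoteIP))
| join kind=inner alertIps on RemoteIP
| summarize FirstSeen = min(Timestamp), LastSeen = max(Timestamp), Connections = count(),
            Processes = make_set(InitiatingProcessFileName, 10),
            AlertTitles = take_any(AlertTitles)
          by RemoteIP, DeviceId, DeviceName
| order by FirstSeen asc
```

Devices that appear here but have no alert of their own are the first thing to look into: they share the IOC but did not trip a detection, so they are where the incident scope is most likely to be underestimated.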
References
- Learn the query language
- Advanced hunting schema reference
- Webinar series, episode 1: KQL fundamentals (MP4, YouTube)
- Webinar series, episode 2: Joins (MP4, YouTube)
- Webinar series, episode 3: Summarizing, pivoting, and visualizing Data (MP4, YouTube)
- Webinar series, episode 4: Let’s hunt! Applying KQL to incident tracking (MP4, YouTube)
- Hunting for reconnaissance activities using LDAP search filters
- Pluralsight KQL training