Defender Lab Notes 2 (License, Hunting, Vulnerability Management, API, Cross Platform)

 This is the second post to collect some Notes from a lab practice.

Lab:

Topology:

https://learn.microsoft.com/en-us/azure/network-watcher/network-insights-topology

• Network watcher - monitoring - topology
• Virtual networks: Monitoring > Diagram.

 

Basic Operation

1. Email Notification

• Alerts - New

• MDE Alert - Alert Severity : high - Add Email Address for Delivery

• New Vulnerability Notification
• Critical Vulnerability Notification - New Critical Vuls - Email to Delivery notificaiton

2. Onboarding Devices Through Intune

• Entra ID - Manage - Mobility (MDM and WIP) - Microsoft Intune 
• MDM user scope : all
• automatically enroll user into intune. 
• WIP user scope : all 
• Microsoft Defender - Settings - Endpoints - Advanced features : Enable Microsoft Intune Connection.
• 
  
  
  
  
• Intune : https://intune.microsoft.com/
• 
  
  
  
  
• Create security profile in Intune to onboard devices
• Intune - Endpoint security - Manage - Endpoint Detection and Response - Create policy

3. Onboarding Device through MDE

• Microsoft Defender - Settings - Endpoints - Device Mgmt - Onboarding
• 
  
  
  
  

4. Security Policies (Intune)

• AntiVirus
• Disk Encryption
• Firewall
• EPM
• EDR
• App Control
• ASR
• Account Protection
• Device Compliance
• Conditional access

Note: best practice from blog : https://jeffreyappel.nl/tag/mde-series/

5. Security Baseline (Intune)

• Create profile based on default baseline (Security Baseline for Windows 10 and later)
• Apply to all users

License

Check the license from Admin portal:

https://admin.microsoft.com/Adminportal/Home#/licenses

Here is a E5 license. But you might be able to see some other license as shown below:

• Defender for business : less than 300 users, up to five devcies
• Defender for Endpoint P1 (No servers) >300 users
• Defender for Endpoint P2 (No Servers) > 300 users
• Microsoft 365 for Business (Premium)
• Defender for servers

For servers, we must have license for Defender for Cloud or MS Defender for Business Servers.

If you are using E5, you Defender for Endpoints will be on P2. 

If you donot have a proper Defender license, you will not be able to see the Device menu option from https://security.microsoft.com/.

• Defender for business < 300 users. 
• MDE P1 and P2 > 300 users

Microsoft 365 Defender vs Microsoft Defender for Cloud

Hunting

Endpoint Detection & Response

1 Proactive hunting

Not all threat scenarios begin with an alert

• Proactive and iterative search for threats
• The power of knowing the network

2 Enrich existing information

• Understand the impact of existing alerts
• Get more information on entities and IOCs

3 Datasets

Emails (Defender for Office)

• Email transactions, including post-delivery
• Emails attachments and URLs

Identities (Defender for Identities, Defender for Cloud Apps)

• Logons, Active Directory queries
• All activities against Active Directorymonitored by MDI(preview)

Cloud applications (Defender for Cloud Apps)

• File actions

Endpoints (Defender for Endpoint)

• Existing advanced hunting data from MDE

4 Custom detections

Build your own rule based on advanced hunting query

• Across different datasets
• Choose impact entities
• Choose automatic remediation actions

Custom detections can be

• Environment-specific threats (high value assets, unique data)
• Lower threshold for specific type of threats
• Unique attack techniques

Detection frequencies are available for

• Near real time (NRT), 1 hour, 3 hours, 12 hours, 24 hours

Detection rule & Permission

• Manage security settings in the Security Center – MDE role
• Authorization and settings / Security setting–Unified RBAC
• Security administrator, Security operator –AAD role

Query in builder:

5 Hunt in Microsoft 365 Defender without KQL!

Guided mode in Advanced Hunting

• Hunt data without writing KQL and Function

Easy-to-hunt activities across the data domain

• Endpoints, Emails, Applications and Identities
• Conditions such as OR, AND, Subgroups

Flexibly shift to hunting modes

• Switching from Guided mode to Advanced mode

6 More advanced hunting features

Save and share queries

Take actions from hunting

Go hunt

• From incidents

Documentation

• Built in the product

Profile enrichments

• Files, Identities, IPs, etc.

Threat Vulnerability Management

 

1 Discover

Periodic scanning

Blind spots

No run-time info

“Static snapshot”

2 Prioritize

Based on severity

Missing org context

No threat view

Large threat reports

3 Remediate

Waiting for a patch

No IT/Security bridge

Manual process

No validation

1 Continuous Discovery

Extensive vulnerability assessment across the entire stack

Broad secure configuration assessment

2 Threat & Business Prioritization (“TLV”)

Helping customers focus on the right things at the right time

Threat Landscape

• Vulnerability characteristics (CVSS score, days vulnerable)
• Exploit characteristics (public exploit & difficulty, bundle)
• EDR security alerts (Active alerts, breach history)
• Threat analytics (live campaigns, threat actors)

Breach Likelihood

• Current security posture
• Internet facing
• Exploit attempts in the org

Business Value

• HVA analysis (WIP, HVU, critical process)
• Run-time & Dependency analysis

3 Remediation Requests/Tickets

Bridging between the IT and Security admins

Game changing bridge between IT and Security teams

• 1-click remediation requests via Intune
• Automated task monitoring via run-time analysis
• Tracking Mean-time-to-mitigate KPIs
• Rich exception experience to mitigate/accept risk
• Ticket management integration (Intune, Planner, Service Now, JIRA)

Device Discovery

Threat Analytics

API

 

API Explorer

• Explore variousMicrosoft Defender for EndpointAPIs interactively

Integrated compliance assessment

• Track appsthatintegrates with Microsoft Defender for Endpoint platformin your organization.

Data Export API

• Configure Microsoft Defender for Endpoint to stream AdvancedHunting events to your storage account

Cross Platform

 

Mac

Linux

Android & iOS

From EDR to XDR

 From EDR to XDR - Microsoft 365 Defender

• Incidents

• Automated Investigation & Response

• Attack Disruption

• Microsoft 365 Defender APIs

• Microsoft Sentinel Integration

Extended Detection and Response (XDR) is a SaaS-based, vendor specific, security threat detection and incident response tool that natively integrates multiple security productsinto a cohesive security operations system that unifies all licensed components.  - from Gartner

Microsoft Sentinel : visibility across your entire organization

Microsoft 365 Defender: Secure your end users

• Endpoints - Microsoft Defender for Endpoint
• Email & Doscs - Microsoft Defender for Office 365
• Apps & Cloud Apps -  Microsoft Defender for Cloud Apps
• Identities -   Microsoft Defender for Identity & AAD Identity Protection

Microsoft Defender for Cloud: Secure your infrastructure

• Servers
• Containers
• Databases
• Storage
• Cloud Service Layer
• IoT

XDR actions to an Attack 

 What should we look into once there is an alert or incident?

Here are some sample answers for those questions:

List attack chain and users action steps:

References

Advanced Hunting

• Learn the query language
• Advanced hunting schema reference
• Webinar series, episode 1: KQL fundamentals (MP4, YouTube)
• Webinar series, episode 2: Joins (MP4, YouTube)
• Webinar series, episode 3: Summarizing, pivoting, and visualizing Data (MP4, YouTube)
• Webinar series, episode 4: Let’s hunt! Applying KQL to incident tracking (MP4, YouTube)
• Hunting for reconnaissance activities using LDAP search filters
• Plural sight KQL training