Microsoft Defender for Endpoint technologies built into Windows
Endpoint behavioral sensors. Embedded in Windows 10, these sensors collect and process behavioral signals from the operating system. The sensors send the data to your private, isolated cloud instance of Microsoft Defender for Endpoint.
Cloud security analytics. Using big data, machine learning, and unique Microsoft optics across the Windows ecosystem, enterprise cloud products (such as Office 365), and online assets, behavioral signals are translated into insights, detections, and recommended responses to advanced threats.
Threat intelligence. Generated by Microsoft hunters and security teams, and augmented by threat intelligence provided by partners, threat intelligence enables Microsoft Defender for Endpoint to identify attacker tools, techniques, and procedures, and generate alerts when these tools are observed in collected sensor data.
What is required to deploy Microsoft Defender for Endpoint to Windows devices in your organization?
Subscription to the Microsoft Defender for Endpoint online service
Microsoft Defender for Endpoint required role
Security Administrator
Microsoft Defender for Endpoint storage location, data retention, preview
Data storage location - determine where you want the primary data storage hosted (US, EU, UK); you can't change the location afterwards
Data retention - default is 6 months
Enable preview features - default is on
Microsoft Defender for Endpoint if endpoints use a proxy server to access the internet
The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP Services (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint cloud service. The embedded sensor runs in the system context using the LocalSystem account, so the proxy configuration must be available to that context rather than only to the logged-on user.
General settings advanced features for endpoints
Automated investigation - take advantage of the automated investigation and remediation features of the service
Live response & Live response for servers - users with the appropriate permissions can start a live response session on devices
Always remediate PUA - potentially unwanted applications
Restrict correlation to within scoped device groups - for scenarios where local SOC operations would like to limit alert correlations only to device groups that they can access
Enable EDR in block mode - EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.
Add or block file - you need to use Microsoft Defender Antivirus as the active antimalware solution, and
The cloud-based protection feature is enabled
Tamper protection - essentially locks Microsoft Defender Antivirus and prevents your security settings from being changed through apps and methods.
Microsoft Defender for Identity integration - By enabling this feature, you’ll enrich the device-based investigation capability by pivoting across the network from an identity point of view.
Office 365 Threat Intelligence connection - only available if you have an active Office 365 E5 or the Threat Intelligence add-on.
When you turn on this feature, you’ll be able to incorporate data from Microsoft Defender for Office 365 into Microsoft Defender XDR to conduct a comprehensive security investigation across Office 365 mailboxes and Windows devices.
Attack surface reduction rules target behaviors
Launching executable files and scripts that attempt to download or run files
Running obfuscated or otherwise suspicious scripts
Performing behaviors that apps don’t usually initiate during normal day-to-day work.
Attack surface reduction rule settings
Each Attack Surface Reduction rule contains one of four settings:
Not configured: Disable the attack surface reduction rule
Block: Enable the Attack Surface Reduction rule
Audit: Evaluate how the attack surface reduction rule would impact your organization if enabled
Warn: Enable the Attack Surface Reduction rule but allow the end user to bypass the block
What do attack surface reduction rules in audit mode do?
They evaluate how attack surface reduction rules would impact your organization if they were enabled. It's best to run all rules in audit mode first so you can understand their impact on your line-of-business applications.
Where can you enable attack surface reduction rules?
Microsoft Intune
Mobile Device Management (MDM)
Microsoft Endpoint Configuration Manager
Group Policy
PowerShell
Device info: Risk level, Exposure level, Health state, Antivirus status
Risk level - overall risk assessment of the device based on a combination of factors, including the types and severity of active alerts on the device
Exposure level - the current exposure of the device based on the cumulative impact of its pending security recommendations
If the exposure level says "No data available", the device hasn't reported in 30 days, the OS isn't supported, or the agent is stale.
Health state - Active (reporting), Inactive (no signal for 7 days), Misconfigured (impaired communications)
Antivirus status - Disabled (virus and threat detection turned off), Not reporting, Not updated
Investigating a device (Response actions)
Manage tags
Isolate device
Restrict app execution
Run antivirus scan
Collect investigation package
Initiate Live Response Session
Initiate automated investigation
Consult a threat expert
Action center
Onboarding devices (modes of discovery)
Basic discovery: In this mode, endpoints passively collect events in your network and extract device information from them. Basic discovery uses the SenseNDR.exe binary for passive network data collection, and no network traffic is initiated. Endpoints extract data from all network traffic seen by an onboarded device. With basic discovery, you'll only gain limited visibility of unmanaged endpoints in your network.
Standard discovery (recommended): This mode allows endpoints to actively find devices in your network to enrich collected data and discover more devices, helping you build a reliable and coherent device inventory. In addition to devices observed using the passive method, standard mode also uses common discovery protocols that send multicast queries in the network to find even more devices. Standard mode uses smart, active probing to discover additional information about observed devices and enrich existing device information. When standard mode is enabled, minimal and negligible network activity generated by the discovery sensor might be observed by network monitoring tools in your organization.
How should a security analyst react to discovering an interesting event?
a flag
Device actions (containment actions)
Isolate Device
Restrict app execution
Run antivirus scan
Device actions (Investigation actions)
Initiate Automated Investigation
Collect investigation package
Initiate Live Response Session
How can you see the actions performed on a device?
Action Center
What kind of file is downloaded when trying to get an investigation package?
.zip
Investigation Package material
Autoruns - files that each represent the content of the registry of a known auto start entry point (ASEP)
Installed Programs - .CSV list of installed programs
Network Connections -
ActiveNetConnections.txt – Displays protocol statistics and current TCP/IP network connections. It provides the ability to look for suspicious connectivity made by a process.
Arp.txt – Displays the current address resolution protocol (ARP) cache tables for all interfaces.
ARP cache can reveal other hosts on a network that have been compromised or suspicious systems on the network that might have been used to run an internal attack.
DnsCache.txt - Displays the contents of the DNS client resolver cache, which includes both entries preloaded from the local Hosts file and any recently obtained resource records for name queries resolved by the computer. This can help in identifying suspicious connections.
IpConfig.txt – Displays the full TCP/IP configuration for all adapters. Adapters can represent physical interfaces, such as installed network adapters, or logical interfaces, such as dial-up connections.
FirewallExecutionLog.txt and pfirewall.log
Prefetch files - Prefetch files are designed to speed up the application startup process. They can be used to track all the files recently used on the system and to find traces of applications that might have been deleted but can still be found in the prefetch file list.
Processes - .CSV listing the running processes, which provides the ability to identify the current processes running on the device.
Scheduled tasks - .CSV listing the scheduled tasks
Security event log - login activity
Services - .CSV services and their state
Windows SMB sessions - Lists shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network
System information - a SystemInformation.txt file that lists system information such as OS version and network cards
Temp directories - set of text files that lists the files located in %Temp% for every user on the system
Users & groups -
WdSupportLogs - Provides the MpCmdRunLog.txt and MPSupportFiles.cab.
CollectionSummaryReport.xls - summary of the investigation package collection; it contains the list of data points, the command used to extract the data, the execution status, and the error code if there's a failure
Live response
The user needs the Manage Portal Settings permission, and the device needs an automated remediation level assigned
Run basic and advanced commands to do investigative work on a device.
Download files such as malware samples and outcomes of PowerShell scripts.
Download files in the background (new!).
Upload a PowerShell script or executable to the library and run it on a device from a tenant level.
Take or undo remediation actions.
Live response output types
JSON & Table
Live response limitations
A maximum of 10 live response sessions can be active at a time.
Large-scale command execution isn’t supported.
Live response session inactive timeout value is 5 minutes.
A user can only initiate one session at a time.
A device can only be in one session at a time.
The following file size limits apply:
Getfile limit: 3 GB
Fileinfo limit: 10 GB
Library limit: 250 MB
Investigating a File
Observed in organization tab - specify a date range to see which devices have been observed with the file. This tab shows a maximum of 100 devices. To see all devices with the file, export the tab to a CSV file.
Deep analysis tab - submit the file for deep analysis to uncover more details about the file's behavior and its effect within your organization.
The file needs to be a PE file (.exe or .dll)
File response actions on top of file page
Stop and Quarantine File
Add Indicator
Download file
Action center