Defender Lab Notes 2 (License, Hunting, Vulnerability Management, API, Cross Platform)

This is the second post collecting notes from a lab practice.


License

Defender for Business: up to 300 users, up to five devices per user

Defender for Endpoint P1
Defender for Endpoint P2

Microsoft 365 for Business

Defender for servers

Microsoft 365 Defender vs Microsoft Defender for Cloud

Hunting

Endpoint Detection & Response

1 Proactive hunting

Not all threat scenarios begin with an alert

  • Proactive and iterative search for threats
  • The power of knowing the network

2 Enrich existing information

  • Understand the impact of existing alerts
  • Get more information on entities and IOCs

3 Datasets

Emails (Defender for Office)

  • Email transactions, including post-delivery
  • Emails attachments and URLs

Identities (Defender for Identity, Defender for Cloud Apps)

  • Logons, Active Directory queries
  • All activities against Active Directory monitored by MDI (preview)

Cloud applications (Defender for Cloud Apps)

  • File actions

Endpoints (Defender for Endpoint)

  • Existing advanced hunting data from MDE
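
The datasets above only pay off when one query walks across them. The following query is an added example, not from the original notes: it starts from mail sent by a suspicious domain (Defender for Office 365), finds who clicked the URL (Safe Links telemetry), then looks for endpoint connections to the clicked domain (Defender for Endpoint) and sign-ins by the clicking account (Defender for Identity) within an hour of the click. The sender domain and the two time windows are assumptions chosen for illustration.

```kql
// Added example, not from the original notes: one hunt that walks across the
// email, identity and endpoint datasets. The sender domain and the two time
// windows (7d lookback, 1h after the click) are assumptions for illustration.
let lookback = 7d;
let suspicious_sender_domain = "phish.example";            // assumed IOC
// 1. Emails from the suspicious domain and the URLs they carried (Defender for Office 365)
let phish_mail =
    EmailEvents
    | where Timestamp > ago(lookback)
    | where SenderFromDomain =~ suspicious_sender_domain
    | project NetworkMessageId, RecipientEmailAddress, Subject,
              DeliveryAction, DeliveryLocation, EmailTime = Timestamp
    | join kind=inner (
        EmailUrlInfo
        | project NetworkMessageId, Url, UrlDomain = tolower(UrlDomain)
      ) on NetworkMessageId;
// 2. Who clicked, and whether the Safe Links warning was clicked through
let clicks =
    UrlClickEvents
    | where Timestamp > ago(lookback)
    | project NetworkMessageId, Url, AccountUpn, ClickAction = ActionType,
              IsClickedThrough, ClickTime = Timestamp;
// 3. Endpoint network events to the clicked domain (Defender for Endpoint).
//    RemoteUrl is sometimes a bare host name, so fall back to it when parse_url finds no Host.
let endpoint_hits =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where isnotempty(RemoteUrl)
    | extend Host = tostring(parse_url(RemoteUrl).Host)
    | extend UrlDomain = tolower(iff(isempty(Host), RemoteUrl, Host))
    | project DeviceId, DeviceName, InitiatingProcessAccountUpn,
              InitiatingProcessFileName, RemoteUrl, UrlDomain, NetTime = Timestamp;
// 4. Sign-ins by the clicking account (Defender for Identity)
let logons =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | project AccountUpn, LogonType, LogonAction = ActionType, IPAddress, Location,
              LogonTime = Timestamp;
phish_mail
| join kind=inner clicks on NetworkMessageId, Url
| join kind=leftouter endpoint_hits on UrlDomain
| where isnull(NetTime) or NetTime between (ClickTime .. (ClickTime + 1h))
| join kind=leftouter logons on AccountUpn
| where isnull(LogonTime) or LogonTime between (ClickTime .. (ClickTime + 1h))
| project EmailTime, RecipientEmailAddress, Subject, DeliveryAction, DeliveryLocation, Url,
          AccountUpn, ClickTime, ClickAction, IsClickedThrough,
          DeviceName, InitiatingProcessFileName, RemoteUrl, NetTime,
          LogonType, LogonAction, IPAddress, Location, LogonTime
| order by ClickTime desc
```

The leftouter joins are deliberate: a click with no endpoint or identity follow-up is still a row, so you see the delivered-and-clicked mails that produced no further telemetry as well as the ones that did. Timestamps are renamed per dataset (EmailTime, ClickTime, NetTime, LogonTime) so the joins do not collide on Timestamp and the ordering of events stays readable.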

4 Custom detections

Build your own rule based on advanced hunting query

  • Across different datasets
  • Choose impact entities
  • Choose automatic remediation actions

Custom detections can be

  • Environment-specific threats (high value assets, unique data)
  • Lower threshold for specific type of threats
  • Unique attack techniques

Detection frequencies are available for

  • Near real time (NRT), 1 hour, 3 hours, 12 hours, 24 hours

Detection rule & Permission

  • Manage security settings in the Security Center – MDE role
  • Authorization and settings / Security setting–Unified RBAC
  • Security administrator, Security operator –AAD role
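
A query shaped for a custom detection rule, as an added example that is not part of the original notes. It applies a lower threshold to one technique (certutil used as a download/decode LOLBin) on a hand-picked set of high-value devices; the device names and the command-line switches are assumptions to be replaced with your own. The point it illustrates is the output contract: the rule engine needs Timestamp, ReportId and an entity key column (DeviceId/DeviceName for devices, AccountObjectId/AccountSid for users) in the result, otherwise you cannot pick impacted entities or remediation actions when saving the rule.

```kql
// Added example, not from the original notes: a query shaped for a custom
// detection rule. The high-value device names and the certutil switches are
// assumptions; replace them with your own assets and technique of interest.
let hva_devices = dynamic(["fin-app01", "hr-db02"]);      // assumed high-value assets
DeviceProcessEvents
// No Timestamp filter here: each scheduled run scopes its own lookback, and a
// filter tighter than the run interval can silently miss events.
| where FileName =~ "certutil.exe"
// LOLBin download/decode switches: a lower threshold than a generic
// "suspicious process" alert, applied only to the devices that matter most
| where ProcessCommandLine has_any ("-urlcache", "-decode", "-encode", "-split")
| where DeviceName in~ (hva_devices)
| project Timestamp, ReportId,                      // required by the rule engine
          DeviceId, DeviceName,                     // entity key: lets the rule pick Device as impacted entity
          AccountName, AccountSid,                  // and User, if you want account actions too
          FileName, ProcessCommandLine, SHA256,
          InitiatingProcessFileName, InitiatingProcessCommandLine
```

Two caveats when turning this into a rule. Near real time (NRT) frequency is only available for queries that read a single table without join or union, which this one satisfies; the cross-dataset hunts earlier in these notes have to run on one of the scheduled frequencies. And if you aggregate (summarize) to count bursts, ReportId is dropped unless you keep it with arg_max(Timestamp, *) or similar, and the rule will refuse to save. Saving the rule needs one of the roles in the permission list above.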

Query in builder:

5 Hunt in Microsoft 365 Defender without KQL!

Guided mode in Advanced Hunting

  • Hunt data without writing KQL or functions

Easily hunt activities across data domains

  • Endpoints, emails, applications and identities
  • Conditions such as OR, AND and subgroups

Flexibly shift between hunting modes

  • Switch from Guided mode to Advanced mode

6 More advanced hunting features

Save and share queries

Take actions from hunting

Go hunt

  • From incidents

Documentation

  • Built in the product

Profile enrichments

  • Files, Identities, IPs, etc.

Threat & Vulnerability Management

Traditional approach and its gaps:

1 Discover

  • Periodic scanning
  • Blind spots
  • No run-time info
  • “Static snapshot”

2 Prioritize

  • Based on severity alone
  • Missing org context
  • No threat view
  • Large threat reports

3 Remediate

  • Waiting for a patch
  • No IT/Security bridge
  • Manual process
  • No validation

TVM approach:

1 Continuous Discovery

  • Extensive vulnerability assessment across the entire stack
  • Broad secure configuration assessment

2 Threat & Business Prioritization (“TLV”)

Helping customers focus on the right things at the right time

Threat Landscape

  • Vulnerability characteristics (CVSS score, days vulnerable)
  • Exploit characteristics (public exploit & difficulty, bundle)
  • EDR security alerts (Active alerts, breach history)
  • Threat analytics (live campaigns, threat actors)

Breach Likelihood

  • Current security posture
  • Internet facing
  • Exploit attempts in the org

Business Value

  • HVA analysis (WIP, HVU, critical process)
  • Run-time & Dependency analysis
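
The prioritization signals above are all queryable. The following is an added example, not from the original notes, that scores each device/CVE pair with the threat-landscape, breach-likelihood and business-value inputs instead of sorting by CVSS alone. The point weights and the 30-day alert window are assumptions; tune them to your environment.

```kql
// Added example, not from the original notes: prioritize findings with the
// threat, breach-likelihood and business-value signals above instead of CVSS alone.
// The point weights and the 30-day alert window are assumptions.
let alert_window = 30d;
// EDR alerts per device (active alerts / breach history)
let alerted_devices =
    AlertEvidence
    | where Timestamp > ago(alert_window)
    | where isnotempty(DeviceId)
    | summarize AlertCount = dcount(AlertId), LastAlert = max(Timestamp) by DeviceId;
// Latest posture per device: internet exposure and the asset value set in the portal
let posture =
    DeviceInfo
    | where Timestamp > ago(1d)
    | summarize arg_max(Timestamp, IsInternetFacing, ExposureLevel, AssetValue) by DeviceId
    | project-away Timestamp;
DeviceTvmSoftwareVulnerabilities
| join kind=inner (
    DeviceTvmSoftwareVulnerabilitiesKB
    | project CveId, CvssScore, IsExploitAvailable, PublishedDate
  ) on CveId
| join kind=leftouter posture on DeviceId
| join kind=leftouter alerted_devices on DeviceId
| extend DaysVulnerable = coalesce(datetime_diff("day", now(), PublishedDate), 0)
| extend Score =
      coalesce(CvssScore, 0.0)                                         // vulnerability characteristics
    + iff(coalesce(IsExploitAvailable, false), 3.0, 0.0)               // public exploit available
    + iff(coalesce(IsInternetFacing, false), 2.0, 0.0)                 // breach likelihood: internet facing
    + iff(coalesce(AssetValue, "") == "High", 2.0, 0.0)                // business value (HVA)
    + iff(coalesce(AlertCount, 0) > 0, 2.0, 0.0)                       // EDR alerts on the device
    + iff(DaysVulnerable > 90, 1.0, 0.0)                               // days vulnerable
| project DeviceName, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel,
          CvssScore, IsExploitAvailable, IsInternetFacing, ExposureLevel, AssetValue,
          AlertCount, LastAlert, DaysVulnerable, Score, RecommendedSecurityUpdate
| order by Score desc, CvssScore desc
```

The leftouter joins and coalesce calls matter: a device with no alerts and no recent DeviceInfo row must still score, not disappear or come out null. Compare the top of this list with the top of a plain `order by CvssScore desc` to see how much the exploit, exposure and asset-value inputs reorder the work.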

3 Remediation Requests/Tickets

A bridge between IT and Security teams

  • 1-click remediation requests via Intune
  • Automated task monitoring via run-time analysis
  • Tracking mean-time-to-mitigate KPIs
  • Rich exception experience to mitigate/accept risk
  • Ticket management integration (Intune, Planner, ServiceNow, JIRA)

Device Discovery

Threat Analytics

API


API Explorer
  • Explore the various Microsoft Defender for Endpoint APIs interactively
Integrated compliance assessment
  • Track apps that integrate with the Microsoft Defender for Endpoint platform in your organization
Data Export API
  • Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your storage account

Cross Platform


Mac
Linux
Android & iOS

References

Advanced Hunting
  • Learn the query language
  • Advanced hunting schema reference
  • Webinar series, episode 1: KQL fundamentals (MP4, YouTube)
  • Webinar series, episode 2: Joins (MP4, YouTube)
  • Webinar series, episode 3: Summarizing, pivoting, and visualizing Data (MP4, YouTube)
  • Webinar series, episode 4: Let’s hunt! Applying KQL to incident tracking (MP4, YouTube)
  • Hunting for reconnaissance activities using LDAP search filters
  • Pluralsight KQL training

Copyright notice:
Author: siwei
Link: https://www.techfm.club/p/160810.html
Source: TechFM
The copyright of this article belongs to the author; please do not reproduce it without permission.
