Defender Lab Notes 2 (License, Hunting, Vulnerability Management, API, Cross Platform)

Microsoft 365 Defender vs Microsoft Defender for Cloud

Hunting

1 Proactive hunting

Not all threat scenarios begin with an alert

• Proactive and iterative search for threats
• The power of knowing the network

2 Enrich existing information

• Understand the impact of existing alerts
• Get more information on entities and IOCs

3 Datasets

Emails (Defender for Office)

• Email transactions, including post-delivery
• Emails attachments and URLs

Identities (Defender for Identities, Defender for Cloud Apps)

• Logons, Active Directory queries
• All activities against Active Directorymonitored by MDI(preview)

Cloud applications (Defender for Cloud Apps)

• File actions

Endpoints (Defender for Endpoint)

• Existing advanced hunting data from MDE

4 Custom detections

Build your own rule based on advanced hunting query

• Across different datasets
• Choose impact entities
• Choose automatic remediation actions

Custom detections can be

• Environment-specific threats (high value assets, unique data)
• Lower threshold for specific type of threats
• Unique attack techniques

Detection frequencies are available for

• Near real time (NRT), 1 hour, 3 hours, 12 hours, 24 hours

Detection rule & Permission

• Manage security settings in the Security Center – MDE role
• Authorization and settings / Security setting–Unified RBAC
• Security administrator, Security operator –AAD role

Query in builder:

5 Hunt in Microsoft 365 Defender without KQL!

Guided mode in Advanced Hunting

• Hunt data without writing KQL and Function

Easy-to-hunt activities across the data domain

• Endpoints, Emails, Applications and Identities
• Conditions such as OR, AND, Subgroups

Flexibly shift to hunting modes

• Switching from Guided mode to Advanced mode

6 More advanced hunting features

Save and share queries

Take actions from hunting

Go hunt

• From incidents

Documentation

• Built in the product

Profile enrichments

• Files, Identities, IPs, etc.

Threat Vulnerability Management

1 Discover

Periodic scanning

Blind spots

No run-time info

“Static snapshot”

2 Prioritize

Based on severity

Missing org context

No threat view

Large threat reports

3 Remediate

Waiting for a patch

No IT/Security bridge

Manual process

No validation

1 Continuous Discovery

Extensive vulnerability assessment across the entire stack

Broad secure configuration assessment

2 Threat & Business Prioritization (“TLV”)

Helping customers focus on the right things at the right time

Threat Landscape

• Vulnerability characteristics (CVSS score, days vulnerable)
• Exploit characteristics (public exploit & difficulty, bundle)
• EDR security alerts (Active alerts, breach history)
• Threat analytics (live campaigns, threat actors)

Breach Likelihood

• Current security posture
• Internet facing
• Exploit attempts in the org

Business Value

• HVA analysis (WIP, HVU, critical process)
• Run-time & Dependency analysis

3 Remediation Requests/Tickets

Bridging between the IT and Security admins

Game changing bridge between IT and Security teams