Defender Lab Notes 2 (License, Hunting, Vulnerability Management, API, Cross Platform)
This is the second post collecting notes from a lab practice.
License
Defender for Business: for organizations with up to 300 users; each licensed user can use it on up to five devices
Included in Microsoft 365 Business Premium (also available as a standalone license)
Microsoft 365 Defender (XDR across endpoints, email, identities and cloud apps) vs Microsoft Defender for Cloud (posture management and workload protection for cloud resources)
Hunting
1 Proactive hunting
Not all threat scenarios begin with an alert
- Proactive and iterative search for threats
- The power of knowing the network
2 Enrich existing information
- Understand the impact of existing alerts
- Get more information on entities and IOCs
3 Datasets
Emails (Defender for Office 365)
- Email transactions, including post-delivery actions
- Email attachments and URLs
Identities (Defender for Identity, Defender for Cloud Apps)
- Logons, Active Directory queries
- All activities against Active Directory monitored by MDI (preview)
Cloud applications (Defender for Cloud Apps)
- File actions
Endpoints (Defender for Endpoint)
- Existing advanced hunting data from MDE
4 Custom detections
Build your own rule based on advanced hunting query
- Across different datasets
- Choose impact entities
- Choose automatic remediation actions
Custom detections can be
- Environment-specific threats (high value assets, unique data)
- Lower threshold for specific type of threats
- Unique attack techniques
Detection frequencies are available for
- Near real time (NRT), 1 hour, 3 hours, 12 hours, 24 hours
Detection rules & permissions
- Manage security settings in the Security Center (MDE role-based access control)
- Authorization and settings / Security settings (Microsoft 365 Defender unified RBAC)
- Security Administrator or Security Operator (Azure AD role)
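The following query is an added example, not code from the original notes or from Microsoft; it shows what a cross-dataset custom detection rule looks like. It joins the Defender for Office 365 attachment data with Defender for Endpoint process data to flag a file that arrived as an email attachment and was later executed on a device. Table and column names come from the advanced hunting schema; the 2h lookback window is an assumption and should be aligned with the rule's run frequency.

```kql
// Added example (not from the original notes): cross-dataset custom detection.
// Flags a process whose image hash matches a file that arrived as an email
// attachment, joining the Defender for Office 365 and Defender for Endpoint datasets.
// Assumption: the 2h lookback is a placeholder; align it with the rule's run frequency.
let lookback = 2h;
// Attachments delivered recently, keyed by SHA256 (Defender for Office 365 dataset)
let DeliveredAttachments =
    EmailAttachmentInfo
    | where Timestamp > ago(lookback)
    | where isnotempty(SHA256)
    | project AttachmentTime = Timestamp, NetworkMessageId,
              SenderFromAddress, RecipientEmailAddress,
              AttachmentName = FileName, SHA256;
// Process launches whose image hash matches a delivered attachment (Defender for Endpoint dataset)
DeviceProcessEvents
| where Timestamp > ago(lookback)
| where isnotempty(SHA256)
| join kind=inner DeliveredAttachments on SHA256
// Execution must follow delivery
| where Timestamp >= AttachmentTime
// Timestamp, ReportId and at least one entity column (DeviceId, SHA256,
// RecipientEmailAddress, ...) must be returned so the rule can populate
// impacted entities and run automatic remediation actions
| project Timestamp, ReportId, DeviceId, DeviceName, AccountName,
          FileName, SHA256, ProcessCommandLine, FolderPath,
          NetworkMessageId, SenderFromAddress, RecipientEmailAddress, AttachmentName
```

When saving this as a custom detection, pick the impacted entities from the projected columns (device via DeviceId, user via AccountName, mailbox via RecipientEmailAddress) and the remediation actions you want to automate (for example isolate device or quarantine file). Because the query joins two tables it cannot run at the near real-time (NRT) frequency, which is limited to single-table queries, so choose one of the scheduled frequencies and make the lookback at least as long as the interval so no events fall between runs.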
Query in builder:
5 Hunt in Microsoft 365 Defender without KQL!
Guided mode in Advanced Hunting
- Hunt data without writing KQL or functions
Easy-to-hunt activities across the data domains
- Endpoints, emails, applications and identities
- Conditions such as OR, AND and subgroups
Flexibly shift to hunting modes
- Switching from Guided mode to Advanced mode
6 More advanced hunting features
Save and share queries
Take actions from hunting
Go hunt
- From incidents
Documentation
- Built in the product
Profile enrichments
- Files, Identities, IPs, etc.
Threat & Vulnerability Management (TVM)
Traditional vulnerability management and its pain points:
1 Discover
Periodic scanning
Blind spots
No run-time info
“Static snapshot”
2 Prioritize
Based on severity
Missing org context
No threat view
Large threat reports
3 Remediate
Waiting for a patch
No IT/Security bridge
Manual process
No validation
The TVM approach:
1 Continuous Discovery
Extensive vulnerability assessment across the entire stack
Broad secure configuration assessment
2 Threat & Business Prioritization (“TVM”)
Helping customers focus on the right things at the right time
Threat Landscape
- Vulnerability characteristics (CVSS score, days vulnerable)
- Exploit characteristics (public exploit & difficulty, bundle)
- EDR security alerts (Active alerts, breach history)
- Threat analytics (live campaigns, threat actors)
Breach Likelihood
- Current security posture
- Internet facing
- Exploit attempts in the org
Business Value
- HVA analysis (WIP, HVU, critical process)
- Run-time & Dependency analysis
3 Remediation Requests/Tickets
A bridge between IT and security teams:
- 1-click remediation requests via Intune
- Automated task monitoring via run-time analysis
- Tracking Mean-time-to-mitigate KPIs
- Rich exception experience to mitigate/accept risk
- Ticket management integration (Intune, Planner, ServiceNow, Jira)
API
- Explore the various Microsoft Defender for Endpoint APIs interactively (API Explorer)
- Track apps that integrate with the Microsoft Defender for Endpoint platform in your organization (Connected applications)
- Configure Microsoft Defender for Endpoint to stream Advanced Hunting events to your storage account (Streaming API)
Cross Platform
References
- Learn the query language
- Advanced hunting schema reference
- Webinar series, episode 1: KQL fundamentals (MP4, YouTube)
- Webinar series, episode 2: Joins (MP4, YouTube)
- Webinar series, episode 3: Summarizing, pivoting, and visualizing Data (MP4, YouTube)
- Webinar series, episode 4: Let’s hunt! Applying KQL to incident tracking (MP4, YouTube)
- Hunting for reconnaissance activities using LDAP search filters
- Pluralsight KQL training