Welcome to the third section of my SC-200 study guide. First the ones that I didn’t have time to include in the last section but will cover them in different order as in my opinion it makes more sense:
- Configure Microsoft Defender for Cloud Apps to generate alerts and reports to detect threats
- Identify, investigate, and remediate security risks by using Microsoft Defender for Cloud Apps
And then I will go through the following content:
- Manage data retention, alert notification, and advanced features
- Recommend security baselines for devices
- Respond to incidents and alerts
- Manage automated investigations and remediations
- Assess and recommend endpoint configurations to reduce and remediate vulnerabilities by using the Microsoft’s threat and vulnerability management solution
- Manage endpoint threat indicators
Table of Contents
Microsoft Defender for Cloud Apps
Microsoft Defender for Cloud Apps is a Cloud Access Security Broker (CASB) that provides advanced security capabilities to protect cloud-based applications and services. It offers a range of deployment options, including log collection, API connectors, and reverse proxy, to provide comprehensive visibility and control over data movement and security threats.
With its advanced analytics and machine learning capabilities, Microsoft Defender for Cloud Apps can detect and respond to security threats in real-time, helping organizations to prevent data breaches, cyber attacks, and other security incidents.
Click the picture for licensing details of different solutions. It will download and PDF file.
How does Defender for Cloud apps compare?
There is similar capabilities in different products, Microsoft has made some comparisons for you to see the differences.
Defender for Cloud Apps vs Office 365 Cloud App Security
Microsoft Defender for Cloud Apps vs Cloud App Discovery
New home for the portal
First things first, have you seen that Defender for Cloud Apps has been integrated as part of Defender for Office 365? The feature is still in preview and could change before it goes GA but excellent step on consolidating different parts.
You can still open the old portal and do the setup there but you are strongly advised to user Defender for Office 365 portal
Configure Microsoft Defender for Cloud Apps to generate alerts and reports to detect threats
Identity based protection policies has been moved under Global alerts
And you will find them here https://security.microsoft.com/settings/mtp_settings/service_alert_settings
And SMS alerts has been deprecated
But you can enable them with Power Automate flows
To create get alerts, you need to first create an policy
Or you can use predefined templates
You have these policies that you can choose from
Let’s use File policy as an example
When creating file policy, you these templates ready to use
You can choose the sending domain and other filters, you can also preview the results to see what files trigger the policy
You can then send the alerts as email and trigger Power Automate flow like mentioned earlier.
And you can also do some governance based on the policy
Once the policy is create, you will see actions is Alert and you can also view all alerts from the same menu
Privileged user activity
You can also monitor other things, like Privileged user logins, I will make it easy and
And put alerts on
If you want to see what Cloud provider means, you can see open the addresses here
There is an predefined list of public addresses
Once done, you will see the policy ready for action
You will see the alerts under old portal and Defender for Office 365 portal
And the new one, you can see the source as Cloud Apps
Will not cover the old portal, only the new one. When you open the alert, you will the details and the already created incident that it’s linked to
When you scroll down in the right side, you will the Application and more information on the account that triggered the alert
And you can mark the alerts
What the three options mean?
- True positive: An alert on a confirmed malicious activity
- Benign: An alert on a suspicious but not malicious activity, such as a penetration test or other authorized suspicious action
- False positive: An alert on a non-malicious activity
Identify, investigate, and remediate security risks by using Microsoft Defender for Cloud Apps
Then to the hunting part, now the we the incident and let’s see what is under it.
Incidents and remediation
When you click the incident link, you will be taken to the familiar Incident page
Under Users you can expand the User information page
From there you will see all the activities the user has done and their status in the organization
Including their location and the activities done in that location, you can start a new query based on the location and see all the activities for all users
From the timeline, you will see all actions done by that specific user
From Incident main page, you can see Evidence and Response activities, in this case all the details of the public IP-address
And you can add it to Cloud apps IP ranges
Or go hunt some more and also investigate Activity logs
Finally you can assign forward, with a reason, classification and comments
See here for the full documentation from Learn
Mitigate endpoint threats by using Microsoft Defender for Endpoint
Getting your trial
Microsoft has good material for the process
In short, just click the following link to get your 90 days 25 seat trial
Another side note is that you can redirect the traffic to Defender for Office 365 also from Defender for Endpoint
The table below provides the various tools based on the endpoint that needs to be onboarded.
Microsoft has made an presentation on how and when to use what onboarding model.
How the signals are transferred to Defender from different sources
|1||Devices are on-boarded through one of the supported management tools.|
|2||On-boarded devices provide and respond to Microsoft Defender for Endpoint signal data.|
|3||Managed devices are joined and/or enrolled in Azure Active Directory.|
|4||Domain-joined Windows devices are synchronized to Azure Active Directory using Azure Active Directory Connect.|
|5||Microsoft Defender for Endpoint alerts, investigations, and responses are managed in Microsoft 365 Defender.|
This what the script looks like
Once Onboarded you will them under Assets and Devices
Now when that’s done, let’s see how it works
Simulations & tutorials
I will use the simulation templates for generating alerts. You standalone ones under Tutorials
See more here on the evaluation lab itself
Manage data retention, alert notification, and advanced features
The Defender for Endpoint service makes use of cutting-edge data protection solutions built on Microsoft Azure infrastructure.
Our service takes care of a variety of data protection-related issues. One of the most important is encryption, which includes data encryption at rest, encryption in flight, and key management via Key Vault.
In all scenarios, data is encrypted using 256-bit AES encryption at the minimum.
At service onboarding
Data from Microsoft Defender for Endpoint is maintained for 180 days after service onboarding and is viewable across the portal. Yet, it is accessible via a query in the advanced hunting research experience for a period of 30 days.
When a contract expires or is terminated
While the license is in grace period or suspended mode, your data will be saved and accessible to you. No later than 180 days after contract termination or expiration, such data will be wiped from Microsoft’s systems, rendering it unrecoverable.
Data on Advanced Hunting
Advanced hunting is a threat-hunting technology that uses queries to search through up to 30 days of raw data.
You can configure the vulnerability events that trigger notifications and add or remove email notification recipients using the notification rules. After vulnerabilities are added, new recipients are notified.
If you use RBAC, receivers will only get notifications based on the device groups specified in the notification rule. Only users with the appropriate authorization can create, update, or delete notifications that are exclusive to their device group management scope. Only users with the Global administrator role have access to the notification rules that are set up for all device groups.
The vulnerability incident is described briefly in the email notification. There are additional links to filtered views on the Defender Vulnerability Management Security suggestions and Weaknesses sections in the portal to help you dig deeper. You may, for example, obtain a list of all affected devices or other information about the vulnerability.
You can access advanced features from here https://security.microsoft.com/preferences2/integration
See more from this Learn documentation
Recommend security baselines for devices
There is couple of ways to work here, Intune baselines and Defender security recommendations. They don’t overtake the other one but they will have duplicates in some cases
Intune Security baseline
Intune has Security baselines for devices and you access them from here https://endpoint.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/~/securityBaselines
It will suggest the optimal baseline for you
Defender Security recommendations
To get proactive you can use Secure score connector for devices
You can access the recommendations from https://security.microsoft.com/security-recommendations
And you can request a remediation directly from the recommendations
And it will show you what will be done
And more details here
Respond to incidents and alerts
You will the the alerts and can create incidents from them
Or you can Block an app or the complete device and also start hunting
When you open the device you will see what Defender has done, risk levels and the recommendations mentioned earlier
Manage automated investigations and remediations
You can start Automated Investigation and Live Response. With Live response you can run on-demand activities to the devices
When the device is tagged for risks, you can initiate automated investigation
The automated investigation process
An alert generates an event, which can be used to initiate an automated inquiry. Each piece of evidence receives a verdict as a consequence of the automatic investigation. Verdicts can include:
- No threats found
Remediation actions are identified for harmful or questionable organizations. Examples of corrective interventions include:
- Sending a file to quarantine
- Stopping a process
- Isolating a device
- Blocking a URL
- Other actions
Analysts can perform the following activities using live response:
- Run basic and advanced commands to do investigative work on a device.
- Download files such as malware samples and outcomes of PowerShell scripts.
- Download files in the background (new!).
- Upload a PowerShell script or executable to the library and run it on a device from a tenant level.
- Take or undo remediation actions.
Assess and recommend endpoint configurations to reduce and remediate vulnerabilities by using the Microsoft’s threat and vulnerability management solution
Built-in and agentless Defender Vulnerability Management scanners continuously monitor and detect risk in your business, even when devices are not connected to the corporate network.
A single inventory with an unified real-time picture of your organization’s software programs, digital certificates, network shares, and browser extensions aids in the discovery and assessment of all assets.
Examine extension permissions and risk levels, find certificates before they expire, detect potential vulnerabilities caused by poor signature methods, and check misconfigurations in internal network shares.
Start your trial here https://security.microsoft.com/tvmPremiumTrial180daySolution
It will take some time, in my setup not 6hrs but be prepared for it
How it will compare to others solutions
|Defender Vulnerability Management||Defender Vulnerability Management add-on||Defender Vulnerability Management Standalone|
|Core capabilities part of Defender for Endpoint Plan 2||Additional capabilities for Defender for Endpoint Plan 2||Full vulnerability Management capabilities|
|Device discovery||Security baselines assessment||Device discovery|
|Device inventory||Block vulnerable applications||Device inventory|
|Vulnerability assessment||Browser extensions||Vulnerability assessment|
|Configuration assessment||Digital certificate assessment||Continuous monitoring|
|Risk based prioritization||Network share analysis||Risk based prioritization|
|Remediation tracking||Remediation tracking|
|Continuous monitoring||Configuration assessment|
|Software assessment||Software assessment|
|Software usages insights||Software usages insights|
|Security baselines assessment|
|Block vulnerable applications|
|Digital certificate assessment|
|Network share analysis|
Once done you can access TVM here https://security.microsoft.com/tvm_dashboard
You will see those recommendations and your organizational Exposure score
If you drill down deeper, you will be weaknesses and which devices are exposed
And see more information here
Manage endpoint threat indicators
You can create Threat indicators under settings page https://security.microsoft.com/preferences2/custom_ti_indicators
You will see the File hashes, IP’s, URLs / domains and Certificates
Labs and deep dive content
|Learning Path 2 – Mitigate threats using Microsoft Defender for Endpoint||Exercise 1 – Deploy Microsoft Defender for Endpoint|
|Learning Path 2 – Mitigate threats using Microsoft Defender for Endpoint||Exercise 2 – Mitigate Attacks with Microsoft Defender for Endpoint|
If you want to have a serious deep dive for Defender for Endpoint, you really should see Jeffreys Appel’s series on it!
Some things to remember for the test.
- The new portal and how does it look like, remember that redirection!
- What types of different policies there is and how you can trigger them.
- Alerts in different portals
- What action you can take when investigating and remediating
Defender for Endpoint:
- Ways to onboard you device and why to use each one?
- Simulation and how use them
- Data retention and governance with Defender for Endpoint
- How to setup Advanced features, remember that EDR in Block mode!
- Security baselines in Intune and Security recommendations inside Defender portal
- What is Defender threat and vulnerability management solution (TVM) and how it works as an agentless solution?
Hopefully you found this useful, then to the next one with the following topics:
- Identify and remediate security risks related to events for Microsoft Azure Active Directory (Azure AD), part of Microsoft Entra
- Identify and remediate security risks related to Azure AD Identity Protection events
- Identify and remediate security risks related to Azure AD Conditional Access events
- Identify and remediate security risks related to Active Directory Domain Services using Microsoft Defender for Identity
Link to main post