This is the post that gathers some notes from a lab practice.
Management
Endpoint Security Stack:
- Antivirus
- Disk Encryption
- Firewall
- Endpoint Detection & Response
- Attack Surface Reduction
- Device Control
- Web Protection
- Network Protection
Management Architecture
Microsoft Endpoint Manager (MDM) = Microsoft Intune admin center
- Antivirus
- Disk Encryption
- Firewall
- Endpoint Detection and Response
- Endpoint Privilege Management
- Account Protection
- App Control
- Attack surface reduction
- Device Compliance
- Conditional Access
MDE Configuration Management:
Integrate with Intune
If MDE was not configured correctly to connect to Intune, you will get the following screenshot showing no connection and no last sync.
From Defender: https://security.microsoft.com/securitysettings/endpoints/
From Intune: https://intune.microsoft.com/#view/Microsoft_Intune_Workflows/SecurityManagementMenu/
RBAC
Example:
Org Chart with RBAC Role, Device Tag, Device Name
1. RBAC
Best practice:
1. Create Azure AD User Groups
2. Configure MDE RBAC
3. Create Device Tags
4. Create Device Groups
Microsoft Defender – System – Settings – Endpoints – Permissions – Roles
Device Group
Microsoft Defender – System – Settings – Endpoints – Permissions – Device groups
It will take some time for the device count to show up in the group.
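Device tags can also be set on the endpoint itself instead of in the portal, which is how you tag at scale through GPO or a deployment script so that a Device Group membership rule can pick the device up. The following is an added example, not part of the lab notes, that writes and reads back the documented DeviceTagging registry value; it assumes an elevated shell, and the tag name Lab-Finance is a constructed sample.

```powershell
# Added example (not from the lab notes): tag an MDE device locally through the
# DeviceTagging registry key. The sensor reports the tag on its next check-in,
# after which a Device Group rule matching on tag can include the device.
# Requires an elevated shell. "Lab-Finance" is a constructed sample tag name.
$TagPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'

function Set-MdeDeviceTag {
    param([Parameter(Mandatory)][string]$Tag)
    # Create the key if it does not exist yet, then write the single REG_SZ value "Group".
    if (-not (Test-Path -Path $TagPath)) {
        New-Item -Path $TagPath -Force | Out-Null
    }
    Set-ItemProperty -Path $TagPath -Name 'Group' -Value $Tag -Type String
}

function Get-MdeDeviceTag {
    # Returns the locally configured tag, or $null when no tag has been set.
    $item = Get-ItemProperty -Path $TagPath -Name 'Group' -ErrorAction SilentlyContinue
    if ($item) { $item.Group } else { $null }
}

Set-MdeDeviceTag -Tag 'Lab-Finance'
"Locally configured device tag: $(Get-MdeDeviceTag)"
```

The registry tag is one-way: it is reported by the sensor to the portal, while tags added in the portal are not written back to this key, so keep one source of truth per device.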
Onboarding
Auto Enroll for Azure Environment:
Azure AD / Entra ID – Manage – Mobility (MDM and WIP) – Microsoft Intune
Device onboarded by MDE
https://security.microsoft.com/
Use Intune endpoint security policies to manage Microsoft Defender for Endpoint on devices not enrolled with Intune
https://learn.microsoft.com/en-us/mem/intune/protect/mde-security-integration
How does it work?
- Devices onboard to Microsoft Defender for Endpoint.
- Devices communicate with Intune. This communication enables Microsoft Intune to distribute policies that are targeted to the devices when they check in.
- A registration is established for each device in Microsoft Entra ID:
- If a device was previously fully registered, like a Hybrid Join device, the existing registration is used.
- For devices that aren't registered, a synthetic device identity is created in Microsoft Entra ID to enable the device to retrieve policies. When a device with a synthetic registration has a full Microsoft Entra registration created for it, the synthetic registration is removed and device management continues uninterrupted using the full registration.
- Defender for Endpoint reports the status of the policy back to Microsoft Intune.
Device onboarded by Intune
https://intune.microsoft.com/#home
Assign to all users or specific group(s):
Manually onboarding a single device / user.
We can use SCCM, MDE, or Intune to push deployment packages to endpoints.
For orphan devices, there is a local onboarding script for each OS to be downloaded and installed on them.
Off-boarding
Once onboarded, the device will show its last report time and will go to inactive status after 7 days.
Inactive device: it cannot be deleted manually.
It will be auto-purged after 6 months.
Command line:
PS C:\Users\nestorw> Get-MpPreference
AllowDatagramProcessingOnWinServer : False
AllowNetworkProtectionDownLevel : False
AllowNetworkProtectionOnWinServer : False
AllowSwitchToAsyncInspection : False
ApplyDisableNetworkScanningToIOAV : False
AttackSurfaceReductionOnlyExclusions : {N/A: Must be an administrator to view exclusions}
AttackSurfaceReductionRules_Actions : {1, 1, 1, 1…}
AttackSurfaceReductionRules_Ids : {01443614-cd74-433a-b99e-2ecdc07bfc25,
01443614-CD74-433A-B99E-2ECDC07BFC25,
26190899-1602-49e8-8b27-eb1d0a1ce869,
3B576869-A4EC-4529-8536-B80A7769E899…}
AttackSurfaceReductionRules_RuleSpecificExclusions : {N/A: Must be an administrator to view exclusions}
AttackSurfaceReductionRules_RuleSpecificExclusions_Id : {N/A: Must be an administrator to view exclusions}
BruteForceProtectionAggressiveness : 0
BruteForceProtectionConfiguredState : 0
BruteForceProtectionExclusions : {N/A: Must be an administrator to view exclusions}
BruteForceProtectionLocalNetworkBlocking : False
BruteForceProtectionMaxBlockTime : 0
BruteForceProtectionSkipLearningPeriod : False
CheckForSignaturesBeforeRunningScan : False
CloudBlockLevel : 2
CloudExtendedTimeout : 50
ComputerID : 53478E7B-6656-4EC1-AC79-1BDE55590FE3
ControlledFolderAccessAllowedApplications : {N/A: Must be an administrator to view exclusions}
ControlledFolderAccessDefaultProtectedFolders : {N/A: Must be an administrator to view default protected folders}
ControlledFolderAccessProtectedFolders :
DefinitionUpdatesChannel : 0
DisableArchiveScanning : False
DisableAutoExclusions : False
DisableBehaviorMonitoring : False
DisableBlockAtFirstSeen : False
DisableCacheMaintenance : False
DisableCatchupFullScan : True
DisableCatchupQuickScan : True
DisableCoreServiceECSIntegration : False
DisableCoreServiceTelemetry : False
DisableCpuThrottleOnIdleScans : True
DisableDatagramProcessing : False
DisableDnsOverTcpParsing : False
DisableDnsParsing : False
DisableEmailScanning : False
DisableFtpParsing : False
DisableGradualRelease : False
DisableHttpParsing : False
DisableInboundConnectionFiltering : False
DisableIOAVProtection : False
DisableNetworkProtectionPerfTelemetry : False
DisablePrivacyMode : False
DisableQuicParsing : False
DisableRdpParsing : False
DisableRealtimeMonitoring : False
DisableRemovableDriveScanning : False
DisableRestorePoint : True
DisableScanningMappedNetworkDrivesForFullScan : True
DisableScanningNetworkFiles : False
DisableScriptScanning : False
DisableSmtpParsing : False
DisableSshParsing : False
DisableTamperProtection : False
DisableTlsParsing : False
EnableControlledFolderAccess : 1
EnableConvertWarnToBlock : False
EnableDnsSinkhole : True
EnableEcsConfiguration : False
EnableFileHashComputation : False
EnableFullScanOnBatteryPower : False
EnableLowCpuPriority : False
EnableNetworkProtection : 1
EnableUdpReceiveOffload : False
EnableUdpSegmentationOffload : False
EngineUpdatesChannel : 3
ExclusionExtension : {N/A: Must be an administrator to view exclusions}
ExclusionIpAddress : {N/A: Must be an administrator to view exclusions}
ExclusionPath : {N/A: Must be an administrator to view exclusions}
ExclusionProcess : {N/A: Must be an administrator to view exclusions}
ForceUseProxyOnly : False
HideExclusionsFromLocalUsers : True
HighThreatDefaultAction : 0
IntelTDTEnabled :
LowThreatDefaultAction : 0
MAPSReporting : 2
MeteredConnectionUpdates : False
ModerateThreatDefaultAction : 0
NetworkProtectionReputationMode : 0
OobeEnableRtpAndSigUpdate : False
PerformanceModeStatus : 1
PlatformUpdatesChannel : 3
ProxyBypass :
ProxyPacUrl :
ProxyServer :
PUAProtection : 1
QuarantinePurgeItemsAfterDelay : 90
QuickScanIncludeExclusions : 0
RandomizeScheduleTaskTimes : True
RealTimeScanDirection : 0
RemediationScheduleDay : 0
RemediationScheduleTime : 02:00:00
RemoteEncryptionProtectionAggressiveness : 0
RemoteEncryptionProtectionConfiguredState : 0
RemoteEncryptionProtectionExclusions : {N/A: Must be an administrator to view exclusions}
RemoteEncryptionProtectionMaxBlockTime : 0
RemoveScanningThreadPoolCap : False
ReportDynamicSignatureDroppedEvent : False
ReportingAdditionalActionTimeOut : 10080
ReportingCriticalFailureTimeOut : 10080
ReportingNonCriticalTimeOut : 1440
ScanAvgCPULoadFactor : 50
ScanOnlyIfIdleEnabled : True
ScanParameters : 1
ScanPurgeItemsAfterDelay : 15
ScanScheduleDay : 0
ScanScheduleOffset : 120
ScanScheduleQuickScanTime : 00:00:00
ScanScheduleTime : 02:00:00
SchedulerRandomizationTime : 4
ServiceHealthReportInterval : 60
SevereThreatDefaultAction : 0
SharedSignaturesPath :
SharedSignaturesPathUpdateAtScheduledTimeOnly : False
SignatureAuGracePeriod : 0
SignatureBlobFileSharesSources :
SignatureBlobUpdateInterval : 60
SignatureDefinitionUpdateFileSharesSources :
SignatureDisableUpdateOnStartupWithoutEngine : False
SignatureFallbackOrder : MicrosoftUpdateServer|MMPC
SignatureFirstAuGracePeriod : 120
SignatureScheduleDay : 8
SignatureScheduleTime : 01:45:00
SignatureUpdateCatchupInterval : 1
SignatureUpdateInterval : 3
SubmitSamplesConsent : 1
ThreatIDDefaultAction_Actions :
ThreatIDDefaultAction_Ids :
ThrottleForScheduledScanOnly : True
TrustLabelProtectionStatus : 0
UILockdown : False
UnknownThreatDefaultAction : 0
PSComputerName :
PS C:\Users\nestorw>
Here are ways to check the sensor to see if the device is offboarded. I've not run these to double check. For Windows:
C:\Users\nestorw>sc query sense
SERVICE_NAME: sense
TYPE : 10 WIN32_OWN_PROCESS
STATE : 1 STOPPED
WIN32_EXIT_CODE : 1077 (0x435)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0
C:\Users\nestorw>
- If the sense service is not found or is stopped, the device may be off-boarded.
- Check the Registry:
  - Open Registry Editor (regedit).
  - Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status.
  - Look for the OnboardingState value. If it is set to 0, the device is off-boarded.
- Event Logs:
  - Open Event Viewer.
  - Navigate to Applications and Services Logs > Microsoft > Windows > SENSE > Operational.
  - Look for Event ID 20 or 44, which indicate off-boarding events.
Get-MpComputerStatus will tell you which mode the sensor is running in and a lot of other information about MDE on the device.
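The three manual checks above (service state, OnboardingState registry value, SENSE operational log) and the running mode from Get-MpComputerStatus can be collected in one pass. The script below is an added example, not part of the lab notes; it assumes the Defender PowerShell module is present, and it uses the event IDs 20 and 44 exactly as the notes list them.

```powershell
# Added example (not from the lab notes): gather the local signals that show whether
# the MDE sensor is still onboarded, plus the AV running mode, in a single object.
# Assumes the Defender module (Get-MpComputerStatus) is available on the host.
function Get-MdeSensorState {
    # 1. Sense service: missing or stopped suggests the device was off-boarded.
    $svc = Get-Service -Name 'sense' -ErrorAction SilentlyContinue
    $serviceState = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }

    # 2. OnboardingState registry value: 0 (or absent) means off-boarded.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $statusItem = Get-ItemProperty -Path $statusKey -Name 'OnboardingState' -ErrorAction SilentlyContinue
    $onboarding = if ($statusItem) { [int]$statusItem.OnboardingState } else { $null }

    # 3. SENSE operational log: IDs 20 and 44 are the ones the notes associate with off-boarding.
    $offboardEvents = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-SENSE/Operational'; Id = 20, 44
    } -MaxEvents 5 -ErrorAction SilentlyContinue
    $lastOffboard = if ($offboardEvents) { @($offboardEvents)[0].TimeCreated } else { $null }

    # 4. AV running mode (Normal / Passive Mode / EDR Block Mode / SxS Passive Mode) and tamper protection.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    $runningMode = if ($mp) { $mp.AMRunningMode } else { 'Unknown' }
    $tamper      = if ($mp) { $mp.IsTamperProtected } else { $null }

    $serviceGone   = (-not $svc) -or ($svc.Status -ne 'Running')
    $notOnboarded  = ($null -eq $onboarding) -or ($onboarding -eq 0)

    [pscustomobject]@{
        SenseService      = $serviceState
        OnboardingState   = if ($null -eq $onboarding) { 'Missing' } else { $onboarding }
        LastOffboardEvent = $lastOffboard
        AMRunningMode     = $runningMode
        TamperProtected   = $tamper
        # Treat the device as off-boarded only when both the service and the registry agree.
        LikelyOffboarded  = $serviceGone -and $notOnboarded
    }
}

Get-MdeSensorState | Format-List
```

Reading the exclusion-related values shown in the Get-MpPreference dump above still needs an elevated shell; the checks in this script work from a standard session, apart from the event log, which may be empty rather than failing when the SENSE log is not readable.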
Next Generation Protection
Attack Surface Reduction
Resist attacks and exploitation
- HW based isolation
- Application control
- Exploit protection
- Network protection
- Controlled folder access
- Device control
- Web protection
- Ransomware protection
What it is used for:
- Isolate access to untrusted sites
- Isolate access to untrusted Office files
- Host intrusion prevention
- Exploit mitigation
- Ransomware protection for your files
- Block traffic to low reputation destinations
- Protect your legacy applications
- Only allow trusted applications to run
Attack Surface Reduction (ASR) Rules
Reduce the attack surface: signature-less, controls entry vectors, based on cloud intelligence. Attack surface reduction (ASR) controls behaviour such as that of Office macros.
Productivity apps rules
- Block Office apps from creating executable content
- Block Office apps from creating child processes
- Block Office apps from injecting code into other processes
- Block Win32 API calls from Office macros
- Block Adobe Reader from creating child processes
Email rule
- Block executable content from email client and webmail
- Block only Office communication applications from creating child processes
Script rules
- Block obfuscated JS/VBS/PS/macro code
- Block JS/VBS from launching downloaded executable content
Polymorphic threats
- Block executable files from running unless they meet a prevalence (1000 machines), age (24 hrs), or trusted list criterion
- Block untrusted and unsigned processes that run from USB
- Use advanced protection against ransomware
Lateral movement & credential theft
- Block process creations originating from PSExec and WMI commands
- Block credential stealing from the Windows local security authority subsystem (lsass.exe)
- Block persistence through WMI event subscription
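The Get-MpPreference dump earlier in these notes lists ASR rules only as GUIDs and numeric actions, which is hard to review against the rule names above. The script below is an added example, not part of the lab notes: it turns the parallel Ids/Actions arrays into a readable report and shows the audit-first rollout of a single rule. The GUID-to-name table covers the three rule IDs visible in the dump plus a few published rule IDs; any rule not in the table is reported as such rather than guessed. The Add-MpPreference calls require an elevated shell.

```powershell
# Added example (not from the lab notes): report the local ASR rule configuration in
# readable form and enable one rule in Audit mode before enforcing it.
# GUIDs below are published ASR rule identifiers (lowercased for lookup).
$AsrRuleNames = @{
    '01443614-cd74-433a-b99e-2ecdc07bfc25' = 'Block executables unless they meet prevalence, age or trusted-list criteria'
    '26190899-1602-49e8-8b27-eb1d0a1ce869' = 'Block Office communication apps from creating child processes'
    '3b576869-a4ec-4529-8536-b80a7769e899' = 'Block Office apps from creating executable content'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office apps from creating child processes'
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 'Block credential stealing from LSASS'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations from PSExec and WMI commands'
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block obfuscated JS/VBS/PS/macro code'
}
# Numeric action codes as returned by Get-MpPreference.
$AsrActionNames = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Get-AsrRuleReport {
    # Ids and Actions are parallel arrays; zip them into one row per configured rule.
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $id   = ([string]$ids[$i]).ToLower()
        $name = if ($AsrRuleNames.ContainsKey($id)) { $AsrRuleNames[$id] } else { '(not in local table)' }
        $code = [int]$actions[$i]
        $act  = if ($AsrActionNames.ContainsKey($code)) { $AsrActionNames[$code] } else { "Unknown($code)" }
        [pscustomobject]@{ RuleId = $id; Rule = $name; Action = $act }
    }
}

function Set-AsrRuleAuditFirst {
    # Roll a rule out in Audit mode first, review the audit events, then re-run with -Enforce.
    param(
        [Parameter(Mandatory)][string]$RuleId,
        [switch]$Enforce
    )
    $mode = if ($Enforce) { 'Enabled' } else { 'AuditMode' }
    Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId -AttackSurfaceReductionRules_Actions $mode
}

Get-AsrRuleReport | Sort-Object Action, Rule | Format-Table -AutoSize
# Put the LSASS credential-theft rule into Audit mode; switch to Block once the audit events look clean:
Set-AsrRuleAuditFirst -RuleId '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2'
# Set-AsrRuleAuditFirst -RuleId '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' -Enforce
```

The dump above shows the same rule ID twice in different letter case; lowercasing the IDs before the lookup makes both rows resolve to the same name, which is also a reminder to check for duplicate rule entries when policies from Intune and local configuration overlap.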
Web Threat Protection Architecture
Detection & Response
Endpoint Detection & Response:
- Correlated post-breach detection
- Investigation experience
- Incidents
- Advanced hunting
- Response actions (+EDR blocks)
- Deep file analysis
- Live response
- Threat analytics
Live Response
- Real-time live connection to a remote device
- Leverage the Microsoft Defender for Endpoint Auto IR library (memory dump, MFT analysis, raw filesystem access, etc.)
- Extended remediation commands + easy undo
- Full audit
- Extendable (write your own command, build your own tool)
- RBAC+ Permissions
Microsoft 365 Defender Automated Investigation & Response (AIR)
Microsoft AIR mimics these steps using 15 built-in investigation playbooks and 20 remediation actions.
There is no user-defined AIR playbook in Defender, but you can define your own playbook in Sentinel.
What response actions should be covered?
Response Actions on a Device
1. Manage tags
2. Initiate Automated Investigation
3. Initiate Live Response Session
4. Collect investigation package from devices
5. Run Microsoft Defender Antivirus scan on devices
6. Restrict app execution
7. Isolate devices from the network
8. Contain devices from the network
9. Consult a threat expert
10. Check activity details in Action center
11. Turn on Troubleshooting mode
Take response actions on a device: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-machine-alerts
Response actions on a file
1. Stop and quarantine files in your network
2. Restore file from quarantine
3. Download or collect file
4. Add indicator to block or allow a file
5. Consult a threat expert
6. Check activity details in Action center
7. Deep analysis
Take response actions on a file: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/respond-file-alerts
Features | How to Demonstrate
Windows Defender Exploit Guard Attack Surface Reduction Rules | Attack Surface Reduction – Microsoft Defender
Windows Defender Exploit Guard Controlled Folder Access | Controlled Folder Access – Microsoft Defender
Windows Defender Exploit Guard Network Protection | Network Protection – Microsoft Defender
Windows Defender SmartScreen URL Reputation | UrlRep – Microsoft Defender
Windows Defender SmartScreen App Reputation | AppRep – Microsoft Defender Testground
Microsoft Defender for Endpoint Web Content Filtering | Demo (block SNS & access to e.g. fb.com)
Microsoft Defender for Endpoint Indicators (URL / IP / Domain) | Demo (specify a URL & access the URL)
*There may be up to 2 hours of latency
Attack Surface Reduction (ASR)
ASR Rules in Intune:
URL Filtering, and
Antivirus
Investigation
Detection & Investigation
Review incidents & alerts
Actions:
1. Isolate device
2. Copilot for Security
3. Alerts
4. File submission as indicator
5. VirusTotal hash
6. Auto investigation
Notification
Normal Notification
Create vulnerability alert
References
Next generation protection
- Microsoft Defender Antivirus: Your next generation protection
- Learn about our approach to fileless threats
- Stopping attacks in their tracks through behavioral blocking and containment
- EDR in block mode
- Firmware level protection with a new Unified Extensible Firmware Interface (UEFI) scanner
Architecture
- Understand the architecture of the service
Onboarding
- Onboarding machines
- Deploy Microsoft Defender ATP for Mac in just a few clicks
- Deploy Microsoft Defender ATP in rings
- Microsoft Defender for Endpoint for iOS
- Microsoft Defender for Endpoint for Linux
- Onboarding and servicing non-persistent VDI machines
- Configuring Microsoft Defender Antivirus for non-persistent VDI machines
Grant and control access
- Use basic permissions to access the portal
- How to use RBAC
- How to use tagging effectively (Part 1)
- How to use tagging effectively (Part 2)
- How to use tagging effectively (Part 3)
- Multi-tenant access for Managed Security Service Providers
- Step-by-step: Multi-tenant access for Managed Security Service Providers
Security configuration
- Use Microsoft Endpoint Manager to manage security configuration
- Manage Microsoft Defender Firewall with Microsoft Defender ATP and Microsoft Intune
- Turn on tamper protection
- Co-Management
Attack Surface Reduction
- Learn about all the features that help you reduce the attack surface
- Monitor and regulate access to websites with web content filtering
- Learn more about Application control
- Get a better understanding of Network protection
- Understand attack surface reduction rules
- How to configure attack surface reduction rules and how to use exclusions
- How to report and troubleshoot Microsoft Defender ATP ASR Rules
- Migrate from a third party HIPS solution into ASR rules
- Reputation analysis – Microsoft Defender SmartScreen
Responding to threats
- Overview of live response
- Investigate entities on devices using live response
- Response actions on machines
- Response actions on a file