Tag Archive: SOAR

Gartner EPP Magic quadrant 2019 – Defender in the leading quadrant

gartnereppmq2019

The 2019 version of the Gartner Magic Quadrant clearly shows that Microsoft is in the game to provide extremely powerfull Endpoint protection platform (EPP).
Microsoft is named a leader!

With built-in powerful capability which ties to Protect, Detect and respond, they have given us great tools for our security work.

Microsoft is unique in the EPP space, as it is the only vendor that can provide built-in endpoint protection capabilities tightly integrated with the OS. Windows Defender Antivirus (known as System Center Endpoint Protection in Window 7 and 8) is now a core component of all versions of the Windows 10 OS, and provides cloud-assisted attack protection.

Microsoft Defender Advanced Threat Protection (ATP) provides an EDR capability, monitoring and reporting on Windows Defender Antivirus and Windows Defender Exploit Guard (“Exploit Guard”), vulnerability and configuration management, as well as advanced hardening tools.

The Microsoft Defender ATP incident response console consolidates alerts and incident response activities across Microsoft Defender ATP, Office 365 ATP,
Azure ATP and Active Directory, as well as incorporates data sensitivity from Azure information protection.

Microsoft is much more open to supporting heterogeneous environments and has released EPP capabilities for Mac. Linux is supported through partners, while native agents are on the roadmap.

Microsoft has been placed in the Leaders quadrant this year due to the rapid market share gains of Windows Defender Antivirus (Defender), which is now the market share leader in business endpoints.

In addition, excellent execution on its roadmap make it a credible replacement for competitive solutions, particularly for organizations looking to reduce complexity.

Gartner

The benefit of the insights and protection these tools, and ability to use built-in SOAR capabilities, gives security teams around the globe a better and much faster understanding of the attacks for much fast response.

Many features like Exploit Protection, Network Protection, Attack Surface reduction, Firewall and more will provide a more reliable platform which is easy to manage.

The enriched alerts and incidents gives security teams a chance to put their effort to the critical incidents and avoid spending time trying to fight the noice in all different tools and manual tasks.

Automated investigations

Build your playbooks

Take back the control with live response

We also have the threat and vulnerability management feature which gives you visibility on vulnerable software in your estate

Threat hunting

Full gartner report:
https://www.gartner.com/doc/reprints?id=1-1OCBC1P5&ct=190731&st=sb&fbclid=IwAR3G9Otpxuc52bi0hpFE4-iGv8uhvgnxtSl0boqAU7-R4aw5MyLsuyy0fLg

Congratulations Microsoft, we’re looking forward for all coming features

Happy Hunting!

Automate response with Defender ATP and Microsoft Flow

So now when we have cool products (more or less builtin) we need to start working with them and not be required to look in the portals 24/7.

This post will demonstrate an example on how to use approval in email to isolate machines with new alerts.

Microsoft Flow is very easy to use to create business flows for all kind of products. You can manage anything which has an API.

Microsoft has released connectors for many solutions and by drag n drop you can create flows to make your life a lot easier.

This flow used in this blog post is just to be able to show something useful.

  • Start by browsing to https://flow.microsoft.com and create a new flow
  • Search for WDATP and select the Trigger “Triggers when a Windows Defender ATP alert accurs (preview)”

We will then add an action to “Get single alert preview”, this will give us more information to use later.

In below picture we can see some of the dynamic content we can add to next step in the flow

We can also add a condition. In this example we use condition for alert severity (high or medium).

We also want to add an approver step.

For some reason the Approval type is in Swedish for me. You have 2 default options and one custom option
Options are “Everyone must approve” or “First one to approve”.

Based on the response from the approval step we continue the flow with a condition to go ahead if the responder choose to approve the action.


We add the action “Isolate machine (preview)” and configure that along with a send email action.

Running the Flow

If you need to change your flow you can re-run it using the same data as used previously

After the approval we get the status message send to all approvers

We can see that our test machine was successfully isolated

In the flow test overview

From the ATP console we now have the option to release the machine from isolation, collect investigation package etc

Dynamic content

Actions

Pro tips:

  • Use get alert to be able to add more dynamic content to use in subsequent steps
  • Use get machine to be able to get more information like IP, Computername etc
  • Start building your automated playbooks. This will save you time