When the TAXII server is configured, click “Next steps”
In this step we will get recommended workbooks, sample queries and analytic rules we can use to monitor and alert on the data we ingest from the TAXII server.
The provided sample queries give us access to the data, for example:
ThreatIntelligenceIndicator | where SourceSystem != "SecurityGraph" and SourceSystem != "Azure Sentinel"
From the connector configuration, we can also see the related analytics rule templates
Sometimes you might want to split the timestamp of an event into smaller pieces, like month, day, hour etc.
For instance, you might want to see if you have more alerts during specific hours of the day, or if anyone is using RDP in the middle of the night.
To achieve this we use the function datetime_part, which can extract the following parts from a timestamp:
Year
Quarter
Month
week_of_year
Day
DayOfYear
Hour
Minute
Second
Millisecond
Microsecond
Nanosecond
This data can, of course, be used for further analysis and joined with other events.
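As an added example (not a query from the original post), this is how datetime_part answers the RDP question above: successful RDP logons bucketed by local hour, with night-time and weekend logons counted separately. It assumes the SecurityEvent table is populated by the Security Events connector; the +1h offset (CET) and the 23:00-05:00 night window are assumptions to adjust for your environment.

```kusto
// Added example, not from the original post. Assumes the SecurityEvent table is
// populated by the Security Events connector. EventID 4624 with LogonType 10
// (RemoteInteractive) is a successful RDP logon.
// TimeGenerated is UTC, so shift it to local time before splitting it up;
// the +1h offset and the night window below are assumptions for a CET office.
let LocalOffset = 1h;
let NightStart = 23;   // 23:00 local
let NightEnd   = 5;    // 05:00 local
SecurityEvent
| where TimeGenerated > ago(30d)
| where EventID == 4624 and LogonType == 10
| extend LocalTime = TimeGenerated + LocalOffset
| extend Hour      = datetime_part("Hour", LocalTime),
         DayOfWeek = dayofweek(LocalTime)          // timespan: 0d = Sunday, 6d = Saturday
| extend Night   = Hour >= NightStart or Hour < NightEnd
| extend Weekend = DayOfWeek == 0d or DayOfWeek == 6d
| summarize RdpLogons     = count(),
            NightLogons   = countif(Night),
            WeekendLogons = countif(Weekend),
            // only the accounts and hosts seen outside office hours are worth listing
            Accounts      = make_set_if(Account, Night or Weekend, 25),
            Computers     = make_set_if(Computer, Night or Weekend, 25)
    by Hour
| order by Hour asc
```

Hours with a high NightLogons or WeekendLogons count are the ones to pivot on; drop the summarize and keep the Night/Weekend columns to get the individual logon rows instead, or swap datetime_part("Hour", ...) for "Day" or "week_of_year" to bucket differently.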
A new connector for Microsoft 365 Defender is in public preview in Azure Sentinel. This connector makes it possible to ingest the advanced hunting data into Sentinel.
Currently, only the Defender for Endpoint data is available.
To enable it:
Go to your Azure Sentinel instance and select Connectors
Search for Microsoft 365 Defender
Click Open Connector Page
Select which Events you want to ingest
Click Apply Changes
Example queries
//Registry events: a clear-text DefaultPassword under Winlogon enables automatic logon
DeviceRegistryEvents
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "DefaultPassword"
| where RegistryKey has @"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
| project Timestamp, DeviceName, RegistryKey
| top 100 by Timestamp
//Process and Network events: PowerShell using download-capable .NET APIs or URLs
//DeviceNetworkEvents carries the process in the InitiatingProcess* columns, so both sets are checked
let DownloadTerms = dynamic(["WebClient", "DownloadFile", "DownloadData", "DownloadString",
                             "WebRequest", "Shellcode", "http", "https"]);
union DeviceProcessEvents, DeviceNetworkEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
     or InitiatingProcessFileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any (DownloadTerms)
     or InitiatingProcessCommandLine has_any (DownloadTerms)
| project Timestamp, DeviceName, InitiatingProcessFileName,
          InitiatingProcessCommandLine,
          FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
If we look at the tables in the workspace we can see the newly created tables.
One of the benefits of using a cloud service backend instead of on-prem appliance boxes is that we get new features without doing anything, except for enabling them where the feature requires it.
One feature I like is the “flag event” feature in the timeline.
In the machine timeline view there is a “flag” we can enable on each event we find interesting. This will make it easier to go back and further investigate suspicious activities.
In the overview we can see where the flags are located in the timeline and if we want, we can also filter on flagged events
As companies raise the bar and protect more and more accounts with multi-factor authentication, attackers are twisting their attacks into new angles. Abusing application consent is nothing new, but attackers haven't had much need for it, as a stolen password is normally less friction. Note that consent phishing does not need the user's password at all, and MFA does not stop it: the user signs in legitimately and then hands the attacker's app a token.
So what is application consent? Application consent is a way to grant applications the permissions to access your data that they need to perform their specific task. An example could be a travel app that needs to read your travel itinerary so that it can automatically update your calendar with flight data or other information.
I am sure everyone has seen an app consent screen
Source: Microsoft docs
Kevin Mitnick did a malicious ransomware PoC built roughly on application consent about two years ago; feel free to watch the demo at the YouTube link.
Application Control: Protect
The first thing you should ask yourselves: do you allow your users to grant applications permissions to their data themselves, or have you as an organization taken central control of this?
The settings can be configured under your Azure Active Directory
First off, can your users register applications themselves, or is this under central control?
AAD > User Settings > Enterprise Applications
Note that this is a separate control from consent: blocking app registration stops users from creating new app registrations in your tenant, but it does not by itself stop them from consenting to an app registered in another tenant, which is exactly what consent phishing relies on. If you do allow user consent, you can control how much data users can share and under what circumstances; you will find a few options in the detailed settings below.
AAD > Enterprise Applications > User Settings
AAD > Enterprise Applications > Consent and Permissions > User Consent Settings (Preview at the time of writing)
Do not allow user consent
Allow user consent for apps from verified publishers
Allow user consent for apps
Allowing users to consent to apps puts you at risk, as they can be lured into accepting an application consent. This is sensitive not only from a security threat perspective but also from a privacy / secrecy perspective, where third-party apps, malicious or not, are for example being granted access to PII or customer data.
Here you need to find the balance between control and risk, and how much of that risk you can detect. With “Allow user consent for apps from verified publishers” you also have the option to control which permissions users are allowed to grant. Note that offline_access is a scope you need to review thoroughly: it lets the app obtain a refresh token and keep accessing the data long after the user has closed the session, which widens your exposure.
Another possibility is to use admin consent requests; in this case a user can request a consent that an admin will have to review and approve or deny.
AAD > Enterprise Applications > User Settings
Application Control: Detection
There are a few ways to see and detect application consent: either you create a manual process to review this on a schedule, or you use the tools you have at hand. Some examples of what you can use are below, depending on how you are licensed and how you have integrated your logs.
So what can you do if you find applications that you suspect are doing malicious activities or are putting your data at risk?
You have a few options. Start with documenting and putting a timeline on all the activities you are taking; it is easy to forget when you need to go back in time.
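As an added example (not a query from the original post), here is a Sentinel hunting query over the Azure AD audit logs for consent grants involving broad or long-lived permissions. It assumes the AuditLogs table is connected to the workspace; the operation name “Consent to application” and the ConsentAction.Permissions property are what Azure AD writes, while the scope list and the “AllPrincipals” string check are assumptions to verify against your own log entries.

```kusto
// Added example, not from the original post. Assumes the Azure AD audit logs are
// connected to the Sentinel workspace (AuditLogs table). Every user or admin consent
// grant is written as a "Consent to application" operation; the granted scopes appear
// in the ConsentAction.Permissions modified property of the target application.
let HighRiskScopes = dynamic(["offline_access", "Mail.Read", "Mail.ReadWrite", "Mail.Send",
                              "Files.Read.All", "Files.ReadWrite.All", "Contacts.Read",
                              "MailboxSettings.ReadWrite", "Directory.AccessAsUser.All"]);
AuditLogs
| where TimeGenerated > ago(30d)
| where OperationName =~ "Consent to application" and Result =~ "success"
| extend AppDisplayName = tostring(TargetResources[0].displayName),
         AppObjectId    = tostring(TargetResources[0].id),
         ConsentedBy    = tostring(InitiatedBy.user.userPrincipalName),
         SourceIp       = tostring(InitiatedBy.user.ipAddress)
| mv-expand Prop = TargetResources[0].modifiedProperties
| where tostring(Prop.displayName) == "ConsentAction.Permissions"
| extend Permissions = tostring(Prop.newValue)
// Assumption about the string layout: the value spells out the consent type, so
// "AllPrincipals" means tenant-wide (admin) consent and "Principal" a single user.
| extend AdminConsent  = Permissions has "AllPrincipals",
         OfflineAccess = Permissions has "offline_access"
| where Permissions has_any (HighRiskScopes)
| summarize Grants        = count(),
            Users         = make_set(ConsentedBy, 50),
            SourceIps     = make_set(SourceIp, 50),
            FirstSeen     = min(TimeGenerated),
            LastSeen      = max(TimeGenerated),
            AdminGrants   = countif(AdminConsent),
            OfflineGrants = countif(OfflineAccess),
            Permissions   = take_any(Permissions)
    by AppDisplayName, AppObjectId
| order by LastSeen desc
```

An app that appears for the first time with several user grants in a short window, from IP addresses you do not recognize, and with offline_access in the scope list is the pattern a consent phishing campaign leaves behind; the AppObjectId is what you then take to the Enterprise Applications blade to block sign-in and review the granted permissions.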
Block Sign-in to Application
Remove Users from the Application
Remove the Application Completely
Ban/Block Application in MCAS
Review Permissions under the App in AAD
I wouldn't recommend removing the app until your investigation is complete; I'd rather block the login. Depending on the tools you have, you can start going through your audit logs in relation to this app.
One thing we usually discuss with customers is the workload. Everyone has too much to do and it can sometimes be difficult to prioritize investigations. Especially now, when you might be short on staff and the Covid-19 virus can strike the SOC organization or reduce the number of available people.
Of course, this does not only apply during the world crisis of Covid-19. Automation is also a help in the normal day-to-day work.
There are benefits to being able to automate responses, and we have these discussions with many customers.
MDATP
Automatic self-healing is built into Defender ATP and mimics the ideal steps a human would take to investigate and remediate organizational assets impacted by a cyber threat.
This is done using 20 built-in investigation playbooks and 10 remediation actions.
Increased capacity
Respond at the speed of automation
Investigate and remediate all alerts automatically
Free up critical resources to work on strategic initiatives
Cost implications
It will drive down the cost per investigation and remediation
Takes away manual, repetitive tasks
Automated remediation eliminates downtime
Get full value of your protection suite and people: quick configuration and you are up and running
SecOps Investigation (Manual)
Sometimes it will take some time from the alert being triggered until someone has the time to start looking at it. Manual work also requires more resources for review and approval of each action.
From a SecOps perspective, an initial response involves information gathering.
Collecting:
Process list
Services
Drivers
Network connections
Files created
Where did the file originate from?
etc.
Based on our results, we will decide the remediation steps (if we do not follow a playbook here, the catch is that the result will differ depending on who makes the response).
Remediation:
The remediation will include connecting remotely or manually collecting the device, and then launching tools for the remediation process.
Automatic response with Auto IR
Fast time to respond, which avoids additional damage and the compromise of additional devices when attackers start moving laterally in the environment.
It's our 24/7 buddy who assists the SOC staff in remediating threats so the human staff can focus on other things.
MDATP sends telemetry data to the cloud
The MDATP cloud continuously analyzes the data to detect threats
Once a threat is identified, an alert is raised
The alert kicks off a new automated investigation
The AIRS component asks the Sense client to initiate SenseIR
SenseIR is then orchestrated by AIRS on what action should be executed (collection/remediation)
Based on the data collected from the machine (current and historical), AIRS decides what actions should be taken
For every threat identified, AIRS will automatically analyze the best course of action and tailor a dedicated surgical remediation action to be executed using on-device components (e.g. Windows Defender Antivirus)
Playbook is executed
The “suspicious host” playbook is just an example of a “catch all” playbook that is applied after the detailed AutoIR investigation of the evidence raised by alerts / incidents, to ensure that nothing is missed.
Data Collection
Volatile data
All processes list: main image, loaded modules, handles, suspicious memory sections
All services list
All drivers list
All connections
Non-volatile data
Recently created files: x minutes before / after the alert
All persistence methods
Recently executed files
Download location
Incrimination
Microsoft Security Graph ecosystem: DaaS, AVaaS, TI, TA, detection engine, ML infrastructure etc.
Custom TI indicators for allow / block lists
Remediation
How?
By leveraging OS components (e.g. Defender Antivirus) to perform the remediation (prebuilt into the system, low-level actions (driver), tried and tested)
What?
File actions
Process actions
Service actions
Registry actions
Driver actions
Persistence method (registry, link files, etc.) actions
As we have been reading, many of the advanced threats we see today do try to turn off and tamper with the protections that are active on our endpoints.
With Windows Defender you have the option to enable Tamper Protection to make your Windows Defender configuration safer.
With the protection enabled, the client is safeguarded from attempts to disable:
Virus and Threat Protection and IOAV
Real-time Protection
Cloud-delivered protection
Behavior monitoring
Removal of Security Intelligence Updates
Of course you should not run as local admin, as that exposes your machine to other risks, but this protection helps in some of those scenarios. There are of course other means by which an attacker can avoid detection, and that is why we strongly recommend adding EDR capabilities to your endpoint security strategy.
To turn this on you simply make sure your machines are managed, and push the setting from a device configuration profile in Intune.
You can find the setting under Windows 10 and later > Endpoint Protection > Microsoft Defender Security Center > Tamper Protection
Once you have enabled Tamper Protection, assign the profile to your endpoints.
On the endpoint you should be able to see that Tamper Protection is turned on in the Windows Security Center
If you are running an earlier version of Windows 10 you need at least 1709 for this to work, and on 1709-1809 you will not see this in the Security Center; instead, verify it with PowerShell (Get-MpComputerStatus) and look for the value “IsTamperProtected” set to True.
Yes, you read that right: it is now possible to block apps marked as unsanctioned in Microsoft Cloud App Security directly at your Windows 10 endpoints. Moving towards a Zero Trust network, away from the corporate firewalls and proxies, you still want to maintain network control from the endpoint side. This new feature gives you the possibility to block applications, which is a great step forward in the area, and it is clear that Microsoft is taking Zero Trust and security seriously.
(It is important to note that if you have already marked apps as unsanctioned in the MCAS portal, they will automatically be marked as blocked, so review your unsanctioned apps before turning this on.)
Configuring Unsanctioned Apps
Once you have the requirements in place we can start to configure unsanctioned apps. You can either choose to maintain this manually or configure a policy to set all apps matching certain criteria to be blocked. An example could be to block all apps with a risk score lower than 3.
Manually
If you go to your Cloud App Dashboard and find the App you want to block just click on the App and select unsanctioned.
Automatically
Marking apps as unsanctioned automatically can be done with a policy. Below we have an example of blocking apps that meet the criteria risk score 1-3.
It is also possible to add other types of criteria if you want to refine your policy. It all depends on what you want to limit and the purpose: is it to control shadow IT, or is it from a security perspective? Some examples of other criteria that could be useful depending on the use case:
App Category Productivity
Daily Traffic Below 5 MB
Number of Users Below 5
PRO TIP: When building your policy, use the Preview Results; it gives you instant feedback on which apps your criteria match, so try that out.
Back-end Integration
When an app is marked as unsanctioned, the back-end integration between MCAS and MDATP exchanges data and custom indicators are populated. You can find these under Settings > Indicators > URLs/Domains
In this example we blocked WhatsApp, and that replicates over to the indicators in MDATP. The whole flow should, depending on sync, take no longer than 3 hours from when you block in MCAS until the endpoint has the blocking instruction.
Once it is available in MDATP, the endpoints update their indicators and start blocking.
End User Experience
At the moment the end user experience is fairly limited: the user gets a toast notification that something has been blocked, unless you have turned notifications off.
Depending on the app that is trying to communicate with the blocked app/URL, the behavior will differ.
For WhatsApp it would look like this when Launching it (sorry message in Swedish)
And a Default Notification Message like this below
Reporting
At the moment the tracking and reporting is also limited to what is available in MCAS and MDATP and their supported retention times.
Future Asks
Things I want to see, and have fed back to the product groups, that I want this to evolve to going forward:
Support for X-Platform Devices
Block without Alerting like Block and Report
Having the possibility to do Exclusions and Custom Targeting of Devices/Users
Expand this to URL Categories Block / Monitor
Better Historical Reporting
Customize Messages
End User Coaching
End User Exclusion Request
If you have other ideas feel free to tweet me at @stefanschorling and I will relay.