A new connector for Microsoft 365 Defender is in public preview in Azure Sentinel. This connector makes it possible to ingest the hunting data into Sentinel
Currently, the Defender for Endpoint Data is available
Go to you Azure Sentinel Instance and select Connectors
Search for Microsoft 365 Defender
Click Open Connector Page
Select which Events you want to ingest
Click Apply Changes
| where ActionType == "RegistryValueSet"
| where RegistryValueName == "DefaultPassword"
| where RegistryKey has @"SOFTWAREMicrosoftWindows NTCurrentVersionWinlogon"
| project Timestamp, DeviceName, RegistryKey
| top 100 by Timestamp
//Process and Network events
union DeviceProcessEvents, DeviceNetworkEvents
| where Timestamp > ago(7d)
| where FileName in~ ("powershell.exe", "powershell_ise.exe")
| where ProcessCommandLine has_any("WebClient",
| project Timestamp, DeviceName, InitiatingProcessFileName,
FileName, ProcessCommandLine, RemoteIP, RemoteUrl, RemotePort, RemoteIPType
If we look at the tables we can see the new created tables
One thing we usually discuss with customers is the workload. Everyone has too much to do and it can, sometimes be difficult to prioritize investigations.
now, where you might be short on staff, and the Covid-19 virus can strike at
the SOC organization or reduce the numbers of available people.
this does not only apply during the world crisis of Covid-19. Automation is
also a help in the normal day to day work.
There are benefits
of being able to automate responses and we have these discussions with many
Automatic self-healing is built-in into Defender ATP and is mimicking these
ideal steps a human would take to investigate and remediate organizational
assets, impacted by a cyber threat.
done using 20 built-in investigation playbooks and 10 remediation actions
at the speed of automation
and remediate all alerts automatically
up critical resources to work on strategic initiatives
will drive down the cost per investigation and remediation
away manual, repetitive tasks
remediation eliminates downtime
value of your protection suite and people, quick configuration and you are up
SecOps Investigation (Manual)
it will take some time from the alert being triggered until someone has the
time to start looking at it. Manual work
also requires more resources for review and approval for each action
SecOPs perspective, an initial response involves information gathering.
Where did the file originate from?
our results, we will decide the remediation steps (if we do not follow a
playbook here, the catch will be different result depending on who makes the
remediation will include connecting remotely or manually collect the device and
then launch tools for the remediation process.
Automatic response with Auto IR
to respond which will avoid additional damage and compromise of additional devices,
when attackers will start moving lateral in the environment.
24/7 buddy who assists the SOC staff to remediate threats so the human staff can
focus on other things
MDATP is sending telemetry data to
MDATP cloud continuously analyzes
the data to detect threats
Once a threat is identitfied an
alert is being raised
The alert kicks off a new automated
AIRS component asks Sense client to
SenseIR is then orchestrated by AIRS
on what action should be executed (Collection/Remediation)
Based on the data collected from the
machine (current and historical) AIRS decides what actions should be taken
For every threat identified, AIRS
will automatically analyze the best course of action and tailor a dedicated
surgical remediation action to be executed using on device components (e.g.
Windows Defender Antivirus)
Playbook is executed
“suspicious host” playbook is just an example of “catch all” playbook that is applied after detailed AutoIR investigation for evidences raised by alerts / incident to ensure that nothing is missed.
processes list – main image, loaded modules, handles, suspicious memory
created files – x minutes febore / after alert
Security Graph eco system – DaaS, AVaaS, TI, TA, Detection engine, ML
TI indicators – for allow / block list
leveraging OS components (e.g. Defender Antivirus) to perform the remediation
(prebuilt into the system, low level actions (driver), tried and tested)
methods (Reg, Link files, etc.) actions
Yes you read that right, its now possible to block unsanctioned apps in Microsoft Cloud App Security directly at your Windows 10 Endpoints. Moving towards a Zero-Trust network away from the corporate firewalls and proxies you still want to maintain network control from the endpoint side, this new feature will give you the possibility to block applications, this is a great step forward in the area and its clear that Microsoft is taking Zero-Trust and Security seriously.
(Its important to note if you have marked apps as unsanctioned in the MCAS Portal already they will automatically be marked as blocked so before turning this on review your unsanctioned apps.)
Configuring Unsanctioned Apps
Once you have your requirements in-place we can start to configure unsanctioned apps, You can either select to maintain this manually or configure a policy to set all apps matching a certain criteria to be blocked. An example could be block all apps with a Risk Score Lower than 3.
If you go to your Cloud App Dashboard and find the App you want to block just click on the App and select unsanctioned.
To have apps marked as unsanctioned automatically can be done with a Policy. Below we have an example of blocking apps that meet the criteria Risk Score 1-3.
Its also possible to add other types of criteria if you want to refine your policy. It all depends what you want to limit and the purpose, is it to control Shadow IT or is it from a Security perspective. Some examples below of other criteria that could be useful depending on the use case.
App Category Productivity
Daily Traffic Below 5 MB
Number of Users Below 5
PRO TIP: When building your Policy its very good that you can play with the Preview Results, that gives you instant feedback on how well your query will perform so try that out.
When the unsanctioned app is marked as unsanctioned the back end integration between MCAS and MDATP exchanges data and Custom Indicators are being populated. You can find these under Settings > Indicators > URLs/Domains
Like in this example we did block WhatsApp and that would replicate over to the Indicators in MDATP. The whole flow depending on sync should not take longer than 3 hours. From that you have blocked in MCAS to that the Endpoint has the blocking instruction.
Once its available in MDATP the Endpoints should update their Indicators and should start blocking.
End User Experience
At the moment the end user experience is fairly limited the user would get a Toast Notification that something has been blocked unless you have turned notifications off.
Depending on the App you are trying to communicate with the blocked app/url the behavior would occur differently.
For WhatsApp it would look like this when Launching it (sorry message in Swedish)
And a Default Notification Message like this below
At the moment the tracking and reporting is also limited to whats available in MCAS and MDATP and its supported retention times.
Things I want to see and I have fed back to the Product groups I want this to evolve to going forward.
Support for X-Platform Devices
Block without Alerting like Block and Report
Having the possibility to do Exclusions and Custom Targeting of Devices/Users
Azure Sentinel—the cloud-native SIEM that empowers defenders is now generally available
Some of the new features are:
Workbooks are replacing dashboards, providing for richer analytics and visualizations
New Microsoft and 3rd party connectors
Detection and hunting:
Out of the box detection rules: The GitHub detection rules are now built into Sentinel.
Easy elevation of MTP alerts to Sentinel incidents.
Built-in detection rules utilizing the threat intelligence connector.
New ML models to discover malicious SSH access, fuse identity, and access data to detect 35 unique threats that span multiple stages of the kill chain. Fusion is now on by default and managed through the UI
Template playbooks now available on Github.
New threat hunting queries and libraries for Jupyter Notebooks
The interactive investigation graph is now publicly available.
Incidents support for tagging, comments, and assignments, both manually and automatically using playbooks.
When working with Incident Response you from time to time find artifacts that you need to block, IP Addresses or specific URLs. Instead of doing this on the proxies or firewalls its often more efficient to do this on the endpoint level to catch roaming machines where ever they are. In some cases you also work with other TI vendors and get IPs and URLs you want to block and build automation around. This feature is currently in preview
WDATP you can now block or allow IPs and Urls.
feature to work you need to have some prerequisites
10 1709 Pro, E3/E5 or Edu
Defender Network Protection
Delivered Protection Enabled
possible to enable Network Protection in several ways
There are still many companies using forward proxies and when analyzing traffic from endpoints this can be a bit challenging. This due to that the client connects to the forward proxy instead of the public endpoint like http://blog.sec-labs.com.
So instead of the public endpoint you would see that the process is connecting to the proxy.
Microsoft have engineers around this and by enabling the Network Protection feature in either Audit Mode or Block mode you can now see the public endpoint the process is actually communicating with behind the forward proxy.
Events that is coming from this type of detection is flagged with the a “NetworkProtection” tag.
If you want to use thees events generated when you do Hunting they are found under Network CommunicationEvents and if you know your proxy ip address you can get everything that has gone via the proxy with the following query.
| where ActionType == “ConnectionSuccess” and RemoteIP != “ProxyIP”
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.