Isolate device – SEC-LABS R&D

Containing unmanaged Devices in Defender

SEC-LABS R&D 2022-06-20 0 Comments

For a long time we have been able to isolate onboarded devices in Microsoft Defender for Endpoint. But if a device is not onboarded we could not take any response actions to an eventual threat.

Microsoft has released a feature called Contain device which basically makes the opposite, instead of isolating the compromised device, we can tell all managed devices that they cannot communicate with the specific unmanaged device.

If a contained device changes IP address, the blocking will be updated and changed to the new IP address and the old will be “released” from block.

Detect, Protect, Respond

Contain device, Defender for Endpoint, Isolate device, MDE, Microsoft 365 Defender, Network Discovery

Take actions from Threat Hunting in M365 Defender

SEC-LABS R&D 2022-03-26 0 Comments

We wrote a blog post earlier about the news in threat hunting

New features in Advanced Hunting – Microsoft 365 Defender – SEC-LABS R&D

Another feature in hunting, which will speed up responses from a threat hunting scenario is Take Action

When selecting a record in the result, the Take Action button will be visible as seen in below picture

So instead of just creating a new incident or adding events to an existing incident we can take actions from the hunting experience.

In the Take actions experience we have actions grouped by Devices, Files and Users.

The action options available is dependent on the data in the result. For instance, file information like checksum is required to being able to quarantine a file.

When clicking Next we can see the target selected and click Next