Blogs by Ashwin

  To read part 1 please click  here To read part 3 please click  here Manage Automatic Investigation Security Operations teams have always faced challenges in addressing the multitude of alerts that arise from the seemingly never-ending flow of threats, but the Microsoft Defender for Endpoint includes Automated Investigation and Remediation (AIR) capabilities that can help your security operations team address the threats more effectively and efficiently. AIR capabilities significantly reduce alert volume, allowing security operations to focus on more sophisticated threats and other high-value initiatives whereas the Action Center keeps track of all the investigations that were initiated automatically, along with details, such as the investigation status, detection source and any pending or completed actions.  How the automated investigation starts? When an alert is triggered, a security playbook goes into effect and depending on the security playbook, an automated investigation can st

  To read part 2 please click  here To read part 3 please click  here Security Operations in Microsoft Defender for Endpoint Defender for Endpoint detection and response capabilities offers advanced attack detection that are near real-time and actionable and whenever a threat is detected, alerts are created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called an incident, which makes it easy for the analysts to investigate and respond to the threats collectively. Inspired by the "assumed breach mindset", Defender for Endpoint continuously collects behavioral cyber telemetry which includes process information, network activities, deep optics into the kernel and memory manager, user sign in activities, registry and file system changes, and the others. The analyst can then pivot in various views and approach the investigation through multiple vectors.  The response capabilities

  Understand Attack Surface Reduction Attack Surface Reduction is all about hardening the places where a threat is likely to attack and whenever you are performing alert investigations, you should also know the events generated by the Attack Surface Reduction on the host, which might provide forensics evidence. The following is a list of the Attack Surface Reduction components: Solution Description Attack Surface Reduction Reduce vulnerabilities (attack surfaces) in your applications with intelligent rules that helps stop malware.(Requires Microsoft Defender Antivirus). Hardware-based isolation Protect and maintain the integrity of a system as it starts and while it’s running, validate system integrity through local as well as remote attestation, and use container isolation for Microsoft Edge to help guard against malicious websites.   Application control Use application control so th

To read part 1 please click  here  Configure device groups In this one, a set of devices are grouped together based on a set of attributes such as their domains, computer names, or designated tags. In the Microsoft Defender for Endpoint, you can create device groups and use them to: Limit access to the related alerts and data to the specific Azure AD user groups with the assigned RBAC roles. Configure different auto-remediation settings for different sets of devices. Assign specific remediation levels to apply during automated investigations.  In an investigation, filter the devices list to just specific device groups by using the Group filter.  As a part of the process of creating a device group you will: Set the automated remediation level for that group. Specify the matching rule that determines which device group belongs to the group based on the device name, domain, tags, and OS platform. Select the Azure AD user group that should have access to the device group. Rank the device g

  To read part 2 please click  here Create Your Environment When accessing your Microsoft Defender Security Center for the first time, a wizard will guide you through some initial steps. On Set up preference page, you can set the: Data storage location- Determine where you want your tenant to be primarily hosted. You cannot change the location after this setup and the Microsoft will not transfer the data from the specified geolocation. Data retention- The default is six months. Enable preview features- The default is on, and can be changed later.   At the end of the setup wizard, there will be a dedicated cloud instance of Defender for Endpoint created.  Onboard Devices You'll need to go to the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. In general, to onboard devices to the service: Verify that the device fulfills the minimum requirements. Depending on the device, follow the configuration steps provided in the onboarding section

  Microsoft Defender for Endpoint explained Microsoft Defender for Endpoint is known as a platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats on their endpoints and  the following capabilities are enabled with the Microsoft Defender for Endpoint: Threat and vulnerability management provides real-time visibility and helps identify ways to improve your security posture. Attack surface reduction eliminates the risky or unnecessary surface areas and restricts any dangerous code from running. Advanced protection uses machine learning and deep analysis to protect against file-based malware. Endpoint detection and response monitors behaviors as well as attacker techniques to detect and respond to advanced attacks.  Leverage artificial intelligence to automatically investigate alerts and remediate complex threats in minutes. Microsoft threat experts bring deep knowledge and proactive threat hunting to your security operations center.    

  To read part 1 please click  here To read part 2 please click  here Connected Sources The Azure Log Analytics agent was developed for comprehensive management across virtual machines in any cloud on-premises machines, and those monitored by System Center Operations Manager and also supports insights and the other services in Azure Monitor such as Azure Monitor for VMs, Azure Security Center, and Azure Automation. Comparison to Azure diagnostics extension  The Azure diagnostics extension in Azure monitor can also be used to collect the monitoring data from the guest operating system of Azure VMs. The key differences to consider are: Azure Diagnostics Extension can be used only with Azure VMs, while the Log Analytics Agent can be used with VMs in Azure, other clouds, and on-premises. Azure Diagnostics Extension sends the data to Azure Storage, Azure Monitor Metrics (Windows only), and Event hubs, while the Log Analytics Agent collects data to Azure Monitor Logs. The Log analytics Agent

  To read part 1 please click  here To read part 3 please click  here Metrics and Logs All data that Azure Monitor collects fits into one of the two fundamental type- metrics or logs. What are metrics? Metrics are numerical values that describes some aspect of a system at a particular time and are also collected at regular intervals as well as useful for alerting because they can be sampled frequently, and an alert can be fired quickly with relatively simple logic.  Different ways of using metric data in Azure Monitor: Analyze- You can use metric explorer to analyze collected metrics on a chart and compare metrics from different resources.  Visualize- Pin a chart from metrics explorer to an Azure dashboard and create a workbook to combine with the multiple sets of the data in an interactive report. Export the results of a query to Grafana to leverage its dashboarding and combine with other data sources. Alert- Configure a metric alert rule that sends a notification or takes automated a