Posts

Showing posts from January, 2021

Utilize Threat & Vulnerability Management (part 2)

To read part 1 please click here.
Track Emerging Threats with Threat Analytics
With adversaries growing more sophisticated and new threats emerging frequently and continuously, it is critical to be able to quickly assess the impact of new threats, review your resilience against or exposure to them, and identify the actions you can take to stop or contain them. Threat analytics is a set of reports from expert Microsoft researchers covering the most relevant threats, including active threat actors and their campaigns, popular and new attack techniques, critical vulnerabilities, common attack surfaces, and prevalent malware. It also incorporates data from your network, indicating whether the threat is active and whether you have applicable protections in place.
View a threat analytics dashboard
The threat analytics dashboard is a great jump-off point to the reports that are most relevant to your organization; it summarizes the threats in the following sections:

Utilize Threat & Vulnerability Management (part 1)

To read part 2 please click here.
Threat and Vulnerability Management
Threat and vulnerability management serves as an infrastructure for reducing organizational exposure, hardening the endpoint surface area, and increasing organizational resilience. It prioritizes vulnerabilities based on the threat landscape, detections in your organization, sensitive information on vulnerable devices, and business context.
Bridging the workflow gaps
Threat and vulnerability management is built in, real-time, and cloud-powered. Vulnerability management is the industry's first solution to bridge the gap between security administration and IT administration during the remediation process. You can create a security task or ticket by integrating with Microsoft Intune and Microsoft Endpoint Configuration Manager.
Real-time discovery
To discover endpoint vulnerabilities and misconfigurations, threat and vulnerability management uses the same agentless built-in Defender for Endpoint sensors to r

Configure & Manage Automation

Configure Advanced Features
The Advanced features area in the General Settings area provides an on/off switch for features within the product. The following are the settings that are automation focused:
Feature: Description
Automated Investigation: Enables the automation capabilities for investigation and response.
Enable EDR in block mode: When turned on, Microsoft Defender for Endpoint uses behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors observed through post-breach Endpoint Detection and Response (EDR) capabilities.
Automatically resolve alerts: Resolves an alert if Automated investigation finds no threats or has successfully remediated all the malicious artifacts.
Allow or block file: Make sure that Windows Defender Antivirus is turned on and the cloud-based protection feature is enabled in your organization to

Configure for Alerts & Detections

Configure Advanced Features
The Advanced features area in the General Settings area provides an on/off switch for features within the product. The following are the settings that are alert focused:
Feature: Description
Live Response
Live Response unsigned script execution: Enables using unsigned scripts in Live Response.
Custom network indicators: Configures devices to allow or block connections to IP addresses, domains, or URLs in your custom indicator lists.
Share endpoint alerts with Microsoft Compliance Center: Forwards endpoint security alerts and their triage status to the Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.
Configure Alert Notif

Perform Evidence & Entities Investigations (part 2)

To read part 1 please click here.
Investigate a User Account
You can easily identify the user accounts with the most active alerts (displayed on the dashboard as "Users at risk") and investigate cases of potentially compromised credentials, or pivot on the associated user account when investigating an alert or device to identify possible lateral movement between devices with that user account. You can find user account information in the following views: Dashboard, Alert queue, and Device details page. A clickable user account link is available in these views, which takes you to the user account details page, where more details about the user account are shown. When you investigate a user account entity, you will see:
User details
The User details pane on the left provides information about the user, like the related open incidents, active alerts, SAM name, SID, Azure ATP alerts, number of devices the user is logged on to, when the user was first and last seen, role, and

Perform Evidence & Entities Investigations (part 1)

To read part 2 please click here.
Investigate a File
Investigating the details of a file associated with a specific alert, behavior, or event helps determine whether the file exhibits malicious activity, identify the attack motivation, and understand the potential scope of the breach. Actions you can perform here include: Stop and quarantine, Add/edit indicator, Download file, Consult a threat expert, and Action center.
Detailed Profile Page
File details, malware detection, and file prevalence
The file details, incidents, malware detection, and file prevalence cards display various attributes about the file, such as the file's MD5, the VirusTotal detection ratio, the Microsoft Defender AV detection if available, and the file's prevalence, both worldwide and within your organization.
Alerts
The Alerts tab provides a list of alerts associated with the file, which covers much of the same information as the Alerts queue, except for the device group tha

Perform Actions On A Device

Device Actions
While investigating a device you can perform actions, collect data, or remotely access the machine, including the following containment actions: Isolate device, Restrict app execution, and Run antivirus scan. You can perform the following investigation actions: Initiate Automated Investigation, Collect investigation package, and Initiate Live Response Session. The action center provides information on the actions that were taken on a device or file.
Isolate devices from networks
This action can help you prevent the attacker from controlling the compromised device and from performing further activities such as data exfiltration and lateral movement. The isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device. Once you have selected Isolate device on the device page, type a comment and select Confirm, after which the Action Center will show you the scan

Perform Device Investigations (part 2)

To read part 1 please click here.
Behavioral Blocking
Today's threat landscape is full of fileless malware that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to what the adversaries find on compromised devices; traditional solutions are not sufficient to stop such attacks. Behavioral blocking and containment capabilities can help you identify and stop threats based on their behaviors and process trees, even when the threat has already started. Next-generation protection, EDR, and the other Defender for Endpoint components and features work together with behavioral blocking and containment capabilities to stop attacks immediately and to prevent them from progressing. Next-generation protection (which includes Microsoft Defender Antivirus) can easily detect threats by

Perform Device Investigations (part 1)

To read part 2 please click here.
The Device Inventory List
The device inventory page shows a list of the devices in your network where alerts were generated. By default, the queue displays the devices with alerts seen in the last 30 days. The device page can also be accessed from the various investigation pages, such as Incidents and Alerts. At a glance, you will see information such as domain, risk level, OS platform, and other details for easy identification of the devices most at risk.
Risk Level
The risk level reflects the overall risk assessment of the device based on a combination of factors, including the types and severity of the active alerts on the device. Resolving the active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.
Exposure Level
The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations, and if the exposure level

Manage Alerts & Incidents (part 3 of 3)

To read part 1 please click here. To read part 2 please click here.
Perform Advanced Hunting
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data, allowing you to proactively inspect events in your network to locate threat indicators and entities. This enables unconstrained hunting for both known and potential threats.
Data freshness and update frequency
Advanced hunting data can be categorized into two different types, each consolidated differently:
Event or activity data: populates tables about alerts, security events, system events, and routine assessments. Advanced hunting receives this data almost immediately after the sensors that collect it successfully transfer it to Defender for Endpoint.
Entity data: populates tables with consolidated information about users and devices. To provide fresh data, tables are updated with any new information every 15 minutes, adding rows that mig