Deploy the Microsoft Defender for Endpoint Environment (Part 1)

To read part 2 please click here


Create Your Environment

When accessing your Microsoft Defender Security Center for the first time, a wizard will guide you through some initial steps. On the Set up preferences page, you can set the:

  • Data storage location- Determine where you want your tenant to be primarily hosted. You cannot change the location after this setup, and Microsoft will not transfer the data out of the specified geolocation.
  • Data retention- The default is six months.
  • Enable preview features- The default is on, and can be changed later.

At the end of the setup wizard, a dedicated cloud instance of Defender for Endpoint is created for your tenant.

Onboard Devices

You'll need to go to the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. In general, to onboard devices to the service:

  • Verify that the device fulfills the minimum requirements.
  • Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal.
  • Use the appropriate management tool and deployment method for your devices.
  • Run a detection test to verify that the devices are properly onboarded and reporting to the service. 

In Settings > Device Management > Onboarding, select an operating system from the dropdown to see the supported options; the supported deployment methods for that operating system are then outlined.
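As an added example (not part of the original post), the following PowerShell script, run locally on a Windows device, gives a quick answer to the last onboarding step before you go looking for the device in the portal. It assumes the Sense service name, the OnboardingState registry value and the Microsoft-Windows-SENSE/Operational event log that the Microsoft onboarding package itself relies on; adjust if your build differs.

```powershell
# Added example: local verification that a Windows device has onboarded to Defender for Endpoint.
# Assumptions (not stated in the post): service name 'Sense', the OnboardingState value under the
# Windows Advanced Threat Protection\Status key, and the Microsoft-Windows-SENSE/Operational log.
# Run from an elevated PowerShell session on the device you just onboarded.
function Test-MdeOnboarding {
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

    # 1. The Sense service (Windows Defender Advanced Threat Protection Service) must be running.
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue
    $serviceRunning = ($null -ne $svc) -and ($svc.Status -eq 'Running')

    # 2. OnboardingState = 1 means the device accepted the onboarding configuration.
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState

    # 3. Recent SENSE operational events show the sensor is actually active, not just configured.
    $recentEvents = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' -MaxEvents 20 -ErrorAction SilentlyContinue |
        Where-Object { $_.TimeCreated -gt (Get-Date).AddHours(-24) }

    [pscustomobject]@{
        SenseServiceRunning = $serviceRunning
        OnboardingState     = $state
        SenseEventsLast24h  = @($recentEvents).Count
        Onboarded           = $serviceRunning -and ($state -eq 1)
    }
}

Test-MdeOnboarding | Format-List
```

If Onboarded is False, the onboarding step itself needs attention; if it is True but the device never appears in the portal, the detection test offered in the onboarding section is the next check.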

Manage Access

Using Role-based Access Control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Defender for Endpoint RBAC is designed to support your tier- or role-based model of choice and gives granular control over what roles can see, which devices they can access, and which actions they can take. The RBAC framework is centered around the following controls:

  • Control who can take specific actions- You can create custom roles and control what Defender for Endpoint capabilities they can access with granularity.
  • Control who can see information on a specific device group or groups- You can create device groups by specific criteria such as names, tags, domains, and others, then grant role access to them by using a specific Azure AD user group.

To implement role-based access, you will need to define admin roles, assign the corresponding permissions to each role, and assign Azure AD user groups to the roles.

Create and manage roles for RBAC

The following steps will guide you on how to create roles in Microsoft Defender Security Center:

  1. Access the Microsoft Defender Security Center using an account with the Security administrator or Global administrator role assigned. 
  2. In the navigation pane, select Settings > Roles.
  3. Select Add item.
  4. Enter the role name, description, and permissions you'd like to assign to the role.
  5. Select Next to assign the role to an Azure AD Security group.
  6. Use the filter to select the Azure AD group that you would like to add to this role.
  7. Save and close.
  8. Apply the configuration settings.  

Note- After creating the roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created.

Permission Options:

  • View data
      • Security Operations- View all security operations data in the portal.
      • Threat and Vulnerability management- View threat and vulnerability management data in the portal.
  • Active remediation actions
      • Security Operations- Take response actions, approve or dismiss pending remediation actions, manage allowed/blocked lists for automation and indicators.
      • Threat and Vulnerability management- Exception handling- Create new exceptions and manage active exceptions.
      • Threat and Vulnerability management- Remediation handling- Submit new remediation requests, create tickets, and manage existing remediation activities.
  • Alerts investigation- Manage alerts, start automated investigations, run scans, collect investigation packages, manage device tags, and download only Portable Executable (PE) files.
  • Manage portal system settings- Configure storage settings, SIEM, and threat intel API settings (applies globally), advanced settings, automated file uploads, roles, and device groups.
  • Manage security settings in security center- Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications as well as the evaluation lab.
  • Live response capabilities
      • Basic Commands- Start a live response session and perform read-only live response commands on the remote device (excluding file copy and execution).
      • Advanced Commands- Download a file from the remote device via live response, download PE and non-PE files from the file page, upload a file to the remote device, view a script from the files library, and execute a script on the remote device from the files library.
