Deploy the Microsoft defender for Endpoint Environment (part 1)

By Ashwin Venugopal -

 


To read part 2 please click here


Create Your Environment

When accessing your Microsoft Defender Security Center for the first time, a wizard will guide you through some initial steps. On Set up preference page, you can set the:

  • Data storage location- Determine where you want your tenant to be primarily hosted. You cannot change the location after this setup and the Microsoft will not transfer the data from the specified geolocation.
  • Data retention- The default is six months.
  • Enable preview features- The default is on, and can be changed later.  

At the end of the setup wizard, there will be a dedicated cloud instance of Defender for Endpoint created. 

Onboard Devices

You'll need to go to the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. In general, to onboard devices to the service:

  • Verify that the device fulfills the minimum requirements.
  • Depending on the device, follow the configuration steps provided in the onboarding section of the Defender for Endpoint portal.
  • Use the appropriate management tool and deployment method for your devices.
  • Run a detection test to verify that the devices are properly onboarded and reporting to the service. 

In settings, Device Management, Onboarding select operating system dropdown to see the supported options and then the supported deployment options are outlined. 

Manage Access

Using Role-based Access Control (RBAC), you can create roles and groups within your security operations team to grant appropriate access to the portal. Defender for Endpoint RBAC is designed to support your tier- or role-based model of choice and gives granular control over what roles can see, devices they can access, and actions they can take. The RBAC framework is centered around the following controls:

  • Control who can take specific actions- You can create custom roles and control what Defender for Endpoint capabilities they can access with granularity.
  • Control who can see information on a specific device group or groups- You can create device groups by specific criteria such as names, tags, domains, and others, then grant role access to them by using a specific Azure AD user group.

To implement role-based access, you will need to define admin roles, assign corresponding permissions, and assign Azure AD user groups assigned to the roles.

Create and manage roles for RBAC

The following steps will guide you on how to create roles in Microsoft Defender Security Center:

  1. Access the Microsoft Defender Security Center using an account with the Security administrator or Global administrator role assigned. 
  2. In the navigation pane, select Settings > Roles.
  3. Select Add item.
  4. Enter the role name, description, and permissions you'd like to assign to the role.
  5. Select Next to assign the role to an Azure AD Security group.
  6. Use the filter to select the Azure AD group that you would like to add to this role to.
  7. Save and close.
  8. Apply the configuration settings.  

Note- After creating the roles, you'll need to create a device group and provide access to the device group by assigning it to a role that you just created.

Permission Options:

  • View data
           Security Operations- View all security operations data in the portal
           Threat and Vulnerability management- View threat and vulnerability management data in the                   portal.
  • Active remediation actions 
           Security Operations- Take response actions, approve or dismiss pending remediation actions,                   managed allowed/blocked lists for automation and indicators.
          Threat and Vulnerability management- Exception handling- Create new exceptions and manage               active exceptions. 
          Threat and Vulnerability management- Remediation handling- Submit new remediation requests,            create tickets and manage existing remediation activities.
  • Alerts investigation- Manage alerts, start automated investigations, run scan, collect investigation packages, manage device tags, and download only Portable Executable (PE) files.

  • Manage portal system settings- Configure storage settings, SIEM, and threat intel API settings (applies globally), advanced settings, automated file uploads, roles, and device groups.

  • Manage security settings in security center- Configure alert suppression settings, manage folder exclusions for automation, onboard and offboard devices, and manage email notifications as well as evaluation lab.

  • Live response capabilities        

          Basic Commands- Start a live response session and perform read-only live response commands              on remote device (excluding file copy and execution).

          Advanced Commands- Download a file from the remote device via live response, download PE              and non-PE file from the file page, upload a file to the remote device, view a script from the files            library, execute a script on the remote device from the files library.    



To read part 2 please click here










Comments

Post a Comment

Popular posts from this blog

Deployment (Part 3)

By Ashwin Venugopal -
Image
  To read part 1, please click  here To read part 2, please click  here Microsoft Monitoring Agent (MMA) MMA is used across multiple Microsoft solutions and has undergone a few name changes as its features and functionality have evolved. If it is being considered to be used, then following areas should be covered during a Microsoft Sentinel deployment project: Consider the timelines and the strategy for a migration to AMA (Azure Monitor Agent) before the MMA end-of-life.  Consider the central deployment and management methodology for MMA. Determine which endpoints are in scope for deployment as these affect the log ingestion volume significantly.  Azure Monitor Agent (AMA) Organizations with MMA as the main Microsoft Sentinel agent should start planning the migration to AMA as soon as possible to avoid a rushed migration. One of the main advantages of AMA is the ability to control the log collection policy centrally and apply different policies against different...
Read more

Deployment (Part 1)

By Ashwin Venugopal -
Image
  To read part 2, please click  here To read part 3, please click  here Azure Resources Microsoft Sentinel needs following resources to be created: Subscription (if a dedicated subscription(s) will be used) Resource group(s) Log Analytics workspace(s) Automation rules/playbook Alert rules Workbooks Microsoft Sentinel offers hundreds of alert rules, workbooks, and automation playbook templates along with hunting scripts. The templates can be used to activate/deploy schedule alerts, create customized dashboards, create automation playbooks and perform threat-hunting activities. Generally, once deployed, the resources created have to be adjusted to match the existing environment, configure local credentials, etc. Methods of deployment: Manual- Administrator can manually configures the Microsoft Sentinel resources with the help of Azure portal. Any manual process has the inherent risks of human operator error, lack of compliance with potential change control procedures, and u...
Read more

Project Resourcing (Part 2)

By Ashwin Venugopal -
Image
  To read part 1, please click  here Engineering - SIEM The SIEM engineers configures Microsoft Sentinel, including Log Analytics, Logic Apps, workbooks, and playbooks. They are also responsible for the following high-level tasks: Initial configuration of Azure tenant, including provisioning required resources, assigning access roles, and configuring workspace parameters like log retention, resource tagging, and blueprints.  Deployment and configuration of syslog/CEF log collection agents in appropriate locations to collect logs from on-premises devices. Generally, it will be joint effort of both system engineer and SIEM engineer, involving configuration and potential troubleshooting.  Working with system owners to enable log forwarding and configuring any required parsing of log data in Log Analytics.  Working with security operations to create and deploy KQL analytic rules to offer detections for SOC/Computer Security Incident Response Team (CSRIT) use. Tuning...
Read more