Perform Actions On A Device

Device Actions

While investigating a device, you can take response actions, collect data, or remotely access the machine. The containment actions are:

  • Isolate device
  • Restrict app execution
  • Run antivirus scan

You can perform the following investigation actions:

  • Initiate Automated Investigation
  • Collect investigation package
  • Initiate Live Response Session

The action center provides information on the actions that were taken on a device or file.

Isolate devices from networks

This action helps prevent an attacker from controlling the compromised device and from carrying out further activities such as data exfiltration and lateral movement. Isolation disconnects the compromised device from the network while retaining connectivity to the Defender for Endpoint service, which continues to monitor the device.

Once you have selected Isolate device on the device page, type a comment and select Confirm. The Action center will then show the scan information, and the device timeline will include a new event. When a device is being isolated, a notification is displayed to inform the user that the device is being isolated from the network.

Restrict app execution

This action is available for devices on Windows 10, version 1709 or later, and only if your organization uses Microsoft Defender Antivirus. To restrict an application from running, a code integrity policy is applied that only allows files to run if they are signed by a Microsoft-issued certificate. This can help prevent an attacker from controlling compromised devices and performing further malicious activities.

You can reverse the restriction on application execution at any time: the button on the device page changes to Remove app restriction, and you follow the same steps as for restricting app execution. When an app is restricted, a notification is displayed to inform the user that an app is being restricted from running.

Collect investigation package from devices

As part of the investigation or response process, you can collect an investigation package from a device to identify its current state and to further understand the tools and techniques used by the attacker. To download the package (a zip file) and investigate the events that occurred on the device:

  • Select Collect investigation package from the row of response actions at the top of the device page.
  • Specify in the text box why you want to do this action. Select Confirm.
  • The zip file will download.

Alternate way:

  • Select Action center from the response actions section of the device page.
  • In the Action center fly-out, select Package collection package available to download the zip file.
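The containment and collection actions above can also be triggered through the Defender for Endpoint machine-actions API. The Python helper below is an added example, not code from this page or from Microsoft; it assumes the public API host api.securitycenter.microsoft.com and its isolate, unisolate, restrictCodeExecution, unrestrictCodeExecution, runAntiVirusScan and collectInvestigationPackage endpoints, and uses placeholder token and machine ID values. It builds and validates each request offline (enforcing the justification comment the portal asks for) and only sends when send() is called with a real token.

```python
"""Prepare Defender for Endpoint machine actions through the public API.
Added example, not from this page or Microsoft; API host and endpoints are
assumed, token and machine id are placeholders. Nothing is sent until send()."""
import json
import urllib.request

API = "https://api.securitycenter.microsoft.com/api/machines"

# action -> (API endpoint, enum parameters the request body must carry)
ACTIONS = {
    "isolate": ("isolate", {"IsolationType": {"Full", "Selective"}}),
    "unisolate": ("unisolate", {}),
    "restrict_app_execution": ("restrictCodeExecution", {}),
    "remove_app_restriction": ("unrestrictCodeExecution", {}),
    "run_av_scan": ("runAntiVirusScan", {"ScanType": {"Quick", "Full"}}),
    "collect_investigation_package": ("collectInvestigationPackage", {}),
}

def build_action(machine_id, action, comment, **params):
    """Return (url, body) for one machine action, mirroring the portal's rules:
    a justification comment is mandatory and enum parameters must be valid."""
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if not comment or not comment.strip():
        raise ValueError("a justification comment is required for every action")
    endpoint, enums = ACTIONS[action]
    body = {"Comment": comment.strip()}
    for name, allowed in enums.items():
        if params.get(name) not in allowed:
            raise ValueError(f"{name} must be one of {sorted(allowed)}")
        body[name] = params[name]
    return f"{API}/{machine_id}/{endpoint}", body

def send(url, body, token):
    """POST a prepared action using a real bearer token; returns the action record."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

if __name__ == "__main__":
    url, body = build_action("MACHINE_ID_PLACEHOLDER", "isolate",
                             "INC-0000: confirmed beacon, containing host",
                             IsolationType="Full")
    print(url, json.dumps(body))
```

Every action the API returns is also listed in the portal's Action center, so API-driven containment leaves the same audit trail as the UI steps above.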

Initiate live response session

Live response gives security operations teams instantaneous access to a device (also referred to as a machine) through a remote shell connection. This lets you do in-depth investigative work and take immediate response actions to contain identified threats in real time.

Live response is designed to enhance investigations by enabling your security operations team to collect forensic data, run scripts, send suspicious entities for analysis, remediate threats, and proactively hunt for emerging threats.

With live response, analysts can do all of the following tasks:

  • Run basic and advanced commands to do investigative work on a device.
  • Download files such as malware samples and the outcomes of PowerShell scripts.
  • Download files in the background (new).
  • Upload a PowerShell script or executable to the library, or run it on a device from the tenant level.
  • Take or undo remediation actions.

Prerequisites

Before you can initiate a session on a device, make sure you fulfill the following requirements:

Verify that you are running a supported version of Windows 10. You will also need to enable the live response capability in the Advanced features settings page.

Only users with manage security or global admin roles can edit these settings. 

Ensure that the device has an Automation Remediation level assigned to it. You will need to enable at least the minimum Remediation level for a given Device Group; otherwise you will not be able to establish a Live Response session to a member of that group.

Enable live response unsigned script execution (optional). Allowing the use of unsigned scripts may increase your exposure to threats, and running them is not recommended. If you must use them, you will need to enable the setting in the Advanced features settings page.

Ensure that you have the appropriate permissions. Only users who have been provisioned with the appropriate RBAC permissions can initiate a session. Depending on the role granted to you, you can run basic and advanced live response commands. Users' permissions are controlled by the RBAC custom role.

Limitations

Live response has the following limitations:

  • A maximum of 10 live response sessions can be active at a time.
  • Large-scale command execution is not supported.
  • The live response session inactivity timeout is 5 minutes.
  • A user can only initiate one session at a time.
  • A device can only be in one session at a time.

The following file size limits apply:

  • getfile limit: 3 GB
  • fileinfo limit: 10 GB
  • library limit: 250 MB
