Perform Device Investigations (part 1)

By Ashwin Venugopal -

 



To read part 2 please click here


The Device Inventory List

The device inventory page shows a list of the devices in your network where alerts were generated. By default, the queue displays the devices with alerts seen in the last 30 days and the device page can also be accessed from the various investigation pages like Incidents and Alerts. At a glance, you will see the information such as domain, risk level, OS platform, and the other details for easy identification of the devices mostly at risk. 

Risk Level

The risk level reflects the overall risk assessment of the device based on a combination of the factors, including the types and severity of the active alerts on the device and by resolving the active alerts, approving remediation activities, and suppressing the subsequent alerts can lower the risk level.

Exposure Level

The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations and if the exposure level says, "No data available", there are a few reasons why this may be the case:
  • The device stopped reporting for more than 30 days- in that case, it is considered inactive, an the exposure isn't computed
  • The device OS is not supported- see minimum requirements for the Microsoft Defender for Endpoint
  • The device has a stale agent (very unlikely) 

 Health State

The following device health states:
  • Active- devices that are actively reporting sensor data to the service
  • Inactive- devices that have stopped sending signals for more than seven days
  • Misconfigured- devices that impaired communications with service or are unable to send sensor data. These devices can be further classified to no sensor data and impaired communications.  

Antivirus Status

The antivirus status for Windows 10 devices only:
  • Disabled- Virus and threat protection is turned off
  • Not reporting- Virus and threat protection not reporting
  • Not updated- Virus and threat protection is not up to date 

Investigate the device

You should investigate the details of an alert raised on a specific device to identify the other behaviors or events that might be related to the alert or the potential scope of the breach. Affected devices are identified in the following cases:
  • Devices list
  • Alerts queue 
  • Security operations dashboard
  • Any individual alert
  • Any individual file details view
  • Any IP address or domain details view
Whenever you investigate a specific device. you will see:
  • Device details
  • Response actions
  • Tabs (overview, alerts, timeline, security recommendations, software inventory, discovered vulnerabilities, missing KBs)
  • Cards (active alerts, logged on users, security assessment)



To read part 2 please click here





Comments

Post a Comment

Popular posts from this blog

Query, Visualize, & Monitor Data in Azure Sentinel

By Ashwin Venugopal -
Image
  Azure Sentinel Workbooks Several ready for use templates are provided by the Azure Sentinel that can be used to create your own workbook and then modify them as needed for Contoso. Most of the data connectors it uses to ingest data come with their own workbooks, but better insight can be obtained by simply looking into the data that is being ingested by using tables and visualizations, including bar and pie charts. You can also make your own workbook easily by using this data from the beginning instead of using the predefined templates. Workbook Page You can easily access the workbook page from the Azure Sentinel from the navigation pane which consists of the: Workbook header- You can add a new workbook and review the saved workbooks as well as templates that are available on the workbook page. Templates section- You can access existing workbook templates on the Templates tab. You can save some of the workbooks for quick access and they will appear on the My Workbooks tab.  From the
Read more

Planning for Implementing SAP Solutions on Azure (Part 2 of 5)

By Ashwin Venugopal -
Image
  To read part 1 please click  here To read part 3 please click  here To read part 4 please click  here To read part 5 please click  here Load Balancing The load balancer uses probe ports to determine as well as route the traffic to an active DBMS node, but of there's any failover then the most common SAP application architecture can automatically reconnect against the private virtual IP address without the need for the SAP application to reconfigure it, while the load balancer redirect the traffic against the private virtual IP address without any need for the SAP application to reconfigure. The loaf balancer also offers an option of DirectServerReturn which if configured, can help in directing the traffic from the DBMS VM to the SAP application layer directly to the application layer without routing through the load balancer. But, if it isn't configured, then the return traffic to the SAP application layer is routed through the load balancer. You can also use Azure Load Balan
Read more

Work with String Data Using KQL Statements

By Ashwin Venugopal -
Image
  Extract Data from Unstructured String Fields Unstructured string fields often contains the Security log data and requires parsing to extract data. There are multiple ways of pulling information from string fields in KQL and the two primary operators used are extract and parse.  Extract It gets a match for a regular expression from a text string. You can convert the extracted substring to the indicated type.  Arguments regex- A regular expression. captureGroup- A positive int constant indicating the capture group to extract. 0 stands for the entire match, 1 for the value matched by the first '('parenthesis')' in the regular expression, 2 or more for subsequent parenthesis.  text- A string to search. typeLiteral- An optional type literal. If provided, the extracted substring is converted to this type.  Returns If regex finds a match in text- the substring matched against the indicated capture group captureGroup, optionally converted to typeLiteral. If there's no mat
Read more