In this article, I'm going to describe how to use Microsoft 365 Defender, including its Threat Analytics feature, in your organization's day-to-day security operations. Over three Petri articles, we've dived into what Microsoft Defender for Endpoint (MDE) is, how you can migrate to it, and how it should be configured.
Part 1: Understanding Microsoft Defender for Endpoint and How It Protects Your Data
Part 2: How to Plan for Microsoft Defender Endpoint Deployments and Migrations
One thing remains: how you should use it in your ongoing security operations. This is where things extend beyond 'just' MDE and into Microsoft 365 Defender as the larger extended detection and response (XDR) platform and security portal. This matters because to truly leverage MDE's capabilities, we must understand how it integrates with the rest of the platform, and protect against threats as they move across the environment rather than stopping at the endpoint.
Extended Detection and Response (XDR) is the capability in Microsoft 365 Defender that unifies the prevention, detection, investigation, and response capabilities of four core security services: Microsoft Defender for Endpoint, Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Defender for Cloud Apps.
By combining signals across these services, attacks that traverse more than one "entity" (say, a phishing email that leads to a compromised identity and then a malicious process on a device) can be monitored as a whole, giving a big-picture view of what's going on, with improved response capabilities. Additionally, Exchange Online Protection and Azure Active Directory (Azure AD) Identity Protection are integrated, providing both signals and remediation. These XDR capabilities are managed in the Microsoft 365 Defender portal at security.microsoft.com.
Think of a Microsoft 365 Defender alert as the lowest-level unit of something worth knowing about. For example, a single instance of a suspicious Task Scheduler entry being created, or an abnormal number of files being deleted in Office 365. Alerts can come from any of the services described above. On their own, alerts may not mean much and, at any great scale, would become hard to manage and correlate.
This is where incidents come into play. These are aggregations of related alerts into a single container, correlated on shared entities (users, devices, files, mailboxes) and on timing, for easier management and response. For example, if the same user is involved in the alerts for suspicious Task Scheduler items and abnormal levels of file deletion, and these alerts happen in close succession, they will likely be grouped into one incident.
Taking the example of a malicious Word document that has dropped a trojan and created a scheduled task, the incident graph does the job of painting the picture of what has happened. It presents this in chronological order via the attack story and visualizes it by depicting the evidence, the entities, and how they relate to each other in the attack.
Then, based on its findings, automated investigation and response (AIR) can remediate by killing processes, quarantining dangerous files, or, in the case of our example, removing the scheduled task. Depending on the automation level configured for the device group, these actions either run automatically or wait for an analyst's approval in the Action center. Everything the investigation does is logged, so you can review the evidence it examined and a record of what was investigated and what was done.
Advanced hunting is a feature in Microsoft 365 Defender that allows SecOps (security operations) teams to query the raw data collected by the protection, detection, and response capabilities across Microsoft 365. Instead of relying on just the incidents and alerts Microsoft 365 Defender raises, security teams can look at the underlying data to surface threat indicators and entities. If your investigation requires you to go beyond the alert and investigation functions, advanced hunting is the place to go.
Advanced hunting gives you almost raw access to the telemetry gathered by and stored in Microsoft 365 Defender. Using Kusto Query Language (KQL), you'll have thirty days of event data to investigate with. Note that these thirty days cannot be extended and differ from the up to six months of retention available for alerts and incidents.
While a full dive into how KQL works to build such queries deserves its own blog (KQL is used elsewhere in Azure too, such as Log Analytics and Microsoft Sentinel; not just Defender), here's an introduction to the advanced hunting schema. Within Microsoft 365 Defender, you'll find a number of tables that make up what's available to be queried. For example, the AlertInfo and AlertEvidence tables, EmailEvents, DeviceFileEvents, and DeviceTvmSoftwareVulnerabilities. These mostly do what they say on the tin, containing columns relevant to that area of the XDR. Of course, with database tables we don't always find what we need in one, so we can leverage KQL to join tables and do all sorts of transformations to get the investigative results we're after.
Of particular interest to beginners may be the shared queries within advanced hunting, which include community-created queries and are useful for understanding how you can leverage them for your bespoke needs.
These queries can be used to further automate your security processes. Using the custom detection rules capability, a security administrator or operator can have queries run on a schedule (every 1, 3, 12, or 24 hours) and raise alerts based on the results. For this to work, the query must return the Timestamp and ReportId columns, plus at least one entity column to associate the result with, such as DeviceId, a file hash (SHA1 or SHA256), an account identifier, or an email address. As well as alerting, you can automate an action on the entity. For example, if you return a file hash as the impacted entity, you can quarantine the file or add it as an indicator; returning a device opens up actions such as isolating it, running an antivirus scan, or restricting app execution; and users can be marked as compromised.
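The following query is an added example of both points above (joining tables in advanced hunting, and shaping a query so it can become a custom detection rule); it is not a query from the article, from Microsoft's shared queries, or from the Petri series. It hunts for the scenario the article uses: an Office application launching schtasks.exe to create a task, correlated with any executable or script the same Office process instance wrote to disk. The table and column names (DeviceProcessEvents, DeviceFileEvents, Timestamp, ReportId, DeviceId, InitiatingProcessId, InitiatingProcessCreationTime, SHA256) are from the documented advanced hunting schema; the seven-day lookback, the list of Office processes, and the list of file extensions are my assumptions and should be tuned for your environment.

```kusto
// Added example: hunt for Office apps creating scheduled tasks and the files
// those same Office processes dropped. Assumed tuning values are marked.
let lookback = 7d;                                               // assumption
let officeApps = dynamic(["winword.exe", "excel.exe", "powerpnt.exe"]); // assumption
let droppedExtensions = dynamic([".exe", ".dll", ".vbs", ".js", ".ps1", ".bat"]); // assumption
// 1. Scheduled task creation where the parent is an Office application.
let taskCreation = DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "schtasks.exe"
    | where ProcessCommandLine contains "/create"
    | where InitiatingProcessFileName in~ (officeApps)
    | project TaskTimestamp = Timestamp, ReportId, DeviceId, DeviceName,
              InitiatingProcessId, InitiatingProcessCreationTime,
              InitiatingProcessFileName, InitiatingProcessAccountName,
              TaskCommandLine = ProcessCommandLine;
// 2. Executables/scripts written to disk by an Office application.
let droppedFiles = DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "FileCreated"
    | where InitiatingProcessFileName in~ (officeApps)
    | extend Extension = tolower(extract(@"(\.[^.\\]+)$", 1, FileName))
    | where Extension in (droppedExtensions)
    | project DropTimestamp = Timestamp, DeviceId,
              InitiatingProcessId, InitiatingProcessCreationTime,
              DroppedFile = strcat(FolderPath, "\\", FileName), DroppedSHA256 = SHA256;
// 3. Correlate on the process *instance* (device + PID + creation time), so a
//    reused PID on another day cannot produce a false match. leftouter keeps
//    task creations even when no dropped file was observed.
taskCreation
| join kind=leftouter droppedFiles
    on DeviceId, InitiatingProcessId, InitiatingProcessCreationTime
// Columns required by custom detection rules: Timestamp, ReportId, and an
// entity (DeviceId/DeviceName for device actions, SHA256 for file actions).
| project Timestamp = TaskTimestamp, ReportId, DeviceId, DeviceName,
          AccountName = InitiatingProcessAccountName,
          InitiatingProcessFileName, TaskCommandLine,
          DroppedFile, DroppedSHA256, DropTimestamp
| order by Timestamp desc
```

Because the final project keeps Timestamp, ReportId, DeviceId, DeviceName, and DroppedSHA256, the same query can be saved as a custom detection rule: DeviceId lets the rule isolate the device or run an antivirus scan, and the SHA256 lets it quarantine the dropped file or add it as a block indicator. When hunting interactively, change the join to `kind=inner` if you only want hits where a dropped file was actually seen.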
Reviewing and responding to incidents and leveraging advanced hunting are likely to be daily tasks for security teams. Additionally, those teams should be checking in on Microsoft 365 Defender's Threat Analytics feature.
Microsoft 365 Defender Threat Analytics is a security feature that tracks prevalent threats that Microsoft's researchers have discovered or that are making the news, and gets you up to speed on them. Look at Threat Analytics as providing two key benefits: it tells you what the threat is and how it works, and it tells you whether and how it affects your organization, by linking the report to your related incidents, alerts, impacted assets, and the status of the recommended mitigations.
Threat Analytics is one way of proactively protecting your environment, and it leverages a feature of Microsoft Defender for Endpoint, managed via Microsoft 365 Defender, that requires additional explanation: threat and vulnerability management (TVM). It's a given that unpatched software poses a risk, and TVM helps here by surfacing what software is outdated across our onboarded devices and what to do about it. TVM goes a step beyond just out-of-date or CVE-affected software, though, and also reports on security configuration: things like OS settings left at insecure defaults.
What this translates to is a very useful page in Microsoft 365 Defender called vulnerability management recommendations. This provides you with a to-do list for hardening and updating your environment. The recommendations tell you what to do rather than just what the problem is. For example, you'll see hardening recommendations such as disable 'Always install with elevated privileges', as well as patching recommendations like update Adobe Acrobat Reader DC. If the software is recognized as end of life, you'll even get advice to uninstall it completely.
Within recommendations, you can harness the Endpoint Manager integration with the request remediation option. This creates a remediation task for Intune-managed (Azure AD joined) devices in Microsoft Endpoint Manager (MEM) so the recommendation can be tracked through to completion: particularly useful in environments where different teams manage different elements.
Managing your security posture and responding to threats is an ongoing operation. Deploying Microsoft Defender for Endpoint and starting with Microsoft 365 Defender is just that: the start. There are no "install it and it's done" solutions to the ongoing security problems our industry faces.
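As an added example of what the TVM tables exposed through advanced hunting contain (this is not a query from the article or from Microsoft), the following query builds a per-device to-do list in the spirit of the recommendations page: devices carrying critical CVEs for which a public exploit exists, any end-of-support software on them, and how many OS hardening checks they fail. The table and column names (DeviceTvmSoftwareVulnerabilities, DeviceTvmSoftwareVulnerabilitiesKB, DeviceTvmSoftwareInventory, DeviceTvmSecureConfigurationAssessment, IsExploitAvailable, CvssScore, EndOfSupportStatus, IsCompliant, IsApplicable, ConfigurationCategory) are from the documented schema; the CVSS threshold of 9.0 and the focus on the "OS" configuration category are my assumptions.

```kusto
// Added example: prioritise devices by exploitable critical CVEs, then attach
// end-of-support software and failed OS hardening checks for the same device.
// Assumed thresholds are marked. The TVM tables are point-in-time snapshots,
// so no Timestamp filter is needed (or available) here.
let exploitable = DeviceTvmSoftwareVulnerabilitiesKB
    | where IsExploitAvailable == true
    | where CvssScore >= 9.0                                    // assumption
    | project CveId, CvssScore;
let vulnDevices = DeviceTvmSoftwareVulnerabilities
    | where VulnerabilitySeverityLevel == "Critical"
    | join kind=inner exploitable on CveId
    | summarize CriticalExploitableCves = dcount(CveId),
                MaxCvss = max(CvssScore),
                Software = make_set(strcat(SoftwareVendor, " ", SoftwareName, " ", SoftwareVersion), 20)
        by DeviceId, DeviceName;
let eolSoftware = DeviceTvmSoftwareInventory
    | where EndOfSupportStatus startswith "EOS"   // excludes "None" and "Upcoming EOS ..."
    | summarize EolSoftware = make_set(strcat(SoftwareName, " ", SoftwareVersion), 20)
        by DeviceId;
let hardening = DeviceTvmSecureConfigurationAssessment
    | where IsApplicable == true and IsCompliant == false
    | where ConfigurationCategory == "OS"                       // assumption
    | summarize FailedOsChecks = dcount(ConfigurationId) by DeviceId;
vulnDevices
| join kind=leftouter eolSoftware on DeviceId
| join kind=leftouter hardening on DeviceId
| project DeviceName, DeviceId, CriticalExploitableCves, MaxCvss, Software,
          EolSoftware, FailedOsChecks = coalesce(FailedOsChecks, 0)
| order by CriticalExploitableCves desc, MaxCvss desc
```

Note that the DeviceTvm tables carry no ReportId column, so a query like this is for hunting and reporting (or export to a ticketing workflow), not for a custom detection rule; the request remediation option described below is the supported route for turning a recommendation into tracked work.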
Through this blog series, however, you've hopefully learned how to get started with Microsoft Defender for Endpoint. Alerts and investigations will keep you in the loop with what threats MDE has identified (and, potentially, auto-remediated), but you'll probably need to go one step further and dive into advanced hunting to stay ahead of the game. Be proactive, leveraging capabilities like Threat Analytics and TVM too: the easiest threats to manage are the ones you've already mitigated.
More from Ru Campbell
Copyright ©2019 BWW Media Group