Chapter 02: Mitigate Threats Using Microsoft Defender for Endpoint


Chapter 2

Mitigating Threats Using Microsoft Defender for Endpoint
Table of Contents

1. Deploy the Microsoft Defender for Endpoint environment
2. Implement Windows security enhancements
3. Perform device investigations
4. Perform actions on a device
5. Perform evidence and entities investigations
6. Configure and manage automation
7. Configure for alerts and detections
8. Utilize Microsoft Defender Vulnerability Management
Chapter 2, Lesson 1
Deploy the Microsoft Defender for Endpoint Environment

Introduction

After completing this module, you will be able to:

1. Create a Microsoft Defender for Endpoint environment
2. Onboard devices to be monitored by Microsoft Defender for Endpoint
3. Configure the Microsoft Defender for Endpoint environment settings
Explain security operations in Microsoft
Defender for Endpoint
• Defender for Endpoint detection and response capabilities provide advanced attack
detections that are near real-time and actionable.

• When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts
with the same attack techniques or attributed to the same attacker are aggregated into an
entity called an incident. Aggregating alerts in this manner makes it easy for analysts to
investigate and respond to threats collectively.

• Inspired by the "assume breach" mindset, Defender for Endpoint continuously collects
behavioral cyber telemetry. This includes process information, network activities, deep optics
into the kernel and memory manager, user sign-in activities, registry and file system changes,
and others.

© Copyright Microsoft Corporation. All rights reserved.


Create your environment
Microsoft 365 Defender portal https://security.microsoft.com

● Data storage location: Determine where you want to be hosted. You cannot change the location after this setup.
● Data retention: The default is six months.
● Enable preview features: The default is on; this can be changed later.



Onboard Devices

You'll need to go to the onboarding section of the Defender for Endpoint portal to onboard any of the supported devices. Depending on the device, you'll be guided with appropriate steps and provided management and deployment tool options suitable for the device.
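Onboarding is complete only when the sensor on the device is running and has registered with your tenant, so it is worth checking on the endpoint rather than trusting the deployment tool's exit code. The following script is an added example and is not part of the course deck. It reads the sensor service and the onboarding status registry key, and as an optional last step launches Microsoft's documented detection test so a test alert shows up in the portal. The tenant you compare OrgId against, and the assumption that the test should only ever run on a lab device, are the operator's responsibility.

```powershell
# Added example (not from the course deck): confirms that a Windows device has finished
# onboarding to Defender for Endpoint and that the sensor is healthy, then optionally fires
# Microsoft's documented detection test so a test alert appears in the portal. Run in an
# elevated PowerShell session on the device; run the last step only on a lab/test device.

function Get-MdeOnboardingStatus {
    # The EDR sensor runs as the "Sense" service. Applying the onboarding package from the
    # portal writes the Status key; OnboardingState 1 means the device is onboarded.
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $svc       = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue
    $av        = Get-MpComputerStatus -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        SenseService  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        Onboarded     = ($status.OnboardingState -eq 1)
        OrgId         = $status.OrgId   # tenant the sensor reports to; compare with the org ID shown in the portal
        AntivirusMode = if ($av) { $av.AMRunningMode } else { 'Unknown' }   # e.g. Normal, Passive Mode, EDR Block Mode
    }
}

$report = Get-MdeOnboardingStatus
$report | Format-List

if (-not $report.Onboarded -or $report.SenseService -ne 'Running') {
    Write-Warning 'Device is not reporting to Defender for Endpoint. Re-run the onboarding package from Settings > Endpoints > Onboarding.'
    return
}

# Microsoft's documented detection test: the download from 127.0.0.1 fails on purpose; the
# behaviour (hidden PowerShell fetching and launching an executable) is what the sensor flags.
$detectionTest = @'
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden $ErrorActionPreference= 'silentlycontinue';(New-Object System.Net.WebClient).DownloadFile('http://127.0.0.1/1.exe', 'C:\\test-WDATP-test\\invoice.exe');Start-Process 'C:\\test-WDATP-test\\invoice.exe'
'@
New-Item -ItemType Directory -Path 'C:\test-WDATP-test' -Force | Out-Null
Start-Process -FilePath cmd.exe -ArgumentList "/c $detectionTest" -WindowStyle Hidden
```

A device that shows Onboarded but an AntivirusMode of Passive Mode is normal when a third-party antivirus is present; EDR still works, but the attack surface reduction rules and next-generation protection features in the next lesson require Microsoft Defender Antivirus to be the active antivirus.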



Understand compatible operating systems

Windows

macOS

Linux

Android

iOS



Manage access
Defender for Endpoint RBAC is designed to support your tier- or role-based
model of choice and gives you granular control over what roles can see,
devices they can access, and actions they can take.

● Control who can take specific actions: Create custom roles and control what Defender for Endpoint capabilities they can access with granularity.
● Control who can see information on a specific device group or groups: Create device groups by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group.



Create and manage roles for role-based access control

Permission options:
• View data
• Active remediation actions
• Alerts investigation
• Manage portal system settings
• Manage security settings in Security
Center
• Live response capabilities



Configure device groups
Create device groups and use them to:

• Limit access to related alerts and data to specific Azure AD user groups with assigned RBAC roles
• Configure different auto-remediation settings for different sets of devices
• Assign specific remediation levels to apply during automated investigations
• In an investigation, filter the Devices list to just specific device groups by using the Group filter

As part of the process of creating a device group, you'll:

• Set the automated remediation level for that group.
• Specify the matching rule that determines which devices belong to the group based on the device name, domain, tags, and OS platform.
• Select the Azure AD user group that should have access to the device group.
• Rank the device group relative to other groups after it is created. A device that matches more than one group lands in the highest-ranked one, so the rank decides which remediation level and which analysts apply to it.



Chapter 2, Lesson 2
Implement Windows Security Enhancements

Introduction

After completing this module, you will be able to:

1. Explain attack surface reduction in Windows
2. Enable attack surface reduction rules on Windows devices
3. Configure attack surface reduction rules on Windows devices
Understand attack surface reduction capabilities

• Attack surface reduction rules
• Hardware-based isolation
• Application control
• Exploit protection
• Network protection
• Windows Defender Firewall
• Web protection
• Controlled folder access
• Removable storage protection



Enable attack surface reduction rules

● Sample ASR rules:
  • Block executable content from email client and webmail
  • Block all Office applications from creating child processes
  • Block Office applications from creating executable content
  • Block Office applications from injecting code into other processes
  • Block execution of potentially obfuscated scripts
  • Use advanced protection against ransomware
● Rule options:
  ○ Disable = 0
  ○ Block (enable ASR rule) = 1
  ○ Audit = 2
  ○ Warn = 6
● Deployment options:
  • Microsoft Endpoint Configuration Manager
  • Group Policy
  • PowerShell cmdlets
  • Microsoft Intune
  • Mobile Device Management (MDM)
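The PowerShell deployment option is the quickest way to see the rule options above in practice and to follow the audit-before-block rollout that keeps ASR from breaking line-of-business macros. The script below is an added example, not part of the course deck: it stages the six sample rules in Audit mode, reads back the numeric action codes from Get-MpPreference (the same 0/1/2/6 values the slide lists), reviews the local audit events, and then promotes two rules to Block. The rule GUIDs are Microsoft's published identifiers for these rules; the choice of which rules to promote is illustrative.

```powershell
# Added example (not from the course deck): stage the six sample ASR rules in Audit mode,
# read back the effective state, review what Audit would have blocked, then promote to Block.
# Run in an elevated PowerShell session on a Windows 10/11 device where Microsoft Defender
# Antivirus is active. The GUIDs are Microsoft's published identifiers for these rules.

$AsrRules = [ordered]@{
    'Block executable content from email client and webmail'             = 'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550'
    'Block all Office applications from creating child processes'        = 'd4f940ab-401b-4efc-aadc-ad5f3c50688a'
    'Block Office applications from creating executable content'         = '3b576869-a4ec-4529-8536-b80a7769e899'
    'Block Office applications from injecting code into other processes' = '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84'
    'Block execution of potentially obfuscated scripts'                  = '5beb7efe-fd9a-4556-801d-275e5ffc04cc'
    'Use advanced protection against ransomware'                         = 'c1db55ab-c21a-4637-bb3f-a12568109d35'
}

# Numeric codes returned by Get-MpPreference; they match the slide's "Rule options".
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Set-AsrRuleState {
    param(
        [Parameter(Mandatory)][string[]]$Ids,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'Enabled', 'AuditMode', 'Warn')][string]$Action
    )
    # Add-MpPreference merges into the existing rule list (one action per ID is supplied);
    # Set-MpPreference would replace the whole list and silently drop rules configured elsewhere.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids `
                     -AttackSurfaceReductionRules_Actions (@($Action) * $Ids.Count)
}

function Get-AsrRuleState {
    $pref    = Get-MpPreference
    $ids     = @($pref.AttackSurfaceReductionRules_Ids)
    $actions = @($pref.AttackSurfaceReductionRules_Actions)
    for ($i = 0; $i -lt $ids.Count; $i++) {
        $known = $AsrRules.GetEnumerator() | Where-Object { $_.Value -eq $ids[$i] } | Select-Object -First 1
        [pscustomobject]@{
            Rule   = if ($known) { $known.Key } else { '(rule not in this list)' }
            Id     = $ids[$i]
            Action = $ActionName[[int]$actions[$i]]
        }
    }
}

# Step 1: everything in Audit first, so business macros and scripts keep working while the
# sensor records what each rule would have blocked.
Set-AsrRuleState -Ids @($AsrRules.Values) -Action AuditMode
Get-AsrRuleState | Format-Table -AutoSize

# Step 2: after a soak period, read the local ASR events. Event ID 1122 = audit hit,
# 1121 = block. The message names the rule ID, the process and the target path.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1121, 1122 } `
             -MaxEvents 100 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

# Step 3: promote the rules that produced no legitimate hits to Block; leave noisy ones in Audit
# until exclusions are in place (Add-MpPreference -AttackSurfaceReductionOnlyExclusions <path>).
Set-AsrRuleState -Ids @(
    $AsrRules['Block all Office applications from creating child processes'],
    $AsrRules['Block execution of potentially obfuscated scripts']
) -Action Enabled
Get-AsrRuleState | Format-Table -AutoSize
```

On devices managed through Intune, MDM or Group Policy the policy value is reapplied at the next sync and overrides anything set locally, so treat the cmdlets as a lab and validation tool and make the production change in the management channel. Remove-MpPreference -AttackSurfaceReductionRules_Ids <GUID> rolls a rule back if a promotion turns out to be premature.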



Chapter 2, Lesson 3
Perform Device Investigations

Introduction

After completing this module, you will be able to:

1. Use the device page in Microsoft Defender for Endpoint
2. Describe the device forensics information collected by Microsoft Defender for Endpoint
3. Describe behavioral blocking by Microsoft Defender for Endpoint
Use the device inventory list
The Device inventory page shows a list of the devices in your network where alerts were
generated. By default, the queue displays devices with alerts seen in the last 30 days.



Investigate the device



Use behavioral blocking
Behavioral blocking and containment capabilities:
• Credential dumping from LSASS
• Cross-process injection
• Process hollowing
• User Account Control bypass
• Tampering with antivirus (such as disabling it
or adding the malware as exclusion)
• Contacting Command and Control (C&C) to
download payloads
• Coin mining
• Boot record modification
• Pass-the-hash attacks
• Installation of root certificate
• Exploitation attempt for various vulnerabilities



Demonstration – Detect devices with device discovery

Scenario:
You are a Security Operations Analyst working at a company that is implementing Microsoft 365 Defender solutions. You need to discover devices in your on-premises network.

Task 1: Discover devices
Task 2: Assess and onboard unmanaged devices
Chapter 2, Lesson 4
Perform Actions on a Device

Introduction

After completing this module, you will be able to:

1. Perform actions on a device using Microsoft Defender for Endpoint
2. Conduct forensics data collection using Microsoft Defender for Endpoint
3. Access devices remotely using Microsoft Defender for Endpoint
Explain device actions
When investigating a device, you can perform actions, collect data, or remotely access the
machine. Defender for Endpoint provides the device control required.

Response actions:
• Manage tags
• Initiate Automated Investigation
• Initiate Live Response Session
• Collect investigation package
• Run antivirus scan
• Restrict app execution
• Isolate device
• Contain device
• Consult a threat expert
• Action center



Collect investigation package from devices
As part of the investigation or response process, you can collect an investigation
package from a device that contains:

• Autoruns
• Installed programs
• Network connections
• Prefetch files
• Processes
• Scheduled tasks
• Security event log
• Services
• Windows Server Message Block (SMB) sessions
• System information
• Temp directories
• Users and groups
• WdSupportLogs



Initiate live response session

Live response gives security operations teams instantaneous access to a device (also referred to as a machine) using a remote shell connection.

Live response commands (examples):

● Basic commands:
  ○ connections
  ○ fileinfo
  ○ persistence
  ○ processes
  ○ registry
  ○ scheduledtasks
  ○ services
● Advanced commands:
  ○ analyze
  ○ getfile
  ○ run
  ○ library
  ○ putfile
  ○ remediate



Chapter 2, Lesson 5
Perform Evidence and Entities Investigations

Introduction

After completing this module, you will be able to:

1. Investigate files in Microsoft Defender for Endpoint
2. Investigate domains and IP addresses in Microsoft Defender for Endpoint
3. Investigate user accounts in Microsoft Defender for Endpoint
Investigate a file

Investigate the details of a file associated with a specific alert, behavior, or event to help determine if the file exhibits malicious activities, identify the attack motivation, and understand the potential scope of the breach.



Investigate a user account
Identify user accounts with the most active alerts (displayed on the dashboard as "Users at
risk") and investigate cases of potentially compromised credentials, or pivot on the associated
user account when investigating an alert or device to identify possible lateral movement
between devices with that user account.



Investigate an IP address

IP worldwide

Reverse DNS names

Alerts related to this IP

IP in organization

Prevalence



Investigate domains and URLs

You can see information from the following sections in the URL and domain view:
• Domain details, registrant contact information
• Microsoft verdict
• Incidents related to this URL or domain
• Prevalence of the URL or domain in the organization
• Most recent observed devices with URL or domain



Chapter 2, Lesson 6
Configure and Manage Automation

Introduction

After completing this module, you will be able to:

1. Configure advanced features of Microsoft Defender for Endpoint
2. Manage automation settings in Microsoft Defender for Endpoint
Configure advanced features (Part I)
The Advanced features area provides an on/off switch for many features within the product. The following are settings that are automation focused.



Manage automation upload and folder settings

File Content Analysis: Enable the File Content Analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in Automated investigation.

Memory Content Analysis: Enable the Memory Content Analysis capability if you would like Microsoft Defender for Endpoint to automatically investigate memory content of processes. When enabled, memory content might be uploaded to Microsoft Defender for Endpoint during an Automated investigation.

Automation folder exclusions: Automation folder exclusions allow you to specify folders that the Automated investigation will skip. You can control the following attributes about the folder that you'd like to be skipped:
• Folders
• Extensions of the files
• File names



Configure automated investigation and remediation
capabilities

1 Full - remediate threats automatically

2 Semi - require approval for any remediation

3 Semi - require approval for core folders remediation

4 Semi - require approval for non-temp folders remediation

5 No automated response



Block at risk devices with Microsoft Endpoint Manager

1 Turn on the Microsoft Intune connection from Microsoft 365 Defender portal

2 Turn on the Defender for Endpoint integration in Endpoint Manager

3 Create the compliance policy in Endpoint Manager

4 Assign the policy

5 Create an Azure AD Conditional Access policy



Chapter 2, Lesson 7
Configure for Alerts and Detections

Introduction

After completing this module, you will be able to:

1. Configure alert settings in Microsoft Defender for Endpoint
2. Manage indicators in Microsoft Defender for Endpoint
Configure advanced features (Part II)

The Advanced features area provides an on/off switch for many features within the product. The following are settings that are alert and detection focused.



Configure advanced features (continued)

Microsoft Defender for Identity integration

Office 365 Threat Intelligence connection

Microsoft Defender for Cloud Apps

Microsoft Intune connection

Microsoft Secure Score



Configure Email notifications



Manage alert suppression
You can create suppression rules for specific alerts known to be innocuous, such as known
tools or processes in your organization. You can use the examples in the following table to
help you choose the context for a suppression rule:

Context: Suppress alert on this device
Definition: Alerts with the same alert title and on that specific device only will be suppressed. All other alerts on that device will not be suppressed.
Example scenarios:
• A security researcher is investigating a malicious script that has been used to attack other devices in your organization.
• A developer regularly creates PowerShell scripts for their team.

Context: Suppress alert in my organization
Definition: Alerts with the same alert title on any device will be suppressed.
Example scenarios:
• A benign administrative tool is used by everyone in your organization.



Manage Indicators
Indicator of compromise (IoC) matching is an essential feature in every endpoint protection
solution. This capability gives SecOps the ability to set a list of detection indicators and to
use them for blocking (prevention and response).

IoC type: Available actions
• Files: Allow, Audit, Block and remediate
• IP addresses: Allow, Audit, Block execution
• URLs and domains: Allow, Audit, Block execution
• Certificates: Allow, Block and remediate
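The response actions from Lesson 4 (isolate a device, collect an investigation package) and the indicator actions in the table above are all exposed through the Defender for Endpoint REST API, which is how they are driven from a SOAR playbook rather than the portal. The script below is an added example and is not part of the course deck or of Microsoft's samples. It assumes an Azure AD app registration granted the WindowsDefenderATP application permissions Machine.Read.All, Machine.Isolate, Machine.CollectForensics and Ti.ReadWrite, with the tenant ID, app ID and client secret supplied through environment variables; the hostname, ticket reference and indicator values are constructed (the file hash is the EICAR antivirus test file, chosen because it is harmless and universally recognised).

```powershell
# Added example (not from the course deck). Runs two of this chapter's workflows through the
# Defender for Endpoint REST API instead of the portal: device response actions (isolate,
# collect investigation package) and custom indicators (IoCs). Assumptions not on the slides:
# an Azure AD app registration granted the WindowsDefenderATP application permissions
# Machine.Read.All, Machine.Isolate, Machine.CollectForensics and Ti.ReadWrite, with tenant ID,
# app ID and client secret supplied in the environment variables below.

$TenantId  = $env:MDE_TENANT_ID
$AppId     = $env:MDE_APP_ID
$AppSecret = $env:MDE_APP_SECRET
$ApiBase   = 'https://api.securitycenter.microsoft.com/api'
$script:Token = $null

function Get-MdeToken {
    # OAuth2 client-credentials flow; the token is scoped to the Defender for Endpoint API.
    $body = @{ client_id = $AppId; client_secret = $AppSecret; grant_type = 'client_credentials'
               scope = 'https://api.securitycenter.microsoft.com/.default' }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body).access_token
}

function Invoke-Mde {
    param([string]$Method = 'Get', [Parameter(Mandatory)][string]$Path, $Body)
    if (-not $script:Token) { $script:Token = Get-MdeToken }
    $call = @{ Method = $Method; Uri = "$ApiBase/$Path"
               Headers = @{ Authorization = "Bearer $script:Token"; 'Content-Type' = 'application/json' } }
    if ($Body) { $call.Body = $Body | ConvertTo-Json -Depth 5 }
    Invoke-RestMethod @call
}

function Wait-MdeAction {
    # Response actions are asynchronous: poll the machine action until it leaves Pending/InProgress.
    param([Parameter(Mandatory)][string]$ActionId, [int]$TimeoutSec = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 15
        $action = Invoke-Mde -Path "machineactions/$ActionId"
    } while (($action.status -in 'Pending', 'InProgress') -and (Get-Date) -lt $deadline)
    $action
}

# ---- Response actions ("Explain device actions" / "Collect investigation package") ----
$hostName = 'ws-finance-07.contoso.local'   # constructed; take the real name from the device inventory
$device = (Invoke-Mde -Path "machines?`$filter=computerDnsName eq '$hostName'").value | Select-Object -First 1
if (-not $device) { throw "Device '$hostName' not found in the Defender for Endpoint inventory." }

# Full isolation drops all traffic except the sensor's own channel, so the package
# collection and live response keep working on the isolated host.
$isolate = Invoke-Mde -Method Post -Path "machines/$($device.id)/isolate" -Body @{
    Comment       = 'IR-1234: suspected LSASS credential dumping, isolating pending triage'   # constructed ticket reference
    IsolationType = 'Full'
}
Wait-MdeAction -ActionId $isolate.id | Select-Object type, status, creationDateTimeUtc

$collect = Invoke-Mde -Method Post -Path "machines/$($device.id)/collectInvestigationPackage" -Body @{
    Comment = 'IR-1234: preserve autoruns, processes, network and event logs before remediation'
}
if ((Wait-MdeAction -ActionId $collect.id).status -eq 'Succeeded') {
    # The package is a ZIP behind a short-lived SAS URL; pull it into case storage straight away.
    $uri = (Invoke-Mde -Path "machineactions/$($collect.id)/getPackageUri").value
    Invoke-WebRequest -Uri $uri -OutFile "$env:TEMP\IR-1234-$hostName.zip"
}

# ---- Indicators ("Manage Indicators") ------------------------------------------------
# API action names for the slide's IoC table (the API also accepts Alert, AlertAndBlock and Warn).
$AllowedActions = @{
    FileSha256            = 'Allowed', 'Audit', 'BlockAndRemediate'
    IpAddress             = 'Allowed', 'Audit', 'Block'
    DomainName            = 'Allowed', 'Audit', 'Block'
    Url                   = 'Allowed', 'Audit', 'Block'
    CertificateThumbprint = 'Allowed', 'BlockAndRemediate'
}

function New-MdeIndicator {
    param(
        [Parameter(Mandatory)][string]$Value,
        [Parameter(Mandatory)][ValidateSet('FileSha256', 'IpAddress', 'DomainName', 'Url', 'CertificateThumbprint')][string]$Type,
        [Parameter(Mandatory)][string]$Action,
        [Parameter(Mandatory)][string]$Title,
        [ValidateSet('Informational', 'Low', 'Medium', 'High')][string]$Severity = 'Medium',
        [int]$DaysValid = 30   # always set an expiry; indicators without one outlive the incident
    )
    if ($Action -notin $AllowedActions[$Type]) { throw "Action '$Action' is not valid for indicator type '$Type'." }
    Invoke-Mde -Method Post -Path 'indicators' -Body @{
        indicatorValue = $Value; indicatorType = $Type; action = $Action; title = $Title
        severity       = $Severity; description = "Created by IR automation for $Title"
        expirationTime = (Get-Date).ToUniversalTime().AddDays($DaysValid).ToString('o')
    }
}

# Constructed sample values: the hash is the EICAR antivirus test file, the domain is a placeholder.
New-MdeIndicator -Type FileSha256 -Value '275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f' `
                 -Action BlockAndRemediate -Title 'IR-1234 dropper' -Severity High
New-MdeIndicator -Type DomainName -Value 'c2-staging.example.com' -Action Block -Title 'IR-1234 C2 domain' -DaysValid 14
```

Two points worth carrying into a real playbook: the RBAC roles and device groups from Lesson 1 apply to the API identity exactly as they do to a portal user, so an app that is only meant to isolate workstations should be granted access to that device group alone; and every indicator carries an expiry, because a block indicator without one is the most common way a long-closed incident keeps breaking production months later.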



Chapter 2, Lesson 8
Utilize Microsoft Defender Vulnerability Management

Introduction

After completing this module, you will be able to:

1. Describe Vulnerability Management in Microsoft Defender for Endpoint
2. Identify vulnerabilities on your devices with Microsoft Defender for Endpoint
3. Track emerging threats in Microsoft Defender for Endpoint
Explain Threat and Vulnerability Management
Defender Vulnerability Management uses built-in and agentless scanners to continuously monitor
and detect risk in your organization even when devices aren't connected to the corporate network.



Explore vulnerabilities on your devices
Vulnerability Management Navigation pane
Area Description

Dashboard Get a high-level view of the organization exposure score, threat awareness, Microsoft
Secure Score for Devices, top security recommendations, top remediation activities, and
top exposed device data.
Recommendations See the list of security recommendations and related threat information. When you select
an item from the list, a flyout panel opens with vulnerability details, a link to open the
software page, and remediation and exception options. You can also open a ticket in
Intune if your devices are joined through Azure Active Directory and you've enabled your
Intune connections in Defender for Endpoint.
Remediation See remediation activities you've created and recommendation exceptions.
Inventories Discover and assess all your organization's assets in a single view.
Weaknesses See the list of common vulnerabilities and exposures (CVEs) in your organization.
Event timeline View events that may impact your organization's risk.
Baselines assessment Monitor security baseline compliance and identify changes in real-time.



Remediation steps

● Select recommendation
● Submit request
● Review requests



End of Chapter 2
