Chapter 02 Mitigate Threats Using Microsoft Defender For Endpoint
• When a threat is detected, alerts are created in the system for an analyst to investigate. Alerts
with the same attack techniques or attributed to the same attacker are aggregated into an
entity called an incident. Aggregating alerts in this manner makes it easy for analysts to
investigate and respond to threats collectively.
• Inspired by the "assume breach" mindset, Defender for Endpoint continuously collects
behavioral cyber telemetry. This includes process information, network activities, deep optics
into the kernel and memory manager, user sign-in activities, registry and file system changes,
and others.
Windows
macOS
Linux
Android
iOS
● Control who can take specific actions:
  ○ Create custom roles and control what Defender for Endpoint capabilities they can access with granularity.
● Control who can see information on a specific device group or groups:
  ○ Create device groups by specific criteria such as names, tags, domains, and others, then grant role access to them using a specific Azure Active Directory (Azure AD) user group.
Permission options:
• View data
• Active remediation actions
• Alerts investigation
• Manage portal system settings
• Manage security settings in Security Center
• Live response capabilities
Limit access to related alerts and data to specific Azure AD user groups with assigned RBAC roles.
Assign specific remediation levels to apply during automated investigations.
In an investigation, filter the Devices list to just specific device groups by using the Group filter.
Set the automated remediation level for that group.
Select the Azure AD user group that should have access to the device group.
Rank the device group relative to other groups after it is created.
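As an added illustration (not part of the course material and not Microsoft's product code) of how device-group rank, automation level and Azure AD group access combine, here is a small Python model. The wildcard-style name matching, the group and tenant names, and the rule that ungrouped devices have no granted access are assumptions of this model, not documented behaviour.

```python
from dataclasses import dataclass
from fnmatch import fnmatch

FULL = "Full - remediate threats automatically"      # two of the portal's levels
NO_AUTOMATED_RESPONSE = "No automated response"

@dataclass(frozen=True)
class DeviceGroup:
    name: str
    rank: int                      # 1 = evaluated first
    name_pattern: str = "*"        # device-name wildcard (assumed matching style)
    domains: tuple = ()            # empty = any domain
    tags: tuple = ()               # empty = any tag
    automation_level: str = NO_AUTOMATED_RESPONSE
    aad_groups: tuple = ()         # Azure AD user groups granted access

@dataclass(frozen=True)
class Device:
    name: str
    domain: str
    tags: tuple = ()

# Lowest-ranked catch-all; no Azure AD group is granted here, so unassigned devices stay hidden (assumption).
UNGROUPED = DeviceGroup("Ungrouped devices", rank=10**9)

def matches(group, device):
    """True when the device satisfies every criterion the group defines."""
    if not fnmatch(device.name.lower(), group.name_pattern.lower()):
        return False
    if group.domains and device.domain.lower() not in {d.lower() for d in group.domains}:
        return False
    return not group.tags or bool(set(group.tags) & set(device.tags))

def assign_group(groups, device):
    """A device lands in the best-ranked group it matches, else the catch-all."""
    for group in sorted(groups, key=lambda g: g.rank):
        if matches(group, device):
            return group
    return UNGROUPED

def can_view(device, analyst_aad_groups, groups):
    """RBAC: an analyst sees the device only through an Azure AD group granted to its device group."""
    return bool(set(analyst_aad_groups) & set(assign_group(groups, device).aad_groups))

# Constructed sample policy: domain controllers get no automated remediation and are
# visible only to tier-3 analysts; corporate workstations are fully automated.
GROUPS = [
    DeviceGroup("Domain controllers", rank=1, tags=("DC",), aad_groups=("SOC-Tier3",)),
    DeviceGroup("Corp workstations", rank=2, name_pattern="ws-*", domains=("corp.example",),
                automation_level=FULL, aad_groups=("SOC-Tier1", "SOC-Tier3")),
]
```

A device that matches both groups (a tagged DC whose name also starts with "ws-") is placed in the rank-1 group, which is why ranking the groups after creation matters.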
Network protection
Scenario: You are a Security Operations Analyst working at a company that is implementing Microsoft 365 Defender solutions. You need to discover devices in your on-premises network.
Task 1: Discover devices
Task 2: Assess and Onboard Unmanaged Devices
Chapter 2
Sub-chapter 4
Performing Actions on a Device
Introduction
Response actions:
• Manage tags
• Initiate Automated Investigation
• Initiate Live Response Session
• Collect investigation package
• Run antivirus scan
• Restrict app execution
• Isolate device
• Contain device
• Consult a threat expert
• Action center
Investigation package contents:
• Autoruns
• Installed programs
• Network connections
• Prefetch files
• Processes
• Scheduled tasks
• Security event log
• Services
• Windows Server Message Block (SMB) sessions
• System information
• Temp directories
• Users and groups
• WdSupportLogs
IP address details: Prevalence (IP worldwide, IP in organization)
5. No automated response
1. Turn on the Microsoft Intune connection from the Microsoft 365 Defender portal
Suppress alert in my organization: Alerts with the same alert title on any device will be suppressed. Example: a benign administrative tool is used by everyone in your organization.
Dashboard: Get a high-level view of the organization exposure score, threat awareness, Microsoft Secure Score for Devices, top security recommendations, top remediation activities, and top exposed device data.
Recommendations: See the list of security recommendations and related threat information. When you select an item from the list, a flyout panel opens with vulnerability details, a link to open the software page, and remediation and exception options. You can also open a ticket in Intune if your devices are joined through Azure Active Directory and you've enabled your Intune connections in Defender for Endpoint.
Remediation: See remediation activities you've created and recommendation exceptions.
Inventories: Discover and assess all your organization's assets in a single view.
Weaknesses: See the list of common vulnerabilities and exposures (CVEs) in your organization.
Event timeline: View events that may impact your organization's risk.
Baselines assessment: Monitor security baseline compliance and identify changes in real time.