Endpoint Detection and Response (EDR) or eXtended Detection and Response (XDR)
MICROSOFT DEFENDER FOR ENDPOINT
Why EDR?
Q: What is the event ID for new process creation?
A: By default, process creation and termination do not generate logs.
Q: Should we onboard end-user machine logs?
A: The value we get out of end-user machine logs is not worth the budget it requires to onboard them. Also, several logs are collected from centralized servers like AD, AV server, Web Gateway, DNS etc.
Q: How do we get to know when a local user is created on a computer?
A: SOC won't know. The log will be generated, but it won't reach the SIEM.
Q: If we get to know data exfiltration has happened, can we learn how much data has gone out?
A: No.
LACK OF VISIBILITY or BLINDSPOT on host activities.
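The local-user question above has an answer once an EDR sensor is reporting, because the host event reaches the EDR tenant even when it never reaches the SIEM. The query below is an added example (not from the slides or from Microsoft) written in the advanced-hunting KQL covered later in this deck. DeviceEvents and its ActionType values are real advanced-hunting names that the deck's own table list does not include; the reading of AccountName as the affected account and InitiatingProcessAccountName as the actor is an assumption to confirm against the schema in your tenant.

```kql
// Added example (not from the slides): surface local account creation and local
// group membership changes that a SIEM without host logs would never see.
// Assumption: AccountName = affected account, InitiatingProcessAccountName = actor.
let lookback = 7d;
// 1. Native account events reported by the sensor (DeviceEvents is not on the slide's table list)
let account_events =
    DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("UserAccountCreated", "UserAccountAddedToLocalGroup")
    | project Timestamp, DeviceName, ActionType,
              Account = AccountName,
              Actor = InitiatingProcessAccountName,
              Via = InitiatingProcessFileName,
              Extra = AdditionalFields;        // JSON string with event-specific details
// 2. Fallback on the command line, for the same change done through net.exe / net1.exe
let net_user_commands =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName in~ ("net.exe", "net1.exe")
    | where (ProcessCommandLine has "user" and ProcessCommandLine contains "/add")
         or (ProcessCommandLine has "localgroup" and ProcessCommandLine contains "/add")
    | project Timestamp, DeviceName, ActionType = "NetCommand",
              Account = ProcessCommandLine,     // full command line; the target account is inside it
              Actor = AccountName,
              Via = InitiatingProcessFileName,
              Extra = "";
// Both views in one timeline, newest first
account_events
| union net_user_commands
| order by Timestamp desc
| project Timestamp, DeviceName, ActionType, Account, Actor, Via, Extra
```

Run it from the Advanced Hunting page of the MDE tenant. Rows from the two sources will overlap for the same change; that is intentional, since the sensor event carries the structured account name while the process row carries who typed the command and from which parent process.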
Levels of Scan – for Malware
1. Antivirus – Signature based – Known Malware
2. Threat Intelligence – IOC based – New or Zero-day Malware
3. Sandbox – Behavior based – New or Targeted Malware
Malware Behaviors – example chain: Invoice.pdf → Acrobat.exe → imhts.exe
• Start/Stop/Cross-process Injection: Acrobat.exe spawns imhts.exe
• Network Activity (C2 communication): 20.30.40.50, https://callhome.cg/winxupdater
• Creating/Modifying/Deleting Files: Download winxupdater.exe to C:\Users\AppData\Local\Temp\winxupdater.exe
• Create/Modify/Delete Registry Keys or Values: Modify registry key to disable AV
• Persistence Mechanisms: Put C:\Users\AppData\Local\Temp\winxupdater.exe in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
EDR
• EDR → Endpoint Detection & Response
• Detection of new/unknown malware in real-time
• Based on the behaviors exhibited by the file:
Creating/Modifying/Deleting Files
Start/Stop/Cross-process Injection
Create/Modify/Delete Registry Keys or Values
Network Activity (C2 communication)
Persistence Mechanisms
• Detection happens using the AI/ML models
• Through EDR we can also Respond to (remediate) malware:
Stop execution of a file
Isolate machine
Get file (without remote session)
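The behaviours listed above are exactly what an EDR records, so the Invoice.pdf chain can be hunted for after the fact. The following is an added example (not from the slides or from Microsoft) in MDE advanced-hunting KQL: it stitches the three behaviours of the scenario (document reader spawning a Temp binary, that path written into a Run key, outbound traffic from the Temp binary) on the same device. DeviceProcessEvents and DeviceRegistryEvents are on the deck's table list; DeviceNetworkEvents is a real advanced-hunting table the deck does not list. The parent-process names and the one-hour window are assumptions.

```kql
// Added example (not from the slides): hunt for the Invoice.pdf -> Acrobat.exe -> Temp binary -> Run key -> C2 chain.
let lookback = 7d;
// 1. Cross-process start: a document reader or Office app launching something from a user Temp folder
let dropped_and_run =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName in~ ("Acrobat.exe", "AcroRd32.exe", "winword.exe", "excel.exe")  // assumed parent list
    | where FolderPath contains @"\AppData\Local\Temp"
    | project Timestamp, DeviceId, DeviceName,
              Parent = InitiatingProcessFileName, Child = FileName, Path = FolderPath, ProcessCommandLine;
// 2. Persistence: a Temp path written into a CurrentVersion\Run value
let run_key_persistence =
    DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "RegistryValueSet"
    | where RegistryKey contains @"\Microsoft\Windows\CurrentVersion\Run"
    | where RegistryValueData contains @"\AppData\Local\Temp"
    | project DeviceId, RunKeyTime = Timestamp, RegistryKey, RegistryValueName, RegistryValueData,
              Writer = InitiatingProcessFileName;
// 3. C2: outbound connection initiated by a binary living in Temp
let callhome =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFolderPath contains @"\AppData\Local\Temp"
    | project DeviceId, C2Time = Timestamp, RemoteIP, RemoteUrl, RemotePort, Caller = InitiatingProcessFileName;
// Stitch the behaviours on the same device: the Run key must be written within an hour of the spawn
dropped_and_run
| join kind=inner run_key_persistence on DeviceId
| where RunKeyTime between (Timestamp .. (Timestamp + 1h))
| join kind=leftouter callhome on DeviceId          // C2 is optional evidence, so keep rows without it
| order by Timestamp desc
| project Timestamp, DeviceName, Parent, Child, Path, Writer, RegistryValueName, RegistryValueData, RemoteIP, RemoteUrl, RemotePort
```

The inner join on the Run key is what keeps the result small: a reader spawning a Temp executable alone is noisy (installers and updaters do it), but the same path landing in a Run key within the hour is the combination the slide describes.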
EDR vs XDR
EDR works at Endpoint layer only
XDR works at Endpoint, Network, Identity Management, Email and Cloud layers
Most vendors fall in between the 2 capabilities
General EDR/XDR Architecture (diagram)
• Sensor/Agent on the endpoint: Observe Behavior; sends Telemetry to the cloud; receives Alerts and Response Actions
• Cloud based EDR Manager (Company Instance): AI Based detection logics
• Admin Console: receives Alert/Incident Info; used for Monitoring, Analysis, Hunting
How it relates to SOC?
• XDR is monitored by SOC team (besides SIEM).
• XDR gives greater visibility into host activities.
• Helps in investigating suspicious/malicious activities on a host (without needing other teams & tools, or end-user participation).
• Helps the SOC team take remediation actions quickly (the R part of XDR).
• XDR can be an effective threat hunting tool.
Microsoft Defender for Endpoint
Azure Architecture
Microsoft Azure Portal – https://portal.azure.com
More than 200 products and cloud services:
• Active Directory
• Virtual Machines
• Databases
• Firewall
• WAF
• Sentinel (SIEM)
Microsoft Endpoint Manager – https://endpoint.microsoft.com
Management platform to manage all cloud and on-premises endpoints and servers. Used for managing some configuration (Traditional capabilities) of MDE.
MDE Tenant – https://security.microsoft.com
MDE Console: Administration + Monitoring and Analysis
MDE Architecture (diagram)
• Microsoft Azure hosts Microsoft Endpoint Manager and the MDE Tenant
• Microsoft Endpoint Manager – Configuration Mgmt., Deployment Policy, Sensor deployment; operated by the Endpoint Security Engineer
• MDE Tenant – Monitoring & Analysis; used by the SOC Analyst
• On-prem Infra – Telemetry from the onboarded endpoints reaches the MDE Tenant; Alerts are raised for the SOC Analyst
Microsoft Defender for Endpoint – capabilities (diagram)
• Typical AV features | Signature based detection | Heuristic based detection | Host firewall
• Asset visibility | Intelligent Assessments | Built-in Remediation | Breach likelihood prediction
• Observe & record what is happening in the machine | Passed on to MDE Tenant in Cloud
• Whitelisting of application – Only trusted apps can run or make modification to critical files | Hardening | Block certain application behaviors
• Isolation | Quarantining | Investigation package | Restrict app execution | Run a scan | Live Response Session
MDE – Configuration Management
MDE configuration is done through Microsoft Endpoint Manager
MDE – Configuration from Endpoint Manager (screenshots)
• The typical AV settings
• BitLocker Configuration (Not related to EDR)
• Control settings of Host Firewall
MDE for Monitoring and Analysis
Incidents
What you see: an Incident groups its related Alerts.
What you can do – Manage Incident:
• Assign to
• Status → Active, In Progress, Resolved
• Classification
• Comment
Alerts
What you see – Alert Story: holds all relevant information about the triggered alert, like:
• Alert Name
• File name
• Hash value
• Size
• VT detection ratio
• Threat Name
• Remediation Status
What you can do – Manage Alert:
• Status → New, In Progress, Resolved
• Assign to
• Classification
• Comment
Other alert actions:
• See in Timeline
• Create Suppression Rule
• Link alert to another Incident
• Open File Page
• Add Indicator
• Download File
• Submit for Deep Analysis (Sandbox)
• Stop and Quarantine File
Alert Story and Alert Actions (screenshots: what you see / what you can do)
Submit for Deep Analysis
The selected file will be analyzed in Microsoft’s Sandbox. Once analyzed it gives details about the behaviors and observables.
Device Page
What you see:
• Device Summary – OS | IP | Open Incidents | Exposure Level | Risk Level | Logged on User | Security Intelligence updates
• Discovered Vulnerabilities
• Software Inventory
• Security Recommendations
What you can do:
• Go Hunt
• Isolate Device
• Restrict App Execution
• Run Antivirus scan
• Collect Investigation Package
• Initiate Live Response Session
• Initiate Automated Investigation
Take response actions on a device
https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/respond-machine-alerts?view=o365-worldwide
Isolate Device
This device isolation feature disconnects the compromised device from the network while retaining connectivity to the Defender
for Endpoint service, which continues to monitor the device.
On Windows 10, version 1709 or later, you'll have more control over the network isolation level.
You can also choose to enable Outlook, Microsoft Teams, and Skype for Business connectivity (a.k.a 'Selective Isolation').
End user will see this notification
Investigation Package
Folder – Description
• Autoruns – Contains a set of files that each represent the content of the registry of a known auto start entry point (ASEP) to help identify attacker's persistency on the device.
• Installed programs – This .CSV file contains the list of installed programs that can help identify what is currently installed on the device.
• Network connections – ActiveNetConnections.txt, Arp.txt, DnsCache.txt, IpConfig.txt, FirewallExecutionLog.txt, pfirewall.log
• Prefetch files – Windows Prefetch files are designed to speed up the application startup process. It can be used to track all the files recently used in the system and find traces for applications that might have been deleted but can still be found in the prefetch file list.
• Processes – Contains a .CSV file listing the running processes and provides the ability to identify current processes running on the device. This can be useful when identifying a suspicious process and its state.
• Scheduled tasks – Contains a .CSV file listing the scheduled tasks, which can be used to identify routines performed automatically on a chosen device to look for suspicious code that was set to run automatically.
• Security event log – Contains the security event log, which contains records of login or logout activity, or other security-related events specified by the system's audit policy.
• Services – Contains a .CSV file that lists services and their states.
• Windows Server Message Block (SMB) sessions – Lists shared access to files, printers, and serial ports and miscellaneous communications between nodes on a network. This can help identify data exfiltration or lateral movement.
• System Information – Contains a SystemInformation.txt file that lists system information such as OS version and network cards.
• Temp Directories – Contains a set of text files that lists the files located in %Temp% for every user in the system. This can help to track suspicious files that an attacker may have dropped on the system.
• Users and Groups – Provides a list of files that each represent a group and its members.
• WdSupportLogs – Provides the MpCmdRunLog.txt and MPSupportFiles.cab
• CollectionSummaryReport.xls – This file is a summary of the investigation package collection; it contains the list of data points, the command used to extract the data, the execution status, and the error code if there is failure.
• Initiate from Device Page
• Download from Action Center
Live Response
Live response is a capability that gives you instantaneous access to a device by using a remote shell connection. This gives you the
power to do in-depth investigative work and take immediate response actions to promptly contain identified threats in real time.
Live response is designed to enhance investigations by enabling you to collect forensic data, run scripts, send suspicious entities for
analysis, remediate threats, and proactively hunt for emerging threats.
Commands supported by live response: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/live-response?view=o365-worldwide
Auto Investigation
• Automation works on AI based playbooks.
• Automation levels
Not protected
Semi - require approvals for all folders
Semi - require approvals for non-temp folders
Semi - require approvals for core folders
Full - remediate threats automatically
• All automated investigations will be listed.
• Each Investigation has an Investigation Graph – Entities Analyzed, Machines Involved, Pending approval
• Pending Actions → Approve, Decline (can be done individually or in bulk)
MDE – Analyst Actions (MDE → Incidents → Alerts)
Manage Alert
1. Status → New, In Progress, Resolved
2. Assign to
3. Classification
4. Comment
Alert Story
1. Process Tree
See in timeline
1. Activities before and after the suspicious/malicious event
File Page
1. Add Indicator
2. Download File
3. Submit for Deep Analysis (Sandbox)
4. Stop and Quarantine File
Device Page
1. Go Hunt
2. Isolate Device
3. Restrict App Execution (Put device into safe mode)
4. Run Antivirus scan
5. Collect Investigation Package
6. Initiate Live Response Session
7. Initiate Automated Investigation
Auto Investigations
1. Pending Action
MDE - Alerts
1. Office process dropped and executed a PE file
2. Windows defender AV detected Malware_Name malware
3. Suspicious process injection observed
4. Suspicious service registration
5. Multiple threat families detected on one endpoint
6. Unexpected behaviour observed by a process run with no command line argument
7. An anomalous scheduled task was created
8. Suspicious task scheduler activity
9. 'Malware_Name' malware was detected
10. PowerShell dropped a suspicious file on the machine
11. Suspicious behaviour by Microsoft Word was observed
12. 'ApplicationName' unwanted software was prevented
13. Detecting users adding themselves to local administrators group with details
14. Startup Registry Key MITRE ATT&CK T1060
15. Horizontal port scan initiated
16. Suspicious System Network Connections Discovery
17. Suspicious LDAP query
MDE
Advanced Hunting
Advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data.
Kusto Query Language (KQL) is used for querying.
KQL Command – Splunk Equivalent
where – search
extend – eval
summarize – stats
project – table
render – chart
order – sort
distinct – dedup
Important Tables (schema) and Field Names
AlertInfo
DeviceInfo
DeviceFileEvents
DeviceProcessEvents
DeviceRegistryEvents
DeviceNetworkInfo
You can use the same threat-hunting queries to build custom detection rules. These rules run automatically to check for and then
respond to suspected breach activity, misconfigured machines, and other findings.
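Two added example queries (not from the slides or from Microsoft) tie the operator mapping above to the tables it lists and to the "custom detection" sentence. Query 1 uses every operator in the KQL/Splunk mapping once, over DeviceProcessEvents, to baseline which child processes Office applications launch and on how many devices. Query 2 reshapes the hunt into the form a custom detection rule needs, using DeviceFileEvents to catch the "PowerShell dropped a suspicious file" pattern from the alert list; a detection-rule query must return Timestamp, DeviceId and ReportId so the portal can link each hit to the source event. The Office process names, the `\Users\` location filter and the extensions are assumptions; run each query separately in the Advanced Hunting editor.

```kql
// Query 1 – added example: operator walk-through (where, extend, distinct, summarize, order, project, render)
DeviceProcessEvents
| where Timestamp > ago(30d)                                       // where  (Splunk: search); 30 days is the hunting window on the slide
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")   // assumed parent list
| extend Parent = tolower(InitiatingProcessFileName),              // extend (Splunk: eval)
         Child = tolower(FileName)
| distinct DeviceId, Parent, Child                                 // distinct (Splunk: dedup): one row per device/parent/child
| summarize Devices = count() by Parent, Child                     // summarize (Splunk: stats): device count per pair
| order by Devices asc                                             // order (Splunk: sort): rare pairs first, they are the outliers
| project Pair = strcat(Parent, " > ", Child), Devices             // project (Splunk: table)
| render barchart with (xcolumn = Pair, ycolumns = Devices)        // render (Splunk: chart)

// Query 2 – added example: custom detection rule shape for "PowerShell dropped a suspicious file"
// The rule query must return Timestamp, DeviceId and ReportId; the rest are analyst context.
DeviceFileEvents
| where Timestamp > ago(1h)                                        // detection rules run on a schedule, so a short window is enough
| where ActionType == "FileCreated"
| where InitiatingProcessFileName in~ ("powershell.exe", "pwsh.exe")
| where FileName endswith ".exe" or FileName endswith ".dll" or FileName endswith ".ps1"
| where FolderPath contains @"\Users\"                             // assumed: user-writable locations only, cuts admin-script noise
| project Timestamp, DeviceId, ReportId, DeviceName, FileName, FolderPath, SHA256,
          InitiatingProcessAccountName, InitiatingProcessCommandLine
```

The `distinct` before `summarize` in Query 1 is deliberate: counting rows would rank noisy machines, whereas counting devices ranks how unusual a parent/child pair is across the estate. Query 2 is the same style of filter, but its `project` keeps the three mandatory columns first; the SHA256 it returns is what you would feed into "Add Indicator" on the File Page.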
MDE
Administration
MDE - Settings
Data Retention – The default data retention in MDE tenant is 180 days.
Advanced Features – Discussed in further slides
Roles - Different roles can be created to give different access to different teams
The usual roles created include: Security Analyst, Senior Security Analyst, MDE Admin
Device Groups – A group of computers having common features like location, OS, department etc. can be
grouped together in Device Group. It will help in applying different automation levels to different groups.
Indicators – All the indicators (file, IP, URL/Domain) will be appearing here
Onboarding/Offboarding – Discussed in further slides
Onboarding
Deployment Planning
POC/Evaluation – 5 – 50 devices (different platform) – Test by enabling all important features; Different method of deployment
Pilot Deployment – 200 – 500 devices – Issues that can occur
Organization wide rollout – All possible devices – Based on the learnings from POC and Pilot deployment
Consideration before deployment
• Endpoint count & Server Count
• Platforms (operating systems)
• Windows, Linux, Mac
• Deployment and management by?
• GPO, SCCM, Microsoft Endpoint Manager
Onboarding
Deployment Steps
Step 1. Select target platform (OS)
Step 2. Select Deployment Method
Step 3. Download onboarding package and install using the selected deployment method
Advanced Features
Additional Resources
Become a Microsoft Defender for Endpoint Ninja (watch the Security Operations Fundamental, Intermediate and Expert videos)
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/become-a-microsoft-defender-for-endpoint-ninja/ba-p/1515647#_Toc45281213
Short & sweet educational videos on Microsoft Defender for Endpoint
https://techcommunity.microsoft.com/t5/microsoft-defender-vulnerability/short-amp-sweet-educational-videos-on-microsoft-defender-for/ba-p/1021978
Ninja Show
https://adoption.microsoft.com/en-us/ninja-show/
MDE Trial
https://aka.ms/MDETrial
Log Analytics demo for KQL Practice
https://aka.ms/lademo
Additional Resources
• Design of the service architecture for endpoint detection and response service using / utilizing Microsoft Defender Portfolio (Microsoft Defender for
Endpoint, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Defender for Cloud App).
• Must have strong knowledge in Windows Server, Windows Client, Active Directory and/or Azure Active Directory.
• Performing migration of legacy endpoint security technologies to Microsoft technology stack for all the endpoint security modules of a suite (Endpoint
detection and response, Antivirus, DLP, Encryption)
• Must have working knowledge on MS Defender for Cloud (Security Center) and MS Admin Center.
• Must have device(s) onboarding and off-boarding experience.
• Must have experience on AIR (Automated Investigations and Remediation) based on the alerts received.
• Must have knowledge on Attack Surface Reduction (ASR) capabilities for the alerts received.
• Integration of EDR with Customer’s Incident Response processes.
• Performing Threat Hunting and EDR assessments.
• Developing EDR strategic advisory and roadmap for Clients
• Supporting Sales related activities such as Proof-of-Concept, proposal presentations, Due-Diligence, solution campaigns, etc.
• Connect with other EDR colleagues through collaboration and mentoring.
• Defining maturity model and conducting maturity assessments.