# Microsoft Defender

###### tags: `microsoft` `office 365` `defender` `cybersecurity`

## MS Defender for Office 365

* Cloud-based email filtering service
* Protects against unknown malware and viruses and provides zero-day protection
* Real-time protection
* Rich reporting and URL trace capabilities

## Automated investigation and response (AIR)

* Includes a set of security playbooks that can be launched automatically, e.g. when an alert is triggered, or manually from Explorer.
* AIR saves the SOC team time and effort.

### AIR workflow

* An alert is triggered, which initiates a security playbook.
* Depending on the alert and the security playbook, an automated investigation begins immediately. An analyst can also start an automated investigation manually from a value in a report such as Explorer.
* While an automated investigation runs, its scope increases as new related alerts are triggered.
* During and after an automated investigation, details and results are available to view.
* Results include recommended actions for response and remediation.
* A playbook log tracks all investigation activity.
* If your org uses custom reporting tools, you can use the Office 365 Management Activity API to retrieve information about automated investigations and threats.
* Your SOC team reviews the results and recommendations and approves remediation actions.
* Remediation actions are taken only upon approval by your org's SOC team.

#### Remediation actions include:

1. Soft delete email messages or clusters
2. Block URL (time of click)
3. Turn off external mail forwarding
4. Turn off delegation

An org can set fine-grained threat protection at the user, organization, recipient and domain level.

## Safe Attachments

* Protects against unknown malware and viruses and provides zero-day protection to safeguard your messaging system.
* All messages and attachments that don't have a known virus/malware signature are routed to a special (sandbox) environment where MDfO365 uses a variety of ML and analysis techniques to detect malicious intent.
* If no suspicious activity is detected, the message is released for delivery to the mailbox.
* You can create a transport rule (mail flow rule) in the Exchange admin center to bypass Safe Attachments scanning.
* As part of the mail flow rule, modify the message properties to set a message header named `X-MS-Exchange-Organization-SkipSafeAttachmentProcessing`; messages carrying this header skip the Safe Attachments policy. Scope such a rule as narrowly as possible, since every message it matches is delivered unscanned.

## Safe Links

A feature that **proactively protects users from malicious URLs** in a message or in an Office document. Safe Links is available for URLs in the following apps:

* Microsoft 365 Apps for enterprise on Windows or Mac
* Office for the web
* Word, Excel, PowerPoint and Visio on Windows; Office apps on iOS and Android devices
* Microsoft Teams channels and chats

Safe Links is both **client and location agnostic**: the location and device being used do not affect the behavior of wrapped links. It is recommended to apply MDfO365 Safe Links policies to all users in your org.

## Microsoft Defender for Identity

A cloud-based security solution that **leverages your on-prem AD signals to identify, detect, and investigate advanced threats, compromised identities, and malicious insider actions** directed at your organization.

Benefits:

* Monitor users, entity behavior, and activities with learning-based analytics
* Protect user identities and credentials stored in AD
* Identify and investigate suspicious user activities and advanced attacks throughout the kill chain
* Provide clear incident information on a simple timeline for fast triage

![](https://i.imgur.com/yQmEQTY.png)

#### Recon stage detection

* LDAP reconnaissance can be used by attackers to gain critical information about the domain environment.
* This information helps attackers map the domain structure and identify privileged accounts for use later in the attack.
* Microsoft Defender for Identity triggers a detection when a computer performs suspicious LDAP enumeration queries or queries targeting sensitive groups.

#### Compromised credential detection

* A brute-force attack is when an attacker attempts to authenticate with multiple passwords against accounts until a correct password is found, or tries a single password against many accounts in a large-scale password spray that works for at least one of them.
* Once a valid password is found, the attacker logs in with the compromised account.
* Microsoft Defender for Identity detects this when it notices multiple authentication failures over Kerberos or NTLM, or the pattern of a password spray.

#### Lateral movement detection

When attackers attempt to move laterally through your environment using **pass-the-ticket**, a lateral movement technique in which attackers steal a Kerberos ticket from one computer and use it to gain access to another computer by reusing the stolen ticket, Microsoft Defender for Identity detects that the same Kerberos ticket is being used on two (or more) different computers.

#### Domain dominance detection

* One way to establish domain dominance is the **DCShadow attack**.
* This attack is **designed to change directory objects using malicious replication.**
* It can be performed from any machine by registering a rogue domain controller and pushing changes through the replication process.
* In such a scenario, Microsoft Defender for Identity triggers an alert when a machine in the network tries to register as a rogue domain controller.

Note that **Defender won't detect a hash passed on a local resource**.
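The credential-compromise and lateral-movement detections described above can be illustrated with a toy version of their logic run over a handful of constructed authentication events. This is an added example written for these notes, not Defender for Identity's own code or schema: the event fields (`Time`, `Account`, `Computer`, `Result`, `Ticket`), the sample events and the thresholds are assumptions, and the `Ticket` value stands in for the Kerberos ticket that Defender for Identity correlates across hosts.

```powershell
# Added example for these notes, not Defender for Identity code. The event
# shape and the sample data below are constructed; a real sensor reads ticket
# and authentication details from domain controller traffic and event logs.
$T = [datetime]'2024-01-10T09:00:00'
$events = @(
    # A normal user mistyping a password once from their own workstation
    [pscustomobject]@{ Time = $T.AddMinutes(0);  Account = 'alice'; Computer = 'WS01'; Result = 'Failure'; Ticket = $null },
    [pscustomobject]@{ Time = $T.AddMinutes(1);  Account = 'alice'; Computer = 'WS01'; Result = 'Success'; Ticket = 'TGT-alice-7f3a' },
    # Password spray: one host, one attempt per account, many accounts in a short window
    [pscustomobject]@{ Time = $T.AddMinutes(5);  Account = 'bob';   Computer = 'WS09'; Result = 'Failure'; Ticket = $null },
    [pscustomobject]@{ Time = $T.AddMinutes(5);  Account = 'carol'; Computer = 'WS09'; Result = 'Failure'; Ticket = $null },
    [pscustomobject]@{ Time = $T.AddMinutes(6);  Account = 'dave';  Computer = 'WS09'; Result = 'Failure'; Ticket = $null },
    [pscustomobject]@{ Time = $T.AddMinutes(6);  Account = 'erin';  Computer = 'WS09'; Result = 'Failure'; Ticket = $null },
    [pscustomobject]@{ Time = $T.AddMinutes(7);  Account = 'frank'; Computer = 'WS09'; Result = 'Success'; Ticket = 'TGT-frank-91c2' },
    # Pass-the-ticket: alice's ticket, stolen from WS01, presented from WS09
    [pscustomobject]@{ Time = $T.AddMinutes(20); Account = 'alice'; Computer = 'WS09'; Result = 'Success'; Ticket = 'TGT-alice-7f3a' }
)

function Find-PasswordSpray {
    # One password tried against many accounts shows up as failures spread
    # across many distinct accounts from a single computer in a short window.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinAccounts   = 4,    # assumed threshold
        [int] $WindowMinutes = 10    # assumed threshold
    )
    $Events | Where-Object { $_.Result -eq 'Failure' } | Group-Object Computer | ForEach-Object {
        $sorted   = @($_.Group | Sort-Object Time)
        $minutes  = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        $accounts = @($_.Group.Account | Sort-Object -Unique)
        if ($accounts.Count -ge $MinAccounts -and $minutes -le $WindowMinutes) {
            [pscustomobject]@{ Detection = 'Password spray'; Computer = $_.Name; Accounts = $accounts.Count; Minutes = $minutes }
        }
    }
}

function Find-PassTheTicket {
    # The same Kerberos ticket presented from two or more computers. A ticket
    # replayed only on the host it was taken from produces nothing here, which
    # is the same blind spot the note on local activity describes.
    param([Parameter(Mandatory)] [object[]] $Events)
    $Events | Where-Object { $_.Ticket } | Group-Object Ticket | ForEach-Object {
        $hosts = @($_.Group.Computer | Sort-Object -Unique)
        if ($hosts.Count -ge 2) {
            [pscustomobject]@{ Detection = 'Pass-the-ticket'; Account = $_.Group[0].Account; Ticket = $_.Name; Computers = ($hosts -join ', ') }
        }
    }
}

Find-PasswordSpray -Events $events
Find-PassTheTicket -Events $events
```

On the constructed data, `Find-PasswordSpray` reports only WS09 (four distinct accounts failing within one minute; alice's single failure on WS01 stays below the threshold), and `Find-PassTheTicket` reports alice's ticket because it appears on both WS01 and WS09, while frank's ticket, seen on one host only, is not reported. Real thresholds are tuned per environment; the point is that both detections depend on correlating events across accounts or across computers, not on any single event.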
**Defender for Identity does detect a hash that is used from one resource to access another resource or a service.** Similarly to pass-the-hash, **Defender does not know when a ticket is passed based on local client activity**; it detects the activity once the ticket is used to access another resource or service.

Just to emphasize:

* **Safe Attachments** - Protects against unknown malware and viruses by opening attachments in cordoned-off virtual environments to detect malicious behavior.
* **Safe Links** - Provides real-time, time-of-click protection against malicious URLs by wrapping external links in special URLs that check the destination URL for threats before opening it.
* **Click Trace** - Provides rich reporting and URL trace capabilities by keeping a record of every user who has clicked on a Safe Links-wrapped URL.
* **Windows Hello** is a more personal, more secure way to get instant access to your Windows 10 devices using fingerprint or facial recognition.
* **Credential Guard** uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks such as pass-the-hash or pass-the-ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos ticket-granting tickets, and credentials stored by applications as domain credentials.
* **Microsoft Defender Application Guard** is designed for Windows 10 and Microsoft Edge; it isolates enterprise-defined untrusted sites, protecting your company while your employees browse the Internet.
* **Device Guard** is a group of key features designed to harden a computer system against malware. Its focus is preventing malicious code from running by ensuring only known good code can run.
* **Windows Defender Antivirus** delivers comprehensive, ongoing, real-time protection against software threats like viruses, malware and spyware across email, apps, the cloud, and the web.

### ASR

You can use **attack surface reduction (ASR)** rules, managed from the Microsoft 365 Defender portal, to reduce the attack surface of your Windows 10 devices. ASR rules block actions and apps that exploit-seeking malware typically uses to infect machines. In the context of ASR reports:

* Detected file – the file, typically a script or document, whose contents triggered the suspected attack activity
* Rule – the name describing the attack activities the rule is designed to catch
* Source app – the application that loaded or executed the content triggering the suspected attack activity. This could be a legitimate application such as a web browser, an Office application, or a system tool like PowerShell.
* Publisher – the vendor that released the source app

A digital estate is the collection of tangible owned assets such as virtual machines, servers, applications, data, and so on. Essentially, a digital estate is the set of IT assets that power business processes and operations.

## DLP

* Use DLP policies to block the sending of emails that contain bank account information or Social Security numbers, or optionally apply encryption automatically to those messages.
* Use Microsoft Defender for Cloud Apps to block the upload, download, or sharing of sensitive information that resides in a cloud repository.
* Consider applying the Rights Management service (RMS) on the SharePoint library hosting the documents.

There are four key areas for preventing data loss and managing the data lifecycle.

* Detect/Discover. Identify the data you want to protect. To detect sensitive data you can use a content scan, such as the Azure Information Protection (AIP) unified labeling scanner, and define data through data classification.
* Protection.
Consider the range of DLP enforcement actions you can apply to documents and emails containing sensitive information, such as blocking sending, blocking sharing, warning end users, or auditing activity.
* Visibility. Protect sensitive data while keeping it visible for appropriate uses such as:
    * Forensics
    * Risk management reporting
    * Compliance
* Data immunization. When you apply security controls based on classification at the source (the moment of creation), you can:
    * Minimize data exposure time
    * Provide context that helps ensure the data classification is correct

**Defender for Cloud Apps** reports inform you about:

* Users with the most shared files
* Matches from DLP policies
* False positives and overrides of the DLP policies
* Integration of third-party DLP policy matches

**Label analytics** shows:

* How your organization uses retention and sensitivity labels to classify, retain, and protect cloud content.
* How your organization labels content, including frequently used labels, who has applied them, which emails and files they're applied to, and more.

**Azure Information Protection analytics** helps you track adoption of your data classification labels. It also enables you to:

* Monitor labeled and protected documents and emails.
* Identify documents that contain sensitive information.
* Monitor user access to labeled documents and emails, and track document classification changes.
* Identify unprotected documents with sensitive information and offer recommendations to mitigate risk.
* Identify when internal or external users access protected documents and whether they were granted access.

## Microsoft 365 Compliance Center

The compliance center home page displays the following sections:

* Assess. Shows how well your organization is doing with respect to data protection and compliance.
* Protect. Contains cards that provide high-level information about labels, data loss prevention, third-party apps in use, shared files, shadow IT apps, and more.
* Respond.
Surfaces alerts and pending dispositions for review and possible action.

Other areas of the Microsoft 365 compliance center can help you gain further insights and protect your data:

* Alerts, to view and resolve alerts.
* Reports, to view data about label usage and retention, DLP policy matches and overrides, shared files, third-party apps in use, and more.
* Classification, to access your labels, label policies, sensitive information types, and label analytics.
* Policies, to view alerts and to access your DLP and retention policies.
* Solutions, which contains links to your organization's compliance solutions, including:
    * Data governance > Dispositions
    * eDiscovery
    * Supervision
    * Data investigations
    * Data subject requests
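The Safe Attachments section above describes bypassing the scan with a mail flow rule that sets the `X-MS-Exchange-Organization-SkipSafeAttachmentProcessing` header. The following is an added example for these notes, not Microsoft's own code: it creates such a rule with tight conditions and then audits the tenant for every rule that sets the header. It assumes an Exchange Online PowerShell session (the `ExchangeOnlineManagement` module) with rights to manage mail flow rules; the rule name, sender domain and IP address are placeholders.

```powershell
# Added example for these notes, not Microsoft code. Assumes the
# ExchangeOnlineManagement module and an account allowed to manage mail flow
# rules. The rule name, sender domain and IP address below are placeholders.
Connect-ExchangeOnline

$skipHeader = 'X-MS-Exchange-Organization-SkipSafeAttachmentProcessing'

# 1. A narrowly scoped bypass: only mail from one sender domain, and only when
#    the connecting IP is the approved relay, skips Safe Attachments. A rule
#    with this action and no condition would deliver every message unscanned.
New-TransportRule -Name 'Skip Safe Attachments - approved relay' `
    -SenderDomainIs 'example.com' `
    -SenderIpRanges '203.0.113.10' `
    -SetHeaderName $skipHeader `
    -SetHeaderValue 'true' `
    -Mode Enforce `
    -Comments 'Approved exception; review quarterly'

# 2. Audit: every rule that sets this header weakens Safe Attachments for each
#    message it matches, so list them with their plain-text conditions.
Get-TransportRule |
    Where-Object { $_.SetHeaderName -eq $skipHeader } |
    Select-Object Name, State, Mode, WhenChanged, Description
```

Exchange strips `X-MS-Exchange-Organization-*` headers from mail entering the organization from outside, so an external sender cannot add the bypass header themselves; only a mail flow rule in the tenant can. That makes step 2 worth running on a schedule: a rule that sets this header with broad or missing conditions, whether created by mistake or by someone with compromised admin access, silently turns Safe Attachments off for the messages it matches. `Description` prints the rule's conditions and actions in readable form, which is usually enough to judge whether the scope is still justified.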