Join Pete Zerger for an in-depth discussion in this video Taking response actions in Defender ATP, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Instructor] Windows Defender Advanced Threat Protection, or ATP, is a cloud service that includes a portal where we can investigate alerts that are affecting our network, what they mean, and how to resolve them. We'll start by browsing to the Windows Defender ATP portal at securitycenter.windows.com and logging in with our KinetEco Energy Azure AD user account. This will bring me to the Security operations dashboard in the Windows Defender ATP portal. I'm going to select a recent alert related to suspected credential theft activity.
It appears as if someone has installed Mimikatz on a workstation in our environment, a tool commonly associated with credential theft. Now, in the Windows Defender ATP portal, we can quickly respond to the detected attacks by taking actions on suspicious files or on the compromised machines where they reside. We're going to look at file actions and machine actions in Defender ATP. So I'll begin by clicking on Mimikatz in the alert process tree, which will take me to the details of the file.
So I'm going to see some file metadata, but I also have a File actions menu. You'll notice here the Stop and Quarantine action, which will stop running processes, quarantine the files, and delete persistence, such as registry keys. This action takes effect on Windows 10 machines where the file was observed in the last 30 days, and when I select Stop and Quarantine, I'll be prompted for a reason, and then I can submit by clicking the Yes, stop and quarantine option.
You'll also notice the Block File option, and in my case the Block File option is unavailable. That's because Block File is not enabled by default, so I'll click the wrench here, which takes me to the settings page where I enable this feature, and I notice here it mentions that Windows Defender must be turned on, and cloud-based protection within Defender enabled in my organization, in order to use that feature. You'll also notice some other features, such as Skype integration and Office 365 Threat Intelligence integration, for connecting with users more quickly or, in the case of Office 365, stretching my security investigations across Windows machines and into mailboxes.
Now, if your organization uses Windows Defender Antivirus and cloud-based protection is enabled, we can prevent further propagation of an attack by blocking potentially malicious files, or suspected malware, from being read, written, or executed while we're investigating. When a file is blocked, there'll be a new event in the machine timeline, and a toast notification will be presented to the user on the affected workstation. Now I'll return to my File view, and here you'll see there's a Deep analysis option, which is available in Defender ATP to submit executable files for deeper analysis.
So you can see that I've previously hit the Submit button and already received a deeper analysis of this file, and the details are right here. I can click on the plus symbol to expand the description, and you'll notice here I'm given a list of behaviors, some of which can indicate malicious activities, as well as observables, which include contacted IP addresses and files that are created on disk. When the sample is collected and submitted, Windows Defender ATP runs the file in a secure environment, and it creates this detailed report of observed behaviors and associated artifacts, such as files dropped on machines, communications to external IPs, and registry modifications.
A progress bar is displayed for the different stages of analysis, and then, once it's available, we get the Results available message that you see here. Sample collection time can definitely vary, depending on whether or not a machine is online. There is a three-hour timeout limit at present. So let's pivot and talk about machine actions. I'll go back to my Alert view here, and you'll notice in the Alert context box I also have links to my computer and my user, so I'm going to click on the desktop here, and we're going to have a look at machine actions, and there are a few machine actions available to me.
So, for example, I can Manage tags, which allows me to group machines. Machine group affiliation can represent geographic locations, specific activities, importance level, really anything I define. Grouping machines with similar attributes can be handy when you need to apply a contextual action to a specific list of machines. With the Collect investigation package option, as part of an investigation or response, we can gather a package from a machine for our own analysis.
The package will contain several folders. It's going to have autoruns, processes, scheduled tasks, the security event log, temporary directories, and a list of users and groups. So, quite a bit of information to assist in looking at the current state of that machine. If I have Windows Defender actively running, I should see, in many cases, an option to initiate an Antivirus scan as well. And, perhaps most interestingly, the Isolate machine option: when I select the Isolate machine option, this will actually isolate this workstation from the network entirely.
It will only remain connected to the Windows Defender ATP service, so it's effectively quarantining the machine while I perform my investigation. So I'll supply a comment. In this case, I'm currently investigating, and when my investigation is complete and I'm confident this machine has been restored to normal health, I can actually come back and reverse that flow. So, as you can see, Windows Defender is another layer of security that can be immensely helpful in post-breach scenarios.
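The same isolate, collect-investigation-package and release flow can be driven from a script instead of the portal, which matters when you need to act on several machines at once or record every action with a comment for the case file. The PowerShell below is an added example, not code from the course or from Microsoft; it assumes an Azure AD app registration granted the Defender ATP application permissions for isolating machines and collecting forensics, uses the API hostname that matches the securitycenter.windows.com portal shown in the video (the hostname, the token endpoint form and the request bodies should be checked against the current Defender for Endpoint API documentation before use), and the tenant, app, secret and machine ID values are placeholders you must fill in.

```powershell
# Added example (not part of the course): Defender ATP machine actions via the REST API.
# Assumptions, to verify against the current API docs:
#   - an Azure AD app with the Machine.Isolate and Machine.CollectForensics
#     application permissions; its tenant ID, app ID and secret go in the variables below
#   - the API host api.securitycenter.windows.com (matches the portal used in the video)
#   - $MachineId is the machine ID taken from the machine page URL in the portal
$TenantId  = '<tenant-id>'
$AppId     = '<app-id>'
$AppSecret = '<app-secret>'
$MachineId = '<machine-id>'
$ApiBase   = 'https://api.securitycenter.windows.com/api'

# 1. Acquire a token for the Defender ATP API with the client-credentials flow
$tokenResp = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
    -Body @{
        grant_type    = 'client_credentials'
        client_id     = $AppId
        client_secret = $AppSecret
        resource      = 'https://api.securitycenter.windows.com'
    }
$Headers = @{ Authorization = "Bearer $($tokenResp.access_token)" }

# 2. Isolate the machine, the scripted equivalent of the portal's "Isolate machine" action.
#    The comment lands in the machine timeline just as it does from the portal.
$isolate = Invoke-RestMethod -Method Post -Headers $Headers -ContentType 'application/json' `
    -Uri "$ApiBase/machines/$MachineId/isolate" `
    -Body (@{ Comment = 'Mimikatz observed; investigating'; IsolationType = 'Full' } | ConvertTo-Json)
Write-Host "Isolation action $($isolate.id) submitted, status $($isolate.status)"

# 3. Collect an investigation package (autoruns, processes, scheduled tasks, event logs, ...)
$collect = Invoke-RestMethod -Method Post -Headers $Headers -ContentType 'application/json' `
    -Uri "$ApiBase/machines/$MachineId/collectInvestigationPackage" `
    -Body (@{ Comment = 'Forensic triage after Mimikatz alert' } | ConvertTo-Json)

# 4. Poll the machine action until it finishes. Collection can take a while if the
#    machine is offline, and the action times out rather than waiting forever, so
#    the loop exits on any terminal status, not only on success.
do {
    Start-Sleep -Seconds 30
    $action = Invoke-RestMethod -Headers $Headers -Uri "$ApiBase/machineactions/$($collect.id)"
    Write-Host "Collection action $($action.id): $($action.status)"
} while ($action.status -in @('Pending', 'InProgress'))

if ($action.status -eq 'Succeeded') {
    # The package is served from a short-lived download URI returned by getPackageUri
    $pkg = Invoke-RestMethod -Headers $Headers `
        -Uri "$ApiBase/machineactions/$($collect.id)/getPackageUri"
    Invoke-WebRequest -Uri $pkg.value -OutFile "$MachineId-investigation.zip"
} else {
    Write-Warning "Investigation package not collected: status $($action.status)"
}

# 5. Once the investigation is complete and the machine is healthy, reverse the flow
Invoke-RestMethod -Method Post -Headers $Headers -ContentType 'application/json' `
    -Uri "$ApiBase/machines/$MachineId/unisolate" `
    -Body (@{ Comment = 'Investigation complete, machine restored to normal health' } | ConvertTo-Json)
```

Every action, isolation included, is asynchronous: the POST returns a machine action record immediately, and the `status` field on `/machineactions/{id}` is the only reliable signal that the endpoint actually applied it, so scripts should poll it rather than assume success. Keep the app secret out of the script in practice (a certificate credential or a secrets store), because an app holding Machine.Isolate can take every machine in the tenant off the network.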