Implement and manage threat protection Flashcards
How do you set up Azure ATP?
After you enter your info in the ATP Portal, you can download the sensor setup file. This zip file installs the Azure ATP agent on a DC or the Azure ATP Standalone agent on a non-domain controller; it contains the installer and a configuration file. You will also have to copy the Access Key, which is used to establish the initial connection to your Azure ATP instance.
How is Azure ATP authentication managed?
Once installed, all authentication is through certificates.
How does Azure ATP establish its connection?
An Access Key is used to establish the initial connection to your Azure ATP instance
In Azure ATP, where are health issues managed?
Workspace Health - where issues such as connectivity, disconnected sensors, or service account authentication are reported. The Health icon will indicate whether there is any detected problem by displaying a red dot.
What happens when you log in to ATP Portal for the first time?
You will create the instance of Azure ATP for your environment. You will be prompted for the username (NETBIOS), password, and Active Directory domain name of the service account you will use; this account should only have read-only access to your environment.
What is involved to install and configure ATP?
It involves connecting to the portal, providing information for your setup, downloading the install pkg, and deploying it to the servers.
How do you plan for capacity when planning Azure Advanced Threat Protection? (ATP)
You need to download and run the Azure ATP sizing tool:
- > TriSizingTool.exe from Microsoft
What 4 report types are in Azure ATP reports?
- > Summary
- > Modifications to Sensitive Groups
- > Passwords Exposed in Clear Text
- > Lateral Movement Paths to Sensitive Accounts
How do you enable Azure ATP integration with Microsoft Defender ATP?
You must do so in both Azure ATP Portal and Microsoft Defender ATP Security Center
What alerts are included in the Azure ATP Portal Security Alerts Timeline?
- > User, computer, and/or resources involved
- > The time of the activity
- > Severity
- > Status
How are ATP alerts categorized?
Alerts align with the phases of an attack kill chain:
- > Reconnaissance
- > Compromised Credentials
- > Lateral Movement
- > Domain Dominance
- > Data Exfiltration
What licensing is required for Microsoft Defender ATP?
Microsoft Defender ATP is licensed as part of the M365 E5 suite and is also available with Windows Enterprise E5 (and the educational versions)
With Microsoft Defender ATP how do you protect servers?
To protect servers, you must onboard them to the Azure Security Center, which charges based on a consumption model.
What are the 5 deployment methods for Microsoft Defender ATP?
- > Locally run script
- > Group Policy Object
- > SCCM
- > Intune
- > Third-Party MDM & Software deployment solutions
In Microsoft Defender ATP, can you change the location where your data will be stored?
Once selected, you cannot change this; if you later change your mind, you must tear down and start over again.
How do you access the Microsoft Defender ATP portal?
securitycenter.windows.com
What are the 13 areas of the Microsoft Defender ATP console?
1-> Dashboards
2-> Incidents
3-> Machines List
4-> Alerts queue
5-> Automated Investigations
6-> Advanced Hunting
7-> Reports
8-> Partners & APIs
9-> Threat & Vulnerability Mgmt Dashboard
10-> Simulations & Tutorials (Evaluations)
11-> Service Health
12-> Machine Configuration Mgmt
13-> Settings
What is the Microsoft Defender ATP area - Dashboard?
Includes the information you would want to see first, or even keep on display in a security operations center (SOC); it offers high-level insights. The Dashboard includes Security Operations, Secure Score, and Threat Analytics.
What is the Microsoft Defender ATP area - Incidents?
Anything Microsoft Defender ATP detects is tracked as an incident. The Incidents area allows you to view and work with incidents: you can filter, classify, and assign incidents and see their details.
What is the Microsoft Defender ATP area - Machines List?
Displays all machines enrolled. Allows you to see all details of the machine.
What is the Microsoft Defender ATP area - Alerts queue?
Shows all alerts in your Microsoft Defender ATP tenant.
What is the Microsoft Defender ATP area - Automated Investigations?
Lists investigations automatically created by the system. By default it only shows the past seven days.
What is the Microsoft Defender ATP area - Advanced Hunting?
Provides an interface to create or paste queries to search data within Microsoft Defender ATP.
What is the Microsoft Defender ATP area - Reports subsections?
1-> Threat Protection - view alert trends
2-> Machine Health & Compliance - you can view machine trends and machine summary for Health State, AV Status, OS & version.
What does the Microsoft Defender ATP area - Reports - subsection Threat Protection include?
Unsolved Alert summary, which includes Detection Source, Category, Severity, Status, Classification, and Determination.
What is the Microsoft Defender ATP area - Partners & APIs?
Partner Applications - displays the many 3rd-party applications that can be integrated.
Data Export section - where you choose the data export settings used to push data to other applications, such as SIEMs.
What is the Microsoft Defender ATP area - Threat & Vulnerability Mgmt Dashboard?
Gives admins a risk-based, real-time way to discover vulnerabilities in their environments, prioritize them based on risk, and remediate them easily.
What is the Microsoft Defender ATP area - Simulations & Tutorials (Evaluation & Tutorials)?
Includes the Evaluation Lab and a set of tutorials with simulations, so admins can work in the environment without exposing machines to actual malicious files.
What is the Microsoft Defender ATP area - Service Health?
Where admins go to check on the overall health of the Microsoft Defender ATP service. You can see active incidents and find historical information.
What is the Microsoft Defender ATP area - Machine Configuration Management?
You can onboard machines and configure and apply security baselines to enrolled machines through Intune.
What is the Microsoft Defender ATP area - Settings?
Where settings are configured, broken up into several categories: General, APIs, Rules, Machine Management.
What is the Microsoft Defender ATP area - Settings category - 2 Machine Mgmt options?
Onboarding - you can download onboarding scripts or the installers for downstream clients.
Offboarding - you can download offboarding scripts.
What is the Microsoft Defender ATP area - Settings category - 6 Rules options?
- Custom Detections
- Alert Suppression
- Indicators
- Automation Allowed/Blocked Lists
- Automation Uploads
- Automation Folder Exclusions
What is the Microsoft Defender ATP area - Settings category - 2 APIs options?
- Threat Intel
- SIEM
What is the Microsoft Defender ATP area - Settings category - 2 Permissions options?
- Roles
- Machine Groups
What is the Microsoft Defender ATP area - Settings category - 5 General options?
- Data Retention
- Alert Notifications
- Power BI Reports
- Secure Score
- Advanced Features
When monitoring Microsoft Defender ATP, what can you see?
The Security Operations Dashboard is designed to surface the most useful information, making it easy to determine at a glance if any actions are required.
What are the 3 sections in the Device Security Dashboard?
- Core Isolation
- Security Processor
- Secure Boot
What does Windows Defender Application Guard (WDAG) do?
Uses hardware isolation to protect against attacks that start when a user visits a website hosting malware.
How are Windows Defender Application Control (WDAC) policies created?
WDAC policies are created using PowerShell and can be deployed using any method that can deploy MSIs, or via the Intelligent Security Graph, Intune, or Group Policy.
What will WDAC prevent you from doing?
It will prevent you from installing any MSI directly from the Internet. To work around this, download the MSI and run it locally.
What are the 4 components that make up Windows Defender Exploit Guard (WDEG)?
- Attack Surface Reduction (ASR)
- Network Protection
- Controlled Folder Access
- Exploit Protection
What is required for Secure Boot?
Requires hardware that supports it, and it needs to be enabled in the UEFI BIOS before the operating system is installed; if not, you will need to reinstall the OS after you make the change.
What encryption is available with Windows 10 device encryption? What is the best thing?
Device Encryption uses XTS-AES128 & XTS-AES256.
The best thing is that Azure AD joined machines will automatically encrypt their drives and store the recovery keys in Azure AD.
What is MDM vs MAM?
MDM - Mobile Device Mgmt is for company-owned devices.
MAM - Mobile Application Mgmt is used to secure the application and enable secure access even when supporting a BYOD environment; you are protecting the managed app rather than the overall device.
What is MAM?
Mobile Application Mgmt (MAM) uses Intune to manage applications, publishing, pushing, configuring, security, monitoring, and updating enrolled mobile devices.
What is WIP?
Windows Information Protection (WIP) is the MAM mechanism for Windows 10 devices. WIP is useful for laptops and Windows tablets.
What 3 benefits does WIP provide?
Enforced separation between personal data and enterprise data.
Existing applications can be protected without requiring an update or rewrite.
Corporate data can be wiped without wiping personal data.
How do you access MAM?
Azure Portal -> access Intune blade
What are the 4 sections of the Intune blade?
- Manage
- Monitor
- Setup
- Help and Support
What are the 4 different protection/mgmt modes for WIP policies?
- Block
- Allow Overrides
- Silent
- Off
How do you create WIP policies?
By using Microsoft Intune:
- > Access Client Apps in the Intune blade
- > click App Protection Policies
- > click Create Policy
What does Office 365 ATP provide?
It is one part of Microsoft Threat Protection.
It provides advanced threat protection for the SaaS applications and data that enterprises use with O365.
What does O365 ATP include?
Anti-Phishing Protection
Safe Attachments -> Protection against zero-day & advanced malware
Safe Links -> Protection against malicious links in email, instant msgs, and files
How do you configure O365 ATP anti-phishing policies?
Go to the Security & Compliance Portal (protection.microsoft.com)
- > click Threat Management
- > click Policy
- > click ATP Anti-Phishing tile
What are 3 sections for any anti-phishing policy?
- Impersonation
- Spoof
- Advanced Settings
What 6 actions can be configured against impersonation? Which is recommended by Microsoft?
- Quarantine Message - Recommended
- Redirect Msg to Other Email Addresses
- Move Msgs to the Recipients' Junk Email Folders
- Deliver the Msg and Add Other Addresses to the BCC Line
- Delete the Message Before It's Delivered
- Don't Apply Any Action
What are Impersonation Safety Tips?
Recommended; should be enabled. If a msg is released from quarantine or otherwise delivered to the user, the user will see visual warnings indicating that the message is an impersonation attempt.
What license is required for O365 ATP anti-spam?
O365 ATP P2 - you will see the Spoof Intelligence Policy
To Access -> Security & Compliance -> Policy
What are the 4 groups of policy settings for ATP anti-spam?
- Spam Filter Policy
- Connection Filter Policy
- Outbound Spam Filter Policy
- Spoof Intelligence Policy
In Spam Properties, which 3 settings should be adjusted to block more spam?
- SPF Record: Hard Fail
- Conditional Sender ID Filtering: Hard Fail
- NDR Backscatter
What is O365 ATP Safe Attachments?
Checks attachments in email and files shared through SharePoint Online, OneDrive for Business, and Teams to ensure they are not malicious, by evaluating how the attachments behave when opened in a hypervisor environment. Rather than relying on signatures, ATP analyses the attachment.
O365 ATP Safe Attachment policies can be configured to take which 5 actions?
- Off -> No action taken
- Monitor -> detections are logged, but malicious files are still delivered
- Block -> msg and attachments are blocked
- Replace -> msgs are delivered, but malicious attachments are replaced by a text file noting that files were removed
- Dynamic Delivery -> functions like Replace, but the msg is delivered while the attachment is scanned
What is O365 ATP Safe Links?
Checks links in emails and attachments to ensure that they do not link to a malicious site.
What are the 2 types of O365 ATP Safe Links policies?
- Policies that Apply to the Entire Organization
- Policies that Apply to Specific Recipients
What does O365 Threat Intelligence include? What are the 5 sections?
It includes both threat investigation and response capabilities.
- Threat Mgmt - Dashboard
- Investigation - view Automated investigations
- Explorer - view & analyze threats
- Submission - submit mail & files to Microsoft
- Review
What license & Roles are required for O365 Threat Intelligence (TI)?
Included in O365 ATP Plan 2.
Requires Global Admin, Security Admin, Security Reader, or a custom RBAC role.
You can access TI in Security & Compliance at protection.office.com.
How do you integrate O365 Threat Intelligence with Microsoft Defender ATP?
In the Security & Compliance Portal:
- > choose Threat Mgmt -> Explorer
- > in the upper-right corner
- > click WDATP Settings
- > set the Connect to Windows ATP switch to "On"