Ninja Cat Giveaway: Episode 7 | Defender for Identity and Defender for Endpoint: Better together

Microsoft

For this episode, your opportunity to win a plush ninja cat is the following -

Tell us about an alert that started either from Defender for Endpoint or Defender for Identity and what additional information from the other product (Defender for Endpoint or Defender for Identity) helped you get more details about that alert?
Or share your favorite KQL query with tables from both products.


This offer is non-transferable and cannot be combined with any other offer. This offer ends on April 14th, 2023, or until supplies are exhausted and is not redeemable for cash. Taxes, if there are any, are the sole responsibility of the recipient. Any gift returned as non-deliverable will not be re-sent. Please allow 6-8 weeks for shipment of your gift. Microsoft reserves the right to cancel, change, or suspend this offer at any time without notice. Offer void in Cuba, Iran, North Korea, Sudan, Syria, Region of Crimea, Russia, and where prohibited.

12 Replies

My favourite alert to see is the Suspicious activity - Atypical Travel. I absolutely love the ability to drill down and track all of the activity of that specific user (device, location, IP, previous logins) that led to the alert being flagged as high risk. @HeikeRitter

Defender for Endpoint is my hero. It helps our company to run an audit request in hours and not in weeks. How to make a full scan on 150+ devices easy peasy... love it!

Active Directory attributes reconnaissance using LDAP: this alert detects enumeration techniques using suspicious LDAP queries. For further investigation it provides rich information on the sensitive enumeration of the AD that the attacker searched for using LDAP queries.

@HeikeRitter I think a good example of the MSDI and MSDE integration, is when you can see an Incident that has an alert or activity such as a suspicious login event, and then go into the user's page, and get a detailed breakdown of the user's threat exposure, as well as any endpoints that user is associated with. You can then assess the users' threat level, dive deep into any active automatic investigations, as well as lock down the user (via AD or AAD or both), the devices that may have been compromised, or both depending on the threat, and activity. 

It is really good to see how we can integrate these two amazing tools, MDE and MDI, and get all the information about users' activities, specifically suspicious activities, and how we can monitor these suspicious activities and alerts to keep us informed and take action on the compromised users' accounts. It is a very useful and comprehensive video to understand the use of both services and how the integration between them works. I love to use the KQL suggested queries and community queries, like Command and Control, Lateral Movement and Privilege Escalation. Thanks for sharing @HeikeRitter

@HeikeRitter I would like to say that I have a favourite, but for me it is just getting alerts and knowing that most of the time Defender for Endpoint takes care of business by itself.

Absolutely useful to find and kill NTLM in Environments:

IdentityLogonEvents
| where TimeGenerated > ago(7d)
| where ActionType == "LogonSuccess"
| where Protocol == "Ntlm"
| where LogonType == "Credentials validation"
| summarize ['Target Device List']=make_set(DestinationDeviceName), ['Target Device Count']=dcount(DestinationDeviceName) by DeviceName, AccountName
| sort by ['Target Device Count'] desc

@HeikeRitter
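The query above only uses the MDI table. An added example (not from this thread or from Microsoft) that answers the episode's "tables from both products" prompt: it takes the same NTLM logons from IdentityLogonEvents and left-joins the MDE DeviceInfo inventory, so that every NTLM source host is tagged as managed (onboarded in MDE, where you can push the NTLM hardening) or unmanaged (not in MDE, where you cannot). Assumptions: the Microsoft Sentinel schema with TimeGenerated, as in the posted query (in the Defender portal advanced hunting the column is Timestamp); the DeviceInfo OnboardingStatus value "Onboarded"; and that MDI and MDE report the same short hostname, which the query normalizes by lowercasing and dropping the domain suffix.

```kusto
// Added example: correlate MDI NTLM logons (IdentityLogonEvents) with the
// MDE device inventory (DeviceInfo) to separate managed from unmanaged sources.
// Assumes Sentinel column names (TimeGenerated); use Timestamp in the Defender portal.
let lookback = 7d;
// MDI side: successful NTLM credential validations, grouped by source host
let NtlmSources =
    IdentityLogonEvents
    | where TimeGenerated > ago(lookback)
    | where ActionType == "LogonSuccess"
    | where Protocol == "Ntlm"
    | where LogonType == "Credentials validation"
    // normalize "HOST01.corp.example" and "host01" to the same key
    | extend SourceHost = tolower(tostring(split(DeviceName, ".")[0]))
    | summarize NtlmLogons = count(),
                Accounts = make_set(AccountName, 20),
                Targets = make_set(DestinationDeviceName, 20)
              by SourceHost;
// MDE side: latest inventory record per onboarded device
// (assumption: OnboardingStatus == "Onboarded" marks an MDE-managed device)
let MdeDevices =
    DeviceInfo
    | where TimeGenerated > ago(lookback)
    | where OnboardingStatus == "Onboarded"
    | extend SourceHost = tolower(tostring(split(DeviceName, ".")[0]))
    | summarize arg_max(TimeGenerated, DeviceId, OSPlatform, OSVersion) by SourceHost;
NtlmSources
| join kind=leftouter MdeDevices on SourceHost
// DeviceId is empty when the host has no MDE record: an unmanaged NTLM source
| extend ManagedByMDE = isnotempty(DeviceId)
| project SourceHost, ManagedByMDE, DeviceId, OSPlatform, OSVersion,
          NtlmLogons, Accounts, Targets
// unmanaged hosts first, busiest first, since those need manual follow-up
| sort by ManagedByMDE asc, NtlmLogons desc
```

The leftouter join is the point: an inner join would silently drop exactly the hosts you most want to see, the NTLM sources that MDE knows nothing about.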

@HeikeRitter The experience I want to describe comes from using Defender for Cloud Apps through the enrichment of alerts by Defender for Identity and Defender for Endpoint. Having fun with the product, I created a policy that was able to identify the massive download of data by a user on vacation, who accessed the system from an unusual location after several failed sign-ins [Defender for Identity] from a device not managed by the organization and with an outdated browser [Defender for Endpoint]. The integration of the two products with each other has allowed the in-depth study of the case, which otherwise would have been limited to a medium severity alert in the DFCA.
It was fun!

The suspicious LDAP query from MDI led him to see the correlated events from MDE of suspicious RDP sessions.

An excellent case where information from both tools helped me figure out what was going on was this: MDI had a high severity alert for LDAP enumeration, and after examining the source system in MDE, we were able to identify the activity as BloodHound being run as the last stage of a red team penetration test.

I find it great that when a suspicious login is detected in the Microsoft security console, I can follow up on the case and analyze every action of the user and the affected PC.

In a previous role, we had numerous alerts flowing into Sentinel from both MDE and MDI. Based on severity, my investigation started with the MDI alerts regarding Pass-the-Hash attacks occurring multiple times, indicating lateral movement on the client's servers. Through MDI investigations we were able to identify the initial device, which was a Windows 10 endpoint being monitored through MDE, which tied back to the MDE alerts we originally saw. Thanks to the capabilities within MDE and MDI, we were able to identify the compromised endpoints, servers, and identities in an efficient manner and respond accordingly, including leveraging Indicators of Compromise to block the files that originated the attack, and identifying the vulnerabilities that allowed for the lateral movement once the attacker had access, so we could take the appropriate actions with the client to better secure their environment.
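Several replies above describe the same manual pivot: an MDI alert names a source machine, and the analyst then opens that machine in MDE to see what process actually generated the traffic (in one case, BloodHound behind an LDAP reconnaissance alert). An added example (not from this thread or from Microsoft) that does that pivot in one KQL query: it takes MDI alerts from AlertInfo, pulls the device entities for each alert from AlertEvidence, and joins the MDE DeviceProcessEvents on that host inside a time window around the alert. Assumptions: Sentinel column names (TimeGenerated); the ServiceSource string "Microsoft Defender for Identity"; the AlertEvidence EntityType value "Machine" for device entities; and the same short-hostname normalization as above. The "LDAP" title filter is a constructed narrowing for this scenario, not a fixed alert name; drop it to run the pivot for every MDI alert.

```kusto
// Added example: pivot from an MDI alert to the MDE process activity on the
// source host around the time of the alert.
// Assumes Sentinel column names (TimeGenerated); use Timestamp in the Defender portal.
let lookback = 7d;
let window = 30m;   // how far either side of the alert time to look
// MDI alerts of interest (assumption: ServiceSource string as used by M365 Defender)
let MdiAlerts =
    AlertInfo
    | where TimeGenerated > ago(lookback)
    | where ServiceSource == "Microsoft Defender for Identity"
    | where Title has "LDAP"          // constructed narrowing; remove to cover all MDI alerts
    | project AlertId, AlertTime = TimeGenerated, Title, Severity;
// Device entities attached to those alerts (assumption: EntityType == "Machine")
let SourceDevices =
    AlertEvidence
    | where TimeGenerated > ago(lookback)
    | where EntityType == "Machine" and isnotempty(DeviceName)
    | extend Host = tolower(tostring(split(DeviceName, ".")[0]))
    | distinct AlertId, Host;
// MDE process telemetry, keyed by the same normalized hostname
let MdeProcesses =
    DeviceProcessEvents
    | where TimeGenerated > ago(lookback)
    | extend Host = tolower(tostring(split(DeviceName, ".")[0]))
    | project Host, ProcTime = TimeGenerated, AccountName, FileName,
              ProcessCommandLine, InitiatingProcessFileName;
MdiAlerts
| join kind=inner SourceDevices on AlertId
| join kind=inner MdeProcesses on Host
// keep only processes that ran close to the alert on that host
| where ProcTime between ((AlertTime - window) .. (AlertTime + window))
| project AlertTime, Title, Severity, Host, ProcTime, AccountName,
          FileName, InitiatingProcessFileName, ProcessCommandLine
| sort by AlertTime asc, ProcTime asc
```

The result reads as a per-alert timeline of what the host was executing when MDI saw the reconnaissance, which is the evidence you need to decide between a sanctioned red team run, an admin tool, and an intrusion. If the host has no rows at all, the source is not onboarded in MDE, which is itself a finding.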