Microsoft Defender for Endpoint Blog

Microsoft Defender ATP 'Ask Me Anything' August 2019 - Summary

HeikeRitter (Microsoft)
Aug 15, 2019

On Tuesday, August 13, we, the Microsoft Defender ATP team, hosted our first Ask Me Anything (AMA) on Twitter. Various team members across the globe participated and eagerly answered questions that were sent to @WindowsATP or using the hashtags #MDATP and #MDATPAMA. You can find a list of the team members that participated in this AMA at the end of the blog so you can start following them.

 

 

I hope many of you participated in our first AMA live, got to ask questions (and got an answer 😉), and connected with the team!

 

If not, Jan Geisbauer did a great job summarizing the AMA hour for us! Thank you, Jan!

You can find Jan on Twitter at @janvonkirchheim and sign up for news on his blog: https://emptydc.com/.

 

Below are some of the questions we received and answered during the one-hour AMA. We did not modify these questions and answers; we only removed greetings like “Hello” and “Thank you”:

 

Q: In some threats in the “Threat analytics” you provide Advanced Hunting queries. How do you decide if (and at what point in time) such a Threat automatically triggers an alert (System default) or if it’s up to the customers to run those queries and maybe create custom detections?

A: While we track these threats and make sure we detect them, using generic behavioral detection capabilities, we also provide queries that allow you to hunt for the threat's behavior. You don't have to make these into custom alerts of your own. You can just HUNT 🙂 Makes sense?

 

Q: What exactly is NOT done during automatic investigation, when I add a certificate to the allowed list?

A: The only difference is that during the file incrimination process, any file that is signed by the certificate that you added to the allowed list will be considered safe

 

 

Q: How do you ensure an attacker cannot circumvent “isolation” on a machine?

A: The isolation is built to be secure. An attacker will not be able to circumvent it with standard firewall rule manipulations, even as administrator.

 

Q: Some of our customers already utilize the mdatp api in order to do some automation based on alert (client isolation) - are you considering to enhance the api features, to for instance, trigger actions based on the "risk level" a machine has?

A: Interesting. Are you looking for selective triggers? Please explain why not to use the API to decide about the risk level. Meaning, trigger alert>Get related machine> check risk> take actions.

 

Q: it's more related to the "states" the api currently provides - correct me if I'm wrong, but as of today, I can initiate action items (like client isolation) based only on alerts status/severity of a machine, not for instance on the "risk level"

A: You can isolate a machine based on anything you have in mind as long as you know the machine identifier. For example, you can query the machine risk level via the API and isolate if it meets any criteria. Does that address the ask?
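The flow the two answers above describe (alert, related machine, risk check, action), written out as an added example; it is not part of the AMA and not Microsoft's code. It assumes the public MDATP API endpoints for the alert's related machine and for machine isolation, plus an OAuth token obtained elsewhere; `make_transport`, `respond_to_alert`, the `never_isolate` list and the dry-run default are hypothetical choices made for this sketch.

```python
import json
import urllib.request

# Assumption: base URL, paths and field names (riskScore, IsolationType)
# follow the public MDATP API documentation.
API = "https://api.securitycenter.windows.com/api"
RISK_ORDER = ["None", "Informational", "Low", "Medium", "High"]  # low -> high


def make_transport(token):
    """Return call(method, path, body) that talks to the live API."""
    def call(method, path, body=None):
        req = urllib.request.Request(
            API + path,
            data=json.dumps(body).encode() if body is not None else None,
            method=method,
            headers={"Authorization": "Bearer " + token,
                     "Content-Type": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return call


def respond_to_alert(alert_id, call, min_risk="High",
                     never_isolate=(), dry_run=True):
    """Alert -> related machine -> check risk -> isolate; returns the decision."""
    machine = call("GET", f"/alerts/{alert_id}/machine")
    name = machine.get("computerDnsName", "")
    risk = machine.get("riskScore") or "None"
    decision = {"machineId": machine["id"], "risk": risk, "action": "none"}
    # Unknown risk values and anything below the threshold: take no action.
    if risk not in RISK_ORDER or RISK_ORDER.index(risk) < RISK_ORDER.index(min_risk):
        return decision
    # Hosts that must never be cut off automatically (e.g. domain controllers).
    if name.lower() in {n.lower() for n in never_isolate}:
        decision["action"] = "skipped-protected"
        return decision
    if dry_run:  # default: report what would happen, change nothing
        decision["action"] = "would-isolate"
        return decision
    call("POST", f"/machines/{machine['id']}/isolate",
         {"Comment": f"Auto-isolated: alert {alert_id}, risk {risk}",
          "IsolationType": "Full"})
    decision["action"] = "isolated"
    return decision
```

Against a live tenant, pass `make_transport(token)` as `call`; keep `dry_run=True` until the threshold and the protected-host list have been reviewed.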

 

Q: Any plans to add scheduled e-mail reports over machine states, for example "all machines with outdated AV definitions"? Or make such data accessible through the API?

A: Super simple to achieve with Microsoft Flow. DM if need assistance with it.

 

Q: What are the criteria to get trial access? 🙂 (Because there is obviously a manual check when applying)

A: In general, we are looking for genuine corporate mail accounts. It would be helpful if you explain the concern so we can supply a better answer.

 

Q: one simple question - when working with machine groups and tags, how is the logic within here? first match picks up the machine and the others are ignored?

A: No limit to tags, you can add as many as you want and all will apply. Machine Groups are stack ranked, the first hit will win. Read more at https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/machine-groups

 

Q: mdatp onboarding on windows 10 (AAD join / Intune managed) still takes around 20-30 minutes until a "valid" compliance state is evaluated - will you reduce this latency to let's say "no latency"?

A: we definitely know about this one and that it's not ideal, we are investigating how to make this lag minimal or non-existent.

 

Q: Which apps are not covered by TVM reports (Windows Store? Portable Apps? More?)

A: TVM currently supports Windows OS and Win32 applications. Store and Portable/Utilities apps are planned (also run-time libraries and apps extensions)

 

Q: great to have this opportunity. My first questions: Will TVM support Servers too - and when? Is Windows Server 2019 Core supported with MDATP? Does onboarding Servers in MDATP need an extra license? Of course it works without.

A: TVM server support is currently in limited private preview and will go public preview in the coming weeks. If you would like to participate, please PM me for more details.

 

Q: How can I run custom detection queries in, say, 5-10 min intervals? Currently it looks like they run once every 24 hours.

A: You're right, the custom detection feature executes your queries every 24h, but we know how useful this capability is and we're ON IT! 🙂

 

Q: Any solutions for small business / non profit coming up? Would love to see it in the non profits package.

A: This is great feedback and something we are looking into. Nothing to share at this point. Thanks for asking!

 

Q: Will it be possible to delete test machines from MDATP portal?
A: Currently it's not possible to delete machines from MDATP portal, but they will be filtered out after a while. Can you share more about the reasons to delete a test machine?

 

Q: Is there a way to inventory or query for browser extensions on a system? Like potentially unwanted Chrome extensions for a blocklist?

A: Inventory and discover vulnerabilities in browser extensions is part of our TVM roadmap.

A: wanted to mention a few other options in case you haven't considered them. You can enable the PUA feature to block potentially unwanted applications. Also, if you already have a list of extensions you want to block, you can add them to the custom blocklist in the console.

 

Q: Will there be an api to add contextual data to a machine (even a tag), for example from an inventory system for machines that have sensitive data or classified in a specific way, other than GPO.

A: You can do that, check out: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags

 

Q: Any chance Yara would be added to defender to allow for memory hunting?

A: we've heard this request before and are considering the feature. Would love it if you can tell us what scenarios you would use this in (beyond collected telemetry and live response)? Also if others here are interested in this feature, please shout! 🙂

 

Q: Is there an option to release a file from quarantine on the central portal instead of from the client?

A: Not today Nick but we are evaluating what it will take to enable this functionality.

 

Q: What's the best way to add exclusions for things like backup software?

A: I may not understand the full scope of your question, but are process exclusions (https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/configure-process-opened-file-exclusions-windows-defender-antivirus) or suppressions (https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/manage-alerts) not sufficient for your software? If so, let me know how it can be improved.

 

Q: Do you have plans for ATP for MacOS to get same EDR, automated remediation and vulnerability management with Win10?

A: Yes, we intend to provide similar capabilities per platform as appropriate.

 

Q: Is it possible to monitor SCEP/Defender clients on Windows Servers with MDATP? Any dashboard/notifications available if SCEP or Defender AV signatures on Servers are outdated? Is it possible that Windows 1903 Defender tamper protection is not supported yet with MDATP?

A: Windows Servers can be monitored with the MDATP downlevel client:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-server-endpoints

 

Q: I have 2016 and 2012R2 servers onboarded but can't see any AV status of them. Secure score does not include AV status, just checked this, only AV settings recommendations. Any plans to add AV status for Servers?

A: Secure score does show the status for the setting "Update Microsoft Defender Antivirus definitions" and provides the list of machines that don't have it up to date:

 

Q: Will there be an option to inventory or provide recommendations on Windows Firewall? Confirm that it's on or make rule recommendations based on traffic flows?

A: Secure Score already supports some Windows Firewall settings.

 

Q: Any future possibilities for more visibility regarding PowerShell, for those who don't have extended PowerShell logging enabled? I'm already seeing some PowerShell cmdlets etc. in the timeline in ATP.

A: MDATP actually has amazing visibility into PowerShell code and as a result some advanced detection capabilities in this space too. MDATP has visibility into obfuscated or dynamically generated scripts as well, or those downloaded during execution.

 

Q: What would your n°1 tip be to get started with #MDATP? #MDATPAMA

A: there are too many 🙂 but my first would be - use our Evaluation lab! it will give you everything you need in order to get to know #MDATP better, with minimum time and effort: https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-Evaluation-lab-is-now-available-in-public/ba-p/770271

 

Q: Would love to see a possibility to customize the investigation package. Or maybe I should use a custom script over Live Response?

A: second option would work!

 

Q: Can advanced hunting see more than the last 32 days of history?

A: Advanced hunting is currently limited to 30 days of data.

 

Q: Will servers covered by #Azure Security Center automatically be onboarded to Defender ATP?

A: Yes

 

Q: How can I build better reporting on top of MDATP, like ASR rules covering the last 12 months to identify trends of applications being blocked over time?

A: Great question Stefan - You can create custom reports using PowerBI:

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/run-advanced-query-sample-power-bi-app-token

Some samples are available here:

https://github.com/microsoft/MDATP-PowerBI-Templates/tree/master

Also for ASR, M365 SCC has a built-in report as well as an impact simulator, to predict user impact before configuration deployment:

https://docs.microsoft.com/en-us/office365/securitycompliance/monitor-devices#monitor-and-manage-asr-rule-deployment-and-detections

 

Q: Will there be any configuration options to manage the Mac Agent centrally from the securitycenter or how do you envision managing these Agent settings.

A: You can use Microsoft Intune to manage the Mac agent today. The future will show what else we will have for you 🙂

It is definitely in our plan to improve management for both Windows and Mac agents. If you had to prioritize, what would be the top configurations you would like to see here?

 

Q: where can we store community developed hunting queries?

A: Advanced hunting has a GitHub page. Tons of super useful queries are already there, feel free to share yours and help the AH community grow: https://github.com/microsoft/WindowsDefenderATP-Hunting-Queries

 

Q: Are there any plans to align all Security Workloads in M365 /Azure to map to the MITRE Framework?

A: https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-alert-categories-are-now-aligned-with/ba-p/732748 Alert categories in MDATP are now already aligned to MITRE ATT&CK tactics, and mapping of alerts to MITRE ATT&CK techniques is following shortly!

 

Please watch this Tech Community blog and follow our Twitter accounts to keep updated on future AMAs.

 

We want to continue hosting Ask Me Anything sessions, give you the opportunity to directly ask your questions, and allow the growing Microsoft Defender ATP community to directly connect with each other!

Updated Aug 15, 2019
Version 2.0
  • thehadricus
    Brass Contributor

    Following up on the request for Yara Rule support, we receive yara rules from our national Cyber service for APTs and other threats - it would be great if we could use these with Defender ATP without relying on other tools like Tenable.

  • HeikeRitter SHOUTING IN BOLD CAPS TO ASK FOR YARA RULE SUPPORT!!!  :xd::xd::xd:

     

    08.12.2020 -- FireEye released https://github.com/fireeye/red_team_tool_countermeasures in response to APT hack where their custom Red Team tools were stolen. The whole point to their release was to help us detect employment in our environments. It seems to me that enabling YARA rule creation/ingestion/export would be something that MS should see as an OBVIOUS feature request with value and benefit.

     

    As paying customers or as members of the security profession, do we really need to keep asking?

     

  • Dear Santa,

    How are things at the North Pole? I've been a good boy in this crappy year of COVID. I hope you and Mrs. Claus and the elves are doing well and staying safe and healthy.

     

    Just writing to ask if you could help MS deliver YARA rule support to Defender.

     

    We'll leave milk and cookies out for you!

     

    Your friend,

    Edwin

  • multicom
    Copper Contributor

    HeikeRitter Hi, I am in the middle of a deployment, the client subscribed for Wine5 (for kiosk devices) and EMS E5 (for users). What's the best way of assigning the licenses?

    Also, what's the best way of getting swift support from Microsoft??

  • Rebel_Army
    Copper Contributor

    Microsoft Please, Please PLEASE give us the ability to create and utilize YARA rules.....

     

    I am SHOUTING OUT LOUD as well for YARA support.

     

    I have many tomes of YARA rules that I would love to be able to use in ATP but have no way to as of yet.

     

    Please, Please, Please help us simple Threat Hunting folks......

     

    We don't want much, just YARA.

     

    (PS... I set up my account just for this post)