Endpoint on Adrenaline 3

Introduction

Now that I have covered the advanced features obtained from Defender for Cloud and the complexities of Defender for Endpoint with the objective of delivering as much protection as possible to the endpoint, I will now explore how to expand on this greatly and open up even more use cases.





Microsoft Sentinel

This technology will allow us to unify and correlate data generated by other controls. I have decided to deploy Microsoft Sentinel into 4 primary categories :

  • System Administrator - Asset Uptime, Application Inventory, Device configuration and Troubleshooting
  • Network Engineers - Netflow and session traffic, violations and alerts for potential issues
  • Threat Detection - Analytics and playbooks
  • Threat hunting - Workbooks & Machine learning
Using Microsoft Sentinel we can achieve a plethora of incredibly powerful use cases with Defender 365 endpoint data. Below is an illustration of how my SIEM works to enable analysts to prevent and detect threats










Data Sources

In order to give Microsoft Sentinel the ability to produce powerful use cases we must first feed it data sources rich in telemetry. I have selected the following for their verbosity and correlation to the data analytics I want to achieve.

Windows Firewall

This can be enabled via a domain policy through Policies > Windows Settings > Security Settings > Windows Defender and Firewall with Advanced Security > Windows Defender Firewall Properties. Ensure you establish the logging for dropped packets and successful connections. In addition you will need to set the total size of the log to 1,000KB forcing the firewall to write a new log once it reaches capacity otherwise the AMA connector will fail.


Once this is properly configured you will get verbose network session information as illustrated below:



Defender 365

This source will provide most the telemetry we need to detect and prevent threats on our adrenaline-fueled endpoints. Within Microsoft Sentinel utilize the content hub and enable to the following tables 

Defender for Endpoint

Device Info - Audit information for what assets are presently protected and their metadata

Device Process Information - threat hunting and detection analytics

Device File Events -  threat hunting and detection analytics

Device Registry Events - threat hunting and detection analytics

Device Logon Events - threat hunting and authentication graphs

Device Image Load Events - threat hunting and detection analytics

Device Events - Troubleshooting and reporting

Defender for Office 365

Email Events - Threat Hunting
   
Email URL Info - Threat Hunting

EmailAttachmentsinfo - Threat Hunting

URL Click Events - Threat Hunting


Defender Alerts

Alert Evidence - Correlation to other data sources

Alert Evidence - Correlation to other detections

User Behaviour Entity Analytics 

UEBA is an incredibly powerful tool within Microsoft Sentinel and we can utilize it for the following use cases.

  • Detections for repeated high investigation score authentication attempts
  • Workbooks to highlight accounts that may be under repeated attack
  • Correlations to other data sources to increase the fidelity of a given detection
To enable UEBA simply navigate to Entity Behaviour > Entity Behaviour Settings > Enable all available settings.

This will generate the following tables@

Behaviour Analytics - Enriched events for activity tracked by the EUBA engine 



Identity Info - User information required for correlation by hte UEBA engine but also useful for custom analytics
    



User Peer Analytics - Used to store ranked associations to other users to determine how anomalous an action is relative to a peer



Threat Detection

The threat detection and alerting capability within the cortex is divided into three sections or 'lobes'. Each lobe has a different responsibility and helps generate a wider image as to what threat has been observed by the cortex.


Contextual Analytics

These analytics identify behaviour that is benign on its own but would add up to what would likely be a true positive if enough of a certain type occurred. As an example the below contextual analytic identifies when file extensions never before seen appear in a user downloads folder 

let start = ago(14d);
let end = ago(1d);
let lookback = DeviceFileEvents
| where Timestamp between (start .. end)
| extend extensions = extract(@"\.[^\.]+$", 0 , FileName)
| where isnotempty(extensions)
| where FolderPath !has "NetFramework"
| distinct extensions;
let lookup = DeviceFileEvents
| where Timestamp >= end
| extend extensions = extract(@"\.[^\.]+$", 0 , FileName)
| where isnotempty(extensions)
| where FolderPath !has "NetFramework"
| distinct extensions;
let newextensions = lookback
| join kind=leftanti lookup on (extensions);
DeviceFileEvents
| extend extensions = extract(@"\.[^\.]+$", 0 , FileName)
| where isnotempty(extensions)
| where extensions in (newextensions)
| project-reorder extensions
| where FolderPath matches regex @"(.*?)Downloads(.*?)"

Individually, this detection might not indicate a threat. However, when combined with additional contextual detections, such as new network connections originating from a user's download folder, the associated level of risk becomes elevated.

This is the role of the contextual analytic lobe, to identify activity not inherently malicious but to write a record of its happening for correlation later

Correlation Analytics

These lobes have been particularly described above, they monitor what detections are firing and look for three sets of criteria:

  • The volume of detections becomes too great for a single given user
  • The volume of detections becomes too great for a single given asset
  •  An assigned numerical value ranking a contextual detection to likely adversarial behaviour exceeds a threshold
  • An analyst marks a single contextual detection as malicious revealing all other associated detections
Correlation analytics allow for several thousand detections to be generated a day but only those that hold meaning be presented to a human.



Sysmon

Sysmons primary role is to fill in gaps left by Defender 365 and the EventIDs collected by the AMA agent. It drives much of the data analytics as the data is easier to work with and I can customize how much or how little I send to my workspace.

Data Analytics

As this post is getting too long I will not cover the data analytics and dashboards generated and maintained by the cortex however the general premise is to ensure the human the most powerful tool we have is not removed from the detection lifecycle

Popular

Endpoint on Adrenaline : One

Brilliance in the Basics

Investigate

Writing detections when stuck with EDR

Endpoint on Adrenaline Two

Why you need to be purple!

Standardized Note Taking Format For Analysts

Investigate Two

Securing your estate: The First Step