Staying on the pre-breach side of things is the main goal in IT security. How can you achieve this state on Windows clients? A large share of malicious software relies on unpatched vulnerabilities or exploitable misconfigurations. A few months back, Microsoft added Threat & Vulnerability Management to Microsoft Defender Advanced Threat Protection…
Tag: MDATP
Microsoft Defender ATP – network control made easy
Controlling clients at the network level has been a use case for many companies for decades. In most cases, local network infrastructure such as proxies or firewalls is used to control which resources a client can access. What if devices are on the road? In the cloud, this concept has been adapted…
Microsoft Threat Protection – unified incidents
Note: This post is part of a series about Microsoft Threat Protection. You can find part 1 about unified hunting here: https://chrisonsecurity.net/2019/12/15/microsoft-threat-protection-unified-hunting/ In my last post about Microsoft Threat Protection (MTP) I talked about unified hunting, where you can use data signals from Defender ATP, Office ATP, and (coming soon) MCAS / Azure ATP to…
Microsoft Threat Protection – unified hunting
Note: This post is part of a series about Microsoft Threat Protection. You can find part 2 about unified incident management here: https://chrisonsecurity.net/2020/01/24/microsoft-threat-protection-unified-incidents/ When you work on security incidents, information is key. What is just as important: correlation. The value of data increases heavily if it can be associated with other signals. At Ignite 2018,…
MDATP + Azure Logic Apps: Default connectors vs. HTTP REST
Automating security rocks! In a previous post I showed how to get started with Microsoft Defender ATP and Microsoft Flow: https://chrisonsecurity.net/2019/10/22/automate-mdatp-response-with-microsoft-flow/ Now, let's get into a bit more detail about automating security workflows. Unlike last time, I will use Azure Logic Apps instead of Flow. Both technologies are quite similar; however, they differ in licensing…
Automate MDATP response with Microsoft Flow
I recently met with a customer to discuss their migration from Kaspersky to Microsoft Defender ATP. They also use macmon to query the AV’s database to detect alerts and move affected clients to an isolated VLAN. Although MDATP is capable of handling incidents itself, the customer wanted to retain the capability to auto-isolate machines. At…
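The two automation posts above (Flow with the default connectors, and Logic Apps via HTTP REST) both end up calling the same MDATP API. As an added example that is not code from either post, the following PowerShell script performs the auto-isolation flow directly against that API, which is what the HTTP REST variant does without a connector in between. The tenant id, app id and secret are placeholders; the script assumes an Azure AD app registration that has been granted the Alert.Read.All and Machine.Isolate application permissions on the WindowsDefenderATP API.

```powershell
# Added example, not from the original posts. $TenantId, $AppId and $AppSecret
# are placeholders for an Azure AD app registration with Alert.Read.All and
# Machine.Isolate application permissions on the WindowsDefenderATP API.
$TenantId  = "<tenant-id>"
$AppId     = "<app-id>"
$AppSecret = "<app-secret>"
$Resource  = "https://api.securitycenter.windows.com"

# 1. Client-credentials token for the MDATP API. The Flow / Logic Apps
#    connector does this step for you; with plain HTTP you do it yourself.
$tokenBody = @{
    resource      = $Resource
    client_id     = $AppId
    client_secret = $AppSecret
    grant_type    = "client_credentials"
}
$tokenResponse = Invoke-RestMethod -Method Post `
    -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token" `
    -Body $tokenBody
$headers = @{ Authorization = "Bearer $($tokenResponse.access_token)" }

# 2. Pull alerts worth acting on. The OData filter keeps this to new,
#    high-severity alerts so a noisy low-severity rule cannot isolate the fleet.
$filter = "severity eq 'High' and status eq 'New'"
$alerts = Invoke-RestMethod -Method Get -Headers $headers `
    -Uri "$Resource/api/alerts?`$filter=$([uri]::EscapeDataString($filter))"

# 3. Isolate each affected machine once, even if it has several alerts,
#    and keep the returned machine action id for follow-up / release.
$isolated = @{}
foreach ($alert in $alerts.value) {
    $machineId = $alert.machineId
    if ([string]::IsNullOrEmpty($machineId) -or $isolated.ContainsKey($machineId)) { continue }

    $actionBody = @{
        Comment       = "Auto-isolated because of alert $($alert.id)"
        IsolationType = "Full"   # "Selective" keeps Outlook/Teams/Skype reachable
    } | ConvertTo-Json

    $action = Invoke-RestMethod -Method Post -Headers $headers `
        -ContentType "application/json" `
        -Uri "$Resource/api/machines/$machineId/isolate" `
        -Body $actionBody

    $isolated[$machineId] = $action.id
    Write-Host "Isolated $machineId (action $($action.id), status $($action.status))"
}

# Return the machine -> action id map so a scheduler or Logic App can poll
# /api/machineactions/{id} and later call /unisolate when the incident is closed.
$isolated
```

Two things a practitioner should check before wiring this into an automated trigger: the isolation call is asynchronous (the returned action starts as Pending, so poll the machine action before assuming the client is off the network), and a client secret in a script is only acceptable for a lab; in production the secret belongs in a Key Vault or the Logic App's own connection, not in the workflow definition.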
Cloud configuration of AppLocker using Intune and MDATP
In this post I will give you a quick overview of cloud configuration of AppLocker using Intune and MDATP. AppLocker has been with us for quite some time now, reaching all the way back to good old Windows 7. Although it is not the best solution from a technical point of view (there's Windows Defender…