Defender for Endpoint

What is Microsoft Defender for Endpoint?

Microsoft Defender for Endpoint is an endpoint security service that offers advanced protection, both proactively and reactively based on a combination of known threats and vulnerabilities, endpoint behavioural analysis and cloud security analytics. Threats can be remediated automatically or manually depending on both the automation level configuration and the vulnerability itself. There is a large scope for reporting, data analysis and further education on the vulnerabilities to make informed decisions on the best way forward.

Defender for Endpoint offers not only proactive and reactive automated protective actions in response to what could otherwise be business paralysing malicious attacks and vulnerabilities, but offers insight and recommendations to proactively maintain a secure environment. This could be highlighting recently known about vulnerable software versions that are installed on devices, or highlighting missing Windows updates, leaving the device open to attack. Data collected provides very granular, historical timeline detail of events leading up to and in response to potentially malicious actions, that are either intentional or unintentional.

The data collected from the devices in scope of Defender for Endpoint offers insight into the health state of the devices, exposure scores, risk levels, communication reporting such as the last time the device was active, IP address values, logged on users, software inventory and missing updates to mention a few.

Defender for Endpoint offers a lot in terms of visibility into the security standing of in scope, onboarded devices and subsequent actions that can be taken to remediate vulnerabilities, or immediate administrative actions for devices such as temporarily isolating the device from the network (except for the Defender for Endpoint service, and if required Outlook/Teams), collecting logs from the device, executing an anti-virus scan, speaking with a Microsoft threat expert regarding the security state of the device and much more.

This blog post will provide an overview covering an onboarded, Intune managed Windows 10 device, but Defender for Endpoint has a lot more coverage than just this scenario. There is support for Windows Server, MacOS, Android, iOS, Linux and older Windows desktop OS versions as far back as Windows 7. There are no requirements on the domain join status of the device, they can be AD domain joined, AAD joined, or independent of any organisational directory as workgroup joined devices. There are caveats and prerequisites to some of these as you’d expect, but this post will be focusing on Windows 10 specifically, and the management of a single demonstration device.

Portal

Defender for Endpoint configuration and data is available from the Microsoft 365 Defender portal at https://security.microsoft.com. The portal itself provides management and insight into much more than just the Defender for Endpoint service, but for the purpose of this blog post the focus will be Defender for Endpoint. There is a subsection specific to Defender for Endpoint under the ‘Endpoints’ section in the left hand pane.

At the ‘Device Inventory’ section there is a summary of the endpoints in scope which depending on the device discovery configuration can be either both onboarded and available to be onboarded devices, or just onboarded devices.

The following information is displayed here –

Device Name	The hostname of the device
Domain	The domain value, workgroup, or AAD join status.
Risk Level	The risk level of the device in terms of active alerts, remediation responses and so on.
Exposure Level	The current exposure level of the device in terms of how the combined state of the active alerts and overall vulnerability of the device translate to risk and impact.
OS Platform	Operating System value e.g. Windows 10, iOS etc.
Windows Version	Version of Windows currently installed e.g. 1909, 20H2, 21H1 etc. (if Windows device)
Health State	Active, Inactive or Misconfigured depending on the current state of the device.
Last device update	Time and date of the last full report received by Defender for Endpoint by the device. Expected once every 24 hours.
Tags	Tags offer a means of additionally identifying devices for the purposes of filtering.

Selecting a device via the radio button the left hand side will provide more device specific information including the following –

Administrative management options
Logged on user detail
Device specific detail
- Domain join configuration
- OS version
- Device Group membership
- Health State
- IP addresses
- AAD value
- Last seen date & time
Active Alerts

So as you can see, it gives a slightly more detailed insight into the device beyond the broader device inventory displaying all devices.

Selecting a device outside of the radio button, (for example by selecting the hostname) will take you through to a much more detailed page that will contain vast levels of detail should the device have active alerts, be considered exposed etc. If there are no active alerts, then the page will appear fairly dull and empty in presentation, but this is a good thing. Deep ambers or reds and high numbers of alerts and vulnerabilities indicate remediation is required and that the device is at risk.

No alerts –

With alerts –

From this point you can drill down deeper into the other areas for more granular detail –

Alerts
Timeline
Security Recommendations
Software Inventory
Discovered vulnerabilities
Missing KBs

Additionally you can also execute the administrative actions from here; Isolating the device, running an AV scan, threat hunting and so on.

Alerts

The Alerts section will detail any alerts relevant to the device itself, along with further detail such as –

The severity of the alert
The current status of the alert (from a Defender for Endpoint management perspective)
The date of the activity
Assignment (from a Defender for Endpoint management perspective)
The current investigation status

Selecting an individual alert expands on this further to provide additional detail and avenues for getting further insight and management options. For this example, you can see that Defender for Endpoint prevented execution of the software.

At this point action should be taken to review the content of the alert, action a suitable response to the alert e.g. classify the alert is a true or false positive, review the action (if any) that Defender for Endpoint has taken and reactively complete remediation to resolve the alert for the device in question, and all other potentially at risk devices. If necessary, further administrative action can be taken such as isolating the device, suppressing the alert and consulting a Microsoft threat expert.

Defender for Endpoint provides a large amount of detail on recommendations to resolve the issue or provide reference to 3^rd party information with reference to CVEs (Common Vulnerabilities and Exposures).

In the example here, Defender for Endpoint prevented execution of the unwanted software. Further detail and a timeline of the investigation is detailed in the ‘Investigation’, ‘Incident’ and ‘Alert’ sections with clear to view insight into the data including detail such as the user, the threat source, the time of execution and much more. Visually these are clear, well presented and easy to read, with intuitive options to look into and analyse the detail further.

Investigation –

Incident –

Alert (example taken from another incident to show the level of detail)-

Timeline

The Timeline section details events and actions from the device over a selected period of time that help to build a picture of the usage of the device and any advisories based on the action. Items logged here aren’t necessarily going to have associated alerts or malicious content, but can help to build a picture and history of events on the device and detail techniques seen elsewhere which have lead to malicious activity. The default filter with ‘Only flagged events’ set to false will show all of the following event group types –

ASR events
Alert related events
Antivirus events
Application Guard events
Device Guard events
File events
Firewall events
Network events
Other events
Process events
Registry events
Response actions events
Scheduled task events
Smart Screen events
User activity events

From the screenshot below you can see that a relatively large and detailed amount of data is collected over a short period of time that can be useful in piecing together actions that could be the basis for incidents.

Selecting any of these events will provide a complete history and timeline of the event, options to categorise the event, offer hunting for related events and recommendations including references to attack technique detail and subsequent risk information.

Security Recommendations

Included in the ‘Security Recommendations’ are items specific to the device such as software update recommendations and configuration changes. Each recommendation contains information about the associated CVEs, a description of the recommendation, affected components, known threats within the environment and administrative actions such as requesting remediation. As an administrator this flags the recommendation as requiring action to remediate against and the recommendation then has a full historical timeline until it is resolved. Similar to logging a service desk support ticket this allows you to manage the request and maintain an audit trail from request through to completion.

Items here aren’t going to be items that Defender for Endpoint can remediate, and will require other departments such as the Endpoint administrator to issue a software update, the Active Directory administrator to tweak a GPO etc.

Drilling further down into each recommendation presents additional insight such as the total number of exposed devices in the environment, associated CVEs related to the recommendation and the impact score attached to the recommendation. For example, the following screenshot details that Adobe Acrobat needs updating to resolve 65 vulnerabilities which are currently present on 51 devices out of 73 that have the software installed.

Software Inventory

The Software Inventory section is just that; it details an inventory of the software installed on the selected device. It does also include security specific information such as highlighting weaknesses and threats, the total number of devices where the application is installed and total number of exposed devices.

Additional information is displayed such as version number, detail of end of life support notices, and the subsequent upgrade requirements, such as the following Windows 10 example (Windows 10 is included in the software inventory) –

Discovered Vulnerabilities

The Discovered Vulnerabilities section details all of the known vulnerabilities in relation to the selected device. Each vulnerability has the associated CVE reference, and a large amount of detail is usually included with each vulnerability explaining the vulnerability itself, the severity, the published date, affected software, additional references, affected software and additional further insight. This information provides the administrator with all the necessary detail which could otherwise take quite some time to research and troubleshoot independently whilst also knowing that it is a recommendation not only from Microsoft, but other well respected and impartial 3^rd party security organisations.

It is not uncommon to see multiple vulnerabilities affecting the same piece of software. In the following case for example, Adobe Acrobat has 65 associated vulnerabilities of differing severity levels.

Missing KBs

The ‘Missing KBs’ section details the missing updates on the device which are causing the device to be flagged with a or multiple vulnerabilities.

Action can be taken off the back of this via the software update solution in use, such as Windows Update for Business, WSUS, or independently.

Summary

The above provides a very high level overview of Defender for Endpoint in relation to a single Windows 10, managed device but without looking at the underlying configuration, onboarding, ongoing management of alerts and additional feature availability. Onboarding a device is straight forward and is available via several different methods and configuration of the service is also relatively light, but can be more complex depending on the organisational requirements and integration with other M365 services. Automated actions are hugely beneficial and provide an enhanced level of security self management, but it’s important to note that Defender for Endpoint is not a hands off or fully autonomous solution. It does require ongoing management to get the most out of it and not addressing alerts and vulnerabilities will only lead to a less than ideal looking dashboard with potentially many thousands of alerts needing attention and most importantly, an environment with vulnerable endpoints. Where the service cannot provide automated remediation, for example updating software versions on endpoints or OS setting configuration, it presents in the information in a lot of detail, often with step by step instructions.

It is well worth the effort of conscientiously administering the solution on an ongoing basis and provides organisations with an enhanced level of security which is now considered to be 1 of the best endpoint security solutions on the market.