Microsoft Security SC-200 Practice Test Questions and Answers, Microsoft Security SC-200 Exam Dumps - PrepAway
Mitigate threats using Microsoft Defender for Endpoint
5. Perform actions on a device
And welcome back to my course, Microsoft Security Operations Analyst SC 200. Now, in this lesson, we'll talk about the actions you can perform on a device while investigating an incident. So, first, when you investigate a device, you can collect data from it and respond to threats on it. I've summarized the actions you can take to contain an attack and, of course, to run an investigation on a device. So, in Microsoft Defender for Endpoint, you can perform the following containment actions: isolate the device, restrict app execution, and run an antivirus scan. You can also perform investigation actions: initiate an automated investigation, collect an investigation package, and initiate a live response session. We'll get to the last two shortly. But first of all, let's talk about containment.
The first containment action isolates the device. So, depending on the severity of the attack and the sensitivity of the device, you may want to disconnect it from the network. This helps prevent the attacker from controlling the compromised device and performing further activities such as moving data or moving laterally. The device isolation feature disconnects the compromised device from the network while maintaining connectivity to the Defender for Endpoint service, which continues to monitor the device. On Windows 10, version 1709 and later, you have another level of control: selective isolation, which keeps Outlook, Microsoft Teams, and Skype for Business connectivity while the rest of the device is isolated. Once you have selected Isolate device from the device page, you need to type a comment and confirm the action. Then the action will appear in the Action Center.
When a device is isolated, a notification appears informing the user that the device is no longer connected to the network. The next containment action is Restrict app execution. In addition to containing an attack by stopping malicious processes, you can also lock down the device and prevent potentially malicious programs from running. This action is available on Windows 10 devices running version 1709 or later. Your organization must use Microsoft Defender Antivirus as the active antivirus solution, so there is no other option, and it must meet the Windows Defender Application Control code integrity and signing requirements, because the restriction works by applying a code integrity policy so that only trusted, signed applications are allowed to run. Once the restriction is in place, the device page will show that app restrictions apply, and you can lift the restriction with the same action. Let us now proceed to the final containment action, which is, of course, running an antivirus scan. When you initiate it, you actually start a Microsoft Defender Antivirus scan on the device itself. Now for the investigation actions. Initiate automated investigation does exactly what it says: it launches an automated investigation on that particular device. Next is collecting an investigation package; let me change the slide. So as part of the investigation or response process, you can collect an investigation package from a device. By collecting the package, you can identify the device's current state and understand the tools or techniques used by the attacker. These are the steps for creating an investigation package: from the device page, you select Collect investigation package.
You specify a comment explaining why you want to collect the package, confirm the action, and finally you download the package file, which contains the files collected in this investigation. So what does this investigation package actually contain? First and foremost, it contains the Autoruns folder. Autoruns is a collection of files that each represent the registry content of a known auto start entry point (ASEP).
The basic commands listed below are similar to Windows commands. The advanced command set is more powerful and enables actions such as downloading files, uploading scripts, running scripts, and performing remediation actions. Now, when you get a file from a device, the getfile command gets the file, but be aware of the following limitations: the getfile limit is 3 GB, the fileinfo limit is 10 GB, and the library limit is 250 MB. You can, of course, download the file in the background. You can put a file in the library by uploading it, and I'm going to show you in the portal how you can do that, because you might want to run a custom script in your live response session. And you, of course, need to have the ability to actually upload the script and then run it at any time.
You can cancel a command by pressing Control C, exactly like in the command prompt or Windows PowerShell. You can automatically run prerequisite commands by using, for example, the auto parameter. And of course, here are some example commands, like the help command, which presents you with basically all of the commands available. Again, when applying parameters to a command, parameters are handled based on a fixed order: first parameter one, then parameter two. These are just some guidelines for using the live response session that you might want to go through. Now again, here are some command examples. For example, if you want to analyse a file, you would use the analyze command, and here is an example of how to use it for a malware.txt file on the user's desktop. And then you can analyse processes as well, not just files, and these are again just some example commands. You will have links to documentation with all the necessary details for live response commands in the resource files for this particular lesson. And now that we've talked about this, let's talk about the limitations that you have during a live response session. So there are some limitations, and these are the ones.
So live response is limited to ten live response sessions at a time. Large-scale execution commands are not supported. The live response timeout value is five minutes. So if you're inactive for five minutes during the live response session, you will be disconnected. A user can only initiate one session at a time. A device can only be in one session at a time. Very important. And we've talked about the limits of 3 GB for getting files, 10 GB for file info, and 250 MB for the library. That being said, let's get into the portal, and let me show you how to initiate a live response session before concluding this lesson. So here we are on the device inventory page. But first of all, let me show you where you need to enable the live response feature. So again, going back to Settings and Endpoints, we need to go to the advanced features over here, and as you can see, this one shows live response and live response for servers. You need to enable live response, and optionally, of course, if you have onboarded servers in your environment,
you also might want to enable the live response for servers feature, and the one we talked about, which is optional, live response for unsigned scripts. This enables you to use unsigned PowerShell scripts, like scripts created by you that you might want to run against specific devices during the live response session. So let's get back to our device inventory over here. Let's select our "win one" machine. And once the machine page loads up, you can go to these three dots over here and initiate a live response session. Once I click on this, depending on your network, it will take some time to load. As I mentioned during the slide, it will take some time for the live response session to load up. Here we go. It is connecting. And this is the live response dashboard. So from here, you can see some device details. You can see all of the device details by clicking on this button, and you can also disconnect the session. You can upload a file to the library. So this is the one I was talking about. So you might need to upload a custom PowerShell script to run it in this console here. So this is what you use.
You choose the file and upload it to the library. Now, this is where you type your commands, the ones that I've left you in the tables over there and for which you'll have links to further documentation. I will only type one single command here, and that is the help command, to see what commands we have available. So here we go. We have all of these commands available, right? And of course, in the command log over here, you can actually see what is happening during the live response session or what has happened during the live response session. You can click on the circle to see more details about the actual log. Going back to the console, this is what I wanted to show you: how to actually initiate a live response session on a device. I'm going to disconnect the session for now, confirm this, and, of course, this also concludes our lesson. I'm going to see everyone in the next one, where we'll discuss performing evidence and entity investigations. Until then, I hope this has been informative for you.
6. Perform evidence and entities investigations
And welcome back to my course, Microsoft Security Operations Analyst SC 200. In this short lesson, we are going to discuss evidence and entity investigations. Of course, Microsoft Defender for Endpoint provides information about forensic artefacts found in the environment. There are specific, separate entity pages for files, user accounts, IP addresses, and domains.
And we will go through each of these in a moment. Now you can investigate the details of the file associated with a specific alert, behavior, or event. Let's say that you might want to help determine if the file exhibits malicious activities or if you want to identify the attack motivation or understand the potential scope of the breach. Now this is what the file entity page looks like, but it is better that we go through these in the actual portal of Microsoft 365 Defender. So let me hop on the portal over here, and let's go to our Win One machine. And first of all, if we want to quickly get to a file, we will probably do this from the alerts themselves. So let's just pick a file over here, let's say this one, and if we go to the alert, we click on the file here, and we click on the Open File page.
Now on the file page, first of all, as you can see, we have the details of the file: the name over here, the hashes, and the file signers if there are any. Again, it was categorised as malware, and this is where you can see the details in regard to the detection of this malware. Now, over on the right-hand side, we have several tabs, starting with an overview of the file. So there are two active alerts and one incident in regards to this file, and the malware detection status. It also provides us with a VirusTotal report indicating that this particular file has been identified as malware by VirusTotal as well. The file prevalence is, as you can see, present in zero email inboxes, on one device in the organisation, and on one device worldwide. Now, this is because we only have one device in the organization. Now over onto the Alerts tab. This will provide a list of alerts that are associated with this specific file. As you can see, in our case we have two alerts, and this list covers much of the same information as the alert queue, right? except for the device group that the affected device belongs to, if that's applicable, that is, if the device belongs to a specific device group. The Observed in organization tab allows you to specify a date range over here, so you can select 30 days, one week, or a custom range and see which devices have been observed having this particular file on them. Now, this tab will show a maximum of 100 devices. To see all the devices with the file, you can export the list to CSV from over here.
Then you will see all the devices that have this file. Now the Deep analysis tab, in our case, says that the file is not supported, but for supported files, this basically allows you to submit the file for deep analysis to uncover more details about the file's behaviour and its effect, let's say, within the organization. After you submit the file, the deep analysis report will appear in this tab. So it will be available over here, and of course you can investigate the report for further details. Now again, on the File names tab, the last tab over here, we have basically the names under which the file has been observed within your organisation, because it might be the same file with the same hash but with a different name. Think of a file that comes from, let's say, an email attachment, a phishing email attachment or a malware email attachment: it might have different names, but if it's the same file, it will have the same hash. Now let's go to the user account investigation.
So if I just go back to the machine, my machine is over here, and if I check on the logged-on users, let's say I want to investigate the user admin. So we will click on this link and be taken to the user entity page. Now here you can find a dashboard and an alert queue that's over here. And as you can see, there are basically 23 alerts that have to do with this particular account, the admin account that we've selected. And of course, all of these alerts are clickable. So it will take you to the alert itself. And then we have the user details, the user summary over here on the left-hand side, like what incidents or alerts this user was part of, and then the user exposure. And let me just click out of this user exposure. When was the user first seen? When was the user last seen? The log-on type specifies the number of devices that this particular user has logged on to. And if we click here, we will be taken to the Win One device page, right, with the same account name and the actual security identifier of the user, the SID, right? Then the same thing applies to the IP address. So if I just quickly go back on my Windows machine over here, probably in the timeline of the machine, we will probably see an event that has an IP address associated with it. So, for example, let's wait for this to load up.
It should be done fairly quickly. Okay, so here we go. Let's take this one as an example. So Teams established a connection with this particular IP address. So if I click on this particular event, we can click the hyperlink that will take us directly to the IP address entity page. And here we can open the IP address page from this button over here at the top, and once this opens, okay, it opens. We are taken again to the IP entity overview. Right here we can see things like where the IP has been observed worldwide, when it has been observed, the reverse DNS name, and alerts related to this IP. Of course, there are no alerts related to this IP observed in the organization. And of course it's been observed only on one device, because I have only one device onboarded in this trial tenant. And on the left-hand side, again, we have information about the IP address, open incidents and open alerts for the organization that the IP address pertains to, right, the ASN, the country, the region, and, of course, the geolocation of the IP address. So as you can see, this is the IP address page. And of course, this is a Microsoft IP address. It does not have to do with anything, let's say, malicious. But if it were a known bad IP address, you would have more information over here. Directly from this page, you can add this IP address as an indicator to allow it or block it on all of the devices in your organization, or just on certain groups of devices.
And for our last topic here in our lesson, let's see how we can investigate a domain. So let me just get back to the timeline and find another network event that has to do with a domain. Let's just wait for these events to load up. So let's select this one, for example, and of course, let's say presenceteams.Microsoft.com, this would be the domain. So if you click on the hyperlink and again open the URL page, we will be taken to this domain's entity page, which I'm not sure why it doesn't want to open. Here we go again: an overview of where it has been observed in your organization, one device or more devices worldwide, and an overview of the alerts that this domain is related to. None, of course. The Observed in organization tab again gives us the particular event and the device on which this domain has been observed. And on the right-hand side, again, we have some information about the domain. It depends on the domain, because you might find various details on this left-hand side tab.
What's cool about this is that it integrates directly with WHOIS. So if I would like to see what this domain is and who it pertains to, we will just click on this link, and this will open up the WHOIS information. As you can see, the registrar, the DNS servers, the domain administrators, the network, and every piece of information that is available in WHOIS is just a click away, directly from the domain entity investigation page. So that being said, guys, this concludes the discussion for this lesson. I will see you in the next one, where we'll discuss configuring and managing automation in Microsoft Defender for Endpoint. Until then, of course, I hope this has been informative for you, and I thank you.
7. Configure and manage automation
And welcome back to my course, Microsoft Security Operations Analyst SC 200. In this lesson, we are going to discuss configuring and managing automation and what each level of automation means in Microsoft Defender for Endpoint. So again, in the Defender for Endpoint portal, in the Settings area, you can select the advanced features, and then you can start configuring. The advanced features related to automation are Automated Investigation, Enable EDR in block mode,
Automatically resolve alerts, and Allow or block files. Now again, pause the video, take a look at the description of each and every one of these features, and in the meantime, I will hop on the portal and we'll talk about each of them. So yeah, let me just get out of this. In the Settings area, under Endpoints, if we go to the advanced features, the first one to enable would be Automated Investigation. Now, you turn on this feature to basically take advantage of the automated investigation and remediation features of the service, and it is highly recommended to turn it on. Then you have another feature called "automatically resolve alerts." Now, this is basically on by default for tenants that were created after Windows 10, version 1809.
This feature is configured by default to resolve alerts where the automated analysis result has a status of "no threats found" or "remediated." If you don't want alerts to be automatically resolved, you will need to turn off the feature manually. Now, the result of the auto-resolve action may influence the device's risk level calculation, which is based on the active alerts found on the device. If a security operations analyst manually sets the status of an alert to "in progress" or "resolved," the auto-resolve capability will not overwrite it. Then again, we have the feature of allowing or blocking files, so let me just find that one. Here we go. Allow or block files. Now, blocking is only available if your organisation fulfils these requirements: it uses Microsoft Defender Antivirus as the active anti-malware solution, and the cloud-based protection feature is enabled. If your organisation uses another third-party antivirus solution, this feature will not work.
Now again, this feature enables you to block potentially malicious files in your network, and blocking a file will prevent it from being read, written, or executed on devices in your organization. After turning on this feature, you can block files via the Add Indicators tab on the file's profile page, as we've discussed in the previous lesson. Now let's talk about managing automation upload and folder settings. In Manage automation uploads, basically, you can first enable the file content analysis capability so that certain files and email attachments can automatically be uploaded to the cloud for additional inspection in automated investigations. And you can do that by going here to the settings for the automation uploads. Now, you identify the files and email attachments by specifying the file extension names and email attachment extension names. As you can see here, the feature is on, and there are extensions specified here in the field below.
So, for example, if you add .exe and .bat files as file or attachment extension names, then all files or attachments with those extension names will be automatically sent to the cloud for additional inspection during automated investigations. Then you also have the option to enable memory content analysis. This capability means that, if you would like, Microsoft Defender for Endpoint can automatically investigate the memory content of processes; when enabled, memory content might be uploaded to Microsoft Defender for Endpoint during an automated investigation. Of course, for these capabilities, you also have the option to add file extension or attachment extension names in this option. And if we hover the mouse over the information icon over there, it gives you a pretty good explanation of the feature, right? Then you can also manage folder exclusions or file extension exclusions. So here in Automation folder exclusions, basically, you are allowed to specify folders that automated investigation will skip. You can control the following attributes about the folder that you'd like to skip: the folder, the file extensions, and the file names, right? And you can do that by clicking "New folder exclusion." You can either specify a folder over here, specify an extension in the folder which can be skipped, or specify a file name.
You give this folder a description, and you click on Save. And then this folder will be skipped in automated investigation. And this is it in regards to the automated investigation upload and exclusion settings. Now, going further with our topics in the lesson, let's talk about configuring automated investigation and remediation, right? So first of all, you can do that by going to device groups, and I've already shown you in a previous lesson how to create a device group and set the remediation level. But if I just click on this device group, you can see that we can set these remediation levels for this device group, meaning for all the devices that are members of this device group. So let's talk about what each remediation level does. So the first one, "Semi - require approval for any remediation," also referred to as semi-automation, requires approval for any folders. So with this one, basically, approval is required for any kind of remediation action; pending actions can be viewed in the Action Center and can be approved, of course. Now, "Semi - require approval for non-temp folders remediation" requires approval for files that are not in temporary folders. This type of remediation is also known as semi-automation. And with this level of semi-automation, basically, approval is required for any remediation actions needed on files or executables that are not in temporary folders.
Now, temporary folders include folders like users' AppData, Documents and Settings, the Windows temp folder, and users' Downloads folders, but don't worry, you'll have a link in the resource file for this lesson in which you'll find details of what those non-temporary folders are and what basically Microsoft Defender for Endpoint considers as a known temporary folder. Then the next one, "Semi - require approval for core folders remediation," requires approval for core folders. And here, with this level of semi-automation, approval is required for any remediation actions that are needed on files or executables that are in the core folders. Core folders include the operating system directories, such as Windows, and remediation actions can be taken automatically on files or executables that are in other folders, the non-core folders, right? And of course, the pending actions for files and executables in the core folders can be viewed and approved in the Action Center under the Pending tab.
And then you have the level "Full - remediate threats automatically." And with this full automation, remediation actions are performed automatically, and the remediation actions that were taken can be viewed in the Action Center on the History tab if necessary, of course. Now, that being said, let's get back to the slides and talk about blocking devices at risk, because you also have this particular option; let me change the slide. You also have the option to block devices at risk. Basically, devices that contain a threat are prevented from accessing your corporate resources through a combination of Intune and Azure AD conditional access. So what you'll need to do is follow these steps over here.
They're pretty simple. First of all, you need to turn on the Microsoft Intune connection in Microsoft 365 Defender. Then you need to turn on the Defender for Endpoint integration in Endpoint Manager. Then you need to create a compliance policy in Intune, which basically says that if a device's risk score, based on the Microsoft Defender for Endpoint score, is at a certain threshold, let's say medium and above, like medium and high, right? Then you deny that device access to your corporate resources. Then you have to assign that policy to all of the devices in your organization, or just to a scope of devices, right? And then create a Conditional Access policy in Azure AD that basically blocks access to certain applications or resources, or to all resources in the organization, for those risky devices. You will have a link with documentation in regards to a step-by-step tutorial on how to block at-risk devices. This concludes the discussion for this lesson. I am going to see everyone in the next one, where we'll discuss configuring alerts and detections. Until then, I hope this has been informative for you.
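As an added illustration of the remediation levels and automation folder exclusions described in this lesson, the following Python model decides, for a device group's level and a file path, whether a remediation action runs automatically (Action Center History tab), waits for approval (Pending tab), or is skipped because an exclusion covers the file. This is example code written for this page, not the course's or Microsoft's; the core and temporary folder lists are constructed assumptions standing in for the documented lists the lesson links to.

```python
"""Added example: a small model of Defender for Endpoint remediation levels.

Not the course's or Microsoft's code. Folder lists are constructed assumptions
standing in for the documented core/temporary folder lists.
"""
from dataclasses import dataclass
from enum import Enum
from pathlib import PureWindowsPath
from typing import Iterable, Tuple


class RemediationLevel(Enum):
    """Automation levels a device group can be set to, as named in the lesson."""
    SEMI_ANY = "Semi - require approval for any remediation"
    SEMI_NON_TEMP = "Semi - require approval for non-temp folders remediation"
    SEMI_CORE = "Semi - require approval for core folders remediation"
    FULL = "Full - remediate threats automatically"


# Assumed folder classification (illustrative, not Microsoft's exact lists).
CORE_FOLDER_PREFIXES = ("c:\\windows\\",)
TEMP_FOLDER_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\local settings\\temp\\",
    "\\windows\\temp\\",
    "\\downloads\\",
)


def _folder_of(path: str) -> str:
    """Lower-cased folder part of a Windows path, with a trailing backslash."""
    return str(PureWindowsPath(path).parent).lower().rstrip("\\") + "\\"


def classify_folder(path: str) -> str:
    """Return 'temp', 'core' or 'other' for the folder containing *path*.

    Temporary folders are checked first so that C:\\Windows\\Temp counts as
    temporary even though it sits under the core Windows directory.
    """
    folder = _folder_of(path)
    if any(marker in folder for marker in TEMP_FOLDER_MARKERS):
        return "temp"
    if folder.startswith(CORE_FOLDER_PREFIXES):
        return "core"
    return "other"


def requires_approval(level: RemediationLevel, path: str) -> bool:
    """Does a remediation on *path* wait in the Action Center's Pending tab?"""
    kind = classify_folder(path)
    if level is RemediationLevel.FULL:
        return False
    if level is RemediationLevel.SEMI_ANY:
        return True
    if level is RemediationLevel.SEMI_NON_TEMP:
        return kind != "temp"
    return kind == "core"  # RemediationLevel.SEMI_CORE


@dataclass(frozen=True)
class FolderExclusion:
    """An automation folder exclusion: a folder, optionally narrowed by file
    extensions and/or file names (an empty tuple means 'any')."""
    folder: str
    extensions: Tuple[str, ...] = ()
    file_names: Tuple[str, ...] = ()

    def covers(self, path: str) -> bool:
        p = PureWindowsPath(path)
        folder = str(PureWindowsPath(self.folder)).lower().rstrip("\\") + "\\"
        if not _folder_of(path).startswith(folder):
            return False
        if self.extensions and p.suffix.lower() not in {e.lower() for e in self.extensions}:
            return False
        if self.file_names and p.name.lower() not in {n.lower() for n in self.file_names}:
            return False
        return True


def plan_remediation(level: RemediationLevel, path: str,
                     exclusions: Iterable[FolderExclusion] = ()) -> str:
    """Where a proposed remediation of *path* ends up under the given level."""
    if any(ex.covers(path) for ex in exclusions):
        return "skipped (automation folder exclusion)"
    if requires_approval(level, path):
        return "Action Center: Pending (approval required)"
    return "Action Center: History (remediated automatically)"


if __name__ == "__main__":
    # Constructed sample paths and exclusion for illustration.
    excl = [FolderExclusion(r"C:\Apps\Legacy", extensions=(".dll",))]
    for p in (r"C:\Windows\System32\evil.exe", r"C:\Users\alice\Downloads\invoice.exe",
              r"C:\Apps\Legacy\plugin.dll", r"D:\Tools\tool.exe"):
        print(f"{p:45} -> {plan_remediation(RemediationLevel.SEMI_CORE, p, excl)}")
```

Running the block with the `SEMI_CORE` level shows the split the lesson describes: the file under `C:\Windows` waits for approval, the downloaded file and the tool on `D:` are remediated automatically, and the `.dll` under the excluded folder is never touched by automated investigation.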
8. Configure alerts and detections
Hello everyone, and welcome back to my course, Security Operations Analyst SC 200. Now, Microsoft Defender for Endpoint provides configuration options for alerts and detections, and these configuration options include notifications, custom indicators, features, and detection rules. And these are what we are going to discuss in this particular lesson. So first of all, the advanced features page in the general area of the settings for endpoints in the Microsoft 365 Defender portal, the one I've just shown you a couple of times in the previous lessons, provides the following alert- and detection-related settings. So let me just bring up my pen over here. Some of them we've already discussed and shown, like the live response feature. And of course, you turn on this one to be able to start live response sessions on devices. And we've talked about live response for unsigned script execution. And here again, we've discussed it: it basically allows you to upload custom scripts and be able to run them on devices during the live response sessions.
Custom network indicators: turning on this feature allows you to create indicators for IP addresses, domains, or URLs that determine whether they will be allowed or blocked based on your custom indicator list, and we are going to get into that a little bit later in the lesson. Additional advanced features that you can configure include turning on Microsoft Defender for Identity integration, integrating with Office 365 Threat Intelligence, turning on Microsoft Defender for Cloud Apps integration, turning on the Microsoft Intune connection, and turning on Microsoft Secure Score. Please pause the video for a moment and go through each of these capabilities and see what they do in the description over here. Right, so we will get into our next section, where we'll discuss configuring email notifications. Of course, in Defender for Endpoint, you can configure sending email notifications to specified recipients for new alerts. And this feature enables you to identify a group of individuals who will immediately be informed and can take action on those alerts based on their severity. You can specify an email address like a shared mailbox for your security operations team or a distribution list for your security operations team.
Now let's get into the portal, and let me show you how you would create an email notification rule. So back here, let's go to Settings again, all the way to the bottom, and for Endpoints, and here you have the email notifications tab, where you can add an item. This is for alerts; this is for vulnerabilities, and we'll talk about that one when we get to it. So for alerts, you can add an item, and you can call this whatever you like: a test rule. You can include the organisation name in the email; you can include an organisation-specific portal link in the email; and you can also include the device information from the alert in the email. Now, you can notify for alerts on all devices or only for alerts on the selected device groups. And if we tick this here, you can select the group to which you want the notifications to apply. We want to be notified on all devices, and we want to receive email notifications for alerts of severity medium, low, and high. So we don't want the informational alerts via email. Now, by clicking on Next, you select the recipients, like an admin mailbox at test.com, for example, an email address that exists in your organisation. And then you can click on "Add" and save the rule. And then every alert with a severity of low, medium, or high will be sent via email to this email address. I'm not going to create the rule because this email address doesn't exist, but I just want to show you how you can do it.
Now let's talk about managing alert suppression, because there might be scenarios where you need to suppress alerts from appearing in the portal. You can create suppression rules for specific alerts known to be false positives, for example, or expected behaviour and such. Basically, you might have alerts that involve known tools or known processes in your organization, and you might want to suppress those alerts. Well, let's see how we can do that. First of all, we need to go to the alert itself. So let me go to the alert queue over here and let's select an alert. Let's say this test alert over here, right? Once we do this, by clicking on the three dots over here, we can create a suppression rule. So we select an indicator of compromise from the alert. This alert has two files, as you can see, two exe files. Let's say that we don't want alerts regarding this one to come up again. It automatically fills in the file name, the folder path, and the hash of the file. You can hide the alert or resolve the alert. Let's say you want to resolve the alert. You can suppress alerts only on the device that the alert came from, on any device in the organization, or on a specific device group, and the suppression will be applied only to devices that are members of that group. Now, you can name your suppression rule and click Save to basically create your suppression rule. I'm not going to save this one; I just wanted to show you how to do it.
And then for all the rules in your organization, you can see them by going to Settings again, endpoints, and going all the way down to alert suppression over here, where you would see a list of your suppression rules. And of course, you will be able to disable them, delete them, or amend them in any way you see necessary. Now, indicators and how to manage them well, indicators of compromise basically are indicators like IPS, URLs, file names, and domains that are basically known to be bad or known to be good. And you might want to allow them or block them on the devices in your organization. Currently, indicators of compromise come from different sources. like the cloud detection engine of Microsoft Defender for Endpoint, like the Endpoint Prevention Engine or the Automated Investigation and Remediation Engine.
Now, where can we find these indicators? Well, under Settings, Endpoints, and Indicators, we can find the indicator file. Indicators IP addresses, indicators URLs, domains, or certificates Let's say I want to block a specific IP address from an alert because I know it's a bad IP address. We will click on "Add Item." Over here. We would specify the address, for example, right? Then we have the option to specify if this indicator will expire, and we can set a custom date. And then the indicator will be off, so nothing will be blocked or allowed anymore. But we want this indicator to never expire this indicator. We would click on "next," and we would select "action" so we could allow this IP address. We can audit this IP address so we can just receive alerts in regards to this IP address. We can learn when a connection to this IP address is seen on any device in our organization, or we can block execution for this IP address.
Again. Learn audit and allow words. We have the option to generate an alert or just check it through the Microsoft Center for Endpoint Locks. Again, we want to block execution and generate an alert. We would give an alert name, such as "test indicator" or "alert." Here we go. We specify the severity of the alert. We can categorise suspicious activity like command and control, and we can select a mitre technique if we want. But, of course, that's optional. Then we would need to set the scope. Let me select, for example, protocol tunneling. Okay, the recommended action would be to, let's say, investigate the alert. Here we go. Then we would specify the scope of the alert and a summary. Of course. Again, I'm not sure why, because probably the alert is, let's say, 192-168-0223, right? Okay, never expire. Let's block with Generate alert, Alerttitle, Test, Block Indicator, then a Priority of Highly Recommended Actions, Suspicious Activity, Command and Control, Miter Technique. This one. And of course, it doesn't let me go further because I don't actually have the network protection feature enabled on my devices, which is a prerequisite for using the IP or URL indicators for them to be blocked.
But again, you will have a link in the documentation files in regards to this, where you'll see step-by-step instructions on how to manage the indicators, how to use the indicators, and the prerequisites necessary in order for the indicators to work. Because if we go to the file indicators, for example, if we add an item, we specify a file hash and we specify an action block, Allow, Learn, or Audit. We specify a scope, like all devices in the organisation or only a group of devices in the organization. But this actually doesn't block files if you don't have the allow block file. advanced feature, enabling Microsoft Defender for endpoints. Now, for any of these types of indicators, you can add them manually or you can import them from a CSV. You can download the CSV sample from over here to see what the headers of the CSV would look like. You would put your indicators in a CSV. You would choose the file and then import the indicators. So this is about indicators. And this also concludes the discussion for this particular lesson. I'm going to see you in the next lesson, where we'll discuss a little bit about utilising the threat and vulnerability management capabilities of Microsoft Defender for Endpoint. Until then, I hope this has been informative for you, which I thank you for.
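The portal only rejects a bad indicator after you have filled in the whole form, and a CSV import gives you even less feedback, so it is worth validating indicators before creating them. The following is an added example in Python, not code from the course or from Microsoft; it assumes the field names and allowed values of the public Defender for Endpoint Indicators API (indicatorValue, indicatorType, action, expirationTime, rbacGroupNames, generateAlert and so on), and the enabled_features dictionary is something you fill in yourself from the Advanced features page, not something it reads from the tenant. It normalises each indicator value, builds the request body, treats an expired indicator as off, and reports which of the two prerequisites mentioned in this lesson are still missing. Nothing is sent anywhere.

```python
"""Validate and build Microsoft Defender for Endpoint custom indicators offline.

Added example (not from the course). Field names follow the public Defender
for Endpoint Indicators API (POST https://api.securitycenter.microsoft.com/api/indicators);
assumption: the accepted type/action/severity values are the ones listed below.
Nothing is sent; payloads are only built and checked.
"""
import ipaddress
import re
from datetime import datetime, timedelta, timezone

INDICATOR_TYPES = {"FileSha1", "FileSha256", "FileMd5", "CertificateThumbprint",
                   "IpAddress", "DomainName", "Url"}
ACTIONS = {"Allowed", "Audit", "Warn", "Block", "BlockAndRemediate",
           "Alert", "AlertAndBlock"}
SEVERITIES = {"Informational", "Low", "Medium", "High"}
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"

_HASH_LEN = {"FileMd5": 32, "FileSha1": 40, "FileSha256": 64,
             "CertificateThumbprint": 40}
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_DOMAIN_RE = re.compile(rf"^(?=.{{1,253}}$){_LABEL}(\.{_LABEL})+$")


def normalize(indicator_type: str, value: str) -> str:
    """Return the canonical form of an indicator value, or raise ValueError.

    Catches the usual copy/paste mistakes before a broken indicator is created:
    a hash of the wrong length, an 'IP' that is not one (192-168-0223),
    a bare host name with no TLD, a URL without a scheme.
    """
    if indicator_type not in INDICATOR_TYPES:
        raise ValueError(f"unknown indicator type {indicator_type!r}")
    value = value.strip()
    if indicator_type in _HASH_LEN:
        v = value.lower()
        if not re.fullmatch(rf"[0-9a-f]{{{_HASH_LEN[indicator_type]}}}", v):
            raise ValueError(f"{indicator_type} needs {_HASH_LEN[indicator_type]} hex characters")
        return v
    if indicator_type == "IpAddress":
        return str(ipaddress.ip_address(value))  # ValueError on anything that is not an IP
    if indicator_type == "DomainName":
        v = value.lower().rstrip(".")
        if not _DOMAIN_RE.match(v):
            raise ValueError(f"not a valid domain name: {value!r}")
        return v
    if not re.fullmatch(r"https?://\S+", value, re.IGNORECASE):  # Url
        raise ValueError(f"URL indicators need an http(s) scheme: {value!r}")
    return value


def build_indicator(indicator_type, value, action, title, *, severity="Medium",
                    description="", recommended_actions="", expires_in_days=None,
                    generate_alert=None, rbac_group_names=(), now=None):
    """Build the request body for one indicator.

    expirationTime is omitted for 'never expire'. generate_alert defaults to True
    for everything except Allowed, mirroring the portal's 'Generate alert' toggle.
    An empty rbacGroupNames means all devices; names scope it to device groups.
    """
    if action not in ACTIONS:
        raise ValueError(f"unknown action {action!r}")
    if severity not in SEVERITIES:
        raise ValueError(f"unknown severity {severity!r}")
    if generate_alert is None:
        generate_alert = action != "Allowed"
    body = {
        "indicatorValue": normalize(indicator_type, value),
        "indicatorType": indicator_type,
        "action": action,
        "title": title,
        "severity": severity,
        "description": description or title,
        "recommendedActions": recommended_actions,
        "generateAlert": generate_alert,
        "rbacGroupNames": list(rbac_group_names),
    }
    if expires_in_days is not None:
        now = now or datetime.now(timezone.utc)
        body["expirationTime"] = (now + timedelta(days=expires_in_days)).strftime(TIME_FMT)
    return body


def is_active(indicator, now=None):
    """False once expirationTime has passed: an expired indicator blocks or allows nothing."""
    exp = indicator.get("expirationTime")
    if exp is None:
        return True
    now = now or datetime.now(timezone.utc)
    return datetime.strptime(exp, TIME_FMT).replace(tzinfo=timezone.utc) > now


def missing_prerequisites(indicator, enabled_features):
    """List the tenant settings from the lesson that this indicator still needs.

    enabled_features is a constructed dict such as {"network_protection": True,
    "allow_or_block_file": False}; assumption: you fill it in from the portal's
    Advanced features page, there is no API call here.
    """
    needed = []
    kind = indicator["indicatorType"]
    if kind in {"IpAddress", "DomainName", "Url"} and not enabled_features.get("network_protection"):
        needed.append("network protection enabled on the devices")
    if (kind in {"FileMd5", "FileSha1", "FileSha256"}
            and indicator["action"] in {"Allowed", "Block", "BlockAndRemediate", "Warn"}
            and not enabled_features.get("allow_or_block_file")):
        needed.append("'Allow or block file' advanced feature")
    return needed


if __name__ == "__main__":
    ioc = build_indicator("IpAddress", "192.168.0.223", "Block", "Test block indicator",
                          severity="High", recommended_actions="Investigate the alert")
    print(ioc, is_active(ioc), missing_prerequisites(ioc, {}))
```

Run it as-is to see the body the lesson's IP indicator would produce; in practice you would feed the returned dictionary to the Indicators API with your own authenticated client, or write the same fields into the CSV template downloaded from the portal, after checking that missing_prerequisites returns an empty list for your tenant.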
9. Threat and Vulnerability Management
And welcome back to my course, Microsoft Security Operations Analyst SC-200. In this lesson we are going to talk about the threat and vulnerability management capabilities in Microsoft Defender for Endpoint. These capabilities discover vulnerable and misconfigured devices based on known attack vectors and software vulnerabilities. Effectively identifying, assessing and remediating endpoint weaknesses is pivotal to running a healthy security programme and reducing organisational risk.
Threat and vulnerability management serves as an infrastructure for reducing organisational exposure, hardening endpoint surface areas and increasing organisational resilience. It discovers vulnerabilities and misconfigurations in real time with the built-in sensors, without the need for additional agents or periodic scans, and it prioritises vulnerabilities based on the threat landscape, detections in your organisation, sensitive information on vulnerable devices and, of course, the business context. First, let's talk about bridging your workflow gaps, and let me bring up my panel here. Threat and vulnerability management is built in, real time and cloud powered in Microsoft Defender for Endpoint.
It's fully integrated into the service, with the Microsoft Intelligent Security Graph and the application analytics knowledge base. Microsoft describes it as the industry's first solution to bridge the gap between security administration and IT administration: during remediation you can create a security task or ticket through the integration with Microsoft Intune and Microsoft Endpoint Configuration Manager. Next is real-time discovery of endpoint vulnerabilities and misconfigurations. Threat and vulnerability management uses the same agentless, built-in Defender for Endpoint sensors, so it avoids cumbersome network scans and their overhead, and it gives you a real-time device inventory, visibility into software and vulnerabilities, application runtime context and configuration posture. It also has intelligence-driven prioritisation.
This means threat and vulnerability management helps organisations prioritise and focus on the weaknesses that pose the most urgent and highest risk. It fuses security recommendations with dynamic threat and business context. It exposes emerging attacks in the wild, dynamically aligning the prioritisation of security recommendations to focus on vulnerabilities currently being exploited and on emerging threats that pose the highest risk. It pinpoints active breaches, correlating vulnerability management and EDR insights to prioritise vulnerabilities being exploited in an active breach within the organisation. It protects high-value assets, identifying exposed devices with business-critical applications, confidential data or high-value users, depending on how Microsoft Defender for Endpoint is configured. It also enables seamless remediation: security administrators and IT administrators collaborate to remediate issues, and a remediation request is sent to IT.
You can create a remediation task in Microsoft Intune from a specific security recommendation, and this capability is planned to be expanded to other IT security management platforms. You also get alternate mitigations, which are insights into additional mitigations such as configuration changes that reduce the risk associated with a software vulnerability, and real-time remediation status, which is real-time monitoring of the status and progress of remediation activities across the organisation. Now let's look at what we can find in the vulnerability management area of Microsoft Defender for Endpoint. For that I'm going back to the portal to expand the Vulnerability management area over here. First we have the dashboard, which presents an overview of the solution: the exposure score, the Microsoft Secure Score for Devices, exposure distribution, remediation activities and so on. We won't see much data here because this is a trial tenant with a single device onboarded, but let's go further and talk about some of these options, or blades, or tabs, whatever you want to call them, under Vulnerability management.
First we have the software inventory, which opens with a list of the software installed in your network, including the vendor name, weaknesses found in that software, threats associated with them, exposed devices, impact, exposure score and tags, if there are any; as you can see we don't have any here. You can filter this list by weaknesses found, associated threats or tags, if you run a tagging programme. Then we have the Weaknesses tab, a list of the software vulnerabilities your devices are exposed to, listing the CVE ID of each vulnerability, CVE-2022-21898 for example, the severity, the CVSS score, the prevalence in your organisation, and more information such as corresponding breaches and threat insights. The event timeline is basically a risk news feed that helps you interpret how risk is introduced into the organisation.
Through new vulnerabilities or exploits, you can view events that may impact your organisation's risk: new vulnerabilities that were introduced, vulnerabilities that became exploitable, exploits added to an exploit kit, and more. Again, there's not much data here because there's only one device onboarded in this tenant. You can also see a vulnerability report: if we scroll down to the Reports section of Microsoft 365 Defender and look under Endpoints, there is a report called Vulnerable devices. This report gives you device vulnerability severity levels over time, exploit availability over time, device vulnerability age over time, vulnerable devices by operating system, vulnerable devices by Windows 10 or 11 version over time, the status of the devices with vulnerabilities, and lots more.
We don't have much data to work with here, but don't worry: in the labs, from Section 2 to the end of the course, you onboard Windows devices, a Windows server and two Linux machines in your environment, and as data starts to flow in you will see more data and more relevant information, and it will make more and more sense. Now let's talk about the threat analytics part of Microsoft Defender for Endpoint. For that I'll go back to the slides and quickly scroll through them, and talk about tracking emerging threats with the threat analytics capability. With more sophisticated adversaries and new threats emerging frequently, it's critical to be able to quickly assess the impact of new threats, review your resilience against or exposure to them, and identify the actions you can take to stop or contain them.
Threat analytics is a set of reports from expert Microsoft security researchers covering the most relevant threats, including active threat actors and their campaigns, popular and new attack techniques, critical vulnerabilities, common attack surfaces and prevalent malware. Each report provides a detailed analysis of a threat and extensive guidance on how to defend against it. It also incorporates data from your network, indicating whether the threat is active and whether you are exposed to it. Let me get back in the portal and go into Threat analytics over here to see what we can find. From the top we have the latest threats in the threat landscape, high-impact threats and highest-exposure threats, and below that a list of threats by threat level, exposure and impacted assets. You can see whether you have devices vulnerable to a particular threat, and whether there are impacted assets or alerts; if I scroll down a little, against this particular ransomware threat we have two alerts. Now let's click on this threat, which is the same one listed up here.
We are presented with the threat report. There's an overview with a description of the threat and what it does, whether you have alerts, impacted devices or incidents in your environment related to this threat, and the exposure level. The analyst report is a very detailed report on this particular threat; I'll scroll through it so you can see the depth it goes into, with further links to documentation and, further down, advanced hunting queries for this threat written by Microsoft experts or by the community. Again, there's lots of information. The Related incidents tab shows the incident in our environment related to this threat, and Impacted assets shows which assets are impacted. Prevented email attempts shows nothing, because we don't have any email in this environment. Exposure and mitigations lists the devices exposed to this threat and the secure configuration.
These are the security recommendations and the vulnerabilities found on this particular device. Please feel free to look through the threats that look interesting to you and go through the reports as I showed you; you can find a lot of information on any particular threat in the threat analytics part of Microsoft Defender for Endpoint. That concludes our discussion for this lesson, and it also concludes this section. At the end of each section of the course you have a quiz with questions meant to test your knowledge of the topics discussed, and you also have a hands-on lab. I strongly suggest you complete the hands-on lab at the end of each section, because it takes you through the topics and tools learned throughout the section and gives you the opportunity to actually configure and work with those tools. So again, I strongly recommend that you do the lab. I'll see everyone in the next section, where we'll start discussing the Azure side of things, and specifically we'll start with Microsoft Defender for Cloud. Until then, as always, I hope this has been informative for you, and I thank you.