Mastering Microsoft 365 Defender

Book description

Get to grips with Microsoft's enterprise defense suite and its capabilities, deployments, incident response, and defense against cyber threats. Purchase of the print or Kindle book includes a free PDF ebook.

Key Features

  • Help in understanding Microsoft 365 Defender and how it is crucial for security operations
  • Implementation of the proactive security defense capabilities of Microsoft Defender for Endpoint, Identity, Office 365, and Cloud Apps so that attacks can be stopped before they start
  • A guide to hunting and responding to threats using M365D’s extended detection and response capabilities

Book Description

This book will help you get up and running with Microsoft 365 Defender and help you use the whole suite effectively.

You’ll start with a quick overview of the cybersecurity risks that modern organizations face, such as ransomware and APT attacks, and of how Microsoft is making massive investments in security today. You’ll then gain an understanding of how to deploy Microsoft Defender for Endpoint by diving deep into its configurations and architecture.

As you progress, you’ll learn how to configure Microsoft Defender Antivirus, and onboard and manage macOS, Android, and Linux MDE devices for effective solutions. You’ll also learn how to deploy Microsoft Defender for Identity and explore its different deployment methods that can protect your hybrid identity platform, as well as how to configure Microsoft Defender for Office 365 and Cloud Apps, and manage KQL queries for advanced hunting with ease. Toward the end, you’ll find out how M365D can be integrated with Sentinel and how to use APIs for incident response.

By the end of this book, you will have a deep understanding of Microsoft 365 Defender, and how to protect and respond to security threats.

What you will learn

  • Understand the threat landscape for enterprises
  • Effectively implement endpoint security
  • Manage identity and access management using Microsoft 365 Defender
  • Protect the productivity suite with Microsoft Defender for Office 365
  • Hunt for threats using Microsoft 365 Defender

Who this book is for

You’re a security engineer, incident responder, blue teamer, or an IT security professional who wants to deploy and manage Microsoft 365 Defender services and successfully investigate and respond to cyber threats. You have a basic understanding of networking, vulnerabilities, operating systems, email, Active Directory, and cloud apps.

Table of contents

  1. Mastering Microsoft 365 Defender
  2. Foreword
  3. Contributors
  4. About the authors
  5. About the reviewer
  6. Preface
    1. Who this book is for
    2. What this book covers
    3. To get the most out of this book
    4. Download the color images
    5. Conventions used
    6. Get in touch
    7. Share your thoughts
    8. Download a free PDF copy of this book
  7. Part 1: Cyber Threats and Microsoft 365 Defender
  8. Chapter 1: Microsoft and Modern Cybersecurity Threats
    1. The cybersecurity threat landscape
    2. The cyber kill chain and MITRE ATT&CK
      1. Cyber kill chain
      2. MITRE ATT&CK
    3. Microsoft and Zero Trust
      1. Microsoft as a security company
      2. Zero Trust
    4. Summary
    5. Questions
    6. Further reading
  9. Chapter 2: Microsoft 365 Defender: The Big Picture
    1. Microsoft Defender for Endpoint
      1. Endpoint protection evolves into extended detection and response
      2. Multi-platform protection
      3. Comparing MDE plans
    2. Microsoft Defender for Identity
      1. The rise and risks of Active Directory
      2. Understanding Microsoft Defender for Identity
    3. Microsoft Defender for Office 365
      1. Protection for inbound email
      2. Extended Office 365 protection
      3. Comparing MDO plans
    4. Microsoft Defender for Cloud Apps
      1. Discovery
      2. Investigation
      3. Alert and control
    5. Microsoft 365 Defender XDR – centralizing investigation and response
      1. Incidents and alerts
      2. Automated investigations
      3. Advanced hunting
      4. Threat analytics
      5. Threat Experts
    6. Summary
    7. Questions
    8. Further reading
  10. Part 2: Microsoft Defender for Endpoint
  11. Chapter 3: The Fundamentals of Microsoft Defender for Endpoint
    1. An overview of MDE deployment
      1. Onboarding
      2. Service and client settings
      3. Choosing your path
    2. Exploring the Microsoft 365 Defender portal
      1. Device Inventory
      2. Device page
      3. Advanced features
      4. Managing permissions
    3. Navigating Microsoft Intune
      1. MDE settings in Intune
      2. Security baselines
      3. Tenant settings
    4. Understanding and enabling Security Management
    5. Summary
    6. Questions
    7. Further reading
  12. Chapter 4: Onboarding Windows Clients and Servers
    1. Onboarding Windows clients
      1. Windows 7 SP1 and 8.1
    2. Onboarding Windows Server
      1. Windows Server 2008 R2
      2. Windows Server 2012 R2 and 2016
      3. Windows Server 1803, 2019, and 2022
      4. Microsoft Defender for Cloud
      5. Azure Arc
    3. Summary
    4. Questions
    5. Further reading
  13. Chapter 5: Getting Started with Microsoft Defender Antivirus for Windows
    1. Exploring MDAV interfaces
      1. Windows Security
      2. PowerShell
    2. Exploring MDAV components
      1. Scanning
      2. Remediation
      3. Exclusions
      4. Updates
    3. Summary
    4. Questions
    5. Further reading
  14. Chapter 6: Advanced Microsoft Defender Antivirus for Windows
    1. Cloud-delivered protection
    2. Block at first sight
      1. Intune
      2. Configuration Manager
      3. Group Policy
      4. Confirming BAFS is active on clients
    3. Always-on protection
    4. Potentially unwanted application protection
      1. Intune
      2. Configuration Manager
      3. Group Policy
    5. Running modes
    6. Tamper protection
    7. Ongoing management of MDAV
      1. Troubleshooting
      2. Understanding reports
    8. Summary
    9. Questions
    10. Further reading
  15. Chapter 7: Managing Attack Surface Reduction for Windows
    1. Understanding ASR rules
      1. ASR rules overview
      2. Deploying ASR rules
      3. Monitoring ASR rules
    2. Controlled folder access
      1. Deploying CFA
      2. Monitoring CFA
    3. Exploit protection
      1. Deploying exploit protection
      2. Monitoring exploit protection
    4. ASR at the network layer
      1. SmartScreen
      2. Network protection
      3. Web protection
    5. Summary
    6. Questions
    7. Further reading
  16. Chapter 8: Managing Additional Capabilities for Windows
    1. Device discovery
      1. Distributed device discovery
      2. Network device discovery
    2. Device control
      1. Before you start
      2. Removable storage access control
      3. Device installation
      4. Printer protection
    3. WFAS
      1. Recommended practices
      2. Configuring WFAS
      3. Monitoring WFAS
    4. Summary
    5. Questions
    6. Further reading
  17. Chapter 9: Onboarding and Managing macOS
    1. Onboarding macOS
      1. Intune onboarding
      2. Manual onboarding
    2. Managing macOS protection settings
      1. Understanding MDE configuration profile files
      2. Scanning and remediation
      3. Exclusions
      4. Managing updates
      5. Potentially unwanted application protection
      6. Tamper protection
      7. Device control
    3. Summary
    4. Questions
    5. Further reading
  18. Chapter 10: Onboarding and Managing Linux Servers
    1. Onboarding Linux
      1. Script onboarding
      2. Microsoft Defender for Cloud onboarding
      3. Azure Arc onboarding
    2. Managing Linux protection settings
      1. Understanding MDE configuration profile files
      2. Scanning and remediation
      3. Exclusions
      4. Managing updates
      5. PUAs
    3. Summary
    4. Questions
    5. Further reading
  19. Chapter 11: Onboarding and Managing iOS and Android
    1. Onboarding mobile devices
      1. iOS
      2. Android
    2. Working with mobile protection features
      1. Integration with app protection policies
      2. Web protection
      3. Vulnerability assessment of apps
      4. Phish and malware report privacy
    3. Summary
    4. Questions
    5. Further reading
  20. Part 3: Microsoft Defender for Identity
  21. Chapter 12: Deploying Microsoft Defender for Identity
    1. Why is MDI important?
    2. Deploying MDI
      1. Getting on-premises AD ready for MDI
      2. Configuring MDI in Microsoft 365 Defender
      3. Installing the MDI sensor
    3. Summary
    4. Questions
    5. Further reading
  22. Chapter 13: Managing Defender for Identity
    1. Implementing RBAC
      1. Leveraging PIM to govern access to MDI
    2. Managing MDI security alerts
    3. Managing MDI exclusions
    4. Introducing entity tags
      1. Configuring honeytokens
      2. Tagging sensitive accounts
    5. Managing MDI health issues
    6. Summary
    7. Questions
    8. Further reading
  23. Part 4: Microsoft Defender for Office 365
  24. Chapter 14: Deploying Exchange Online Protection
    1. Understanding the importance of EOP
    2. Understanding how EOP works
    3. Deploying EOP
      1. Managing the Allow/Block list in your tenant
      2. Managing malware policies in EOP
      3. Managing transport rules in EOP
      4. Configuring content filtering policies
    4. Summary
    5. Questions
    6. Further reading
  25. Chapter 15: Deploying Defender for Office 365
    1. What is Microsoft Defender for Office 365?
    2. Exploring the features of MDO
      1. Safe Links
      2. Safe Attachments
      3. Impersonation protection
      4. How do they all work together?
    3. Exploring preset security policies
      1. Configuring preset security policies
      2. Different settings in preset policies for EOP and MDO services
    4. Deploying custom policies in MDO
      1. Configuring the Safe Links policies
      2. Configuring Safe Attachments policies
      3. Configuring impersonation protection settings
    5. Summary
    6. Questions
    7. Further reading
  26. Part 5: Microsoft Defender for Cloud Apps
  27. Chapter 16: Implementing and Managing Microsoft Defender for Cloud Apps
    1. Exploring MDA settings
      1. Customizing system settings
      2. Customizing Information Protection settings
    2. Discovering and managing shadow IT
      1. Cloud Discovery and the Cloud App Catalog
      2. Reviewing and managing cloud app access
    3. Managing cloud apps with policies
    4. Governing OAuth apps
      1. Managing OAuth apps and policies
      2. App governance
    5. Summary
    6. Questions
    7. Further reading
  28. Part 6: Proactive Security and Incident Response
  29. Chapter 17: Maintaining Security Hygiene and Threat Awareness
    1. Introducing Secure Score
      1. Understanding the score
      2. Improving the score
    2. Exploring the basics of MDVM
    3. Understanding your MDVM inventories
      1. Exploring software inventories
      2. Exploring browser extension inventories
      3. Exploring certificate inventories
    4. Establishing compliance with security baseline assessments
    5. Addressing security vulnerabilities and recommendations
      1. Identifying vulnerabilities and recommendations
      2. Managing security recommendations
    6. Using Threat Analytics
    7. Summary
    8. Questions
    9. Further reading
  30. Chapter 18: Extended Detection and Response with Microsoft 365 Defender
    1. Introducing XDR
    2. How M365D works as an XDR
    3. Understanding incident response and management
      1. Responding to incidents in M365D
      2. Managing AIR
      3. Managing automated attack disruption
    4. Real-time response with device, file, and user actions
      1. Device response actions
      2. File response actions
      3. Stop and Quarantine
      4. Add Indicator
      5. Download file
      6. Submit for deep analysis
      7. User response actions
      8. Confirm user compromised
      9. Suspend user in AAD and Suspend user in AD
      10. Force password reset
      11. Require user to sign in again
    5. How does M365D differ from a traditional SIEM or niche SOAR solution?
    6. Summary
    7. Questions
    8. Further reading
  31. Chapter 19: Advanced Hunting with KQL
    1. Understanding advanced hunting
      1. Why hunt when we can use automation?
      2. Best practices for advanced hunting
    2. Constructing KQL queries to hunt
    3. Creating custom detections
    4. Summary
    5. Questions
    6. Further reading
  32. Chapter 20: Microsoft Sentinel Integration
    1. Understanding Microsoft 365 Defender’s relationship with Sentinel
    2. Connecting Microsoft 365 Defender to Sentinel
      1. Using incidents and alerts
      2. Using advanced hunting data
      3. Enabling the UEBA feature
    3. Summary
    4. Questions
    5. Further reading
  33. Chapter 21: Understanding Microsoft 365 Defender APIs
    1. Making sense of the different APIs
      1. Microsoft Graph security API
      2. Microsoft 365 Defender APIs
      3. Microsoft Defender for Endpoint APIs
      4. Microsoft Defender for Cloud Apps API
      5. Office 365 Management Activity API
    2. Accessing the APIs
      1. Creating an app registration for API access
      2. Using the app registration for API access
    3. Summary
    4. Challenges
    5. Further reading
  34. Part 7: Glossary and Answers
  35. Chapter 22: Glossary
  36. Chapter 23: Answers
    1. Chapter 1
    2. Chapter 2
    3. Chapter 3
    4. Chapter 4
    5. Chapter 5
    6. Chapter 6
    7. Chapter 7
    8. Chapter 8
    9. Chapter 9
    10. Chapter 10
    11. Chapter 11
    12. Chapter 12
    13. Chapter 13
    14. Chapter 14
    15. Chapter 15
    16. Chapter 16
    17. Chapter 17
    18. Chapter 18
    19. Chapter 19
    20. Chapter 20
  37. Index
    1. Why subscribe?
  38. Other Books You May Enjoy
    1. Packt is searching for authors like you
    2. Share your thoughts
    3. Download a free PDF copy of this book

Product information

  • Title: Mastering Microsoft 365 Defender
  • Author(s): Ru Campbell, Viktor Hedberg
  • Release date: July 2023
  • Publisher(s): Packt Publishing
  • ISBN: 9781803241708