How to administer Microsoft Defender for Endpoint

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

[Music] microsoft 365 defender for endpoint what is it how does it work it's time to learn [Music] hi everyone ali malone microsoft mvp as well as a microsoft certified trainer welcome back to the channel um thank you so much for coming by um this time i've got a session which is a specific request from one of you guys um microsoft 365 defender for endpoint so i thought that's a good suggestion so i thought we'll take a look at it and we'll talk about exactly what it is and how it works okay now just before we start if you've not subscribed go ahead click on that subscribe button ring that bell and you won't miss out on anything in the future and as always if you've got any comments suggestions or even feedback i would love to hear about it and of course please give this a good thumbs up please like my video and please go ahead and share it okay so are we ready to begin let's learn okay so let's get started with a little tour of defender for endpoint so i'm kicking off in microsoft azure here and the first thing i'll say is if i go into the security center in microsoft azure you can see that we get a nice kind of overview of our entire organization now whether you're using microsoft 365 or microsoft azure for virtual machines containers and so on the great thing about the defender suite of protection is that it covers all of these and they fully integrate with each other's technologies so you can see down here i've got things like azure defender here so it gives me a nice kind of overview of absolutely everything now excuse me we can go into the defender dashboard here so this is the microsoft defender security center and the first thing you'll notice is that it's actually moving so it's moving uh to the microsoft 365 security center the new security portal there and if i click onto this you can see it now takes me there and now you can see that we have this additional menu in the 365 security admin center which says endpoints and you can see that pretty much everything is here uh although i will say not everything at the moment so it's kind of in transition i would say so not everything is here so i'm finding that i'm having to go back and forth a little bit between the defender security center and the new security center but as i said in time this will all of these things will move across and this portal will then be uh closed okay so what i thought we might do is take a a quick look at what we have and many of the menu options are pretty much the same so if i come down uh here into the defender admin or the endpoints area and for example go into device inventory you can see i've already gone and pre-populated a device here so i've got a a virtual machine called win1 and you can see that there's no known risks on it i can click onto this device and again if you're using intune this seamlessly will integrate into intune for things like deploying updates deploying software uninstalling and so on so you can see here that it's giving me an update it's telling me that there are currently no known risks on here um the exposure level is high so i could say well you know do i want to i could open the device page um i will manage any tags so if you're using tags to identify you know different groups of machines you can do that and i can go and hunt so if it says that there's a potential issue i can go on hunt it will take me to the advanced hunting menu and i can also if i suspect that this devices has been [Music] maliciously attacked in some way i can isolate this device and that's really nice so you can isolate the device without deleting anything and you can then study and find out what's going on with the little ellipse here as well you can also re you've got some options so for example i can restrict any applications being executed on this machine and i can uh collect an investigation package so if i want to find out more details i can initiate a response session and i can if i've got some kind of automated scripts i can go ahead and perform an automated investigation and you can see i could it will also take me to the action center as well so i can click onto the action center and it will tell me hey you know do you want to go have you done a a an antivirus scan so at the moment i'm performing an antivirus scan on this particular machine and it hasn't found anything touch wood all right so like i said that's just in the devices menu i've just put a single device in here as well and likewise if i'm monitoring any virtual networks for example in microsoft azure and you've got any kind of network devices here it will also monitor that as well all right um a common question that i get is andy how do i onboard devices well the easiest way to do this is going back into the defender security center and if i simply just scroll right down to the bottom and come into settings you can see that we've got some options here so first up then you've got things like in here it will say okay if i scroll down it says device management so for example if i click into onboard onboarding here you can see i've gone ahead already and i've onboarded one of my devices how do you want to deploy it so do you want to bring in a windows 10 device do you want to generate a script and do you want to use group policy so if you're in a hybrid mode it will show you it will take you to the group policy settings and you can configure that there if you're using a config manager current branch of course means that you're using a combination of both endpoint or in tune and configuration manager on premises and you've also got a couple of different versions of that as well um mobile device management so just purely managed machines in the cloud fantastic and again you've got vdi virtual desktop uh again for uh you've got scripts there as well and of course there are also going to be add-ons as well for the new windows 365 which is coming shortly so once you've got the script i can simply just download that script once you've run the script on that machine and you can run this little detection test and it will just double check that you've actually got the connection and that everything is fine and that's it so that's pretty much it so once you've run that script jus you just basically go and refresh this and it updates and your machine will appear here all right now um other things that we can take a look at then so um again it doesn't really matter whether i look it from here i'll tell you what i'll actually do it from the new admin center here so you can search for a particular machine here so i can search um for a specific device i can search for a file a particular user i can search for a known vulnerability so again i can search for a device and i can say you know win1 and then i can search and you can see it will locate that device and it will bring up that device information uh okay and this is very similar to the tag that i was just looking at so we can see here it tells me okay there's no i've not used any tags here at the moment unfortunately i don't have any open incidents and but you can see it gives me some information tells me that it's a 64-bit version of windows the ip address and tells me the current network activity if there are any uh uac so use it uh account access control for example um um any particular alerts on this device um any security recommendations so you can see i've got some nice security recommendations here recommending that i go ahead and update the the net framework again if i'm in outlook sorry correction in tune i can then go ahead and set that up and you can see it will then say take me to the software page and i can then pretty much just update that so you can see here i've also got a potential zero day attack okay that's not good so it tells me what is a zero day so it tells me there it's a publicly disclosed vulnerability so it's really important that you patch that and the nice thing is it really explains exactly what it is and again if you want to know more it will take you through to the links at docs.microsoft.com so it tells me what the vulnerability is and it tells me that there is an exploit a known exploit and again it tells me if there's any documentation and also again i can now go to the software page and update that and fix that problem so that's that is really nice okay so again recommendations you allows you to be proactive so here on the software inventory tab i've got a complete software inventory of all the software again that's currently running on that particular machine so again this is a great place to come and have a look and investigate a bit more just to find out if there's anything here that shouldn't be here okay then we've got the vulnerability management menu so again i can expand this menu and it shows me if i've got any potential known vulnerabilities again you also get what we call an exposure score so it looks at your organization and says okay yeah you're quite high and again it's because of that zero day uh ris that vulnerability there so immediately it's telling me hey okay what can i do how can i fix this now you also get the secure score for devices so again based on the operating system the networking applications and again it shows you the uh remediation uh activities and and it makes recommendations uh here so the recommendation of course will be to go ahead and update that zero-day vulnerability which is really important okay so remediation again takes me through to the remediation page again tells me hey if there's any remediation here that needs done or anything that you have done it will be there um a software inventory for all of your machines here of course so it shows me um the how many uh machines have actually got that um again potential vulnerabilities and potential impacts there are really important okay other thing is it also would indicate any vulnerabilities so again we get a complete library of potential vulnerabilities and again you can go into any of these and it will give you details on that vulnerability description how it would impact your organization and again then i can go to any recommendations in order to fix that potential problem that i might have um okay what else have we got here right the other things that we've got here you've also got partners so if you're working with any partner organizations you're using partner applications and there are a whole bunch of these and these seamlessly integrate into microsoft defender 365. all right now you can either just view these connectors or you can also use the api explorer as well one of the really nice the features i like as well is this is great for consultancy so again if you you know things like not just the software but also consultancy services here can be really useful as well now um again we have this in the original defender for endpoint this is great place that you can learn so we have what we call an evaluation lab and you can go ahead and you can set up a lab environment and you can say hey okay what kind of lab environment do you want to set up here so i can say yeah i want to set up for example four devices um 48 for two for a couple of days um what kind of um simulation agent is it so again you can go ahead and you can um install a an agent okay you need to accept the terms and conditions of course um so yeah i go ahead and ex you know you accept those terms and conditions and again then you'll be able to go through and do this okay so again i'll go ahead and click next and i it will then go ahead and set up a lab interface and again this is great because it gives me tutorials so it will run the simulations um it will ask me you go ahead and provision some devices and again a fantastic way to learn the product um the other thing that we've also got here as well is uh tutorials and simulations so again microsoft have you can see a back door a drop a backdoor attack we've got um an automated investigation um there's persistence methods defense evasion techniques and you can go ahead and you can get the simulation file download that simulation file and when when you open the file so if i go and say okay let's have a look at this it get not just gives you the file but it will also give you the documentation so in essence a lab guide uh to do this as well all right so definitely take a look at those tutorials and simulations they're really good okay um finally we've got the configuration manager here and this is my option if i want to go and connect to intune before you do that just make sure that you've got the appropriate licenses and also it's switched on in azure active directory if you're not sure how to do that i did a a recent video on um deploying windows 10 on intune on my youtube channel so go ahead and check that out here um we also um have so that you can see as i said that's the end point now the nice thing is that it seamlessly links in with the rest of the 365 security admin center um in a future session i'm going to cover um seams so security incident and event management with azure sentinel so watch out for that in the not too distant future as well now if you're using cloud app security also remember that this fully integrates with cloud app security as well now if i go back to the defender security admin center you can see that there are more options here now as i said um the settings are currently moving into the 365 admin center but not all of them i are there yet so personally i think you're going to be here for a little bit a little bit more time anyway okay so up here it shows me that we've got some threat analytics in here um so you know how are we where are we up to if we have any kind of known vulnerabilities such as ransomware um what kind of threats are those uh proving to have to be in our organization if we've got an alert unfortunately we don't have any alerts at the moment and of course you can uh deploy all of these threat protection you've got a whole bunch of different threat protection reportings here so things like alert trends the statuses you've got device health and also the compliance of the device so again i've just got a single device in here at the moment but you can see it's looking pretty good everything seems to be okay and unfortunately i don't have anything uh nasty there um if i did have any vulnerable devices which of course i've got one because of that zero day vulnerability um again um you can then quickly say okay i need to deal with that um again partners api same as before you've got that you've also got things like threat and vulnerability management so again you get that threat and vulnerability dashboard you get your secure score your exposure score very very similar to what i showed you in the new 365 admin center i kind of like this though because it also provides you with the kind of the top security recommendations here so it says hey you've got a zero day attack there is a software update for that so again you want to go ahead and make sure that you deploy that software update to your uh appropriate users and again you can go ahead and you can do that through in tune here so again those very same settings are in the 365 admin center as well the one thing i would say um just going into the settings here there's a lot more settings than in the 365 version of the admin center here so for for example the key things which are not in the other center yet are the onboarding scripts that i mentioned and also the off-boarding as well so if you want to take a device out or stop that device from being monitored maybe for one reason or another you're retiring that device you can do that here again just download the package run the script and it will then off board that uh device here you can also kind of uh configure things like alert suppression if you think that you're being alerted too much um there is an api so you can um enable a seam connector so you know you might say andy i'm not using the azure um event sentinel can i use a third-party one absolutely go ahead uh you can just click on that and add that in here one thing that you can also do is you can create a device group so you can see i've i've got one device group at the moment which is in there and like um for management of course you can also had have admin roles so you've got dedicated are back admin roles and you can see defender for endpoint administrator is the default role so you know you don't need to give security people you know full access you might just want to give them access for this defender admin role okay so i hope that you found this little tour interesting and there it's got you started um do remember that in terms of getting started getting help you can learn more about the 365 defender portal anything that's got a blue link will take you not just to the portal but also you've got all of those um documents so things like docs.microsoft.com so anything in here where it says learn more it will take you through to that portal and you can learn everything there so that's a great set of resources for you there so there you have it defender for endpoint which is now part of the microsoft 365 security center i really hope that you enjoyed that and you got a lot out of it of course if you've got questions i love questions so get those questions and your comments down below and i would love a big like if you wouldn't mind all right now if you've not subscribed to the channel go ahead click on that subscribe button ring that bell and you won't miss out on the good stuff in the future um if you're interested in defender for endpoint i've got some advanced topics that i'm planning in the next few weeks so watch out for that all right so in the meantime thanks so much for dropping by and i really appreciate it and you stay safe and i'll see you next time take care thanks for dropping by hope you enjoyed the video go ahead and click on the subscribe button and ring that bell and you won't miss a thing see you next time

Info

Channel: Andy Malone

Views: 717

Rating: 5 out of 5

Keywords: microsoft defender for endpoint, microsoft security, administering microsoft defender for endpoint, microsoft 365, administering microsoft 365, Andy Malone MVP, MVPBuzz, MCTBuzz, microsoft defender for endpoint deployment, microsoft defender for endpoint training, microsoft defender for endpoint tutorial, microsoft defender for endpoint demo, microsoft defender for endpoint ios, Office 365

Id: LdukNimA4r4

Channel Id: undefined

Length: 24min 30sec (1470 seconds)

Published: Fri Jul 30 2021