General Hints
If the browser is not displaying what you expect then make sure you refresh the entire browser window (Ctrl+F5). The Sentinel pages, in particular, seem bad at refreshing.
Have you tried turning it off and on again? :-)
Lab Hints
Restarting
After restoring saved labs, restart all of the Arc-connected machines.
Azure Pass
When setting up the Azure Pass:
• Enter your country.
• Enter your actual name (the web page says that the name "MOD Administrator" is not valid).
• Enter your actual phone number, just in case MFA requires it.
• Enter the MOD Administrator account (admin@wwlx##.onmicrosoft.com) in the email address for important notifications field.
• Leave the GST number blank.
• Enter a valid street address (for example the street address of the Auldhouse branch where you are attending this course).
Office Professional reactivation
Do this at the start of the course, on WIN1 and on WIN2.
1. Run Windows Explorer. Navigate to
C:\Program Files (x86)\Microsoft Office\Office16
2. Right-click OSPPREARM.EXE, choose Run as administrator.
3. Select Yes at the UAC prompt.
Learning Path 1: Mitigate threats using Microsoft 365 Defender
Note that these learning path numbers and titles might not appear in the learn.microsoft.com content. It seems that Microsoft have two different paths to get to learning content, and the two are inconsistent.
I've included the titles and numbers in this document to help me deliver the course, since the learning paths are each a separate PPT slide deck.
Module: Introduction to Microsoft 365 threat protection
General Notes
What is XDR?
https://www.microsoft.com/en-us/security/business/security-101/what-is-xdr
What is an incident?
https://learn.microsoft.com/en-us/microsoft-365/security/defender/incidents-overview?view=o365-worldwide
The names of the Defender products don’t make a lot of sense.
https://craigb-mct.blogspot.com/2022/03/microsoft-defender.html
Note that Microsoft Defender for Endpoint is singular, not "Microsoft Defender for Endpoints" as is used several times in this course.
TODO: What does the line colour in the Microsoft Sentinel investigation graph denote?
Many features require auditing to be turned on.
https://learn.microsoft.com/en-us/microsoft-365/compliance/turn-audit-log-search-on-or-off?view=o365-worldwide
Commonly Confused
Workbook: an interactive report/dashboard built from queries (Azure Monitor workbooks).
Playbook: an automated response to something (usually an incident or an alert). They are Logic App workflows.
Notebook: a Jupyter Notebook that queries the Log Analytics workspace, running on Azure Machine Learning (or Azure Synapse for large-scale jobs).
Analytics (rules): the scheduled, NRT, Fusion and Microsoft-security rules that run over the workspace data and raise alerts; the alerts are then grouped into incidents.
Guided demonstration
https://aka.ms/M365Defender-InteractiveGuide
Azure Lighthouse
What is Azure Lighthouse? - Azure Lighthouse | Microsoft Learn
Azure Lighthouse | Microsoft Azure
Note that Azure Lighthouse is free. :-)
Module: Mitigate incidents using Microsoft 365 Defender
Use the Microsoft 365 Defender portal
Investigate Azure AD sign-in logs
To see the SigninLogs table in Sentinel, you need to send the Azure AD diagnostic data to your Log Analytics workspace (Azure Active Directory portal > Diagnostic settings > Add diagnostic setting).
Module: Protect your identities with Azure AD Identity Protection
Detect risks with Azure AD Identity Protection policies
You can’t have multiples of the risk policies. For example, you can’t have two or more sign-in risk policies. The three policies (MFA registration, sign-in risk, user risk) are the defaults. For more granular policies use Conditional Access (Azure Active Directory portal > Security > Conditional Access).
Module: Remediate risks with Microsoft Defender for Office 365
This module gives the impression that MDO is just for email. It’s not - it also applies to documents stored in SharePoint (which includes OneDrive for Business and Teams). Some of its protection also applies to locally-running Office apps on Windows, iOS, and Android devices.
Microsoft’s getting started guide breaks MDO down into four main chunks. The "anti" stuff (anti-malware, anti-phishing, anti-spam, etc), the "safe" stuff (safe links, safe attachments), the workload stuff (SPO, OneDrive, Teams), and zero-hour auto purge.
Guided demonstration
Module: Safeguard your environment with Microsoft Defender for Identity
Microsoft Defender for Cloud Apps integrates with Microsoft Defender for Identity to provide user entity behavioral analytics (UEBA) across a hybrid environment.
https://learn.microsoft.com/en-us/defender-cloud-apps/tutorial-ueba
Review compromised accounts or data
The Cyber Kill Chain model, developed by Lockheed Martin, has 7 phases: reconnaissance, weaponization, delivery, exploitation, installation, command and control (C2), and actions on objectives.
https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
https://www.sans.org/blog/cyber-kill-chain-mitre-attack-purple-team/ for a discussion of several models, including MITRE ATT&CK.
The MITRE tactics are used in Microsoft Sentinel, for example in scheduled rules.
Guided demonstration
https://aka.ms/MSDefenderforIdentity-IG
Module: Secure your cloud apps and services with Microsoft Defender for Cloud Apps
Three parts: Discover, Investigate, Control. These are separate parts of the classic portal.
Note that as well as integrating with Defender for Endpoint to block unsanctioned apps, Defender can generate block scripts for firewalls.
Guided demonstration
https://aka.ms/DetectThreats-ManageAlerts-MCAS_InteractiveGuide
Module: Respond to data loss prevention alerts using Microsoft 365
Module: Manage insider risk in Microsoft Purview
Non-IT People
The point of the Insider Risk Management Analysts and Insider Risk Management Investigators roles is that non-IT and/or non-admin accounts will be assigned those roles. For example, HR/Personnel people, Legal people, Security people.
Typo
Replace
"Two of the insider risk management templates have dependencies that must be configured…"
with
"All of the insider risk management templates have dependencies that must be configured…"
Demo Hint
Do the "Explore how to minimize internal risks interactive" guide.
Guided demonstration
https://mslearn.cloudguides.com/guides/Minimize%20internal%20risks%20with%20insider%20risk%20management%20in%20Microsoft%20365 (note that this uses the old portal)
Learning Path 2: Mitigate threats using Microsoft Defender for Endpoint
Module: Protect against threats with Microsoft Defender for Endpoint
Defender for Endpoint (often abbreviated MDE) is not just antimalware. It also does inventory and patch management, process and dll monitoring, and more, all under the general topic of reducing the surface area of attack. There is a sizeable AI/ML system behind it all.
Review questions
I’m not sure I’d use the word "proactive" when describing hunting. We can’t query things that haven’t happened yet. Microsoft are using it in the same sense as "proactive problem management" in ITIL4 - finding the security issue before any threat actors actually exploit it.
Module: Deploy the Microsoft Defender for Endpoint environment
It all starts with onboarding.
Onboard devices
The data storage location can be seen in Defender portal: Settings > Microsoft 365 Defender > Account. It cannot be changed.
The data retention cannot be changed.
https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide#how-long-will-microsoft-store-my-data-what-is-microsofts-data-retention-policy
Microsoft 365 Defender preview features can be seen and enabled/disabled in Defender portal: Settings > Microsoft 365 Defender > Preview features. MDE features are in Defender portal: Settings > Endpoints > General section > Advanced features.
"The Microsoft Defender for Endpoint sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender for Endpoint service." This is set up on the client, by GPO or scripts or other management tool.
Module: Implement Windows security enhancements with Microsoft Defender for Endpoint
Module: Perform device investigations in Microsoft Defender for Endpoint
Module: Perform actions on a device using Microsoft Defender for Endpoint
mpcmdrun.exe command-line tool
Initiate live response session
Note that Live Response is not a cmd, powershell, or pwsh shell - it is its own shell. It can, however, run PowerShell scripts via its library.
Module: Perform evidence and entities investigations using Microsoft Defender for Endpoint
Module: Configure and manage automation using Microsoft Defender for Endpoint
Module: Configure for alerts and detections in Microsoft Defender for Endpoint
Module: Utilize Vulnerability Management in Microsoft Defender for Endpoint
Learning Path 2 - Lab 1
The big steps in this lab often confuse people.
You must create security groups (not M365 groups) and assign roles to these.
You also must create device groups. These are for scoping rules and for levels of automatic response.
A device is a member of only one device group (the Rank controls this). Annoyingly, the "preview" of a group does not honour the rank.
Learning Path 3: Mitigate threats using Microsoft Defender for Cloud
What is CSPM?
Cloud security posture management (CSPM) identifies and remediates risk by automating visibility, uninterrupted monitoring, threat detection, and remediation workflows to search for misconfigurations across diverse cloud environments/infrastructure…
Delivery Hints
Might need to teach/refresh Management Group, Subscription, Resource Group, Resource here.
Might need to teach/refresh what a Log Analytics Workspace is. "A place where logs land and you can run queries against."
Might need to teach/refresh here what Azure Arc is, though it is covered in the module Connect non-Azure resources to Microsoft Defender for Cloud.
Module: Plan for cloud workload protections using Microsoft Defender for Cloud
Module: Connect Azure assets to Microsoft Defender for Cloud
Auto provisioning is now found in Defender Plans, the Settings link in the Monitoring coverage column.
Module: Connect non-Azure resources to Microsoft Defender for Cloud
Module: Manage your cloud security posture management
Module: Explain cloud workload protections in Microsoft Defender for Cloud
Module: Remediate security alerts using Microsoft Defender for Cloud
Learning Path 3 - Lab 1 - Exercise 1 - Enable Microsoft Defender for Cloud
Lab Steps
Please do:
Learning Path 3 - Lab 1 - Exercise 1 - Enable Microsoft Defender for Cloud
- Task 1: Access the Azure portal and set up a Subscription
- Task 2: Create a Log Analytics Workspace
- Task 3: Enable Microsoft Defender for Cloud
Then:
Learning Path 5 - Lab 1 - Exercise 1 - Configure your Microsoft Sentinel environment
- Task 1: Initialize the Microsoft Sentinel Workspace using the *same* Log Analytics Workspace you created above
Then:
Open the Entra admin center (entra.microsoft.com). In the Identity section of the menu, choose Monitoring & Health > Diagnostic settings.
Select +Add diagnostic setting.
Give the setting a name, select all the checkboxes on the left, send the data to the Log Analytics workspace you created above.
Then:
Learning Path 3 - Lab 1 - Exercise 1 - Enable Microsoft Defender for Cloud
- Task 4 onwards
Learning Path 3 - Lab 1 - Exercise 2 - Mitigate threats using Microsoft Defender for Cloud
- All tasks
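Once the steps above are done, this query (an added example, not part of the lab) confirms that the Entra ID diagnostic setting is actually delivering data to the workspace, one row per table, and how far behind ingestion is. The table list is the set of Entra ID categories that can be ticked in the diagnostic setting; isfuzzy=true stops the query erroring on any table that has not received data yet.

```kql
// Added example, not from the lab. Entra ID logs can take 15+ minutes to show up after the
// diagnostic setting is created, so an empty table right after the step is not necessarily a fault.
union withsource = SourceTable isfuzzy = true
    SigninLogs, AuditLogs, AADNonInteractiveUserSignInLogs, AADServicePrincipalSignInLogs,
    AADManagedIdentitySignInLogs, AADProvisioningLogs, AADRiskyUsers, AADUserRiskEvents
| where TimeGenerated > ago(1d)
| summarize Rows      = count(),
            Latest    = max(TimeGenerated),
            // ingestion_time() is when Log Analytics received the row; the gap is the pipeline delay
            IngestLag = max(ingestion_time() - TimeGenerated)
        by SourceTable
| order by SourceTable asc
```

A category that was ticked but never shows a row after an hour usually means the setting was created on the wrong tenant or points at a different workspace than the one Sentinel was enabled on.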
Bonus Activities
Create an Azure virtual machine and/or an Azure SQL Server and protect it using Defender for Cloud.
Learning Path 4: Create queries for Microsoft Sentinel using Kusto Query Language (KQL)
Delivery Hints
Stress that KQL is used throughout Microsoft Azure (Azure Monitor / Log Analytics, Azure Data Explorer, Resource Graph, Defender advanced hunting). This course can give the (incorrect) impression that it is just for Microsoft Sentinel.
KQL is the query language for Azure Data Explorer, "a fast, fully managed data analytics service for real-time analysis on large volumes of data streaming from applications, websites, IoT devices, and more."
Note that some of the examples, especially in the lab, are way too complex for an intro class.
Demo
Get the students to load the demo (https://aka.ms/lademo, does require a signin) before the lecture, that way they can run the code in the modules.
Module: Construct KQL statements for Microsoft Sentinel
Links
https://learn.microsoft.com/en-us/azure/sentinel/kusto-overview
https://ds.squaredup.com/blog/kusto-101-a-jumpstart-guide-to-kql/
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/datatypes-string-operators
Case-sensitivity
== is case-sensitive equality
=~ is case-insensitive equality
!= is case-sensitive inequality
!~ is case-insensitive inequality
Annoyingly, operators like contains, has, startswith and endswith are case-insensitive; the case-sensitive versions are contains_cs, has_cs, startswith_cs and endswith_cs. Likewise in is case-sensitive and in~ is not.
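The following is an added example (not from the course or its labs) that runs three constructed rows through the operators above so the differences are visible side by side. datatable() embeds the sample data, so it runs in any workspace, including the https://aka.ms/lademo one, without ingesting anything; the UPNs and command lines are made up.

```kql
// Added example, not from the course. Constructed rows: note the case differences between rows 1 and 2.
let Sample = datatable(UserPrincipalName:string, CommandLine:string)
[
    "Alice@Contoso.com", "PowerShell.exe -File setup.ps1",
    "alice@contoso.com", "powershell.exe -File setup.ps1",
    "bob@contoso.com",   "cmd.exe /c whoami"
];
Sample
| extend
    // == and != compare the exact characters; =~ and !~ ignore case
    EqExact   = UserPrincipalName == "alice@contoso.com",   // row 2 only
    EqIgnore  = UserPrincipalName =~ "alice@contoso.com",   // rows 1 and 2
    // contains / has / startswith / endswith ignore case by default ...
    HasPwsh   = CommandLine has "powershell",               // rows 1 and 2
    // ... and the _cs forms are the case-sensitive ones
    HasPwshCs = CommandLine has_cs "PowerShell",            // row 1 only
    // in is case-sensitive, in~ is not
    InList    = UserPrincipalName in~ ("ALICE@CONTOSO.COM", "bob@contoso.com")  // all three rows
| project UserPrincipalName, CommandLine, EqExact, EqIgnore, HasPwsh, HasPwshCs, InList
```

Two practical consequences: prefer has over contains when you are matching a whole term (has uses the term index and is much cheaper), and remember that join and summarize keys are compared case-sensitively, so normalise hostnames and UPNs with tolower() on both sides before joining.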
Include/Exclude
Click the > symbol in the result list to expand a row's columns, then right-click a value to include or exclude it (which adds a where clause to the statement).
More generally, that > symbol is really useful because a lot of columns in Sentinel have dynamic content and/or JSON sub-attributes, which the > expands for you (using parse_json()).
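What the expander does for you interactively is worth being able to write by hand, because the saved query has to do it without the UI. The block below is an added example (not from the course) using a constructed row shaped like SecurityAlert, where the Entities column arrives as a JSON string rather than a dynamic value and therefore needs parse_json() before dot-notation works; the alert names, hosts and accounts are made up.

```kql
// Added example, not from the course. Constructed SecurityAlert-like rows; Entities is a JSON string.
let Alerts = datatable(AlertName:string, Severity:string, Entities:string)
[
    "Suspicious PowerShell", "Medium",
        '[{"$id":"1","Type":"host","HostName":"WIN1"},{"$id":"2","Type":"account","Name":"alice","NTDomain":"CONTOSO"},{"$id":"3","Type":"process","CommandLine":"powershell.exe -File setup.ps1"}]',
    "Mass download", "Low",
        '[{"$id":"1","Type":"host","HostName":"WIN2"},{"$id":"2","Type":"account","Name":"bob","NTDomain":"CONTOSO"}]'
];
Alerts
| extend E = parse_json(Entities)          // string -> dynamic (an array of entity objects)
| mv-expand E                              // one row per entity
| extend EntityType = tostring(E.Type)     // dot-notation now works; tostring() because E.Type is dynamic
| where EntityType != "process"            // the line right-click > Exclude would have added for you
| summarize Hosts    = make_set_if(tostring(E.HostName), EntityType == "host"),
            Accounts = make_set_if(strcat(tostring(E.NTDomain), '\\', tostring(E.Name)), EntityType == "account")
        by AlertName, Severity
```

On a real SecurityAlert row the same pattern applies to ExtendedProperties, which is also a JSON string; on SigninLogs the LocationDetails and DeviceDetail columns are already dynamic, so parse_json() is unnecessary there and you can use LocationDetails.countryOrRegion directly.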
Saved Queries
https://learn.microsoft.com/en-us/azure/azure-monitor/logs/query-packs
Module: Analyze query results using KQL
Module: Build multi-table statements using KQL
Module: Work with data in Microsoft Sentinel using Kusto Query Language
Learning Path 4 - Lab 1 - Exercise 1 - Create queries for Microsoft Sentinel using Kusto Query Language (KQL)
Task 2
https://learn.microsoft.com/en-us/azure/data-explorer/kusto/query/searchoperator
Task 6
Some people, when confronted with a problem, think "I know, I’ll use regular expressions." Now they have two problems.
Jamie Zawinski
Learning Path 5: Configure your Microsoft Sentinel environment
A lot of marketing about Microsoft Sentinel… :-)
Module: Introduction to Microsoft Sentinel
Module: Create and manage Microsoft Sentinel workspaces
Module: Query logs in Microsoft Sentinel
Module: Use watchlists in Microsoft Sentinel
The lab is not kidding when it says watchlists take 10 minutes or more to actually load after you have imported the csv file.
let clienthostnames = (
    _GetWatchlist("clientcomputers")
    | project CompromisedEntity = tolower(Hostname)      // Hostname is the column from the lab's CSV
);
SecurityAlert
// join keys are compared case-sensitively, so lowercase the alert side as well as the watchlist side
| extend CompromisedEntity = tolower(CompromisedEntity)
| join kind=inner clienthostnames on CompromisedEntity
Module: Utilize threat intelligence in Microsoft Sentinel
Learning Path 6: Connect logs to Microsoft Sentinel
Module: Connect data to Microsoft Sentinel using data connectors
Module: Connect Microsoft services to Microsoft Sentinel
Module: Connect Microsoft 365 Defender to Microsoft Sentinel
Plan for Microsoft 365 Defender connectors
I have no idea what a legacy connector is or why it is important. Oh, wait, yes I do - it is explained 4 pages after this one.
Module: Connect Windows hosts to Microsoft Sentinel
Module: Connect Common Event Format logs to Microsoft Sentinel
Module: Connect syslog data sources to Microsoft Sentinel
Module: Connect threat indicators to Microsoft Sentinel
Learning Path 7: Create detections and perform investigations using Microsoft Sentinel
Module: Threat detection with Microsoft Sentinel analytics
Types of analytics rules
For a more comprehensive (and up to date) list of connectors required for Fusion, see https://learn.microsoft.com/en-us/azure/sentinel/fusion.
Manage analytics rules
I don’t understand question 2. Surely the most efficient way to edit a rule is to, you know, edit it?
Module: Automation in Microsoft Sentinel
Module: Threat response with Microsoft Sentinel playbooks
Module: Security incident management in Microsoft Sentinel
Module: Identify threats with Behavioral Analytics
Module: Data normalization in Microsoft Sentinel
Module: Query, visualize, and monitor data in Microsoft Sentinel
This module seems like just a review of the last three days.
Monitor and visualize data
Question 1 is wrong. Query Explorer no longer exists.
Module: Manage content in Microsoft Sentinel
Learning Path 7 - Lab 1
Delivery Hint
Long lab. 11 exercises.
Learning Path 7 - Lab 1 - Exercise 2 - Create a Playbook
Lab Hints
Task 2, Step 11. Double check that you are installing the alert triggered playbook, not the incident triggered one.
Learning Path 8: Perform threat hunting in Microsoft Sentinel
Module: Explain threat hunting concepts in Microsoft Sentinel
Module: Threat hunting with Microsoft Sentinel
Module: Use Search jobs in Microsoft Sentinel
Delivery Hint
Demo this! The saving of searches is not obvious because the Search Mode slider is hidden behind an ellipsis.
Module: Hunt for threats using notebooks in Microsoft Sentinel
Delivery Hint
Probably have to briefly teach Jupyter Notebooks, Azure Machine Learning, Synapse Workspaces, Apache Spark, etc.
Learning Path 8 - Lab 1 - Exercise 2 - Threat Hunting using Notebooks with Microsoft Sentinel
Delivery Hint
Do this as instructor-led lab or demo. Note that this Notebook hasn’t been updated in a while.
Delivery Hints
Demo Setup
Before the start of the course, do labs 1 through 3 so there are some alerts and incidents to show off.
Maybe connect AzureAD to the LAW so that you can demo the SigninLogs table (used in the Intro to KQL page).
Timing
From Marie’s teach: Module 1 on day 1. Modules 2 and 3 on day 2, with perhaps starting module 4 (we didn’t start M4 because we had a student leave really early on Tuesday). Modules 4, 5 and 6 on day 3. Modules 7 and 8 on day 4. Marie said this is not a time-crunched course, nice to have a chance to breathe while teaching.
Of course, now that Microsoft have rearranged it again, who the heck knows…
Ways to cause security events
(From Marie’s teach.)
- Attempt to download the EICAR test virus
- Run the Defender PowerShell script
- Install the TOR browser, then log in to Office / Azure through it
- Pick a user, log in with the wrong password many times
- Pick a user, and in Azure AD edit properties and set "Block sign in" (disabled sign-ins)
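To confirm the sign-in items in that list actually produced records before the class starts, the query below (an added example, not from the course or Marie's material) summarises the failed sign-ins per user and reason. It needs SigninLogs in the workspace, i.e. the Entra ID diagnostic setting from the lab; the threshold of five attempts is an assumption to pick out the "wrong password many times" user.

```kql
// Added example, not from the course.
// Entra ID sign-in error codes used here: 50126 = invalid username or password,
// 50057 = user account disabled, 50053 = account locked after repeated failures.
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType in ("50126", "50057", "50053")
| extend Reason = case(ResultType == "50126", "bad password",
                       ResultType == "50057", "account disabled",
                       "account locked")
| summarize Attempts  = count(),
            FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            SourceIPs = make_set(IPAddress, 10),
            Apps      = make_set(AppDisplayName, 10)
        by UserPrincipalName, Reason
// a burst of bad passwords, or any attempt at all against a disabled/locked account
| where Attempts >= 5 or Reason != "bad password"
| order by Attempts desc
```

The TOR sign-in surfaces separately, as an Identity Protection risk detection (RiskEventType "anonymizedIPAddress" in AADUserRiskEvents), and the EICAR download as a Defender for Endpoint alert in SecurityAlert once the MDE connector is on.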
Lab Setup & Onboarding Summary
Virtual Machines
- LIN1 - Ubuntu
- LIN2 - Ubuntu
- WINServer - Windows Server 2019 Datacenter
- WIN1 - Windows 10 Enterprise
- WIN2 - Windows 10 Enterprise
All are Workgroup members.
LP 2 - Lab 1 - Ex 1
Defender for Endpoint:
Onboard WIN1 using a downloaded package.
LP 3 - Lab 1 - Ex 1
Defender for Cloud:
Create a Log Analytics Workspace.
Enable Defender for Cloud on the subscription and the LA Workspace.
At this time, leave auto-provisioning off.
Azure Arc:
Onboard WINSERVER.
Defender for Cloud:
Onboard WINSERVER, connect it to the LA Workspace.
LP 6 - Lab 1 - Exercise 1
Sentinel
Create connectors to Azure AD and Defender products.
LP 6 - Lab 1 - Exercise 2
Create an Azure VM called AZWIN01.
Azure Arc:
Onboard WIN2.
Sentinel:
Create connectors from AZWIN01 and WIN2.
LP 6 - Lab 1 - Exercise 3
Sentinel:
Create connectors from LIN1 and LIN2.