If you are looking for a new EDR solution, Microsoft Defender for Endpoint (MDE) should be on your shortlist. This post focuses on some of the best features that Defender for Endpoint offers, and when combined with Defender for Identity, the security correlation data is turbocharged.
In addition, while there used to be a significant feature difference between Server 2019 vs. 2016 and 2012R2, I can vouch that this feature gap has been significantly improved with the new Unified Agent (Released October 2021).
1. Fast Complex Searches in Advanced Hunting
If you have something you are trying to find, there probably is a way to search it in Advanced Hunting. The query language takes just a few minutes to learn and is so much easier than most other query languages I have used previously. In addition, there are many example queries on GitHub and in the community list within the MDE tool.
What I love the most is how quickly these results return when performing any search. It is wicked fast, and I appreciate that immensely. In addition, you can use wildcards, conduct complex investigations, and it remains fast, which makes it even better. I have often tried using wildcard-based searches in other tools only to find out it does not work, it is slow, ends up crashing the server, or only works in specific when using the API. MDE can handle all of this with ease.
If advanced hunting is not your style, do not worry; there is also a search feature that allows you to find the basics such as computer name, file-name (or hash), URL, and IP.
Find where users accounts are logging in as Local Admin
Find users/machines that have connected to any URL that contains “box.ne”
Find all the machines where a particular .config file was created by a process called setup.exe
2. Native Log Correlation & Identity Security Posture
If you have the Microsoft Defender for Identity license, make sure you take advantage of this functionality. Install the identity agent on all Domain Controllers and ADFS (Active Directory Federated Services) servers. This Agent with the MDE agent will automatically push event logs, authentication requests, and other types of information directly into the Security Console. While you still have to ensure your servers generate the necessary events, all of this data will be correlated automatically and appear in various consoles once completed.
Microsoft security teams are constantly adding new features and detections which can help improve and identify ways to harden the environment. This information will feed the Defender Console, Azure Active Directory, Defender for Identity, and Defender for Cloud App Security services. You can quickly go down different threat paths from one lead, which improves the time to resolution of the investigation process. For us, this has reduced the number of tools we need to access from several to just two. All the information you are looking for is accessible with just a few clicks. Since Microsoft owns the ecosystem, all the integrations work out of the box, and there is no need to create any custom integrations. The power of the MDE platform correlates all this data automatically. Why would you want to do this any other way?
Microsoft Defender for Cloud Apps (Identity Security Posture)
As with any report you should check the systems and test prior to modifying any systems
3. Auto Remediation & Automated Response Actions
There are several advanced features in which MDE will take action and surface the details of what the user behavior or malware did that is suspicious or malicious. Such actions include file modifications, registry events, user actions, and a lot more. Not only will MDE take action, but it will pull all of the artifact details around the action as well. It essentially filters out those items which reduce the amount of work required during the investigation process. You can still go down these different leads, but the important artifacts of the initial threat are highlighted directly for your review and provide an improved starting point most of the time.
A recently added feature also enables you to take an automated response action based on custom detections or the severity of the malware found. One such response action would be to Isolate the Device. This type of automatic response is usually found in expensive tools or requires custom integration, but MDE has this functionality natively built-in.
Note: If a SOC provider is providing enrichment to your security telemetry there may be overlap if the vendor has their own automated triggers, since their enrichment may not be pushed back down to your console as an Alert.
You can attach actions to almost any query you design.
Bonus: It is not just a Security Tool
Depending upon the subscription you choose, Defender for Endpoint can augment/replace many other tools in your current arsenal and be a source of truth for your environment. While this is a security tool, many pieces of information collected can benefit other teams involved. The number of data points collected and correlated is staggering, and this data can assist and provide insight to helpdesk, network, and server engineering teams.
Microsoft Defender for Endpoint has been around for a few years and is constantly improving. New features are added on almost a monthly cadence. I look forward to the future of the platform.