Microsoft Security SC-200 Exam Dumps, Practice Test Questions

100% Latest & Updated Microsoft Security SC-200 Practice Test Questions, Exam Dumps & Verified Answers!
30 Days Free Updates, Instant Download!

Microsoft SC-200 Premium Bundle
$69.97
$49.99

SC-200 Premium Bundle

  • Premium File: 187 Questions & Answers. Last update: Jun 5, 2023
  • Training Course: 47 Video Lectures
  • Study Guide: 441 Pages
  • Latest Questions
  • 100% Accurate Answers
  • Fast Exam Updates

Download Free SC-200 Exam Questions

File Name                                                        Size       Downloads  Votes
microsoft.selftesttraining.sc-200.v2023-04-02.by.maria.64q.vce   922.56 KB  129        1
microsoft.selftestengine.sc-200.v2022-01-18.by.jack.64q.vce      604.47 KB  536        1
microsoft.train4sure.sc-200.v2022-01-14.by.caleb.61q.vce         605.71 KB  533        1
microsoft.test4prep.sc-200.v2021-10-13.by.roman.60q.vce          498.48 KB  622        1
microsoft.pass4sures.sc-200.v2021-08-31.by.jose.51q.vce          570.94 KB  666        1
microsoft.certkiller.sc-200.v2021-06-29.by.aleksandr.45q.vce     558.13 KB  728        1
microsoft.pass4sureexam.sc-200.v2021-03-31.by.noah.30q.vce       517.82 KB  836        2

Microsoft SC-200 Practice Test Questions, Microsoft SC-200 Exam Dumps

Examsnap's complete exam preparation package covers the Microsoft SC-200 practice test questions and answers, study guide, and video training course, all included in the premium bundle. Microsoft SC-200 exam dumps and practice test questions come in the VCE format to provide you with an exam testing environment and boost your confidence.

Mitigate threats using Microsoft Defender for Endpoint

1. Protect against threats with Microsoft Defender for Endpoint

In this section we will discuss Microsoft Defender for Endpoint, formerly called Microsoft Defender Advanced Threat Protection. Now let's see what we are going to go through in this section. So in this first short lesson we'll explain what Microsoft Defender for Endpoint is. Then we'll learn how to implement Windows security enhancements, device investigations, perform actions on devices, evidence and entities in investigations, configure and manage automation, configure alerts. And lastly, we'll talk about threat and vulnerability management. So let's dive into the first lesson and discuss protecting against threats with Microsoft Defender for Endpoint.

First of all, what is Microsoft Defender for Endpoint? Microsoft Defender for Endpoint is a platform designed to help enterprise networks prevent, detect, investigate and respond to advanced threats on their endpoints. So it is an endpoint solution. Now the following capabilities are enabled in Microsoft Defender for Endpoint. First of all, we have threat and vulnerability management over here, and this basically provides real-time visibility and helps identify ways to improve your security posture. Then we have attack surface reduction; attack surface reduction basically eliminates risky or unnecessary surface areas and restricts dangerous code from running. And we'll see in detail in the upcoming lesson how that can be done. Then we have the capability of next generation protection, and this uses machine learning and deep analysis to protect against file-based malware. Then we have endpoint protection. And basically here, when I say protection, I mean both detection and response, because this monitors the behaviours and attacker techniques to detect and automatically respond to advanced attacks, of course depending on how you have the solution configured. Then we have the automated investigation and remediation, and in conjunction with being able to quickly respond to advanced attacks, Microsoft Defender for Endpoint also offers automatic investigation and remediation capabilities that basically help reduce the volume of alerts in minutes at scale. And lastly, we have the capability of Microsoft Threat Experts, and this basically brings deep knowledge and proactive threat hunting to your security operations center.

Now, Microsoft Defender for Endpoint uses the following combination of technologies, let's say, built into Windows 10 and Microsoft's robust cloud service. First of all, endpoint behavioural sensors. These are sensors embedded in Windows 10 or later versions. And these sensors basically collect and process behavioral signals from the operating system. The sensors send the data to your private, isolated cloud instance of Microsoft Defender for Endpoint. Then we have the cloud security analytics capability, and this basically is leveraging big data, machine learning and, let's say, unique Microsoft optics across the Windows ecosystem, such as Office 365 for example, and online assets, behavioural signals. And then all of these signals are translated into insights, detections and recommendations, responses to advanced threats, and of course the threat intelligence piece. And this is generated by Microsoft hunters, let's say, and security teams and augmented by the threat intelligence provided by partners. Threat intelligence basically enables Microsoft Defender for Endpoint to identify attacker tools, techniques, procedures and of course generate alerts when these are observed in the collected sensor data.

Now next let's talk about the security operations, let's say, in Microsoft Defender for Endpoint. First of all, MDE detection and response capabilities again provide advanced attack detections that are basically near real-time and actionable. Security analysts can prioritise alerts effectively, can gain visibility into the full scope of a breach and can take the response actions to remediate the threat. Now when a threat is detected, alerts are created in the system for analysts to investigate. Alerts with the same attack techniques or attributed to the same attacker are basically aggregated into an entity called an incident. Aggregating alerts in this manner basically makes it easier for analysts to investigate and respond to threats collectively. Of course, this technology is inspired by the assumed breach mindset, and Defender for Endpoint continuously collects behavioural cyber telemetry. This includes process information, network activities, deep optics into the kernel and memory manager, user logon activities, user sign-in activities, registry and file system changes and many, many other telemetries. Now the information is stored for six months, enabling an analyst, let's say, to travel back in time to the start of the attack. The analysts can then pivot in various views and approach an investigation through multiple vectors. The response capabilities give analysts the power to promptly remediate, let's say, threats by acting on the affected entities.

Now let's talk about the Defender for Endpoint terminology, because it is important to understand the different components and how they work together. First of all we have the device, and to start with, each endpoint in Microsoft Defender for Endpoint is considered a device. Then we have the evidence, and MDE basically collects forensics information on artefacts including accounts, processes, network information and others. And all of this collected information is called evidence. Then there's the alert. Of course, given that MDE uses detection rules based on Microsoft's, let's say, back-end expertise and that are constantly updated, it looks for suspicious activities and generates an alert if found. Then, based on the alerts previously generated, Defender for Endpoint actually groups the alerts into incidents, and an incident displays a roll-up of alerts, evidence, and investigations.

2. Deploy the Microsoft Defender for Endpoint environment

And welcome back to my course, Microsoft Security Operations Analyst SC-200. Now in this lesson we are going to discuss about deploying the Microsoft Defender for Endpoint environment. First of all, when you deploy the Microsoft Defender for Endpoint environment, this involves configuring your tenant, configuring the options, onboarding devices and configuring access for your security team to access Microsoft Defender for Endpoint. When accessing Microsoft Defender for Endpoint, when accessing actually the Microsoft 365 Defender portal for the settings for the first time, you will be able to configure many attributes. First of all, you must be a global administrator or a security administrator for the tenant in order to be able to perform these tasks. First of all, you can set the data storage location, and this basically determines where you want your data to be primarily hosted: US, European Union, UK and so on. You cannot change the location after this is set up, and Microsoft will not transfer data from the specified geo location. So bear this in mind. You can also configure data retention, and the default is six months. Then you can enable the preview features by going to the portal, security.microsoft.com, and clicking on Settings and Endpoints. And from here you can enable the preview features, and you have lots and lots of other settings to configure.

Now, before we go on, I just want to quickly touch on the network configuration, because there might be organizations that require a proxy on their endpoints for the users to be able to access the Internet. So just to give you a high level overview, the Microsoft Defender for Endpoint sensor requires the Microsoft Windows HTTP protocol to report sensor data and communicate with the Defender for Endpoint service. Now this is shortly called WinHTTP. Now the embedded Defender for Endpoint sensor runs in the system context using the LocalSystem account; the sensor uses, again, the WinHTTP protocol to communicate with the Endpoint cloud service. And one more thing here: the WinHTTP configuration settings are independent of the Windows Internet browsing proxy. That's the WinINet browsing proxy. And the settings can only discover a proxy server by using one of the following discovery methods. And these are the two: one, so the transparent proxy, or the Web Proxy Auto-Discovery protocol, shortly called WPAD.

Okay, now the first step after you access the environment is of course to onboard your devices. To start onboarding your devices, right? So first of all, you'll need to go to the onboarding section of the Microsoft 365 Defender portal to onboard any of the supported devices. Now depending on the device, you'll be guided with the appropriate steps and, let's say, provided a deployment tool option suitable for the device and for your environment in general. To onboard more devices, to add more devices to the service, first of all you need to verify that the device fulfils the minimum requirements, and you will have links in the resource files for this lesson with documentation with all these minimum requirements, all the, let's say, onboarding options and step by step instructions on how to do them. Then depending on the device, of course, you need to follow the steps in the portal to perform the onboarding. Then you need to use the appropriate tools to manage the deployment, because there are several other options, and I'll show you in a moment in the portal, and then you need to run a detection test to actually verify if the device is onboarded properly and accordingly.

Now, first of all, let's get into the portal and let's take a look at how we can onboard the device. So we are in the Microsoft 365 portal over here, and if we go down to Settings and click on the Endpoint settings, as soon as it loads up, of course, clicking on the Endpoint settings over here we scroll down to the bottom and we have Onboarding and Offboarding. Now clicking on Onboarding you have lots and lots of options over here. First of all you can select the operating system that you want to onboard, and you have Windows 7 with Service Pack 1. This is the minimum OS version that's supported. Windows 8.1, 10 and 11. You have Windows Server from 2008 R2 up until 2016. Then you have the 1803 build of the 2016 server and up until Server 2022. You can also see that you can onboard macOS, Linux, iOS, and lately they've enabled the option to onboard Android devices as well.

Now for the deployment method, for the deployment method, as you can see here, you can manually onboard devices using a local script. Basically you download the script from here on the device and you run the script, and that basically onboards the device. But this is supported up to ten devices. If you want to do a scale deployment, you can either use Group Policy if you're in an on-premise environment with an Active Directory domain, right, then you can use Microsoft Endpoint Configuration Manager current branch or later. This is basically the way to deploy Endpoint, the Defender for Endpoint, on all of your devices in your organisation using Microsoft Endpoint Configuration Manager. You can use SCCM to deploy Defender for Endpoint on your devices, or you can use Mobile Device Management like Microsoft Intune, and of course the VDI onboarding script for non-persistent devices. This is for devices that are part of a VDI infrastructure, Virtual Desktop Infrastructure. OK, then of course, as I've mentioned, you download the onboarding script if you choose the local script option and you run it on the device, and the device is onboarding. And then you run a detection test by actually just running this command over here on the actual device that's onboarded. And that is how you basically onboard devices into Microsoft Defender for Endpoint. Now don't worry, you will have a lab available at the end of the section in which you will do just that. You will actually onboard your device, and of course there are more devices that you will onboard during the lab, but you will go through this process on your own.

Okay, now that being said, let's actually talk about the access part of Microsoft Defender for Endpoint. How to manage access to Microsoft Defender for Endpoint. This can be done using role-based access control, RBAC. And you can create roles and groups within your security operations team to basically grant the appropriate access to the portal based on those roles and groups you create. You have, let's say, fine-grained control over what users with access to the portal can see and do. The Defender for Endpoint RBAC is designed to support your tier or role-based model of choice and gives you granular control over what roles can see, devices they can access and actions they can take. First of all, you can control who can take specific actions. This is: you can create custom roles and control what Defender for Endpoint capabilities the users from that group will have, and you can control who can see information for specific device groups. Now to implement role-based access controls, you will need to basically define admin roles and assign the corresponding permissions, and of course assign Azure AD user groups to those roles that you create.

So now let's get into the portal and actually let me show you how to create a role and assign permissions to it. So back in the portal over here, if we go to Roles, so let me just scroll up a little bit in the settings, of course, of the Endpoints. If we click on Roles, you need to first turn them on. So we click on Turn on Roles, and by default, as you can see, this role, Microsoft Defender for Endpoint Administrator, this role is created by default and has full permissions to the Defender for Endpoint portal. And of course any global administrator will have full permissions to the Microsoft Defender for Endpoint portal. But first of all, before we deploy this role, we need a group in Azure Active Directory so we can assign permissions to the group. So back here under portal.azure.com, click on Azure Active Directory, and of course you can go to the Groups section over here and create a new group. Now let's call this group, for example, SGIT, because this will also be the group that you will use in your lab environment to complete the lab, with no description. Let's add a bunch of members over here. These are from the users who have imported in the first lab in the environment. In the introductory section, let's say this one and this one, and click Select and then click on Create. Now as soon as we create this group, we can actually go back to the Microsoft Defender for Endpoint portal and click on Add an item here to create our new role. So let's specify a role name. So let's call this Test Role, or you can call it whatever you want. And from here we can assign the actual permissions that this role will have. So let's say this role will be able to view the security operations data, to view the threat and vulnerability management, and to view alerts investigation. Now let's click on Next, okay? And here it has a little bit of lag. And here we can assign users and groups. You can assign user groups to this role. So we'll select our newly created group, we'll select Add selected group over here, and then we can just click on Save. And from now on, any member of this SGIT group will have the Test Role assigned in Microsoft Defender for Endpoint, and thus it will have the permissions that we gave to this role.

Because you might have a global infrastructure and you want each team to have access to the devices in their own area, let's see, right? So these devices can be grouped together based on a set of attributes such as their domain, computer names, or even set tags. Because you can tag devices in Microsoft Defender for Endpoint, you can create device groups and use them for a variety of purposes such as the ones I've mentioned over here, such as limiting access to related alerts and data, configuring different auto remediation settings, assigning specific remediation levels, or in an in-place remediation scenario.

So, to finish this lesson, let's go back into the portal and I'll show you how to actually create a device group. I already have a device onboarded in my Microsoft Defender for Endpoint trial subscription, and you'll do the same during the lab available at the end of this section. This is the recommended option. Of course, if you have specific requirements in your environment and folders, you can choose any of these options above. And the next thing we need to do is select a condition based on which devices will be added to this group. You can do this by device name. For example, if a device name starts with, and you give a certain value, the device will be added to the group. Or you can do this by tag, if you tag devices in your environment. In my case, I will do this by operating system. We'll select our SGIT group.

3. Implement Windows Security Enhancements

And welcome back to my course, Microsoft Security Operations Analyst SC-200. In this lesson, we are going to discuss about implementing Windows security enhancements, because sometimes when you work as a Security Operations Analyst, you might want to reduce the attack surface on the endpoints so that you can basically harden your endpoints to the best possible posture. So that being said, we are going to talk about the attack surface reduction in this lesson. And attack surface reduction means that you are hardening the places where a threat is likely to attack. Again, as a Security Operations Analyst, it is your role to understand the protection options and provide the necessary recommendations. While you are performing the alert investigation, you should know the events generated by the attack surface reduction on the host, which might provide forensic evidence. And basically these are all the enhanced controls here that fall into the attack surface reduction category that you need to be aware of. I'm going to just enumerate them, but please, you can pause the video, take a moment, go through them so you can understand what each one does. So we have the attack surface reduction rules, then we have hardware-based isolation in Windows, operating system application control, exploit protection, network protection, web protection, controlled folder access and device control.

Okay, let's talk about the attack surface reduction rules. Basically, the attack surface reduction rules means the following: your attack surface includes all the places where an attacker could compromise your organization's devices or networks. Reducing your attack surface means protecting your organization's devices and network, which leaves the attackers with, let's say, fewer ways to perform attacks. Attack surface reduction rules target certain software behaviors that are often abused by attackers. Such behaviours include launching executable files and scripts that attempt to download or run files, running obfuscated or otherwise suspicious scripts, or performing behaviours that apps don't usually initiate during normal day-to-day work. Now, the attack surface reduction rules currently support all of these rules below, over here. Again, pause the video. Please go through them. These are the titles of the rules; in the resource file for this lesson you will have detailed documentation in regards to what exactly each rule does. So again, I strongly recommend to go through the documentation as well.

Now, when you enable attack surface reduction rules, you can basically set them to one of the following. Not configured, and this means that the attack surface reduction rule is disabled. You can set it to Block, and this means that you enable the specific attack surface reduction rule and it will block what it is supposed to block. You can set it to Audit, and this means that you want to evaluate how the attack surface reduction rule would impact your organization. If you set it to Audit, you can go through the logs after that and see what that rule would have blocked. And you can set it to Warn, and you enable the attack surface reduction rule here, but you allow the end user to bypass the block by overriding the block.

Now the attack surface reduction rules can be deployed, let's say, or enabled in several ways. You can use Microsoft Intune, you can use Mobile Device Management, you can use Microsoft Endpoint Configuration Manager, you can use Group Policy, or you can even use PowerShell, let's say if you want to deploy an attack surface reduction rule on single endpoints manually. Don't worry, again in the resource files you will have links which take you to detailed step by step guides to deploy attack surface reduction rules for each and every one of all of these methods, right? So, let's go to the security Microsoft 365 Defender portal, and I'll show you how to enable the attack surface reduction rules from Microsoft Endpoint Manager, because it's probably the easiest way to do it, but please read the documentation for each method.

And here we can specify the configuration settings. So these are all the attack surface reduction rules that I've mentioned earlier on the slides. And for each one we can select Block, Audit Mode or Disabled, right? So, let's say we want to use this one: Block to enable, Block, and so on. My advice would be to first test all the rules in Audit mode to see how they would impact your devices in your organization, what they would block, and so on. And then, when you feel comfortable with the configuration, you can deploy it to all devices in your organization. I don't have such tags deployed, so I will click on Next and Assignments. Here you can select groups of users or groups of devices for which you want to apply this policy with the current attack surface reduction rules configuration. As I've mentioned earlier, here you can basically do a scoped assignment. So you can group some devices or some users in a group and you can apply the policy to that group only, to pilot the attack surface reduction rules to see how they impact. Or you can add all users or add all devices. I will click on All devices. For example, at this particular policy you can exclude groups from being applied this policy of attack surface reduction rules. These can be groups of users or groups of devices, of course. And click on Next and you create the rule, and then it is in place. I won't create it because I don't actually need it in my environment. But this is how you can deploy attack surface reduction rules, shortly called ASR, in your environment. This also concludes the discussion for our lesson, and I will see everyone in the next lesson where we'll start discussing about how to perform device investigations, then how to perform actions on devices and so on. So until then, I hope this has been informative for you, and thank you for.
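The lesson above recommends piloting ASR rules in Audit mode and reading the logs to see what they would have blocked, and names PowerShell as one way to enable rules on a single endpoint. The following is an added example, not part of the course or its resource files, showing that workflow with the Microsoft Defender Antivirus cmdlets (Add-MpPreference / Get-MpPreference) and the Defender operational event log. The rule GUID is taken from Microsoft's published ASR rule reference ("Block all Office applications from creating child processes") and should be checked against that reference before use; the numeric action-to-name mapping and the event IDs 1121 (blocked) and 1122 (audited) are Defender's documented values. Run it in an elevated PowerShell session on an onboarded Windows device.

```powershell
# Added example (not from the course): pilot one ASR rule in Audit mode on a single
# endpoint, read back the effective ASR configuration, then list the audit/block
# events Defender Antivirus wrote for ASR in the last seven days.
#Requires -RunAsAdministrator

# GUID from Microsoft's ASR rule reference: "Block all Office applications from
# creating child processes". Verify against the current reference before use.
$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'

# Step 1: enable the rule in Audit mode. Audit records what the rule would have
# blocked without enforcing it, which is the recommended first step before Block.
# Add-MpPreference appends to the existing rule list; Set-MpPreference would
# replace every ASR rule currently configured on the device.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# Step 2: read back the effective configuration. Get-MpPreference returns two
# parallel arrays: Ids[i] is configured with Actions[i]. The action codes are
# 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$pref = Get-MpPreference
Write-Host "Configured ASR rules on $env:COMPUTERNAME:"
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $id     = $pref.AttackSurfaceReductionRules_Ids[$i]
    $action = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
    '{0}  {1}' -f $id, ($ActionName[$action] ?? "Unknown($action)")
}

# Step 3: review what the rules did. Defender Antivirus logs ASR activity to the
# Microsoft-Windows-Windows Defender/Operational log: event 1121 means a rule
# blocked something, event 1122 means a rule in Audit mode would have blocked it.
# The message text carries the rule ID, the user and the process involved, which
# is the forensic evidence the lesson says an analyst should know how to find.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1121, 1122
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
                  @{ Name = 'Mode'; Expression = { if ($_.Id -eq 1122) { 'Audit' } else { 'Block' } } },
                  Message |
    Format-List
```

Once the audit events for a pilot group show no business-critical processes being flagged, the same rule can be moved to Block with `-AttackSurfaceReductionRules_Actions Enabled`, and the event 1121 entries then become the record of what was actually stopped. The `??` null-coalescing operator used for unknown action codes requires PowerShell 7; on Windows PowerShell 5.1 replace that expression with a plain hashtable lookup.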

4. Device Investigations

And welcome back to my coursemicrosoft Security Operations Analyst SC 200.In this lesson we are going to discussabout device investigations in Microsoft Defender for Endpoint.First of all, we've established that MicrosoftDefender for Endpoint provides many, many details,sales and information, including forensic information.So the first thing I want to talk toyou about is the device inventory list because hereyou can find a list of all of yourdevices in your organisation and of course, let's sayan overview of all of the onboarded devices.So the device inventory page shows alist of devices in your network wherebasically alerts were generated by default.The Q displays devices with alertsseen in the last 30 days.You can select a device to open the devicepage and the device page is also accessed fromvarious investigation pages like incidents or alerts.Now, at a glance here on the deviceinventory page you will see information such asdomain, risk level, OS platform and other details.During the onboarding process, the device listis gradually populated with devices as theybegin to report sensor data.Now, what we can find on this device listpage over here so first of all, you cansee that we find the risk level and therisk level reflects the overall risk assessment of thedevice based on a combination of factors including thetypes and severity of active alerts on the device.Resolving active alerts of course, will orapproving remediation activities or suppressing subsequent alertswill influence this risk level and itwill actually lower it.Then we can find the exposure level.And the exposure level reflects the currentexposure of the device based on thecumulative impact of its pending security recommendations.So the possible levels are low, medium or highlow exposure means your devices are less vulnerable toexploitation if the exposure level says no data available.Like here for example.There are a few reasons why this may happen.One of them is the device has stopped reporting 
formore than 30 days and in this case it isconsidered an inactive device and the exposure isn't computed.Another reason might be that the operating system ofthat device is not supported and you can checkthe minimum requirements for Microsoft Defender for Endpoint.Or a third reason might be that thedevice has a stale agent that is notupdated and of course, again not reporting.Then the next thing we can see hereon this page is the health state, right? And the health state of thedevice has the following state active.This means that the devices are currently reportingsales or data to the service inactive.This means that the devices that have stoppedsending signals for more than seven days.So if a device is not sending sensor data formore than seven days, it will go into an inactivestate and then you have another state called Misconfigured.And this can be either nosensor data or impaired communications.It means that devices that have impaired communicationswith the service or are unable to sendcells or data for any reason this fallinto the misconfigured devices category.Now let's talk about actually investigating the device.So investigate the details of an alert.You can investigate the details of an alertraised on a specific device to actually identifyother behaviours or events that might be relatedto that alert or potential scope of breach.You can select affected devices whenever yousee them in the portal to opena detailed report about that particular device.Now, affected devices can be selectedfrom any of these areas.So from the devices list, from the alerts queue,from the security operations dashboard, any individual alert, anyindividual file details or any IP address.Again, when you investigate a specific device, you willsee that device details, the response actions, the tabsand we'll discuss about the tabs in a moment.We will actually go into the Portland check adevice to show you exactly what it looks like,or from the cards of the active alerts loggedon users or a 
security assessment.Okay, so now let's actually get into the portaland let's check out the device investigation page.So let me open up my trial tenant over hereand again, let's go to the device inventory to showyou how that looks like in real time. So here we go.This is the device inventory with the risklevel, exposure level, OS, health state and other information that I've talked about.So let's select our Win One device over here and this will basically take us to the device overview page.Now on the top over here, we have several actions that we can perform, let's say. We can manage the tags of the device,we can hunt for events on the device, we can isolate the device, we can restrict application execution on this device, we can trigger an antivirus scam.And if we click these three dots over here, we have additional actions that we can perform, like collecting investigation package, initiating an automated investigation, consulting a threat expert, or increasing the device value. Now, we can take all of these responses in the action centre as well. We can see all of these, let's say, right? Basically, Microsoft Defender for Endpoint will display these cards over here. So first of all, we have the active alerts card, right? 
And basically this card will display ahigh level overview of active alerts relatedto the device and their risk level.If of course you have the Defender forcloud feature enabled in your talent and we'lldiscuss about that a little bit later on.As you can see, this spans of timeframe of 180 days.Now the next one, we have the log on usersover here and the log on user card shows howmany users have logged on in the past 30 days.As you can see here on this particular deviceand the most and the least frequent users.Now again, selecting all users will open upa detailed pane which display all the userstypes that have signed into the device.And let me actually click this and as you can see, wehave an admin user and another user over here and if wescroll down you can see that this is the standard user.Then this is a local administratorand the type of logon performed.Now on the security assessment card.Basically here we can see theoverall exposure level, the security recommendations,the installed software and the discoveredvulnerabilities on this particular device.A device's exposure level is determined by thecommunity of impact of its pending security recommendations.And if we click here, we will seeall the security recommendations for this device.Actually it will take us to this tab.So let me get back to the Overview tab.Now, going to the Alerts tab here.This tab provides a list of alerts that areassociated with the device and this list is filtered,is, let's say a filtered version of the alertsqueue and shows a short description of the alert.As you can see severity of the alertstatus in the queue, classification and other information.If we click on the circle here, wecan actually see an overview of the specificalert that we are interested in.Now the Timeline tab here in the Timelinetab, basically we can see a chronological viewof the events and the events and associatedalerts that have been observed on the device.This can help you actually correlate any eventsfiles or IP 
addresses related to this device. The timeline also lets you drill down into the events that occurred within a given time period, and, as you can see here, you can view the events by the time they actually happened.

Some of the functionality on the Timeline tab: you can search for specific events by typing the event name or the name of the file you are interested in. You can filter events from a specific date. By default the Timeline tab shows events from the last 30 days, but you can change that to one day, one week or 30 days, or enter a custom range with a start date and hour and an end date and hour. You can also export all of these timeline events by clicking the Export button.

More details are provided for certain events, but they vary depending on the type of event. For example, if you click on the circle beside any event you are interested in, you get a detailed overview of the event, right down to the command line that ran in the background.

You can also flag events you are interested in. While navigating the device timeline, you can search for and filter specific events and then flag them by clicking the flag button. Let's say we flag these three events; you can then view only the flagged events by opening the filters and toggling on "Only flagged events", and this shows only those three events. I am not going to keep that here, so let me cancel out of this and unflag these three events.

Again, as I mentioned, if you click on any event you are interested in, you will see the details of that event, and this goes very deep, down to the command line as I showed you.

Okay, now let's close this and go to the next tab, the Security Recommendations tab. This shows the security recommendations for this specific device, generated by the Microsoft Defender for Endpoint threat and vulnerability management capability. Selecting a recommendation opens a panel where you can view the relevant details, such as the description of the recommendation and the remediation actions. Let me select one of these recommendations: here you can see the description of the recommendation and the associated CVEs, and you can open the software page or open the full recommendation. This is just an overview.

Now let me click out of this and go to the Software Inventory tab. This tab lets you view the software installed on the device along with any weaknesses or threats that the software might pose. Selecting the name of the software takes you to the software details page, where you can view the security recommendations. Let's take VirtualBox as an example: this is an overview, and you can open the software page from here, which takes you to the full description of this particular piece of software installed on the machine.

Okay, then we have the Discovered Vulnerabilities tab.
Sorry. This tab shows the name, severity and threat insights of the vulnerabilities discovered on the device. Selecting a specific vulnerability shows its description and details, and from here you can go directly to the related security recommendation to see how to mitigate it.

Closing this down, we have one more tab here: Missing KBs. This tab shows the missing knowledge base articles, that is, the updates or patches, whatever you want to call them, that are not installed on the device.

Okay, now let's quickly get back to our slides and talk about our next topic, behavioral blocking. Today's threat landscape is overrun by fileless malware that lives off the land, highly polymorphic threats that mutate faster than traditional solutions can keep up with, and human-operated attacks that adapt to whatever adversaries find on a compromised device. Behavioral blocking and containment capabilities help identify and stop threats based on their behaviors and process trees, even when the threat has already started running.

So behavioral blocking and containment can block these three types of attacks from happening, or stop them after they have started, as I mentioned. The next-generation protection capability, which includes Microsoft Defender Antivirus, detects threats by analyzing behaviors and stops threats that have already started running. The other capability, endpoint detection and response, receives security signals across your network, devices and kernel behavior. As threats are detected, alerts are created, and multiple alerts of the same type are aggregated into incidents, which makes it easier for your security operations team to investigate and respond.

And then Defender for Endpoint, as it says here, has a wide range of optics across all of these domains: identities, email, apps, data and network, endpoints and kernel. As threats are detected, the signals from all of these domains are correlated, detection alerts are raised, and related alerts are aggregated into incidents as well.

You can imagine that with these capabilities more threats can be prevented and blocked, even if they have started running. Whenever suspicious behavior is detected, the threat is contained, alerts are created and the threat is stopped in its tracks.

Let's take the following example, which shows an alert that was triggered by behavioral blocking and containment. As you can see, an initial access alert was triggered, it forms part of an incident, and the alert has been automatically resolved. On the next page you can see the alert process tree with exactly what happened: it started here and went all the way to the point where the file, and with it the attack, was blocked by behavioral blocking.

Now, let's talk about client behavioral blocking. Client behavioral blocking is one component of the behavioral blocking and containment capabilities in Defender for Endpoint. As suspicious behaviors are detected on devices, also referred to as clients or endpoints, artifacts such as files or applications are blocked, checked and remediated automatically.
So how does client behavioral blocking work? As you can see in this very detailed slide, Microsoft Defender Antivirus, running on the client, can detect suspicious behavior, malicious code, fileless and in-memory attacks, and more on the device. When suspicious behaviors are detected, Microsoft Defender Antivirus monitors them and sends the suspicious behaviors and their process trees to the cloud protection service. Machine learning differentiates between malicious applications and good behaviors within milliseconds and classifies each artifact. As soon as an artifact is found to be malicious, it is blocked on the device. Whenever suspicious behavior is detected, an alert is generated, and it is of course visible in the Microsoft 365 Defender portal.

Client behavioral blocking is effective because it not only helps prevent an attack from starting but can also stop an attack that has already begun executing. With feedback-loop blocking, another capability of behavioral blocking and containment, attacks are prevented on other devices in your organization as well.

Now let's look at the following table, which shows the naming convention of the behavior-based detections. These are named according to the MITRE ATT&CK matrix for enterprise, and the naming convention helps you identify the attack stage at which the malicious behavior was observed. Please pause the video and take a look at this table, which maps each tactic to the corresponding detection threat name as per the MITRE ATT&CK matrix for enterprise.

Now, let's talk about endpoint detection and response in block mode, because this is what actually makes this happen. When EDR in block mode is turned on, Defender for Endpoint blocks malicious artifacts and behaviors that are observed through post-breach detection. EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach. EDR in block mode is also integrated with threat and vulnerability management, so your organization's security team will get a security recommendation to turn EDR in block mode on if it is not already enabled.

This slide shows what happens when something is detected. When EDR in block mode is turned on and malicious artifacts are detected, blocking and remediation actions are taken, so you will see a detection status of Blocked or Prevented, and the completed actions in the Action Center. The following image shows an instance of unwanted software that was detected and blocked through EDR in block mode.

Before I finish this lesson, let me get back to the portal and show you where you can enable EDR in block mode. Back in the portal, we scroll down to Settings and then, as soon as it loads, we select Endpoints. Under Advanced features, if we scroll down a little, we can turn on EDR in block mode from here. You have an explanation of exactly what this does, and two articles that go into more detail about this feature.

That being said, this concludes our lesson. I'll see everyone in the next lesson, where we will discuss performing actions on devices. Until then, I hope this has been informative for you, and thank you for viewing.
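As an added example that is not part of the course or of Microsoft's tooling: the PowerShell below parses behavior-based detection names that follow Microsoft's documented convention Behavior:Win32/<Tactic>.<Variant>!ml (for example Behavior:Win32/InitialAccess.A!ml) and reports how far along the ATT&CK kill chain an incident's alerts got. The tactic names and the threat-name tokens are the ones in Microsoft's table; the function names, the kill-chain ordering used for "furthest stage", and the sample alert names are my own.

```powershell
# Added example, not from the course: parse behavior-based detection names
# (Microsoft's convention: Behavior:Win32/<Tactic>.<Variant>!ml) and rank an
# incident's alerts by ATT&CK tactic. Function names and sample data are my own.

# Tactic tokens as they appear in the threat name, in kill-chain order.
$TacticOrder = [ordered]@{
    'InitialAccess'       = 'Initial Access'
    'Execution'           = 'Execution'
    'Persistence'         = 'Persistence'
    'PrivilegeEscalation' = 'Privilege Escalation'
    'DefenseEvasion'      = 'Defense Evasion'
    'CredentialAccess'    = 'Credential Access'
    'Discovery'           = 'Discovery'
    'LateralMovement'     = 'Lateral Movement'
    'Collection'          = 'Collection'
    'CommandAndControl'   = 'Command and Control'
    'Exfiltration'        = 'Exfiltration'
    'Impact'              = 'Impact'
    'UnknownTactic'       = 'Uncategorized'
}

function Get-BehaviorTactic {
    # Returns the canonical tactic token (e.g. 'DefenseEvasion') encoded in a
    # behavior-based threat name, or $null for names that do not follow the convention.
    param([Parameter(Mandatory)][string]$ThreatName)
    if ($ThreatName -match '^Behavior:Win32/(?<tactic>[A-Za-z]+)\.') {
        $token = $Matches['tactic']
        # -eq on strings is case-insensitive; return the key as spelled in the table.
        foreach ($key in $TacticOrder.Keys) { if ($key -eq $token) { return $key } }
    }
    return $null
}

function Get-IncidentProgression {
    # Given the threat names of one incident's alerts, returns the tactics seen
    # (in kill-chain order), the furthest stage reached, and any names that are
    # not behavior-based detections and therefore carry no tactic.
    param([Parameter(Mandatory)][string[]]$ThreatNames)
    $keys     = @($TacticOrder.Keys)
    $seen     = @{}
    $unparsed = @()
    foreach ($name in $ThreatNames) {
        $token = Get-BehaviorTactic -ThreatName $name
        if ($null -eq $token) { $unparsed += $name } else { $seen[$token] = $true }
    }
    $observed = @()
    $furthest = $null
    for ($i = 0; $i -lt $keys.Count; $i++) {
        if ($seen.ContainsKey($keys[$i])) {
            $observed += $TacticOrder[$keys[$i]]
            # 'UnknownTactic' is not a kill-chain stage, so it never counts as "furthest".
            if ($keys[$i] -ne 'UnknownTactic') { $furthest = $TacticOrder[$keys[$i]] }
        }
    }
    [pscustomobject]@{
        TacticsObserved = $observed
        FurthestStage   = $furthest
        Unparsed        = $unparsed
    }
}

# Constructed sample: threat names as they would appear on the alerts of one incident.
$sampleAlerts = @(
    'Behavior:Win32/InitialAccess.A!ml',
    'Behavior:Win32/Execution.B!ml',
    'Behavior:Win32/CredentialAccess.A!ml',
    'Behavior:Win32/DefenseEvasion.gen!ml',
    'Behavior:Win32/UnknownTactic.C!ml',
    'Trojan:Win32/Sample.A'      # a signature-based name, carries no tactic
)
Get-IncidentProgression -ThreatNames $sampleAlerts | Format-List
```

For the sample above the Defense Evasion alert sorts before Credential Access in kill-chain order, so the furthest stage reported is Credential Access, and the signature-based name is listed under Unparsed rather than silently dropped. In practice you would feed the function the threat names from the alerts in an incident and use the furthest stage to decide whether a "blocked" initial-access alert really was the end of the story or whether later-stage behavior on the same device deserves a look.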
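The lesson turns EDR in block mode on for the whole tenant from Settings > Endpoints > Advanced features, but whether it takes effect on a particular device depends on the state of Microsoft Defender Antivirus there. As an added example (my own code, not the course's or Microsoft's), the PowerShell below uses the built-in Defender cmdlets Get-MpComputerStatus and Get-MpPreference, plus Get-Service for the Sense sensor, to report that state. The property names and the AMRunningMode values are the documented ones; the function name, the checks chosen and the verdict wording are mine. Run it in an elevated PowerShell session on an onboarded Windows device.

```powershell
# Added example, not from the course: check on the endpoint whether behavioral
# blocking and EDR in block mode can actually take effect there. Uses only the
# built-in Defender cmdlets; function name and finding text are my own.

function Test-EdrBlockModeReadiness {
    $status = Get-MpComputerStatus
    $prefs  = Get-MpPreference
    $sense  = Get-Service -Name Sense -ErrorAction SilentlyContinue   # Defender for Endpoint sensor

    # AMRunningMode (documented values):
    #   'Normal'           Defender AV is the primary AV and blocks in real time itself
    #   'Passive Mode'     another AV is primary; Defender AV scans and reports only
    #   'EDR Block Mode'   Defender AV is passive, but EDR in block mode remediates post-breach
    #   'SxS Passive Mode' limited periodic scanning alongside another AV
    # Older builds do not expose the property at all, in which case it is $null.
    $mode = $status.AMRunningMode

    $findings = @()
    if (-not $status.AMServiceEnabled)        { $findings += 'Defender AV service is disabled' }
    if ($prefs.DisableBehaviorMonitoring)    { $findings += 'Behavior monitoring is turned off in preferences' }
    if (-not $status.BehaviorMonitorEnabled) { $findings += 'Behavior monitor is not running' }
    if ($prefs.MAPSReporting -eq 0)          { $findings += 'Cloud-delivered protection (MAPS) is off, so behaviors are not sent for cloud classification' }
    if ($null -eq $sense -or $sense.Status -ne 'Running') {
        $findings += 'Sense service is not running; the device is not reporting to Defender for Endpoint'
    }
    if ($mode -eq 'Passive Mode') {
        $findings += 'Defender AV is passive and EDR in block mode is not active on this device'
    }
    $verdict = if ($findings.Count -eq 0) { 'Ready' } else { 'Attention needed' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        AMRunningMode      = $mode
        BehaviorMonitoring = [bool]($status.BehaviorMonitorEnabled -and -not $prefs.DisableBehaviorMonitoring)
        CloudProtection    = [bool]($prefs.MAPSReporting -ne 0)
        SenseRunning       = [bool]($sense -and $sense.Status -eq 'Running')
        Findings           = $findings
        Verdict            = $verdict
    }
}

Test-EdrBlockModeReadiness | Format-List
```

On a device where AMRunningMode is 'Normal', Defender AV itself does the real-time blocking and the portal toggle adds nothing; the value you want to see on devices that run a third-party antivirus is 'EDR Block Mode'. A device that reports 'Passive Mode' after the tenant-wide toggle has been on for a while is the one to investigate, because post-breach remediation will not happen there.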
