MDE Tutorial -13 - Endpoint Detection and Response (EDR) in Microsoft Defender for Endpoints

00:00

hi guys welcome back to my other YouTube

00:02

channel for mde tutorial Microsoft

00:05

Defender for endpoint and today we are

00:08

going to cover up the endpoint detection

00:09

and the response that's called the EDR

00:12

so let's get started this video

00:16

now here is the content the EDR feature

00:19

what we're going to cover up in this

00:21

video that is EDR features EDR in a

00:24

block mode create a PDR task policy then

00:28

uh we'll test the policy on a device and

00:31

finally we'll validate the EDR and the

00:34

antivirus status and we will see the

00:36

smoke that troubleshooting steps so

00:39

let's understand what is the EDR first

00:41

so EDR stands for the end point

00:44

detection and response the EDR is

00:47

focused on crit detection and their

00:50

response on the endpoint environment

00:53

especially such as on a uh laptop

00:57

desktop servers tablet and the other

00:59

devices so what we understood on this

01:01

sentence especially it EDR work on the

01:05

end user tab prices

01:07

if there is any malicious the EDR

01:11

security analytics can prioritize the

01:13

alert very efficiently the gain

01:16

visibility into the full scope of the

01:18

bridge when there is any malicious

01:21

attack happen then it will trigger an

01:23

alert and that alert also can be the

01:27

prioritize whether it's a high level

01:29

high alert low medium or like a

01:32

non-impactic and it will gain the

01:34

visibility in the into the full scope of

01:36

the preach so whatever preaches happen

01:39

it will give you the complete visibility

01:41

in the intact how that malicious attack

01:45

happened and what are the process was

01:48

involved in that

01:50

and to take the action to remediate the

01:53

truth so this EDR will take at

01:55

automatically action to remediate the

01:57

threat

01:58

now when it Creed is detected alerts are

02:01

created into the system foray analytics

02:04

to investigate so when any malicious

02:07

attack happen or the any threats is

02:09

detected only the machine then

02:12

automatically alerts will check need in

02:14

the system and then that the alert will

02:17

send you to for the investigation

02:19

the similar alerts will convert into

02:22

incidence when we have the similar

02:25

alerts from the many machines or the one

02:27

machine is continuously sending the

02:29

similar alerts then that alerts will

02:33

convert into a incidents so for this

02:35

Allied anti incidents I will be covering

02:37

up in my upcoming video in the very in

02:40

depth to understand how the Allies

02:43

generated how to fix it and evolve the

02:46

incidence as well

02:47

so now let's understand how this uh this

02:52

logically works so when any malicious or

02:56

any three that attacked so first this

02:58

will go to the detect mode then it will

03:00

uh go to the respond then predict and

03:04

then it will prevent that means

03:06

remediate and prevent your extra

03:10

foreign

03:11

so now let's understand the EDR in block

03:14

mode how the EDR in block mode is

03:17

working so EDR in a block mode will

03:20

provide the additional protection for

03:23

the malicious when the defender

03:24

antivirus in or running or the passive

03:27

mode in in running on the passive mode

03:30

or on the active mode that means is if

03:34

you have the Microsoft Defender EDR

03:36

activated on your machine and suppose

03:39

your Defender antivirus is not working

03:41

any of the cement Type marker Cloud

03:44

strike or any other antivirus is working

03:46

in that scenario also your EDR can work

03:50

with the other my uh other antivirus

03:54

like a known Microsoft antivirus so in

03:57

the EDR uh block mode will provide you

04:00

the additional protection when you are

04:04

the malicious malicious happen and you

04:06

are any other antivirus is working

04:08

either it can be Microsoft defender or

04:10

any other antivirus

04:12

so EDR block mode work if the primary

04:15

antivirus solution missed something or

04:19

if there is any post breach deduction

04:21

happen so that means EDR can work if

04:25

you're the primary antivirus as I

04:27

explained primary antivirus can be a

04:29

Microsoft defender or can be a third

04:31

party solution like the cement tecma

04:34

cafe or any other thing in that scenario

04:36

also if you are the primary antivirus is

04:39

missed something then you are the EDR

04:41

will take that

04:43

now EDR in a block mode allow Defender

04:46

antivirus to take action on the breach

04:49

Behavior area detections

04:52

no existing now let's I write it here

04:56

the few answers like the existing

04:59

exclusions will work in the EDR if the

05:02

ADR in block mode suppose you are

05:04

running a Microsoft Defender and you put

05:07

it some exclusion so that exclusion with

05:10

Implement during the EDR uh scanning and

05:14

when you are the EDR in a block mode and

05:17

the similar way if you have uh semantic

05:20

antivirus my cafe or trying micro or any

05:22

other thing and you put some exclusion

05:24

in that so EDR will exclude that

05:27

particular files

05:30

EDR will not effect with the existing

05:32

antivirus if it is a defender or any

05:36

other antivirus so EDR is not going to

05:38

touch the antivirus part

05:40

it won't be different

05:42

in fact

05:43

EDR Defender antivirus detect and the

05:46

remediate malicious itself it important

05:49

to keep it up to date so you are if you

05:52

are using the Microsoft antivirus so

05:54

it's mandatory your antivirus should be

05:57

in up to date

05:59

if you used to disable the EDR mode EDR

06:03

in a block mode if you choose to disable

06:05

and if you want to disable the EDR uh in

06:09

a block mod to be disabled then it will

06:11

take 30 minutes to disable that

06:14

now here is a validation of your the

06:17

validate the EDR and the antivirus

06:19

status so you can uh just simply go to

06:22

the command prompt CMT and type the SC

06:25

query uh the wind Defender that if the

06:28

service is sold is running that means

06:31

you are the defender antiviruses or

06:33

running mode

06:34

and here is a command with the

06:37

Powershell so get a MP computer status

06:39

select MP running mode so this will give

06:43

you the EDR status uh mode whether the

06:46

EDR is running in a normal or not if you

06:50

have the defender antivirus and you are

06:52

checking the uh EDR block mode then it

06:56

will give you the is output normal if

06:59

suppose you enable the EDR on that

07:01

machine and you are running a different

07:03

antivirus like semantic time Micromax if

07:05

you or any other thing then it will give

07:07

you the output EDR in a block mode

07:11

so that's how you can test it

07:14

now let's move it to the Practical lab

07:17

and uh we'll start to creating a policy

07:21

so now I am in the mem console Microsoft

07:24

endpoint manager and here let's go to

07:28

the endpoint security portion

07:32

and here will be creating the policy

07:35

okay so I am under the endpoint security

07:38

and here is the option endpoint

07:40

detection and the response so first

07:43

let's create a EDR policy here and then

07:46

we'll go to the EDR in a plot mode so

07:49

now go to the

07:52

create policy and here we have the three

07:55

options

07:56

Windows 10 servers Windows 10 and letter

08:00

window 10 and the for the SQ so let's

08:03

take a Windows 10 and the letters we are

08:05

not going to implement on the servers

08:09

and now let's select this Windows 10 and

08:11

later and the endpoint detection

08:13

response if you want to implement on

08:15

Windows 10 11 and the servers you can

08:17

select this if you have the SCM then you

08:20

can select this so let us go with the

08:22

Windows 10 and letters now created

08:26

and here let me just copy paste and

08:29

named it and you can give the name based

08:33

on your convenience now let's go to the

08:35

next

08:36

and see what are the settings we have

08:38

over here

08:43

it's loading

08:46

so now here we have the two options only

08:49

if you select the servers as well then

08:52

this console is changed now block uh

08:56

sample sharing or all the files so that

08:59

means is your security center from the

09:02

security Center you cannot see are the

09:04

all the files if you say yes and uh that

09:08

will block your the files

09:10

why because might you have the some

09:13

sensitive application running in your

09:16

info and due to your policy you don't

09:18

want to see are all the files with the

09:21

Microsoft so you can block that and here

09:23

is a expedite in the Telemetry reporting

09:26

the frequently so if you have selected

09:29

then the uh your the logs frequency

09:32

frequency will increase to Central locks

09:35

in the security Center

09:37

so if you want to increase it you can

09:40

increase expedite uh the Microsoft

09:42

Defender security Telemetry reporting

09:44

frequently the very frequently it will

09:47

send a lot and here is a block if you

09:50

click on the iconic button it will be a

09:52

return or the setup of the Microsoft the

09:55

Microsoft for the endpoint sample

09:57

sharing the configuration parameters so

10:01

if you don't want to share all the

10:02

applications to Microsoft then it just

10:06

say yes the most of the infrastructure

10:08

choose a CS why because the all the

10:11

files is not meant to send whichever

10:14

file is impacted and you want to share

10:16

you can send it to manually for the

10:18

website investigation

10:20

so that's how you can follow now let's

10:23

go to the next

10:25

if you are using any scope tags so you

10:28

can Define it here I don't have any

10:30

scope tab it's it's by default so you

10:33

can use the scope of tags

10:35

now let's go to the next and we are

10:37

under the assignment so just include a

10:40

group where you want to enable this

10:42

policy so now let's go

10:45

and just select the other group here

10:49

okay so here I created a uh EDR activate

10:53

group now go and just select it

10:57

foreign

11:00

the size of members on where you want to

11:03

apply this

11:08

now it's going to be applied here okay

11:10

so now here it calculated like one

11:13

device or and the user zero users I have

11:16

added only the one user in my the core

11:19

of the ETR activate now let's go to next

11:21

and here is your the overview

11:24

and now here it's going to create the

11:26

policy so here is a message like a

11:28

policy uh the profile created and now

11:31

you can go back to again your endpoint

11:33

security

11:34

go here

11:36

and you can validate your policies

11:41

let's create it or not

11:48

so now after assigning this policy uh

11:52

just wait for couple of minutes or the

11:55

hours when this policy is reached to the

11:58

end user typewise so here you can go to

12:00

the property

12:04

um sorry let's go to the overview and

12:06

here we'll get the uh your report status

12:09

via this policies applied or not so just

12:14

let's wait for some time

12:19

okay so here data will be populated on

12:23

in after couple of hours and meanwhile

12:26

let's go to the our test machine and uh

12:29

let's sync the policy so here I have a

12:33

my windows 11 machine where I activated

12:36

my the defender so let's go to the

12:38

account settings and sync the policy so

12:41

immediate uh policy will sync and that

12:44

will get the latest policy from the

12:47

defender

12:50

so now here go to the accounts

12:55

and here is a access work or school

12:59

let's go here

13:01

and now here's the account go to the

13:03

info

13:05

and here you can sync your the device

13:12

and once this device is synced then we

13:16

can test it over the policy

13:20

so let's wait for some time okay so we

13:23

have the one more Point uh to show you

13:26

about the EDR so this policy has synced

13:28

up and let's go to the uh the security

13:32

center console and let's see about our

13:36

the defender PDR in a block mode so

13:39

let's go to the SEC settings I am under

13:41

the security.microsoft DOT

13:44

and here go to the settings under the

13:48

settings we have the end points so let's

13:50

go to here and check the EDR in a plot

13:54

mode how you can activate that

14:00

so just wait for some time

14:05

console has

14:16

so now this Advanced feature is on uh go

14:20

to the under Advanced feature and here

14:22

let's uh search for the EDR uh enable

14:27

the EDR in a block Mark it's already

14:28

enabled I enabled it the last time but

14:31

if it is in in off mode then you just

14:34

click and enable

14:36

enable this PDR in a block mode so once

14:39

you've done it then save the preferences

14:41

and that's all so this only the one

14:44

settings which you can do it

14:46

uh from this add one security so once

14:49

you've done it that means is you are the

14:51

EDR uh will work in a block mode as well

14:55

and now let's move it quickly to the our

14:58

test machine let me do the sync again

15:00

it's already it was synced and my the

15:03

EDR was in a block mode so now let's

15:06

test it or we can test it from the Power

15:08

share so this is the command which will

15:11

show you uh get MP status select AV

15:14

running mode so it will show you uh is

15:18

your the EDR in a block mod or not so

15:20

it's showing in this is a normal why

15:23

because I have the defender antivirus on

15:26

this machine what if if it is if they

15:28

are any some other antivirus like

15:31

cementec McAfee train micro clouder

15:33

strike then it will Source uh it will

15:36

give you an output uh this uh Defender

15:41

is in a oh sorry EDR in a block mode so

15:45

you will be getting the output like that

15:47

and if you want to test it you are the

15:49

antivirus so here I chose the command uh

15:52

SC with Defender so this will give you

15:55

the status whether your Defender client

15:58

is running or not so client Defender is

16:01

running on this machine and you are

16:04

another block mode that's why you have

16:06

the output as in normal if not you

16:10

should get the output uh the EDR in a

16:13

block mode as I showed you in mega PPD

16:16

here

16:17

so you will be getting the output here

16:19

if there's some third party uh antivirus

16:22

is running on this

16:25

so guys if you have any any problem you

16:29

can give me the comment and uh once this

16:32

policy has succeed uh actually already I

16:35

deployed it and I deleted so that's why

16:37

uh it was showing that in that way

16:41

so now uh guys if you have any questions

16:43

please comment on my the in this video

16:47

and then I can answer you the pattern

16:51

so guys thank you for watching this

16:53

video see you soon in my the next video

16:55

with some uh other topic in tip type

16:58

thank you see you soon in my next