MDE Tutorial -13 - Endpoint Detection and Response (EDR) in Microsoft Defender for Endpoints
Summary
TL;DR: This video tutorial delves into Microsoft Defender for Endpoint's Endpoint Detection and Response (EDR) feature. It explains EDR's role in identifying and responding to threats on various devices, including laptops and servers. The tutorial covers creating an EDR policy in block mode, testing it on a device, and validating EDR and antivirus status. It also discusses the process of alerts converting to incidents and the importance of keeping antivirus software up to date. Viewers are guided through policy creation in the Microsoft Endpoint Manager and testing the policy's effectiveness.
Takeaways
- The video is a tutorial on Microsoft Defender for Endpoint, focusing on Endpoint Detection and Response (EDR).
- EDR stands for Endpoint Detection and Response, a security solution that prioritizes alerts and provides visibility into malicious attacks on devices like laptops, desktops, and servers.
- EDR operates in block mode to provide additional protection when other antivirus solutions are active, even if Microsoft Defender Antivirus is not running.
- The tutorial covers creating a policy for EDR in block mode, testing the policy on a device, and validating EDR and antivirus status.
- EDR can trigger alerts based on the severity of the threat, categorizing them as high, medium, or non-impactful, and providing full visibility into the attack process.
- EDR automatically takes action to remediate threats detected by security analytics, creating incidents when similar alerts occur from multiple machines.
- The video explains the process of how EDR works, moving from detection to response, prediction, and prevention of threats.
- EDR in block mode allows Microsoft Defender Antivirus to take action on post-breach behavioral detections and respects existing exclusions set in the antivirus.
- The tutorial demonstrates creating an EDR policy in the Microsoft Endpoint Manager console, including settings for sample sharing and telemetry reporting.
- The presenter shows how to validate the EDR and antivirus status using the command prompt and PowerShell, including checking the running mode of EDR.
- The video concludes with practical steps to sync the policy on a test machine and verify the EDR block mode settings in the Microsoft Security Center.
Q & A
What does EDR stand for and what is its primary focus?
-EDR stands for Endpoint Detection and Response. Its primary focus is on detecting and responding to threats on endpoint environments such as laptops, desktops, servers, and tablets.
How does EDR prioritize alerts when a malicious attack occurs?
-EDR prioritizes alerts based on the level of threat, categorizing them as high, medium, or low impact, and provides visibility into the full scope of the breach.
What actions does EDR take when a threat is detected?
-When a threat is detected, EDR triggers an alert and can take automatic actions to remediate the threat, providing complete visibility into how the attack happened and what processes were involved.
Can EDR work alongside other antivirus solutions?
-Yes, EDR can work with other antivirus solutions, including Microsoft Defender Antivirus, providing additional protection when the primary antivirus solution misses something or in case of post-breach detection.
What is the purpose of EDR block mode?
-EDR block mode provides additional protection against malware when the primary antivirus is running in passive mode or if another antivirus is active on the machine.
How can existing exclusions in antivirus software affect EDR?
-Existing exclusions in antivirus software will be respected during EDR scanning. If a file or application is excluded in the antivirus settings, EDR will not affect those exclusions.
What command can be used to check the status of Microsoft Defender Antivirus and EDR?
-The command 'sc query windefend' can be used in the command prompt to check whether the Microsoft Defender Antivirus service (WinDefend) is running. For EDR status, the PowerShell command 'Get-MpComputerStatus | Select AMRunningMode' can be used (AMRunningMode is the property that reports the running mode; the video's captions render it as "MP running mode").
How long does it take to disable EDR block mode once the decision is made?
-It takes 30 minutes to disable EDR block mode once the decision to disable it has been made.
What is the process for creating an EDR policy in Microsoft Endpoint Manager?
-To create an EDR policy, navigate to Endpoint Security in Microsoft Endpoint Manager, select Endpoint Detection and Response, and follow the steps to create a policy, including naming it, setting options, assigning it to a group, and validating the policy.
How can you test if EDR block mode is enabled on a device?
-You can test if EDR block mode is enabled on a device by using the PowerShell command mentioned earlier. If EDR is in block mode while another antivirus is running, the command will output 'EDR in block mode'.
What is the role of scope tags in EDR policy creation?
-Scope tags in EDR policy creation allow administrators to define specific groups or organizational units to which the policy should apply, ensuring that the policy is targeted to the correct devices or users.
Outlines
Endpoint Detection and Response (EDR) Overview
This paragraph introduces the concept of Endpoint Detection and Response (EDR), emphasizing its focus on detecting and responding to threats on endpoint devices such as laptops, desktops, and servers. EDR prioritizes alerts based on the severity of threats and provides full visibility into the attack's scope, processes involved, and remediation actions. It operates automatically to remediate threats and can work alongside other antivirus solutions, even when they are not active, offering additional protection. The paragraph also explains how EDR generates alerts and incidents from similar alerts, with a promise to cover incident handling in an upcoming video.
EDR in Block Mode and Policy Validation
The second paragraph delves into how EDR operates in block mode, providing extra security when the primary antivirus solution might have missed something or in the case of a post-breach detection. It explains that EDR can work with other antivirus software, including Microsoft Defender, and respects existing exclusions set in those programs. The paragraph also covers how to validate the EDR and antivirus status using command prompt and PowerShell commands, providing specific examples of the commands and expected outputs based on the configuration.
Creating and Assigning EDR Policies
This paragraph outlines the process of creating an EDR policy within the Microsoft Endpoint Manager console. It details navigating to the endpoint security section and selecting the appropriate options for creating an EDR policy, including choosing the correct platform version. The paragraph discusses settings such as block sample sharing, telemetry reporting frequency, and the use of scope tags. It also explains how to assign the policy to specific groups and validate the policy deployment, including waiting for the policy to sync with end-user devices and checking the policy status in the security center console.
Testing EDR Policy and Syncing Settings
The final paragraph focuses on testing the deployed EDR policy and ensuring it is synced on test machines. It describes syncing the policy through account settings and checking the security center console to verify whether EDR is enabled in block mode. The paragraph provides PowerShell commands to check the status of EDR and the running mode of the antivirus, explaining the expected outputs for different antivirus configurations. It concludes with an invitation for viewers to comment with any questions and a teaser for the next video on a different topic.
Keywords
EDR
Antivirus
Endpoint
Security Analytics
Alerts
Incidents
Block Mode
Policy
Microsoft Endpoint Manager
Sync
Telemetry Reporting
Highlights
Introduction to Microsoft Defender for Endpoint and the EDR (Endpoint Detection and Response) feature.
Explanation of EDR's focus on critical detection and response in endpoint environments like laptops, desktops, and servers.
How EDR security analytics prioritize alerts based on the severity of the threat.
Visibility into the full scope of breach when a malicious attack occurs, including the processes involved.
EDR's automatic action to remediate threats detected by the system.
The creation of alerts in the system for further analysis when a threat is detected.
Conversion of similar alerts into incidents for continuous or widespread threats.
Understanding the logical workflow of EDR from detection to response, prediction, and prevention.
How EDR in block mode provides additional protection when the primary antivirus solution is passive or active.
The compatibility of EDR block mode with other antivirus solutions, including third-party options.
Instructions on how to enable EDR block mode and its implications for existing exclusions.
The importance of keeping the antivirus up to date when using EDR.
The process to disable EDR block mode and the time it takes for the change to take effect.
Validation methods for EDR and antivirus status using command prompt and PowerShell.
Demonstration of creating a policy for EDR in the Microsoft Endpoint Manager console.
Details on policy settings, including block mode, sample sharing, and telemetry reporting.
Assignment of the EDR policy to specific groups and validation of policy application.
Practical lab demonstration of syncing the policy on a test machine and checking the EDR status.
How to enable EDR in block mode from the Microsoft Defender Security Center settings.
Testing the EDR status using PowerShell commands to confirm the operational mode.
Transcripts
Hi guys, welcome back to my YouTube channel for the MDE tutorial on Microsoft Defender for Endpoint. Today we are going to cover endpoint detection and response, which is called EDR, so let's get started with this video.

Here is the content we're going to cover in this video: the EDR features, EDR in block mode, creating an EDR policy, then we'll test the policy on a device, and finally we'll validate the EDR and antivirus status and we will see some troubleshooting steps. So let's understand first what EDR is.
EDR stands for endpoint detection and response. EDR is focused on critical detection and response in the endpoint environment, especially on laptops, desktops, servers, tablets and other devices. So what we understood from this sentence is that EDR works on end-user devices.

If there is anything malicious, the EDR security analytics can prioritize the alert very efficiently and gain visibility into the full scope of the breach. When a malicious attack happens it will trigger an alert, and that alert can also be prioritized, whether it's high, medium, low or non-impactful, and it will gain visibility into the full scope of the breach. So whatever breach happens, it will give you complete visibility into how that malicious attack happened and what processes were involved, and take action to remediate the threat. So EDR will automatically take action to remediate the threat.
Now, when a threat is detected, alerts are created in the system for analytics to investigate. So when any malicious attack happens or any threat is detected on the machine, alerts will automatically be created in the system, and then that alert will be sent to you for investigation.

Similar alerts will convert into incidents. When we have similar alerts from many machines, or one machine is continuously sending similar alerts, then those alerts will convert into an incident. I will be covering alerts and incidents in my upcoming video in depth, to understand how the alerts are generated, how to fix them and how to resolve the incidents as well.

So now let's understand how this logically works. When any malicious attack or threat happens, first it goes to the detect stage, then it goes to respond, then predict, and then it will prevent, meaning remediate and prevent, and so on.
Now let's understand EDR in block mode and how EDR in block mode is working. EDR in block mode will provide additional protection against malicious activity when Defender antivirus is running in passive mode or in active mode. That means if you have Microsoft Defender EDR activated on your machine and suppose your Defender antivirus is not working and Symantec, McAfee, CrowdStrike or any other antivirus is working, in that scenario also your EDR can work with the other, non-Microsoft antivirus. So EDR in block mode will provide you additional protection when something malicious happens and any other antivirus is working, whether it is Microsoft Defender or any other antivirus.

So EDR block mode works if the primary antivirus solution missed something or if there is any post-breach detection. That means EDR can work if your primary antivirus, as I explained, which can be Microsoft Defender or a third-party solution like Symantec, McAfee or anything else, missed something; then your EDR will take care of that.

Now, EDR in block mode allows Defender antivirus to take action on post-breach behavioral detections.
Now let me write a few answers here. Existing exclusions will work in EDR if EDR is in block mode. Suppose you are running Microsoft Defender and you put in some exclusions; those exclusions will be applied during EDR scanning when EDR is in block mode. In a similar way, if you have Symantec antivirus, McAfee, Trend Micro or anything else and you put some exclusions in that, then EDR will exclude those particular files.

EDR will not affect the existing antivirus, whether it is Defender or any other antivirus, so EDR is not going to touch the antivirus part; it won't be different.

In fact, EDR and Defender antivirus detect and remediate malicious activity themselves, so it is important to keep it up to date. If you are using Microsoft antivirus, it's mandatory that your antivirus is up to date.

If you choose to disable EDR in block mode, and you want EDR in block mode to be disabled, then it will take 30 minutes to disable it.
Now here is the validation of the EDR and antivirus status. You can simply go to the command prompt (cmd) and type 'sc query windefend'; if the service is running, that means your Defender antivirus is in running mode.

And here is a command with PowerShell: 'Get-MpComputerStatus | Select AMRunningMode'. This will give you the EDR status mode, whether EDR is running in normal mode or not. If you have Defender antivirus and you are checking EDR block mode, then it will give you the output Normal. If suppose you enable EDR on that machine and you are running a different antivirus like Symantec, Trend Micro, McAfee or anything else, then it will give you the output EDR in block mode. So that's how you can test it.
Now let's move to the practical lab and we'll start creating a policy. So now I am in the MEM console, Microsoft Endpoint Manager, and here let's go to the Endpoint security section, and here we will be creating the policy.

OK, so I am under Endpoint security and here is the option Endpoint detection and response. First let's create an EDR policy here and then we'll go to EDR in block mode. So now go to Create policy, and here we have three options: Windows 10 and servers, Windows 10 and later, and Windows 10 and later (SCCM). Let's take Windows 10 and later; we are not going to implement on the servers. So now let's select Windows 10 and later and Endpoint detection and response. If you want to implement on Windows 10, 11 and servers you can select this one, and if you have SCCM then you can select this one. So let us go with Windows 10 and later, and now Create.

And here let me just copy-paste and name it; you can give the name based on your convenience. Now let's go to Next and see what settings we have over here. It's loading.
So now here we have two options only; if you select the servers as well, then this console changes. 'Block sample sharing for all files': that means from the Security Center you cannot see all the files; if you say Yes, that will block the files. Why? Because you might have some sensitive applications running in your infrastructure and, due to your policy, you don't want to share all the files with Microsoft, so you can block that. And here is 'Expedite telemetry reporting frequency': if you select that, then the frequency of your logs to the central logs in the Security Center will increase. So if you want to increase it, you can increase it; expedite Microsoft Defender security telemetry reporting frequency, and it will send a lot very frequently. And here, if you click on the icon button, it will show the setup of the Microsoft Defender for Endpoint sample sharing configuration parameters. So if you don't want to share all the applications with Microsoft, then just say Yes. Most infrastructures choose Yes. Why? Because all the files are not meant to be sent; whichever file is impacted and you want to share, you can send it manually for the investigation. So that's how you can follow it. Now let's go to Next.
If you are using any scope tags, you can define them here. I don't have any scope tags; it's the default, so you can use the scope tags.

Now let's go to Next and we are under Assignments. Just include a group where you want to enable this policy. So now let's go and just select the group here. OK, so here I created an 'EDR activate' group; now go and just select it, and select the members where you want to apply this. Now it's going to be applied here. OK, so now here it calculated one device and zero users; I have added only the one user in my EDR activate group. Now let's go to Next, and here is the overview, and now here it's going to create the policy. So here is a message that the profile was created. Now you can go back again to your Endpoint security, go here, and you can validate whether your policies were created or not.
So now, after assigning this policy, just wait for a couple of minutes or hours until this policy reaches the end-user devices. So here you can go to the properties... sorry, let's go to the overview, and here we'll get your report status of whether this policy is applied or not, so let's just wait for some time. OK, so here the data will be populated after a couple of hours, and meanwhile let's go to our test machine and sync the policy. So here I have my Windows 11 machine where I activated my Defender, so let's go to the account settings and sync the policy; immediately the policy will sync and it will get the latest policy from Defender.

So now go to Accounts, and here is 'Access work or school'; let's go here. And now here's the account; go to Info, and here you can sync your device. Once this device is synced then we can test the policy. So let's wait for some time.

OK, so we have one more point to show you about EDR. This policy has synced up, and let's go to the Security Center console and see our Defender EDR in block mode. So let's go to the settings; I am under security.microsoft.com, and here go to Settings. Under Settings we have Endpoints, so let's go here and check EDR in block mode and how you can activate that. So just wait for some time.
The console has loaded. So now this Advanced feature is on. Go under Advanced features and here let's search for EDR: 'Enable EDR in block mode'. It's already enabled; I enabled it last time, but if it is in off mode then you just click and enable it, enable this EDR in block mode. Once you've done it, save the preferences, and that's all. This is the only setting which you can do from Advanced features. Once you've done it, that means your EDR will work in block mode as well.

And now let's move quickly to our test machine. Let me do the sync again; it was already synced and my EDR was in block mode. So now let's test it; we can test it from PowerShell. This is the command which will show you: 'Get-MpComputerStatus | Select AMRunningMode'. It will show you whether your EDR is in block mode or not. It's showing Normal. Why? Because I have Defender antivirus on this machine. What if there is some other antivirus like Symantec, McAfee, Trend Micro or CrowdStrike? Then it will give you the output Defender is in... oh sorry, 'EDR in block mode', so you will be getting the output like that.

And if you want to test your antivirus, here I chose the command 'sc query windefend'. This will give you the status of whether your Defender client is running or not. So the Defender client is running on this machine and you are not in block mode; that's why you have the output Normal. If not, you should get the output 'EDR in block mode', as I showed you in my PPT here. So you will be getting that output here if some third-party antivirus is running on this machine.

So guys, if you have any problem you can give me a comment. Once this policy has succeeded... actually I already deployed it and deleted it, so that's why it was showing that way.

So now, guys, if you have any questions please comment on this video and then I can answer you there. So guys, thank you for watching this video, see you soon in my next video with some other topic in depth. Thank you, see you soon in my next.
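The validation steps the video walks through (the Q&A commands 'sc query windefend' and 'Get-MpComputerStatus', the running-mode output, and the advice to keep Defender antivirus up to date) can be collected into one check. The script below is an added example, not code from the video or from Microsoft. It assumes an elevated PowerShell session on Windows 10/11 or Windows Server where the Defender module (Get-MpComputerStatus) is present. The service names WinDefend and Sense, the documented AMRunningMode strings ('Normal', 'Passive Mode', 'EDR Block Mode', 'SxS Passive Mode'; the video's slides paraphrase the last as "EDR in block mode"), and the onboarding registry key come from Microsoft's Defender for Endpoint documentation; the seven-day signature-age threshold and the function names are my own choices.

```powershell
# Added example (not from the video): validate Microsoft Defender AV and MDE EDR status
# on a Windows endpoint. Assumes an elevated session with the Defender PowerShell module.
# WinDefend/Sense service names, AMRunningMode values and the onboarding key are documented
# by Microsoft; the signature-age threshold is an assumed value.

function Get-EdrValidationReport {
    [CmdletBinding()]
    param(
        # Days after which AV signatures are reported as stale (assumed threshold).
        [int]$MaxSignatureAgeDays = 7
    )

    # Same check as 'sc query windefend' in the video; 'Sense' is the MDE EDR sensor service.
    $avService  = Get-Service -Name 'WinDefend' -ErrorAction SilentlyContinue
    $edrService = Get-Service -Name 'Sense'     -ErrorAction SilentlyContinue
    $avStatus   = if ($avService)  { [string]$avService.Status }  else { 'NotInstalled' }
    $edrStatus  = if ($edrService) { [string]$edrService.Status } else { 'NotInstalled' }

    # Same data as 'Get-MpComputerStatus | Select AMRunningMode', plus the AV health fields.
    $mp = Get-MpComputerStatus

    # OnboardingState = 1 means the device is onboarded to an MDE tenant.
    $onboarding = Get-ItemProperty `
        -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
        -Name 'OnboardingState' -ErrorAction SilentlyContinue
    $onboarded = ($null -ne $onboarding -and $onboarding.OnboardingState -eq 1)

    [PSCustomObject]@{
        ComputerName         = $env:COMPUTERNAME
        WinDefendService     = $avStatus
        SenseService         = $edrStatus
        MdeOnboarded         = $onboarded
        AMRunningMode        = $mp.AMRunningMode   # Normal | Passive Mode | EDR Block Mode | SxS Passive Mode
        AntivirusEnabled     = $mp.AntivirusEnabled
        RealTimeProtection   = $mp.RealTimeProtectionEnabled
        SignatureLastUpdated = $mp.AntivirusSignatureLastUpdated
        SignatureAgeDays     = $mp.AntivirusSignatureAge
        SignatureStale       = ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays)
    }
}

function Get-EdrModeExplanation {
    param([Parameter(Mandatory)][string]$AMRunningMode)

    # Maps the documented AMRunningMode strings to what they mean for EDR in block mode.
    switch ($AMRunningMode) {
        'Normal'           { 'Defender AV is the active primary engine; this is the Normal output the video shows.' }
        'EDR Block Mode'   { 'Another AV is primary and Defender AV remediates post-breach detections via EDR in block mode.' }
        'Passive Mode'     { 'Another AV is primary and EDR in block mode is off; enable it under Settings > Endpoints > Advanced features.' }
        'SxS Passive Mode' { 'Defender AV runs side by side with another AV in passive mode; EDR in block mode is not active.' }
        default            { "Unrecognized mode '$AMRunningMode'; confirm the Defender platform is installed and current." }
    }
}

# Run the checks and flag the conditions the video calls out: the EDR sensor must be running
# and onboarded, and Defender AV signatures must be kept up to date.
$report = Get-EdrValidationReport
$report | Format-List
Write-Host (Get-EdrModeExplanation -AMRunningMode $report.AMRunningMode)

if ($report.SenseService -ne 'Running' -or -not $report.MdeOnboarded) {
    Write-Warning 'MDE sensor (Sense) is not running or the device is not onboarded; EDR alerts will not reach the portal.'
}
if ($report.SignatureStale) {
    Write-Warning "Defender AV signatures are $($report.SignatureAgeDays) days old; update them before relying on EDR in block mode."
}
```

On a machine where Defender AV is the primary engine the report shows AMRunningMode 'Normal', matching the video's result; with a third-party AV installed and EDR in block mode enabled in the portal it shows 'EDR Block Mode'. The Sense and onboarding checks are the extra detail a defender wants when the policy appears synced but no alerts reach the Security Center.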