Products & Services
Azure Resource Manager (ARM) Quickstart Templates – Deploy Azure resources through ARM with community contributed templates to get more done. Deploy, learn, fork, and contribute back.
Best Practice, Checklists, and Recommendations
Azure Operational Security Best Practice – This Azure Operational Security Best Practices article is based on a consensus opinion, and Azure platform capabilities and feature sets, as they exist at the time this article was written. Opinions and technologies change over time and this article will be updated on a regular basis to reflect those changes.
Azure operational security checklist – Deploying an application on Azure is fast, easy, and cost-effective. Before deploying a cloud application in production, it is useful to have a checklist to assist in evaluating your application against a list of essential and recommended operational security actions for you to consider.
Deployment & Configuration
Build a multi-tenant SaaS web application using Azure AD & OpenID Connect – 11/22/2017 – This sample shows how to build a multi-tenant .Net MVC web application that uses OpenID Connect to sign up and sign in users from any Azure Active Directory tenant, using the ASP.Net OpenID Connect OWIN middleware and the Active Directory Authentication Library (ADAL) for .NET.
Azure Active Directory Developers Guide – The following guided setups walk you through building an app on your preferred platform using the Azure AD
Try Azure ATP – (Must be part of EMS E5). Trial valid for 90 days.
Azure ATP Frequently asked questions FAQ – This article provides a list of frequently asked questions about Azure ATP and provides insight and answers.
Best Practice & Recommendations
Azure ATP readiness guide – This article provides a readiness roadmap: a list of resources to help you get started with Azure Advanced Threat Protection.
Azure ATP Prerequisites – This article describes the requirements for a successful deployment of Azure ATP in your environment.
Deployment and Configuration
Special Use Cases
Configure the proxy – Allows the ATP sensor to report diagnostic data and communicate with Azure ATP when a computer is not normally permitted to connect to the internet.
Configure Windows Event Forwarding – Events can be forwarded in case the Azure ATP sensor is not deployed on the endpoint.
10-2-2018 – How Azure Advanced Threat Protection detects the DCShadow attack – The DCShadow attack, discovered by Vincent LE TOUX and Benjamin Delpy, was presented at Microsoft BlueHat-IL in January. After the release of Azure Advanced Threat Protection (Azure ATP), and as part of our ongoing research for developing new detections, we were able to deploy this detection to the Azure ATP sensor.
Enable Azure Active Directory Identity Protection – Azure Active Directory Identity Protection is a capability of Azure Active Directory (Azure AD). With Azure AD Identity Protection, you are able to:
Get a consolidated view of flagged users and risk events detected using machine learning algorithms
Set risk-based Conditional Access policies to automatically protect your users
Improve security posture by acting on vulnerabilities
How to configure conditions for automatic and recommended classification for Azure Information Protection – For the best user experience and to ensure business continuity, we recommend that you start with user recommended classification, rather than automatic classification. This configuration lets your users accept the classification and any associated protection, or override these suggestions if they are not suitable for their document or email message.
Microsoft Security Graph API
Instructions and Guides
Code-Free options to connect with the Microsoft Graph Security API – We are happy to announce Microsoft Graph Security connectors for Azure Logic Apps, Microsoft Flow, and PowerApps, which greatly simplify the development of automated security workflows. By building playbooks that use the Microsoft Graph Security connector, you can automate common security tasks across multiple security solutions.
Office 365 Roadmap – The Office 365 Roadmap lists updates that are currently planned for applicable subscribers. Updates are at various stages from being in development to rolling-out to customers to being generally available for applicable customers world-wide.
Office 365 Exchange Online Ports and IP Ranges
Office 365 Trust Documents – Information about how Microsoft cloud services protect your data, and how you can manage cloud data security and compliance for your organization. This includes Audited Controls, Compliance Guides, FAQ, White Papers, Pen Test and Security Assessments.
Licensing Terms and Documentation – SLA, terms and other agreement related documents
Best Practices and Recommendations
Office 365 Security Roadmap – Video Link – This article includes top recommendations from Microsoft’s cybersecurity team for implementing security capabilities to protect your Office 365 environment. This article is adapted from a Microsoft Ignite session — Secure Office 365 like a cybersecurity pro: Top priorities for the first 30 days, 90 days, and beyond. This session was developed and presented by Mark Simos and Matt Kemelhar, Enterprise Cybersecurity Architects.
Configure O365 for increased security – This topic walks you through recommended configuration for tenant-wide settings that affect the security of your Office 365 environment. Your security needs might require more or less security. Use these recommendations as a starting point.
Microsoft Security Guidance for Political Campaigns, Nonprofits, and Other Agile Organizations – If your organization is agile, you have a small IT team, and your threat profile is higher than average, this guidance is designed for you. This solution demonstrates how to quickly build an environment with essential cloud services that include secure controls from the start. This guidance includes prescriptive security recommendations for protecting data, identities, email, and access from mobile devices.
Protect against threats in O365 – With Office 365 Enterprise, you can help protect your organization against a variety of threats, including spoofing, malware, spam, phishing attempts, and unauthorized access to data. Use the resources on this page to learn about threat protection and actions you can take.
Connect O365 to MCAS (Cloud App Security) – Start monitoring using the default threat detection policies for O365 anomalous behaviors. (Takes around 7 days to baseline)
Instructions and Guides
O365 ATP Attack Simulator – Test credential harvesting, internal phishing campaigns, brute force and password spray attacks. Run realistic attack scenarios in your organization. This can help you identify vulnerable users before a real attack impacts your bottom line.
Office 365 Attack Simulator and Mitigating Common Attacks (Part 1)
Deep Dive – How Hybrid Authentication really works – The aim of this post is to explain in more detail how this server to server communication works, and to help the reader understand what risks this poses, how these connections are secured and authenticated, and what network controls can be used to restrict or monitor this traffic.
Exchange Server Deployment Assistant – Customized step-by-step instructions to deploy Exchange Server and Exchange hybrid deployments with Exchange Online.
SIEM integration with Office 365 Threat Intelligence – If your organization is using a security information and event management (SIEM) server, you can integrate Office 365 Threat Intelligence and Advanced Threat Protection with your SIEM server. SIEM integration enables you to view information, such as malware detected by Office 365 Advanced Threat Protection and Threat Intelligence, in your SIEM server reports.
Enable Audit logging and Search the audit log in O365 Security and Compliance Portal – Need to find out whether a user viewed a specific document or purged an item from their mailbox? If so, you can use the Office 365 Security & Compliance Center to search the unified audit log to view user and administrator activity in your Office 365 organization.
Configuring Safe Attachments, Safe Links, and Anti-Phishing Policies – Helpful guide to configure various Office 365 ATP policies for your tenant.
Video – Getting started with protecting your email – The following series of introductory videos will help you use Exchange Online Protection (EOP) to protect your mailboxes. These videos are applicable for EOP standalone customers who are protecting on-premises mailboxes such as Exchange Server 2013, and for Exchange Online customers whose cloud-hosted mailboxes by default are protected by EOP.
Protect against Threats in Office 365 – Security features Microsoft provides for customers to secure their O365 environment.
How to securely add a sender/3rd party mail service/server to an allow list in Office 365 – Explains the right and wrong way to set up Exchange Transport Rules (ETRs) to ensure you block anything you don’t know about.
NOT Using the Additional Spam Filtering option for SPF hard fail to block apparently internal email spoofing or 3rd party – Helps you configure some advanced Exchange Transport Rules (ETRs) to whitelist known servers leveraging DMARC to check the authenticity of the message.
How to align with SPF and DMARC for your domains if you use a lot of 3rd parties to send email as you
How Office 365 uses Sender Policy Framework (SPF) to prevent spoofing – This article describes how Office 365 uses the Sender Policy Framework (SPF) TXT record in DNS to ensure that destination email systems trust messages sent from your custom domain. This applies to outbound mail sent from Office 365. Messages sent from Office 365 to a recipient within Office 365 will always pass SPF.
Setup SPF in Office 365 to help prevent spoofing – This article describes how to update a Domain Name Service (DNS) record so that you can use Sender Policy Framework (SPF) with your custom domain in Office 365. Using SPF helps to validate outbound email sent from your custom domain.
SPF Official Documentation – openspf.org – This page serves as an introduction and quick overview of SPF mechanism syntax.
Use DKIM to validate outbound email sent from your custom domain in O365 – This article describes how you use DomainKeys Identified Mail (DKIM) with Office 365 to ensure that destination email systems trust messages sent from your custom domain.
Setup DKIM so that a third-party service can send, spoof, email on behalf of your custom domain – This article describes how you use DomainKeys Identified Mail (DKIM) with Office 365 to ensure that destination email systems trust messages sent from your custom domain.
Use DMARC to validate email in Office 365 – Domain-based Message Authentication, Reporting, and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to authenticate mail senders and ensure that destination email systems trust messages sent from your domain.
How Microsoft moved to a P=Quarantine DMARC Record? – Explains the steps Microsoft took to migrate to a P=Quarantine DMARC record in detail.
M3AAWG.org DMARC Training Series – Series of videos to help understand DMARC. Really useful for those that need more clarification.
Best Practices for implementing DMARC in O365
Best Practices for Exchange Online Protection Customers to align with DMARC
Dmarcian.com DMARC Deployment Checklist
A way to sort of approximate DMARC aggregate reports in O365 – Shows you how to extract this information and send it off to a DMARC reporting address via PowerShell.
Basic spam troubleshooting in O365
Troubleshooting the red (Suspicious) Safety Tip for fraud detection checks – This article helps you troubleshoot and investigate why a particular mail is being flagged.
Spoof Intelligence – Allow or block a particular sender from sending spoofed email into your organization.
Anti-Spam and Anti-Malware
Anti-Spam and Anti-malware protection – If you’re an Office 365 customer whose mailboxes are hosted in Microsoft Exchange Online, your email messages are automatically protected against spam and malware.
Zero-hour auto purge – protection against spam and malware – Zero-hour auto purge (ZAP) is an email protection feature that detects messages with spam or malware that have already been delivered to your users’ inboxes, and then renders the malicious content harmless. How ZAP does this depends on the type of malicious content detected.
Getting the best connectivity and performance in Office 365 – Traditional enterprise networks are designed primarily to provide users access to applications and data hosted in company operated datacenters. A secondary use has been as a gateway for access to the Internet for communications and web browsing. In this model, there is minimal or no network security between users and the company operated datacenters, and a substantial security perimeter between users and the Internet with many network devices such as firewalls, anti-virus scanners, data loss prevention, and intrusion detection devices.
Windows Defender AV
Evaluate Windows Defender AV – Use this guide to determine how well Windows Defender Antivirus protects you from viruses, malware, and potentially unwanted applications.
Mitigate threats by using Windows 10 security features – This topic provides an overview of some of the software and firmware threats faced in the current security landscape, and the mitigations that Windows 10 offers in response to these threats. For information about related types of protection offered by Microsoft
Manage Windows Defender AV in your business – You can manage WDAV with Group Policy, SCCM, PowerShell cmdlets, WMI, and the mpcmdrun.exe utility.
March-April 2018 test results: More insights into industry AV tests – We’d like to share Windows Defender AV’s scores in the March-April 2018 test. In this new iteration of the transparency report, we continue to investigate the relationship between independent test results and the real-world protection of antivirus solutions. We hope that you find the report insightful.
Windows Transparency Reports for March-April 2018
Microsoft Security Intelligence Report – The Microsoft Security Intelligence Report Volume 23 analyzes key security trends from the past year—and provides actionable recommendations on how you can respond today.
External – Av-test.org – AV-TEST Product Review and Certification Report – Mar-Apr/2018 – During March and April 2018 we continuously evaluated 15 endpoint protection products using settings as provided by the vendor. We always used the most current publicly-available version of all products for the testing. They were allowed to update themselves at any time and query their in-the-cloud services. We focused on realistic test scenarios and challenged the products against real-world threats. Products had to demonstrate their capabilities using all components and protection layers.
Best Practice and Recommendations
Windows Security Baselines – We recommend that you implement an industry-standard configuration that is broadly known and well-tested, such as Microsoft security baselines, as opposed to creating a baseline yourself. This helps increase flexibility and reduce costs.
GCHQ Windows 10 Security Guidance – National Cyber Security Centre guidance has been updated to cover the 1803 “April 2018 Update” of Windows 10 Enterprise. It builds on the previous Windows 10 ALPHA Mobile Device Management (MDM) guidance.
ACSC Windows 10 Hardening Guide – Australian Cyber Security Centre guidance. This document provides guidance on hardening workstations using Enterprise and Education editions of Microsoft Windows 10, version 1709. Some Group Policy settings used in this document may not be available or compatible with Professional, Home or S editions of Microsoft Windows 10, version 1709.
Sticking with Well-Known and Proven Solutions – I work with a lot of customers, and there are some problems I see over and over. One problem that I’ve seen and been thinking about a lot lately is the way that a number of customers paint themselves into a corner through excessive customization of their environment. Lately I’ve been making the case that they would be much better off by sticking with defaults or broadly known and well-tested configurations, and with proven enterprise solutions over home-grown tools.
Application whitelisting with “AaronLocker” – AaronLocker is designed to make the creation and maintenance of robust, strict, AppLocker-based whitelisting rules as easy and practical as possible. The entire solution involves a small number of PowerShell scripts. You can easily customize rules for your specific requirements with simple text-file edits. AaronLocker includes scripts that document AppLocker policies and capture event data into Excel workbooks that facilitate analysis and policy maintenance.
Microsoft Safety Scanner – Microsoft Safety Scanner is a scan tool designed to find and remove malware from Windows computers. Simply download it and run a scan to find malware and try to reverse changes made by identified threats.
Malicious Software Removal Tool – Windows Malicious Software Removal Tool (MSRT) helps keep Windows computers free from prevalent malware. MSRT finds and removes threats and reverses the changes made by these threats. MSRT is generally released monthly as part of Windows Update or as a standalone tool available here for download.
Device Guard and Credential Guard hardware readiness tool – Use this tool to see if your hardware is ready for Device Guard and Credential Guard.
Security Compliance Toolkit (SCT) – A set of tools that allows enterprise security administrators to download, analyze, test, edit, and store Microsoft-recommended security configuration baselines for Windows and other Microsoft products.
Microsoft Exploitability Index – Helps customers prioritize their deployment of the monthly security updates.
Getting Started with Security Update Guide
MSRC Security Update Guide – The MSRC investigates all reports of security vulnerabilities affecting Microsoft products and services, and provides the information here as part of the ongoing effort to help you manage security risks and help keep your systems protected.
Protect against Rapid Cyber Attacks (Petya, WannaCrypt, and similar variants) – Webinar – Rapid cyberattacks like Petya and WannaCrypt were able to take down all IT systems at global enterprises in about an hour, creating a new challenge for IT and Security leadership and practitioners to manage. Join us to learn about these attacks and Microsoft’s prescriptive roadmap of recommended mitigations to protect your organization against this type of attack.
Customize the Windows Defender Security Center app for your organization – You can add information about your organization in a contact card to the Windows Defender Security Center app. This can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
Attack inception: Compromised supply chain within a supply chain poses new risks – A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case. Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload. The attack seemed like just another example of how cybercriminals can sneak in malware using everyday normal processes.
Windows Defender ATP Links
Windows Defender ATP Homepage – Homepage for Windows Defender ATP. You can also start your free trial here.
Video – ATP & WDATP detection sharing – shows how Microsoft 365 Threat Protection shares signals through the Intelligent Security Graph (ISG) to better protect our customers.
Supported Windows Versions
Connectivity Verification Tool – Verifies client connectivity to the WDATP service URLs.
Product Area & Features
Automated Investigation & Response – Hexadite
Video – Windows Defender ATP investigation and Response – This animation shows Windows Defender ATP automated investigation and response: how these capabilities help security teams with their security incidents and how they free up time for more advanced hunting and strategic work.
Use Automated investigations to investigate and remediate threats
Overview of Automated investigation
Advanced Threat Hunting (Mine data with custom queries)
Getting Started with WDATP Advanced Hunting – Intro to Advanced Threat Hunting article
Using WDATP Advanced Threat Hunting to find PowerShell scripts that have been executed
Windows Defender ATP Hunting Queries GitHub Repo – This repo contains sample queries for Advanced hunting on Windows Defender Advanced Threat Protection. With these sample queries, you can start to experience Advanced hunting, including the types of data that it covers and the query language it supports. You can also explore a variety of attack techniques and how they may be surfaced through Advanced hunting.
How to query Advanced Threat Hunting for ASR Rules
Kusto Query Language Reference Documentation – Learn how to write advanced hunting queries using this reference guide
M365 Conditional Access based on device-risk with Windows Defender ATP – This video shows how the machine risk level constantly evaluated by WDATP is used with conditional access. Microsoft Intune receives the device risk level from Windows Defender ATP, and CA blocks access to business applications if the value does not conform to company policies.
Windows Defender ATP Secure Score – This animation video shows Windows Secure Score – how it helps organizations stay more secure, PowerBI reports to easily look for CVEs, and how our new Emergency Outbreak Updates get pushed automatically. (The video has references to the new “Microsoft Secure Score” and “emergency outbreak updates” which have not been disclosed yet.)
3rd party integration
Ziften Demo with WDATP – In less than 3 minutes Ziften CPO Mike Hamilton demonstrates the Dynoroot vulnerability exploit, followed by a quick demo of the advanced hunting feature set in Microsoft Windows Defender ATP.
Various conference and Windows Defender ATP Videos
Windows Defender ATP – Unified platform for endpoint security, RSA Conference 2018
Taking Ransomware to task with Windows Defender ATP, RSA Conference 2018
Windows Defender ATP Machine Learning: Detecting new and unusual breach activity, Ignite Sep-2017
Windows Defender ATP Lessons from the Field, TechReady 02-2017
Related Blog Articles
Hunting tip of the month: Downloads originating from email links – 08/30/2018 – In this August post, we are going to build on top of that and discuss more complex queries that join several noisy signals into stronger signals that you can use to hunt.
Protecting Windows Servers with Windows Defender ATP – This blog is for enterprise customers who want to use the Windows Defender ATP platform on Windows Server and need practical guidance on what needs to be in place for licensing and infrastructure.
Windows 10 to offer application developers new malware defenses – Application developers can now actively participate in malware defense – in a new way to help protect customers from dynamic script-based malware and non-traditional avenues of cyberattack.
Windows Defender ATP integrates with Microsoft Information Protection to discover, protect, and monitor sensitive data on Windows devices – It does this by integrating with Azure Information Protection, Microsoft’s data classification, labeling, and protection solution. This integration empowers Windows to natively understand Azure Information Protection sensitivity labels, to provide visibility into sensitive data on endpoints, to protect sensitive data based on its content, and to detect and respond to post-breach malicious activity that involves or affects sensitive data.
WDATP API “Hello World” (using a simple PowerShell script to pull alerts via the WDATP API) – This post walks you through common automation scenarios that you can achieve with Windows Defender ATP to optimize workflows.