Unveiling Insights with Microsoft Defender for Endpoint: Analyzing Daily Activity and Data Size

In the dynamic landscape of cybersecurity, staying ahead of potential threats requires a keen understanding of the data generated by security tools. Microsoft Defender for Endpoint stands as a stalwart guardian, offering robust protection against evolving risks. To harness the full potential of Defender for Endpoint, we turn our attention to the power of the Kusto Query Language (KQL). In this blog post, we embark on a journey through a comprehensive KQL script meticulously crafted for hunting and analyzing data within Defender for Endpoint. This script serves as a beacon, illuminating the path to unlocking valuable insights into daily activities and data sizes across diverse tables. Join us as we dissect each section of this script, revealing the intricacies that make it an indispensable asset in the arsenal of cybersecurity professionals.

Complete KQL Script

union withsource = TableName
    // Each table is listed once: listing a table twice in a union counts its rows twice
    DeviceEvents, DeviceFileEvents, DeviceFileCertificateInfo, DeviceImageLoadEvents, DeviceInfo, DeviceLogonEvents, DeviceNetworkEvents,
    DeviceNetworkInfo, DeviceProcessEvents, DeviceRegistryEvents, EmailAttachmentInfo, EmailEvents, EmailPostDeliveryEvents, EmailUrlInfo, UrlClickEvents, AlertEvidence, AlertInfo,
    IdentityLogonEvents, IdentityQueryEvents, IdentityDirectoryEvents
| where Timestamp >= ago(1d)
// estimate_data_size(*) approximates the size in bytes of each row
| summarize total = count(), DailyBytes = sum(estimate_data_size(*)) by TableName, bin(Timestamp, 1d)
| summarize DailyAvg = avg(DailyBytes), TotalTableEntries = sum(total), TotalBytes = sum(DailyBytes) by TableName
| extend TableSizeInGB = format_bytes(TotalBytes, 4, "GB"),
         DailyAvgInGB = format_bytes(DailyAvg, 4, "GB")
// TableSizeInMB = format_bytes(TotalBytes, 2, "MB"),
// DailyAvgInMB = format_bytes(DailyAvg, 2, "MB")
| sort by TotalBytes desc
| project-away TotalBytes, DailyAvg

  • Union Operation:
    • In this section, we use the union operator to combine data from multiple tables. The withsource option adds a column named TableName to identify the source table for each record.
  • Filtering by Timestamp:
    • This line filters the records on the Timestamp field, keeping only those that occurred within the last day (ago(1d)).
  • Summarization:
    • The summarize statement calculates the total record count and the daily sum of the estimated data size for each table. The results are grouped by TableName and by Timestamp binned into 1-day intervals.
  • Further Summarization:
    • Another summarize statement further aggregates the data, calculating the average daily bytes (DailyAvg), total table entries (TotalTableEntries), and total bytes (TotalBytes) for each table.
  • Extension with Size Formatting:
    • The extend statement adds new columns to the result, formatting the total bytes and daily average bytes into gigabytes.
  • Sorting and Projecting:
    • The sort statement arranges the results in descending order based on total bytes (TotalBytes). The project-away statement removes unnecessary columns (TotalBytes and DailyAvg) from the final output.

Conclusion:

By delving into the intricacies of this KQL script, we’ve uncovered a powerful approach to extracting valuable insights from Defender for Endpoint data. This script not only aggregates and summarizes data but also formats it for easy interpretation. Incorporate this script into your security analysis toolkit to gain a comprehensive understanding of daily activities and data sizes, empowering you to make informed decisions to enhance your organization’s cybersecurity posture.

Understanding Registry Tagging in Microsoft Defender for Endpoint

Registry tagging is a method used in Microsoft Defender for Endpoint to assign a value to a machine. This value is picked up by the telemetry of Microsoft Defender for Endpoint. The process involves setting the tag value in the DeviceTagging key (HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging).

Pros and Cons of Registry Tagging

Pros

  1. Embeddable: The tag can be embedded into the onboarding script, making it easy to implement during the initial setup.

Cons

  1. Fixed Tag: Once set, the tag is fixed and cannot be changed through the portal. It can only be modified by altering the registry.
  2. Single Tag Limitation: Only one tag can be specified in the registry, limiting the flexibility of this method.

Challenges Regarding Registry Tagging

There are a couple of challenges we need to consider when discussing registry tagging:

  1. Tampering with the Registry Key: If the registry key is modified after enrollment, the tag shown in the Defender console is updated in about 24 hours.
  2. Modifying the Registry Key: Changing the registry key value will cause the device to be regrouped if there are custom views or groupings based on tags (such as RBAC permissions).

These challenges highlight some of the complexities and considerations when using registry tagging with Microsoft Defender for Endpoint. Understanding these aspects can help in effectively managing and securing your devices.
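One way to keep an eye on the tampering and modification challenges above is to hunt for writes to the DeviceTagging key in the DeviceRegistryEvents table, which the first script in this post already reads from. The query below is an added example, not part of the original post or of Microsoft's documentation; the 7-day window and the ExpectedTags list are placeholders to adjust for your environment.

```kql
// Added example: surface changes to the DeviceTagging registry key so that a
// tag rewrite (and the regrouping it causes) is visible to the SOC before the
// portal reflects it. The lookback window and ExpectedTags are assumed placeholders.
let ExpectedTags = dynamic(["<your-approved-tag>"]);  // constructed placeholder list
DeviceRegistryEvents
| where Timestamp >= ago(7d)
| where RegistryKey endswith @"\Windows Advanced Threat Protection\DeviceTagging"
| where ActionType in ("RegistryValueSet", "RegistryValueDeleted", "RegistryKeyDeleted")
| extend OldTag = tostring(PreviousRegistryValueData), NewTag = tostring(RegistryValueData)
// A value set outside the approved list is the case worth triaging first
| extend UnexpectedTag = ActionType == "RegistryValueSet" and NewTag !in (ExpectedTags)
| project Timestamp, DeviceName, ActionType, RegistryValueName, OldTag, NewTag, UnexpectedTag,
          InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
| sort by Timestamp desc
```

Deleted values and keys show an empty NewTag, so a row with ActionType RegistryValueDeleted or RegistryKeyDeleted means the device will fall out of any tag-based group once the portal catches up.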

For more information, please visit the Microsoft documentation at: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machine-tags?view=o365-worldwide

Stay Informed About MDE Releases: Your Ultimate Guide (What’s new in Microsoft Defender for Endpoint)

I am thrilled to have you all reading my blog. As the Microsoft Defender for Endpoint Team (MDE team) continues to make significant strides in the development of Microsoft Defender for Endpoint (MDE), and as users gear up for some exciting releases, I want to ensure you have easy access to all the updates and developments surrounding MDE. To make this journey even smoother, Microsoft has provided multiple channels that will keep you informed every step of the way.

Here are the top three options we recommend for tracking the progress of all MDE developments:

  1. M365 Security Customer Connection Program: (by MSFT approval only): The M365 Security Customer Connection Program is an exclusive platform designed to provide you with first-hand information on features currently in Private Preview. By joining this program at aka.ms/JoinCCP, you will not only gain access to valuable insights but also have the unique opportunity to participate in and provide feedback for these exclusive features. It’s your chance to be a part of shaping the future of MDE!
  2. MDE Blog in the Community Hub: The Community Hub hosts the Microsoft Defender for Endpoint Blog, where we share all major announcements, including when features reach the Public Preview stage. To stay updated, I recommend subscribing to the RSS feed for the MDE Blog. By doing so, you’ll receive instant notifications in your Outlook or preferred RSS reader. This way, you’ll never miss an important update, ensuring you’re always ahead of the curve. Microsoft Defender for Endpoint Blog – Microsoft Community Hub
  3. “What’s New in Microsoft Defender for Endpoint” RSS feed on Microsoft Learn: For a comprehensive view of everything that is currently in preview or generally available (GA) in the latest MDE release, I suggest subscribing to the “What’s New in Microsoft Defender for Endpoint” RSS feed on Microsoft Learn. What’s new in Microsoft Defender for Endpoint | Microsoft Learn. This feed serves as a one-stop shop for all the information you need, making it easy to explore the latest advancements and enhancements within MDE.

With these three powerful channels at your disposal, you’ll be at the forefront of innovation and fully equipped to maximize the potential of Microsoft Defender for Endpoint. Embrace the opportunities to shape the future of MDE by staying engaged and informed through our carefully curated platforms.

Thank you for being an essential part of our journey, and we look forward to sharing more exciting updates with you soon!

Stay secure, stay protected, and stay connected.