July 22, 2020 Product updates
Keith McCammon

How to gain 24/7 detection and response coverage with Microsoft Defender ATP

Red Canary’s partnership with Microsoft Threat Protection continues to provide exceptional security solutions for Defender ATP customers.

This article originally appeared on the Microsoft blog in May, 2020. Since that time, we’ve performed over 10,000 investigations on behalf of our Microsoft Defender Advanced Threat Protection (ATP) customers, helping organizations of all sizes improve their ability to operationalize the ATP platform and data.

We’ve also partnered closely with the Microsoft Defender ATP product team to provide feedback based on our insights and use cases, leading to significant product improvements and strengthening our unique partnership. Some of the early successes that have come as a result of our collaboration include:

  • Use of Red Canary’s deep integration with the Microsoft Defender ATP API to provide feedback on every alert so that the Microsoft team can gain visibility into the results of our team’s investigations, understand true vs. false positives, and ultimately improve the quality of the signal that Defender ATP provides.
  • Improvements to the ATP APIs, enabling faster and more effective investigations, automated containment and response to confirmed threats, and improved reporting.
  • Open exchange of threat intelligence and trends, helping Microsoft to better understand the needs of our security operations team and helping our team to understand and fully utilize the power of the ATP agent and platform.

Overall, we appreciate and continue to find tremendous value in the partnership between Microsoft and Red Canary. Both teams have unique capabilities and strengths but are deeply aligned in our shared mission to improve security outcomes for our customers. We look forward to sharing more about what we’ve learned, what we’ve accomplished, and things to come. Stay tuned!

 

Whether you’re a security team of one or a dozen, detecting and stopping threats around the clock is a challenge. Security incidents don’t happen exclusively during business hours: attackers often wait until the late hours of the night to breach an environment. At Red Canary, we work with security teams of all shapes and sizes to improve detection and response capabilities. Our Security Operations team investigates threats in customer environments 24/7/365, removes false positives, and delivers confirmed threats with context. We’ve seen teams run into a wide range of issues when trying to establish after-hours coverage on their own, including:

  • For global enterprises, around-the-clock monitoring can significantly increase the pressure on a U.S.–based security team. If you have personnel around the world, a security team in a single time zone isn’t sufficient to cover the times that computing assets are used in those environments.
  • In smaller companies that don’t have global operations, the security team is more likely to be understaffed and unable to handle 24/7 security monitoring without stressful on-call schedules.
  • For the security teams of one, being “out of office” is a foreign concept. You’re always on. And you need to set up some way to monitor the enterprise while you’re away.

Microsoft Defender Advanced Threat Protection (ATP) is an industry-leading endpoint security solution that’s built into Windows with extended capabilities to Mac and Linux servers. Red Canary unlocks the telemetry delivered from Microsoft Defender ATP and investigates every alert, enabling you to immediately increase your detection coverage and waste no time with false positives.

Here’s how those who haven’t started with Red Canary yet can answer the question, “How can I support my 24/7 security needs with Microsoft Defender ATP?”

No matter how big your security team is, the most important first step is notifying the right people based on an on-call schedule. In this post, we’ll describe two different ways of getting Microsoft Defender ATP alerts to your team 24×7 and how Red Canary has implemented this for our customers.

Basic 24/7 via email

Microsoft Defender Security Center allows you to send all Microsoft Defender ATP alerts to an email address. You can set up email alerts under Settings → Alert notifications.

Microsoft Defender ATP Security Center
Email notification settings in Microsoft Defender Security Center

These emails will be sent to your team and should be monitored for high severity situations after-hours.

If sent to a ticketing system, these emails can trigger tickets or after-hours pages to be created for your security team. We recommend limiting the alerts to medium and high severity so that you won’t be bothered for informational or low alerts.

Microsoft Defender ATP ticketing system
Setting up alert emails in Microsoft Defender ATP to be sent to a ticketing system

Now any future alerts will create a new ticket in your ticketing system where you can assign security team members to on-call rotations and notify on-call personnel of new alerts (if supported). Once the notification is received by on-call personnel, they would then log into Microsoft Defender’s Security Center for further investigation and triage.

Enhanced 24/7 via APIs

What if you want to ingest alerts to a system that doesn’t use email? You can do this by using the Microsoft Defender ATP APIs. First, you’ll need to have an authentication token. You can get the token like we do here:

Microsoft Defender ATP API call
API call to retrieve authentication token

Once you’ve stored the authentication token you can use it to poll the Microsoft Defender ATP API and retrieve alerts from Microsoft Defender ATP. Here’s an example of the code to pull new alerts:

Microsoft Defender ATP API call
API call to retrieve alerts from Microsoft Defender ATP

The API only returns a subset of the data associated with each alert. Here’s an example of what you might receive:

Microsoft Defender ATP API alert
Example of a Microsoft Defender ATP alert returned from the API

You can then take this data and ingest it into any of your internal tools. You can learn more about how to access Microsoft Defender ATP APIs in the documentation. Please note, the limited information included in an alert email or API response is not enough to triage the behavior. You will still need to log into the Microsoft Defender Security Center to find out what happened and take appropriate action.

24/7 with Red Canary

By enabling Red Canary, you supercharge your Microsoft Defender ATP deployment by adding a proven 24×7 security operations team who are masters at finding and stopping threats, and an automation platform to quickly remediate and get back to business. Red Canary continuously ingests all of the raw telemetry generated from your instance of Microsoft Defender ATP as the foundation for our service. We also ingest and monitor Microsoft Defender ATP alerts. We then apply thousands of our own analytics to identify potential threats that are sent 24/7 to a Red Canary detection engineer for review.

Here’s an overview of the process (to go behind the scenes of these operations check out our detection engineering blog series):

Microsoft Defender ATP Red Canary MDR
Managed detection and response with Red Canary

Red Canary is monitoring your Microsoft Defender ATP telemetry and alerts. In the event of a confirmed threat, our team creates a detection and sends it to you using a built-in automation framework that supports email, SMS, phone, Microsoft Teams, Slack, and more. Below is an example of what one of those detections might look like.

Microsoft Defender ATP Red Canary Portal detection
Red Canary confirms threats and prioritizes them so you know what to focus on

At the top of the detection timeline you’ll receive a short description of what happened. The threat has already been examined by a team of detection engineers from Red Canary’s Cyber Incident Response Team (CIRT), so you don’t have to worry about triage or investigation. As you scroll down, you can quickly see the results of the investigation that Red Canary’s detection engineers have done on your behalf, including detailed notes that provide context to what’s happening in your environment:

Microsoft Defender ATP Red Canary detection timeline
Notes from Red Canary senior detection engineers (in light blue) provide valuable context

You’re only notified of confirmed threats and not false positives. This means you can focus on responding rather than digging through data to figure out what happened.

What if you don’t want to be woken up, you’re truly unavailable, or you just want bad stuff immediately dealt with? Use Red Canary’s automation to handle remediation on the fly. You and your team can create playbooks in your Red Canary portal to respond to threats immediately, even if you’re unavailable.

Microsoft Defender APT Red Canary automated detection
Red Canary automation playbook

This playbook allows you to isolate the endpoint (using the Machine Action resource type in the Microsoft Defender ATP APIs) if Red Canary identifies suspicious activity. You also have the option to set up Automate playbooks that depend on an hourly schedule. For example, you may want to approve endpoint isolation during normal work hours, but use automatic isolation overnight:

Microsoft Defender ATP Red Canary Automate playbook
Use the Red Canary Automate playbook to automatically remediate a detection.

 

 

Getting started with Red Canary

Whether you’ve been using Microsoft Defender ATP since its preview releases or if you’re just getting started, Red Canary is the fastest way to accelerate your security operations program. Immediate onboarding, increased detection coverage, and a 24/7 CIRT team are all at your fingertips.

Terence Jackson, CISO at Thycotic and Microsoft Defender ATP user, describes what it’s like working with Red Canary:

“I have a small team that has to protect a pretty large footprint. I know the importance of detecting, preventing, and stopping problems at the entry point, which is typically the endpoint. We have our corporate users but then we also have SaaS customers we have to protect. Currently my team tackles both, so for me it’s simply having a trusted partner that can take the day-to-day hunting/triage/elimination of false positives and only provide actionable alerts/intel, which frees my team up to do other critical stuff.”

Red Canary is the fastest way to enhance your detection coverage from Microsoft Defender ATP so you know exactly when and where to respond. Contact us to see a demo and learn more.

 

Zero in on the alerts that matter with Red Canary’s Alert Center

 

Red Canary launches new MDR offering powered by Microsoft Defender ATP

 

Our Automation Solution Now Features Forensics, Human Approvals, and More

 

Introducing Red Canary Automate, a New Security Automation Solution

Subscribe to our blog