MS-101 Microsoft 365 Mobility and Security Topic: Microsoft 365 Threat Intelligence
December 15, 2022

1. Microsoft Intelligent Security Graph

Let’s talk for a minute about the Microsoft Intelligent Security Graph. Or you might hear a lot of people just refer to it as the Microsoft Graph, right? Microsoft has a large global footprint, and what that means is that they’re collecting data points from millions and billions of different sources. Now how does that help you? In what way does that help your organization? Well, think about it. If you have a security team that is monitoring, managing, and maintaining your identity security solution, consider the number of attacks that they may face and the responses that they may devise to those attacks: perhaps a couple hundred or a couple thousand in a month.

Well, compare that to Microsoft, where they’ve got over 200 different global consumer and commercial services out there. You’re talking about billions: over 3 billion different authentications against Azure Active Directory per month, right? Against Xbox Live, against the Office suite, against the consumer version of OneDrive, there are lots of different services that have authentication attempts against them, and lots of those services have hack attempts against them. So the Microsoft Intelligent Security Graph can collect all of those potential malicious attempts from around the globe, ingest them, and apply machine learning to automate some responses to them. The security graph is going to give us the ability to understand when and where attacks are coming from. Let’s say, for example, you’re a U.S.-based company and you don’t have any foreign offices whatsoever. Well, if there is an attack that is starting to hit people over in Europe, the Microsoft Intelligent Security Graph is going to pick that attack up and build protections for your organization long before that attack ever even hits U.S. soil.

Now, in addition to actually helping to protect you, it’s also there to help educate you. Through the Microsoft Graph, we have the ability to understand what the trends are, where the emerging threats are coming from, and what types of things we need to start building for our organization to be able to protect against them. That includes the education that we might need to do for our users, which is often re-education, right? By taking and leveraging all of these different data points that Microsoft has globally, we can respond as a large global corporation would, even though we may not be quite that size.

2. Working with the Security Dashboard

With Office 365 or Microsoft 365, you can go out there and get a sense of what’s going on with the threat landscape, with the attacks that are affecting not only your tenant account but Microsoft 365 tenant accounts worldwide. And you can see all sorts of things happening. A lot of this information will actually come from the Microsoft Intelligent Security Graph. We have the ability to go out there and take a look at this. If I go into my Microsoft 365 Security and Compliance Center, I’m going to scroll down to the Threat Management section and open that up.

And in the Threat Management section, you’ll see that we actually have a dashboard. And I’m going to click on the dashboard now. That dashboard is going to give me a lot of summary information on what’s actually happening out there on the globe. For example, I can see the global weekly threats right now, right? And I can see that right now, with over 63 billion messages scanned, they have stopped over 20 million threats. They blocked another 11.3 million with Advanced Threat Protection. So for organizations that didn’t have ATP, there’s the potential that malicious software would have gotten through, based on the fact that it got through a virus scanner. And then, removed after delivery, they zapped another 4.3 million, right? So this dashboard is going to give me some insights into what’s actually happening out there. If there is malware that’s impacting my tenant account that’s been stopped, I would actually see it in my malware trends. I would see some malware family detections going on out here in the environment to understand exactly what’s happening, and then I could drill down into that to see what I’m up against and what I’m facing there in the environment.

One of the other nice things that they give us is the ability to see what we call threat intelligence, right? This gives me the ability to see security trends. And if I were interested in finding out a little bit more about that, I could actually click on the link, and it would open up a PDF that gave me a summary of what’s happening with this type of threat. So I can understand the threat as a whole. I can get into the details of the threat and how it might be presenting itself. And this would be ideal if I wanted to educate my users and show them what it could look like: be cautious if you get something like this, right? Because we’re constantly having to re-educate our users on the fact that threats are coming in via email that may appear to be generated internally or from someone you know, and you have to be extra cautious with these types of things. So it certainly would help us educate them a little bit on what’s happening out there. It also gives us the ability to see the code in the back that would actually cause that virus to go through the environment, the behaviors that are caused by this in this case, and some actions for us to be able to go out there and actually take.

So you can drill down and actually see what’s happening within that environment by looking at your dashboard. Now, if we had a large number of threats coming through, we could actually see the origin of those messages. We would see heat maps as to where the majority of the threats are coming from. Are they all U.S.-based? Are they all coming from a foreign country into our environment? So it gives us a quick and easy glance. If you have a chief information security officer, this is a great place for them to go to get a quick sense of what’s going on with security and protection in the Microsoft 365 environment.

3. Viewing the Threat Explorer

As part of your ability to understand what’s happening with your tenant in Microsoft 365, you’ll get the opportunity to actually use something called the Threat Explorer. So if you have any malware that’s been sent to your organization, the Threat Explorer can let you see exactly what it is, who’s sending it, where it’s coming from, and who it’s being targeted at, so you can get a better sense of maybe some education and some responses that you might have to it. To get to the Threat Explorer, we’re going to go into the Security and Compliance Center. I’m going to scroll down to Threat Management. Under Threat Management, I’ll open that up and go into Explorer. Now in Explorer, the default view is going to actually show me any malware that might have come into my environment. In this case, you can see I have a couple of pieces of malware that have actually shown up.

Now if I click on that, what it’s actually going to do is show me the malware family, but it’s also going to filter that, which means if there were other pieces of malware in there from other environments, they would drop off so that I could focus on one specific piece of malware at a time if I wanted to. If I scroll down a little bit further, I’m going to see a listing of the malware families—the different ones that have actually sent me malware. I have the ability to go out there and drill down into the attempts at malware delivery to actually see where it was being delivered from in our environment. Now, in this case, I get a nice summary from the Cyber Hunters of what exactly this is. This malware happens to be a test file just to test that malware is, in fact, being blocked. And we’re in good shape, right? You can see that it was, in fact, blocked. I can see where it came from. And further, if I were to go out there and actually look at it, I could see my targeted users here. And again, you can see the actual user and the activity as to when it came in. So I’d have the ability to go out there and understand where it was sent from.

In this case, it was a test file, so I’m not going to have any issues with that. But there we go. We can see the login and the IP addresses that we might have potential malware coming from and the routes that it took, as well as the recent alerts that we had there. And you can see that this gives us the ability to go out there and look at some of the concerns that we have for that as well. And one of the other things we can actually look at, which is interesting, is the email: we can see the messages that the malware came in on, but we also have the email origin, which is actually going to give us a map where we can see where the malware originated from. If you’re being targeted from one specific region, again, we might have the ability to start changing some of our malware filters to kind of take that into account. So the Explorer is going to give you a lot of insight into the malware that’s actually impacting your Microsoft 365 environment.

4. What is the Microsoft Advanced Threat Analytics?

Microsoft has a lot of experience understanding what types of threats your authentication systems would see, right? They apply a lot of machine learning and some analytics to their cloud-based environments, which gives us the ability to actually leverage that. And we can have it protect our on-premises authentication environment as well. We can do that by using what’s called Microsoft Advanced Threat Analytics, or Microsoft ATA. The Microsoft Advanced Threat Analytics environment is going to give us the ability to go through and actually have an on-premises system, right?

So it’s not a cloud-based system but an on-premises system to protect our on-premises environment and our authentication from various cyber attacks, whether they be from people outside the organization or from people who are actually inside the environment as well. It’s going to look for different types of suspicious activities, right? It’s going to go out there and basically try to focus on different parts of what we call the “cyberattack kill chain,” which is usually the method that a user will use to try to gain control over your environment. With ATA, it’s going to start first with observing reconnaissance: when people are monitoring your environment, trying to collect information, trying to “footprint” your server environment, for example, collecting DNS information or collecting user information within your organization. So it’s going to try to detect that reconnaissance for you. It will look to see if someone has gained access to your environment and is attempting lateral movement by granting themselves or obtaining additional authentication credentials in order to begin moving across the organization to other systems and servers.

Furthermore, there’s that domain dominance, right? That’s where somebody now not only has the ability to log into your systems, but they also have the ability to control them. And if you were to find their account, it’s okay because they probably have three other accounts that you’re not aware of yet. And the idea there is that ATA is looking for those types of events, those types of anomalies that might happen in your environment, to be able to go out there and protect you. It actually searches for three different types of attacks in your organization. First, any malicious attack: something that’s coming from an unexpected or unwanted environment, the ATA Center is going to pick that up. Second, any abnormal behavior, such as people trying to log in and have remote access to different machines that they otherwise shouldn’t have access to. And third, any security issues and risks. ATA now includes a database that is downloaded and maintained by Microsoft. So we have the ability to understand any of those new risks or those emerging threats to our environment.

They can be kept up to date so that we have the ability to defend against them. If you want to work with ATA, there are a couple of pieces that have to be installed within Advanced Threat Analytics. You have what’s called the ATA Center. Now, this is your front-end interface. This gives me the ability to see what kinds of threats have actually impacted our environment, what kinds of attacks we have seen or prevented within our organization, and it gets that data sent to it from a gateway. Now, the gateways can be one of two types. You can have either an ATA Lightweight Gateway or an ATA Gateway. The difference really depends on where you install it. If you’re working with Advanced Threat Analytics and you install the gateway product on a domain controller, then it installs what’s called the “lightweight gateway.” The lightweight gateway is going to go out there and be able to record event information for authentications, as well as the ability to actually track all the authentications against the domain controller.

And it does it locally. An ATA Gateway is typically a standalone machine, and the difference here is that usually if we’re going to build and install an ATA Gateway, we’ll do it on a non-member server, so it is not a member of the domain that it is monitoring. By doing it that way, it actually makes it more difficult for any potential attacker to detect that the environment is being monitored. So it gives us a little bit of anonymity when it comes to monitoring the environment. It then has to deal with port mirroring. We have to go out there and have some data from our DC sent over to it, as well as some event subscriptions, so it can collect the event data, and then it can process all of that information and send it to the ATA Center, where we can actually analyze it for any threats that might be happening against our organization.

5. Configuring ATA

To work with Advanced Threat Analytics, you need to actually go out there and configure it in an on-premises system, right? So it’s going to be an on-premises installation, not necessarily a cloud-based environment. So what you have to do is make sure that the systems you’re going to install it on meet the requirements for it. Now, the prerequisites are not that tough. Server 2012 R2 is the system’s most recent version. In addition to that, you’re going to need to make sure that you have .NET Framework 4.6.1 or higher installed. And it needs to be a member of a domain or a workgroup. Because, keep in mind, the gateway itself, if we’re going to install the full gateway, is best served on a standalone machine as opposed to a member of the domain because it’ll be further isolated and harder for somebody to detect. Then all that remains is for us to install the ATA Center. You’ll download and run the ATA Center setup.

You’ll connect it to your domain by logging in with domain credentials. And then after you do that, you’ll have the ability to go out there and download and install the gateway. You actually install just one gateway setup package. But the question you have is, do you install it on a server or on a DC? If you install it on a DC, it will be a lightweight gateway. And if you install it on a domain or a workgroup server, it will be the full gateway, right?

So you don’t have to make a choice at installation. Where you’re installing it determines that, and it installs the appropriate part based on that location. If we were to go out here and take a look at this, the first thing we need to do is actually go through the process of downloading ATA. You can get a copy of it from the Evaluation Center here. So if we go into the Evaluation Center and see, “I want to download Advanced Threat Analytics here for a 90-day trial,” I’ll just click “Continue.” To do that, I have to fill in some information here. So we’ll just have our good friend Ethan Cain download this from Aroma, make him in charge of [email protected], put in a phone number, put in the country, and click Continue. Now we will actually download and save the ISO file for ATA.

Let’s go ahead and let that download. Now that the ISO has been completely downloaded, I can go into my downloads folder on the server, and you’ll see that I have the ATA ISO file there. If I double-click it, it’ll go ahead and mount that for me. Now I’m going to go ahead and right-click and copy the ATA setup file out of here. And I prefer to have that actually install from a separate folder. So I’ll click here and create a new folder. We’ll just call it something like “install,” and I’ll paste the setup file into there. Once that’s done copying, the next step is to actually go through the installation of the ATA Center. So I’m going to right-click on it, choose Run as administrator, and we’re going to run the installation for the ATA Center itself. After we go through this process, the next step would actually be to set up the gateways that are going to feed it. So in the ATA Center setup, we’ll accept our language as English here.

We’ll accept the end-user license agreement there and click Next. And we’ll continue with the updates. We’ll just use Microsoft Update to keep it current. Notice here that there is an SSL certificate requirement. But you do have the ability to command it to create one, right? You can have it create a self-signed certificate for you, so you don’t have to install one in your environment. You don’t have to go out there and get one. You have the ability to choose that. And we’ll click on the Install button and let it actually install and configure the ATA Center for us. Okay, so now that the installation has been completed, we’re just going to go and click the Launch button to launch the ATA Center. Now, when the Advanced Threat Analytics Center opens up for us here, we actually have to sign into our domain, right? So it’s going to get us to sign into our domain. Now remember, I told you that it would create a self-signed certificate. So this warning here is not something that you should be surprised by. The fact is, we’re going to a page that has a certificate that is a self-signed certificate and isn’t trusted. But we can go ahead and continue on to the website. So it’s not a problem for us at all.

Now that we’re on that website, we’ll have the ability to log in with the domain-based account, so we can go out there and register the ATA Center within the domain so it has access to the information. And not only that, it’s going to give us access to the installer for the ATA Gateway. So that’s going to be the next part that we’ll actually need. So, now that the Advanced Threat Analytics Center has appeared, we’re going to sign in as administrators. So we’ll go into our aromaradministrator account, log in with that password, and put in our domain. In this case,, right? We’ll test the connection and make sure that we’re able to connect to that domain without any problem. Everything is great. And now we can save that configuration. So it has the ability now to connect to my domain environment to start monitoring and be able to collect information. But you’ll notice at the top there that I’ve got this new option here: download the gateway setup.

So now that the Center is installed, it’s giving us a link, so we have the ability to go out there and install the gateway. So let’s go ahead and click on that to download the gateway setup itself. Notice we’ve got a gateway setup here: download the package to install it. And there’s one package. It doesn’t matter whether you’re going to install the gateway or the lightweight gateway. It’s one single package that we’re downloading here, right? So we’re going to go get that one download, and then we have the ability to run that executable on another server to be able to connect it to our actual Advanced Threat Analytics environment. Switching over to the DC now, I’m going to go ahead and browse over to the server where we downloaded the gateway, and I’ve got the actual package saved in a share. So we’ll go over and grab it from Aramar server two. And right there in the install directory, you can see we have the ATA Gateway setup package. So we’ll go ahead and copy that onto the local system here, right? We’ll just create a new folder, call it GatewaySetup, and we’ll paste that right in there. Now, with that installed there, we’ll go ahead and extract everything out.

Once we’ve got the folder open and ready to go, the next step is for us to run the ATA Gateway setup. So I’m going to run this as an administrator and run the ATA Gateway setup. It’s not going to ask me if I’m going to install this as a full gateway or a lightweight gateway. I’m installing it on a DC, so by default, it will install the lightweight gateway for me, and then that gateway will start sending its information into the ATA Center so that we can start seeing any problems we may have with our authentications or other issues going on in that environment. So we’ll accept English. It says lightweight gateway, you notice; that’s because this is a domain controller, right? We’re going to go out there and install that. It’s going to install it in that installation path, and then we click Install and let it install the lightweight gateway. Okay, so my installation has now been completed successfully. We’ll click on the Finish button there. And now I have an ATA Lightweight Gateway installed, sending all of that traffic for authentications and the event logs from the DC into the ATA Center, where it can be analyzed in case there’s any malicious attempt going on in the organization.

6. Managing ATA

Now when I edit that file, what I’m going to do is change the configuration path for MongoDB. Now, MongoDB is running as a service on that server. So if I wanted to modify it and then move it somewhere else, what I would need to do is stop the MongoDB service and stop the ATA service. Then I would have the ability to edit the file, put in the new path, copy everything over to the new location, and then start the services again: start MongoDB, start the ATA service, and everything would be in its new location. So you have the ability to go out there and move it. And if you needed to, you could actually restore it by using the mongoimport command to restore the database, if it happens to become corrupt or some other problem occurs with your database.
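
The move described above, written out as a script. This is an added example, not part of the original course material: the service names `ATACenter` and `MongoDB`, the `dbPath` key, and the idea of passing the configuration file as a parameter are assumptions to confirm on your own ATA Center server before running it.

```powershell
#Requires -RunAsAdministrator
# Added example: relocate the MongoDB data directory used by the ATA Center.
# Service names and the dbPath key are assumptions; confirm them on your server.
param(
    [Parameter(Mandatory)] [string] $ConfigPath,  # MongoDB config file used by ATA
    [Parameter(Mandatory)] [string] $NewDbPath,   # destination folder for the data
    [string] $AtaService   = 'ATACenter',         # assumed service name
    [string] $MongoService = 'MongoDB'            # assumed service name
)
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Locate the current data path, expected as a line such as:  dbPath: D:\old\data
$pattern = '^(\s*dbPath\s*:\s*)"?(.+?)"?\s*$'
$hit = Select-String -LiteralPath $ConfigPath -Pattern $pattern | Select-Object -First 1
if (-not $hit) { throw "No dbPath entry found in $ConfigPath" }
$prefix    = $hit.Matches[0].Groups[1].Value
$oldDbPath = $hit.Matches[0].Groups[2].Value

$backup = "$ConfigPath.bak"
try {
    # Stop the ATA service first so nothing writes to the database mid-copy.
    Stop-Service -Name $AtaService
    Stop-Service -Name $MongoService

    # Keep a copy of the config so a failed move can be rolled back.
    Copy-Item -LiteralPath $ConfigPath -Destination $backup -Force

    # /COPYALL carries NTFS ACLs, owner and audit entries to the new location,
    # so the database is not left readable by accounts that could not read it before.
    robocopy $oldDbPath $NewDbPath /E /COPYALL /R:2 /W:2 | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy failed with exit code $LASTEXITCODE" }

    # Rewrite only the dbPath line; every other setting stays untouched.
    $updated = Get-Content -LiteralPath $ConfigPath | ForEach-Object {
        if ($_ -match $pattern) { $prefix + $NewDbPath } else { $_ }
    }
    Set-Content -LiteralPath $ConfigPath -Value $updated
}
catch {
    # Roll back to the old path if the copy or the edit failed.
    if (Test-Path -LiteralPath $backup) {
        Copy-Item -LiteralPath $backup -Destination $ConfigPath -Force
    }
    throw
}
finally {
    # Same start order as described above: MongoDB first, then ATA.
    Start-Service -Name $MongoService
    Start-Service -Name $AtaService
}

Get-Service -Name $MongoService, $AtaService | Format-Table Name, Status
```

The old data directory is left in place; remove it only after the ATA Center console shows current data from the new location.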
