7.10 Module Assessment

75 minutes · Module 7

Module 7 — Final Assessment

Key takeaways

  • Unonboarded devices are invisible — no telemetry, no alerts, no investigation. Run the coverage gap query weekly.
  • Track EffectiveCoverage (healthy+active/total), not just CoveragePercent (onboarded/total) — the gap between them is false confidence.
  • Intune is the recommended onboarding method — automatic for new enrollments, no scripts or GPO.
  • macOS System Extension approval is the #1 Mac onboarding failure — deploy approval profiles via Intune or Jamf.
  • Tamper protection prevents attackers from disabling Defender with a single command — enable it tenant-wide.
  • Network protection blocks connections to known-malicious domains — disabled by default, enable on every device.
  • ASR rules prevent high-risk behaviors (macro execution, LSASS access, email executables). Enable in audit mode first, analyze for 2-4 weeks, create exclusions, then block.
  • The five critical ASR rules: Office child process, email executable, LSASS credential theft, WMI/PSExec, JavaScript downloads.
  • Start AIR on semi-auto. Full automation only after 90+ days of data proving low false positive rates.
  • Custom indicators operationalize investigation findings — attacker IPs, domains, and file hashes become fleet-wide automated protection.
  • Live response provides remote shell access — restrict to Tier 2+ analysts to prevent accidental damage.
  • Read the device timeline as a process tree: parent spawns child, child spawns grandchild. Malicious chains have Office apps spawning cmd/PowerShell.
  • Collect investigation package BEFORE isolating a device — isolation drops active connections you need for evidence.
  • The Defender management channel survives device isolation — you can still run live response on an isolated device.
  • Device groups control both policy targeting and RBAC scope. Order matters: most specific first, default last.
  • Device compliance + conditional access = the AiTM killer. Unenrolled device = non-compliant = blocked. MFA claims in stolen tokens are irrelevant.
  • TVM provides continuous vulnerability assessment from the sensor — no separate scanning tool needed.
  • Prioritize patching by: exploit available > critical severity > high device count. Emergency patching for exploitable criticals.

Final assessment (12 questions)

1. CoveragePercent shows 99.2% but EffectiveCoverage shows 98.2%. What does the gap represent?

Devices onboarded but not healthy — sensors installed but not reporting. These are blind spots disguised as coverage. An attacker on one of these devices operates undetected despite the device appearing in your inventory.
Rounding error
Devices that do not support Defender
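Worked example for question 1 (added here, not part of the module's own material): computing CoveragePercent and EffectiveCoverage from a constructed device inventory and listing the devices that make up the gap. The inventory, the health-state labels and the 7-day "recently active" window are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Reference time for the check and the assumed threshold for "recently reporting".
NOW = datetime(2024, 6, 1, 9, 0)
ACTIVE_WINDOW = timedelta(days=7)

# Constructed inventory (not real telemetry):
# (device name, sensor onboarded?, sensor health state, last telemetry time).
INVENTORY = [
    ("WS-001", True,  "Active",   NOW - timedelta(hours=1)),
    ("WS-002", True,  "Active",   NOW - timedelta(hours=3)),
    ("WS-003", True,  "Active",   NOW - timedelta(days=1)),
    ("WS-004", True,  "Active",   NOW - timedelta(days=2)),
    ("WS-005", True,  "Active",   NOW - timedelta(hours=6)),
    ("WS-006", True,  "Active",   NOW - timedelta(days=3)),
    ("WS-007", True,  "Active",   NOW - timedelta(hours=12)),
    ("WS-008", True,  "Inactive", NOW - timedelta(days=12)),  # sensor installed, stopped reporting
    ("WS-009", True,  "Active",   NOW - timedelta(days=9)),   # state says Active, telemetry is stale
    ("WS-010", False, None,       None),                      # never onboarded: invisible
]

def is_effective(device, now=NOW):
    """A device counts as covered only if onboarded, healthy and recently active."""
    _, onboarded, health, last_seen = device
    if not onboarded or health != "Active" or last_seen is None:
        return False
    return now - last_seen <= ACTIVE_WINDOW

def coverage_metrics(inventory, now=NOW):
    """Return both metrics plus the device lists that explain the gap."""
    total = len(inventory)
    onboarded = [d for d in inventory if d[1]]
    effective = [d for d in inventory if is_effective(d, now)]
    return {
        "CoveragePercent": round(100 * len(onboarded) / total, 1),
        "EffectiveCoverage": round(100 * len(effective) / total, 1),
        # Onboarded but not effective: the blind spots disguised as coverage.
        "GapDevices": [d[0] for d in onboarded if not is_effective(d, now)],
        "Unonboarded": [d[0] for d in inventory if not d[1]],
    }

if __name__ == "__main__":
    m = coverage_metrics(INVENTORY)
    print(f"CoveragePercent={m['CoveragePercent']}%  EffectiveCoverage={m['EffectiveCoverage']}%")
    print("Gap (onboarded, not reporting):", m["GapDevices"])
    print("Unonboarded:", m["Unonboarded"])
```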

2. Tamper protection is disabled on 18 devices. An attacker gains local admin on one. What happens?

The attacker disables real-time protection with one PowerShell command. All detection stops on that device. The attacker operates freely — executing payloads, dumping credentials, moving laterally — with zero endpoint alerts.
Nothing — Defender cannot be disabled
Defender self-heals

3. You enable "Block Office child processes" in block mode without audit testing. Monday morning result?

Legitimate Office macros and plugins that launch PowerShell or cmd.exe are blocked. Finance cannot run reporting macros. HR mail merge fails. Help desk floods with tickets. Always audit first, create exclusions, then block.
Only malware is blocked
No impact — ASR only logs

4. You see winword.exe -> cmd.exe -> powershell.exe -enc [base64] in the device timeline. Interpretation?

Macro-based malware delivery. Office spawning cmd/PowerShell is the textbook chain. The -enc flag hides the payload in Base64. Containment: collect investigation package, isolate device, revoke user sessions. Decode the Base64 to understand the payload.
Normal Office behavior
A Windows update
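Worked example for question 4 (added here, not the module's own code): walking a process tree of constructed process-creation events, flagging shells with an Office ancestor, and decoding the -enc argument (Base64 of UTF-16LE) so the analyst can see the payload. The event records and the harmless encoded command are constructed for illustration.

```python
import base64
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Constructed sample: a benign command encoded the way PowerShell expects (-enc).
ENC = base64.b64encode("Write-Host 'constructed sample'".encode("utf-16le")).decode()

# Constructed process-creation events (not real telemetry): pid, parent pid, image, command line.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "winword.exe",    "cmd": 'winword.exe "Invoice.docm"'},
    {"pid": 300, "ppid": 200, "image": "cmd.exe",        "cmd": "cmd.exe /c powershell -enc " + ENC},
    {"pid": 400, "ppid": 300, "image": "powershell.exe", "cmd": "powershell.exe -enc " + ENC},
    {"pid": 500, "ppid": 100, "image": "powershell.exe", "cmd": "powershell.exe -File backup.ps1"},  # no Office ancestor
]

def ancestry(events, pid):
    """Follow parent links from pid to the root; returns image names root-first."""
    by_pid = {e["pid"]: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid]["image"].lower())
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def decode_encoded_command(cmd):
    """Decode a PowerShell -e/-ec/-enc/-EncodedCommand argument; None if absent or malformed."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmd, re.IGNORECASE)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def find_office_shell_chains(events):
    """Flag every cmd/PowerShell process with an Office application anywhere in its ancestry."""
    findings = []
    for e in events:
        if e["image"].lower() not in SHELLS:
            continue
        chain = ancestry(events, e["pid"])
        if any(img in OFFICE for img in chain):
            findings.append({"pid": e["pid"], "chain": " -> ".join(chain),
                             "decoded": decode_encoded_command(e["cmd"])})
    return findings

if __name__ == "__main__":
    for f in find_office_shell_chains(EVENTS):
        print(f"pid {f['pid']}: {f['chain']}\n  decoded: {f['decoded']}")
```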

5. Why collect the investigation package BEFORE isolating?

The package captures live network connections, running processes, and active sessions. Isolation drops all connections — the C2 IP and active exfil channels disappear from the evidence. 30 seconds of collection preserves critical investigation data.
Packages cannot be collected after isolation
Isolation takes longer

6. An isolated device — can you still investigate it?

Yes. The Defender management channel survives isolation. Live response commands, file collection, and remediation all work. The attacker loses their channel; you keep yours.
No — all connections are cut
Only for 30 minutes

7. After the Module 13 AiTM investigation, you have 5 phishing domains. How do you operationalize them?

Create custom indicators: alert-and-block for all 5 domains. Any device connecting to these domains generates an alert and is blocked. Investigation findings become fleet-wide automated protection.
Email the IOCs to the team
Update the firewall block list only

8. An attacker replays a stolen token from their laptop. "Require compliant device" is active. Result?

Blocked. The laptop is not in Intune. Device compliance evaluates the physical device, not the token. The MFA claim is irrelevant.
Allowed — valid MFA in token
Prompted for MFA

9. TVM shows a critical CVE with a public exploit on 342 devices. Correct urgency?

Emergency patching. Public exploit + critical + high device count = attackers can use this today. Monthly patch cycles are for CVEs without exploits.
Monthly patch cycle
Monitor for exploitation first

10. Device group evaluation order: VIP-Devices is listed after Workstations-Standard. A VIP laptop matches both. Which policy applies?

Both — policies merge
VIP — tags always win
Workstations-Standard — it is evaluated first. The VIP laptop gets the generic workstation policy, not the VIP priority policy. Fix: reorder groups so VIP-Devices evaluates before Workstations-Standard. Most specific first, most general last.

11. Semi-auto AIR has run for 30 days with 0 false positives. Full automation next?

Yes — proven safe
Never automate
Not yet — 30 days is insufficient sample size. Low-frequency false positives may only appear quarterly. Wait 90+ days and assess environment tolerance for automated remediation errors.

12. Network protection is disabled by default. What does enabling it in block mode do?

Blocks connections to domains and IPs in Microsoft threat intelligence from the endpoint. Works everywhere — office, home, public Wi-Fi. Unlike firewall rules (perimeter only), network protection travels with the device. Malware on a roaming laptop cannot reach C2 servers.
Blocks all network traffic
Only blocks downloads