MS-102 Phase 6, Module 39

Zero Trust & M365 Defender Suite

The three Zero Trust pillars, the XDR architecture of M365 Defender, incident management, Attack Simulation Training, and SIEM integration with Microsoft Sentinel.

Scenario – VinaCorp

The VinaCorp SOC team receives an alert: 3 users clicked a phishing link from an email impersonating the CFO within 10 minutes. Required: investigate the incident in the M365 Defender portal, determine the scope, isolate the devices, and reset passwords, all in under 30 minutes.

The Three Zero Trust Pillars

Verify Explicitly

Always authenticate and authorize based on all available data points: identity, location, device health, service or workload, data classification, and anomalies.

Least Privilege Access

Limit user access with JIT (Just-In-Time) and JEA (Just-Enough-Access), risk-based adaptive policies, and data protection.

Assume Breach

Assume a breach has already occurred: segment the network, encrypt end to end, use analytics to detect, and improve response time.

Zero Trust Pillars – M365 Mapping

Pillar | Microsoft Solution | Key Controls
Identity | Entra ID | MFA, CA, PIM, Identity Protection
Devices | Intune + MDE | Compliance policy, EDR, Conditional Access device filter
Applications | Entra App Proxy, MDCA | App Conditional Access, CASB, OAuth governance
Data | Purview | Sensitivity labels, DLP, encryption, eDiscovery
Infrastructure | Defender for Cloud | CSPM, workload protection, hardening
Network | Entra Private Access / Global Secure Access | ZTNA, microsegmentation, encrypted tunnel

M365 Defender – XDR Architecture

Defender Product | Protects | Portal
Defender for Endpoint (MDE) | Windows/macOS/Linux endpoints | security.microsoft.com
Defender for Office 365 (MDO) | Email, Teams, SharePoint, OneDrive | security.microsoft.com
Defender for Identity (MDI) | AD DS / AD FS on-premises | security.microsoft.com
Defender for Cloud Apps (MDCA) | SaaS apps, Shadow IT | security.microsoft.com
Entra ID Protection | Identity risk (user/sign-in risk) | entra.microsoft.com
Microsoft Sentinel | SIEM + SOAR | portal.azure.com

XDR (eXtended Detection & Response) automatically correlates signals from all Defender products into a single incident instead of many disjoint alerts.

Lab A – Investigate Phishing Incident (Portal)

Portal: security.microsoft.com → Incidents & alerts → Incidents
1. Open the incident "Multi-stage attack involving phishing and credential theft" → review the Attack story (full timeline)
2. Entities tab: identify the 3 affected users, 2 devices, 1 malicious URL, and 1 email sender
3. Click the suspicious device → Actions → Isolate device (keeps the connection to MDE but cuts all other network traffic)
4. Click the compromised user → Actions → Reset password + Revoke sessions
5. Evidence tab: soft-delete the malicious email from all mailboxes → Purge email
6. Update the incident status: In progress → assign to SOC Analyst → add a comment

Advanced Hunting – Expanding the Scope

// Find every recipient of an email carrying the phishing URL (last 24h).
// Note: this joins EmailUrlInfo with EmailEvents, so it lists recipients, not confirmed clicks.
EmailUrlInfo
| where Timestamp > ago(24h)
| where Url contains "malicious-domain.xyz"
| join kind=inner EmailEvents on NetworkMessageId
| project Timestamp, RecipientEmailAddress, SenderFromAddress, Url
| order by Timestamp desc

Timestamp         RecipientEmailAddress  SenderFromAddress  Url
2026-04-20 07:12  [email protected]      [email protected]  http://malicious-domain.xyz/login
2026-04-20 07:14  [email protected]      [email protected]  http://malicious-domain.xyz/login
2026-04-20 07:15  [email protected]      [email protected]  http://malicious-domain.xyz/login

Lab B – Handling the Incident via Graph & MDE API

Connect-MgGraph -Scopes "SecurityIncident.ReadWrite.All","User.ReadWrite.All"

# List high-severity incidents created in the last 24h
$since = (Get-Date).AddDays(-1).ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
$incidents = Get-MgSecurityIncident -Filter "severity eq 'high' and createdDateTime ge $since" -Top 10
$incidents | Select-Object Id, DisplayName, Severity, Status, CreatedDateTime

# Revoke sessions for the 3 compromised users
$users = @("[email protected]","[email protected]","[email protected]")
foreach ($u in $users) {
    Revoke-MgUserSignInSession -UserId $u
    Write-Host "Sessions revoked: $u"
}

# Reset password (require change at next sign-in)
Add-Type -AssemblyName System.Web   # Membership.GeneratePassword lives in System.Web (Windows PowerShell 5.1)
foreach ($u in $users) {
    # $tempPwd rather than $pwd, which shadows the automatic $PWD variable
    $tempPwd = [System.Web.Security.Membership]::GeneratePassword(16,4)
    Update-MgUser -UserId $u -PasswordProfile @{
        Password = $tempPwd
        ForceChangePasswordNextSignIn = $true
    }
    Write-Host "Password reset: $u → Temp: $tempPwd"
}

Sessions revoked: [email protected]
Sessions revoked: [email protected]
Sessions revoked: [email protected]
Password reset: [email protected] → Temp: K#9mP2xR@qL5nTdW
Password reset: [email protected] → Temp: J$7vN3yS!wM8kUeQ
Password reset: [email protected] → Temp: F%4bH6zA#rX1jCpG
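The following is an added example, not part of the module's own labs, that carries Lab A steps 2, 3 and 6 (scope the entities, isolate the device, update the incident) into the Graph and MDE APIs that Lab B names. It assumes the Microsoft.Graph PowerShell SDK, an app registration holding the MDE API permission Machine.Isolate whose token is already in $env:MDE_ACCESS_TOKEN, and placeholder values for the incident id, device name and analyst.

```powershell
# Added example (not the module's own code). Assumptions: Microsoft.Graph SDK installed;
# $env:MDE_ACCESS_TOKEN holds a token for https://api.securitycenter.microsoft.com issued to
# an app registration with the Machine.Isolate permission; the three values below are placeholders.
Connect-MgGraph -Scopes "SecurityIncident.ReadWrite.All","SecurityAlert.Read.All"

$incidentId = "<incident-id-from-portal>"        # placeholder
$deviceName = "vc-laptop-01.vinacorp.local"       # constructed hostname
$socAnalyst = "soc.analyst@vinacorp.example"      # constructed assignee
$mdeApi     = "https://api.securitycenter.microsoft.com/api"
$mdeHeaders = @{ Authorization = "Bearer $($env:MDE_ACCESS_TOKEN)" }

# Step 2 (scope): expand the incident's alerts and count evidence by entity type.
# Assumption: each evidence item's @odata.type (userEvidence, deviceEvidence, urlEvidence,
# mailboxEvidence, ...) is exposed via AdditionalProperties; this mirrors the Entities tab.
$incident = Get-MgSecurityIncident -IncidentId $incidentId -ExpandProperty alerts
$incident.Alerts.Evidence |
    Group-Object { $_.AdditionalProperties['@odata.type'] } |
    Select-Object @{n='EntityType';e={$_.Name -replace '^#microsoft\.graph\.security\.',''}}, Count |
    Format-Table -AutoSize

# Step 3 (contain): look the device up by DNS name in the MDE API and request full isolation.
$machine = (Invoke-RestMethod -Uri "$mdeApi/machines?`$filter=computerDnsName eq '$deviceName'" `
                              -Headers $mdeHeaders).value | Select-Object -First 1
if (-not $machine) { throw "Device '$deviceName' not found in MDE" }
$body = @{ Comment       = "Incident $incidentId - phishing, isolating pending investigation"
           IsolationType = "Full" } | ConvertTo-Json
$action = Invoke-RestMethod -Method Post -Uri "$mdeApi/machines/$($machine.id)/isolate" `
                            -Headers $mdeHeaders -ContentType "application/json" -Body $body

# Isolation is asynchronous: poll the machine action until it leaves Pending/InProgress.
do {
    Start-Sleep -Seconds 10
    $action = Invoke-RestMethod -Uri "$mdeApi/machineactions/$($action.id)" -Headers $mdeHeaders
    Write-Host "Isolate $($machine.computerDnsName): $($action.status)"
} while ($action.status -in @('Pending','InProgress'))

# Step 6 (track): move the incident to In progress and assign it to the analyst.
Update-MgSecurityIncident -IncidentId $incidentId -Status "inProgress" -AssignedTo $socAnalyst
```

If the isolation action ends in Failed, the device was not contained and should be isolated from the portal before continuing.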

Attack Simulation Training

security.microsoft.com → Email & collaboration → Attack simulation training: send phishing simulations to measure user awareness.

1. Simulations → Launch a simulation → Technique: Credential Harvest
2. Payload: choose a Vietnamese template or clone a template → customize the name and VinaCorp logo
3. Target: All users / specific group → Schedule: 9:00 AM on a working day
4. Training: auto-assign the Phishing awareness module to users who click
5. After 2 weeks: Reports → review click rate, compromise rate, training completion
Requirement: Defender for Office 365 Plan 2 (or M365 E5). A typical industry click rate after good training is under 3%.

Microsoft Sentinel – SIEM Integration

Feature | M365 Defender XDR | Microsoft Sentinel
Scope | M365 workloads only | Multi-cloud, on-prem, 3rd party
Incidents | Auto-correlated from M365 signals | Custom analytics rules, ML, UEBA
Retention | 90 days (Advanced Hunting) | Configurable (default 90 days, up to 7 years)
SOAR | Automated investigation | Playbooks (Logic Apps)
Threat Intelligence | Built-in MSTIC feeds | TAXII / STIX, custom TI
Cost | Included in E5 | Pay-per-GB ingestion

Connect the M365 Defender data connector to Sentinel:
portal.azure.com → Sentinel → Data connectors → Microsoft 365 Defender → Connect all M365 Defender products → Enable

// KQL query in Sentinel: find risky sign-ins (e.g. impossible travel) in the last day
SigninLogs
| where TimeGenerated > ago(1d)
| where RiskLevelDuringSignIn in ("high","medium")
| summarize count() by UserPrincipalName, Location, bin(TimeGenerated, 1h)
| order by count_ desc

M39 Summary

Core knowledge
  • ✅ Zero Trust: Verify Explicitly, Least Privilege, Assume Breach
  • ✅ XDR: correlate signals → 1 incident instead of many disjoint alerts
  • ✅ M365 Defender = MDE + MDO + MDI + MDCA + Entra ID Protection
  • ✅ Advanced Hunting KQL to scope a phishing campaign
  • ✅ Sentinel = SIEM for multi-cloud, custom analytics, playbooks
Labs completed
  • 🔬 Lab A: Investigate an incident in the portal: isolate, reset, purge email
  • 🔬 Lab B: Graph API: revoke sessions and reset passwords in bulk
  • 🔬 Attack Simulation Training: credential harvest simulation