Ransomware detection – looking for initial compromise
When looking for a compromised endpoint, account, or server, we will usually need several data sources side by side to see what is actually going on.
So far, we have only seen two data sources – Security events and VM insights – and both of them collect data from a single machine. Depending on the kind of systems we are looking at, we need to find out which other sources we have access to and start collecting from them.
A typical setup I do with customers is to look at the commonly used systems (identity, collaboration, VPN, VDI, web applications, and supported SaaS services), which in most cases means Azure AD, Office 365, AVD, and whatever other sources are available.
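Before hunting, it is worth checking which of these sources are actually landing in the workspace. The following KQL query is an added example, not from the original text: it runs against the Log Analytics `Usage` table (which records ingested volume per table) and compares it with a constructed list of the tables the connectors named above normally populate. The table names are the standard ones for each connector (Windows security events, VM insights, Azure AD, Office 365, AVD diagnostics, and Defender for Endpoint via the Microsoft 365 Defender connector); adjust the list if your environment uses different connectors or table names.

```kql
// Added example: which of the expected data sources have delivered data in the last 7 days?
// The Expected list is constructed for this example; it maps a source to the table its connector writes to.
let Expected = datatable(DataType: string, Source: string) [
    "SecurityEvent",  "Windows Security events",
    "VMConnection",   "VM insights (connection data)",
    "SigninLogs",     "Azure AD sign-in logs",
    "AuditLogs",      "Azure AD audit logs",
    "OfficeActivity", "Office 365 activity",
    "WVDConnections", "Azure Virtual Desktop connections",
    "DeviceEvents",   "Defender for Endpoint (Microsoft 365 Defender connector)"
];
Expected
| join kind=leftouter (
    // Usage.Quantity is reported in MB per DataType; summarize per table over the lookback window.
    Usage
    | where TimeGenerated > ago(7d)
    | summarize LastSeen = max(TimeGenerated), IngestedMB = round(sum(Quantity), 1) by DataType
) on DataType
// A source with no Usage rows in the window is either not connected or has stopped sending.
| project Source, DataType,
          Status = iff(isnull(LastSeen), "missing", "ok"),
          LastSeen, IngestedMB
| order by Status asc, Source asc
```

Any row marked `missing` means that source cannot contribute to the investigation until its connector is fixed, and a table whose `LastSeen` is hours old on a busy tenant is worth a look as well, since a stalled connector is easy to mistake for "no activity".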
As I mentioned in Chapter 1, Ransomware Attack Vectors and the Threat Landscape, many of the attack vectors target, or at least start at, the endpoint, so it is also worth having security mechanisms there, such as Defender for Endpoint, which can also feed data into Microsoft...