Microsoft Defender for Endpoint: Key Configurations and Best Practices (2/2)

After some weeks, here is the second part of my series on Microsoft Defender for Endpoint. In this part we go through the insights and best practices that matter most in day-to-day operation: licensing, naming, how the sensor and cloud service work together, RBAC, data handling, the advanced features, and alert handling. I will guide you through the important configurations and strategies to raise your organisation's security level.

Part 1 (How to enroll device to Microsoft Defender for Endpoint and how does it work)

Content

  1. Content
  2. How can I reach the Microsoft Defender Portal?
  3. Licenses
  4. Let's clarify the naming!
  5. How does it work
    1. Endpoint Behavioral Sensors
    2. Cloud Security Analytics
    3. Threat Intelligence
    4. Microsoft Defender for Endpoint Main Components
    5. Onboarding and Setup Process
    6. Continuous Monitoring and Response
    7. Threat and Vulnerability Management
  6. How can I create RBAC roles?
  7. What data is collected?
  8. Where is the data stored?
  9. How to activate Advanced Features?
  10. Important Features you should know
  11. Auto-Resolving Alerts
  12. Setting Up Alert Notifications
  13. Conclusion

How can I reach the Microsoft Defender Portal?

You can find the portal via https://security.microsoft.com/

Licenses

The licensing options for Defender for Endpoint are segmented into two tiers:

  • Plan 1, included in Microsoft 365 E3/A3
  • Plan 2, included in Microsoft 365 E5/A5 and in Microsoft 365 E5 Security

It is also important to know that servers are not covered by these user licences: onboarding Windows or Linux servers requires a separate server licence (today Microsoft Defender for Servers, purchased through Microsoft Defender for Cloud). Check this before you onboard your first server, because an unlicensed server will still show up in the portal but leaves you out of compliance.

Microsoft Defender for Endpoint Plan 1 and Plan 2:

  • Block at First Sight
  • Cross-Platform Support
  • Enhanced ASR
  • Tamper Protection
  • Web Content Filtering

Microsoft Defender for Endpoint Plan 2 only:

  • Advanced Hunting
  • Automated Investigation & Response
  • Defender for Cloud Apps Integration
  • Endpoint Detection & Response
  • Evaluation Lab
  • Microsoft Threat Experts
  • MIP Integration
  • Threat Analytics
  • Threat & Vulnerability Management
  • 6-Months Searchable Data

Let's clarify the naming!

What is the difference between Windows Defender and Microsoft Defender for Endpoint?
In the end it is easy. "Windows Defender" is the old name of the built-in, free antivirus in Windows, today called Microsoft Defender Antivirus; it protects the device against viruses and other malware. Microsoft Defender for Endpoint is a separately licensed product that builds on top of that antivirus engine and adds the advanced capabilities (EDR, automated investigation, vulnerability management, advanced hunting). Keep the two apart when you read the documentation: many Defender for Endpoint features require Microsoft Defender Antivirus to be the active antimalware engine on the device.

How does it work

Endpoint Behavioral Sensors

  • Integration with Windows: Defender for Endpoint has behavioral sensors that are built directly into Windows 10/11 and recent Windows Server releases (macOS, Linux, iOS and Android use a separately installed agent). These sensors constantly monitor the activities on the operating system.
  • Data Collection: These sensors collect a wide array of behavioral signals from the operating system. This data includes information about process executions, file activities, network communications, and more.

Cloud Security Analytics

  • Data Processing: The data collected by the endpoint sensors is sent to a private, cloud-based instance of Microsoft Defender for Endpoint.
  • Big Data Analysis: This cloud service utilizes big data analytics to process the information collected from all endpoints.
  • Machine Learning: Alongside big data analytics, machine learning algorithms are employed to identify patterns and anomalies that might indicate a security threat.

Threat Intelligence

  • Global Insight: Microsoft gathers threat intelligence from various sources, including its global security teams, third-party partners, and automated systems.
  • Real-Time Updates: This intelligence is continuously updated and includes information about known threats, attacker techniques, malware signatures, and suspicious behavior patterns.
  • Integration with Sensor Data: The threat intelligence is used in conjunction with the data gathered from the endpoints to identify potential threats more accurately.

Microsoft Defender for Endpoint Main Components

  • Admin Portal: A centralized dashboard allows administrators to monitor endpoints, view security incidents, and manage response strategies.
  • Attack Surface Reduction (ASR): ASR rules reduce the exposure of endpoints to potential attacks by controlling applications and web access.
  • Endpoint Detection and Response (EDR): This component facilitates the real-time detection of threats and enables direct responses on the affected endpoints.
  • Behavioral Blocking and Containment: Identifies threats based on process behaviors on endpoints, even during ongoing attacks.
  • Automated Investigation and Response (AIR): This feature uses algorithms to automatically prioritize alerts and initiate response actions.
  • Advanced Hunting: Enables proactive, query-based (KQL) searching for potential threats and threat actors across the raw event data of all onboarded devices.

Onboarding and Setup Process

  • Device Integration: Devices are onboarded with management tools such as Microsoft Intune, Microsoft Configuration Manager (formerly System Center Configuration Manager) or Group Policy, or manually via the onboarding script downloaded from the portal.
  • Signal Transmission: Once onboarded, devices start transmitting data to Microsoft Defender for Endpoint.
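Once a device has been onboarded it should start transmitting within minutes, but "the script ran" is not the same as "the device is onboarded". The following script is an added example (not code from the original post or from Microsoft) that checks the three things a practitioner looks at first: the onboarding flag the onboarding package writes to the registry, the state of the Sense service, and the antivirus mode reported by the Defender cmdlets. It assumes an elevated PowerShell session on a Windows 10/11 or Windows Server 2019+ device with the built-in sensor; the registry key and cmdlets used are Microsoft's documented ones.

```powershell
# Added example: verify that a Windows device has actually onboarded to
# Defender for Endpoint and that the sensor is healthy.
# Assumptions: elevated session, built-in Sense sensor (Win10/11, Server 2019+).

$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'

function Get-MdeOnboardingState {
    $result = [ordered]@{}

    # 1. Onboarding flag written by the onboarding script / Intune policy (1 = onboarded)
    $state = (Get-ItemProperty -Path $statusKey -Name OnboardingState -ErrorAction SilentlyContinue).OnboardingState
    $result.Onboarded = ($state -eq 1)

    # 2. The Sense service must exist and be running, otherwise nothing is sent
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $result.SenseRunning = ($null -ne $sense -and $sense.Status -eq 'Running')

    # 3. Antivirus state: "Normal" = active mode, "Passive Mode" when a
    #    third-party AV is primary (then EDR in block mode does the blocking)
    $mp = Get-MpComputerStatus
    $result.AMRunningMode      = $mp.AMRunningMode
    $result.RealTimeProtection = $mp.RealTimeProtectionEnabled
    $result.TamperProtected    = $mp.IsTamperProtected
    $result.SignatureAgeDays   = $mp.AntivirusSignatureAge

    [pscustomobject]$result
}

$check = Get-MdeOnboardingState
$check | Format-List

if (-not $check.Onboarded -or -not $check.SenseRunning) {
    Write-Warning 'Device is not onboarded or the Sense sensor is not running.'
    exit 1
}
```

If the flag is 1 but the device never appears in the portal, the usual cause is outbound connectivity to the Defender for Endpoint service URLs being blocked by a proxy or firewall; the script above deliberately does not test that, because the result depends on your proxy configuration.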

Continuous Monitoring and Response

  • Real-Time Alerts: The system generates alerts based on detected threats or anomalies.
  • Incident Response: Administrators can use the admin portal to investigate alerts, track the spread of threats, and initiate response actions.
  • Automated Remediation: In many cases, the system can automatically take actions to mitigate threats, such as isolating compromised devices or cleaning infected files.

Threat and Vulnerability Management

  • Vulnerability Identification: The system identifies vulnerabilities and misconfigurations on endpoints in real-time.
  • Prioritization and Remediation Guidance: It prioritizes these vulnerabilities based on potential impact and provides guidance on remediation.

How can I create RBAC roles?

You can find the RBAC (Role-Based Access Control) settings under Settings -> Endpoints -> Permissions. Here you have two menus:

  • Roles: A role bundles the permissions a Microsoft Entra group receives in Defender for Endpoint, for example view data, alert investigation, active remediation actions, live response capabilities and managing security settings. Start with a read-only role for the broad audience and keep remediation and live response in a small, separate role.
  • Device Groups: Device groups scope what a role is allowed to see and act on, and they set the automated remediation level per group (from no automated response up to full automation). Devices are matched by name, domain, tag or operating system, so you can segregate them into groups such as Standard Devices, Board Devices, Windows Server and give each a different attention level. Think about the grouping concept before you create the first group: once device groups exist, every device that matches no rule falls into the built-in "Ungrouped devices" group with its own remediation level.

What data is collected?

The sensor collects behavioral, file and network signals from the device (process executions, file activities, network connections, and related telemetry, as described above). Microsoft uses this data to:

  • Proactively identify indicators of attack (IOAs) in your organisation
  • Generate alerts if a possible attack was detected
  • Provide your security operations with a view into devices, files, and URLs related to threat signals from your network, enabling you to investigate and explore the presence of security threats on the network.

The collected data is stored encrypted on the Azure infrastructure managed by Microsoft.

Where is the data stored?

There are datacenters in the European Union, the United Kingdom, the United States and Australia. The data is stored in the geography selected when the tenant was provisioned (or according to the data-storage rules of the service), so check this during the initial setup, because it cannot be changed afterwards without re-provisioning.

Data from Microsoft Defender for Endpoint is retained for 180 days and is visible across the portal (alerts, incidents, device timeline). In the advanced hunting experience, however, only the last 30 days of raw event data can be queried. Plan your hunting and any export to a SIEM or data lake with this 30-day window in mind.
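The 30-day hunting window is easy to confirm yourself. The script below is an added example (not from the original post) that runs advanced hunting queries through the Microsoft Graph security API from PowerShell. It assumes the Microsoft.Graph PowerShell module is installed, that the signed-in account has a Defender for Endpoint Plan 2 licence (advanced hunting is Plan 2 only, as listed above) and that the Graph app registration has consent for ThreatHuntingQuery.Read.All. The endpoint, permission name and the DeviceEvents/DeviceInfo tables are Microsoft's; the wrapper function name is mine.

```powershell
# Added example: run advanced hunting (KQL) via the Graph security API.
# Assumptions: Microsoft.Graph module installed, Plan 2 licence,
# consent for ThreatHuntingQuery.Read.All.

Import-Module Microsoft.Graph.Authentication
Connect-MgGraph -Scopes 'ThreatHuntingQuery.Read.All' -NoWelcome

function Invoke-MdeHuntingQuery {
    param([Parameter(Mandatory)] [string]$Query)

    $response = Invoke-MgGraphRequest -Method POST `
        -Uri 'https://graph.microsoft.com/v1.0/security/runHuntingQuery' `
        -Body @{ Query = $Query } -ContentType 'application/json'

    # The API returns the column schema and the rows separately; hand back the rows.
    $response.results
}

# Oldest and newest device event available to hunting: expect roughly a 30-day
# span, even though alerts and incidents stay visible in the portal for 180 days.
$window = Invoke-MdeHuntingQuery -Query @'
DeviceEvents
| summarize Oldest = min(Timestamp), Newest = max(Timestamp), Events = count()
'@
$window

# A practical query on the same API: devices whose sensor has gone quiet,
# a common sign of an onboarding or network problem.
$quiet = Invoke-MdeHuntingQuery -Query @'
DeviceInfo
| summarize LastSeen = max(Timestamp) by DeviceName, OSPlatform
| where LastSeen < ago(7d)
| order by LastSeen asc
'@
$quiet | Format-Table -AutoSize
```

The same queries work unchanged in the portal's advanced hunting editor; the API route is what you want for scheduled checks or for feeding the results into a ticketing system.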

How to activate Advanced Features?

To enable the advanced features you have to navigate to Settings -> Endpoints -> Advanced Features.

The following features are available:

  • Restrict correlation to within scoped device groups: Isolates alerts into separate incidents based on device groups. By default, incidents are correlated across the entire tenant. Affects future alert correlations only.
  • Enable EDR in block mode: Employs behavioral blocking to stop post-breach threats, also when Microsoft Defender Antivirus is in passive mode behind a third-party antivirus. No change to detection and alert generation. Apply the security baselines for optimal protection.
  • Automatically resolve alerts: Resolves alerts if an automated investigation finds no threats or remediates them successfully.
  • Allow or block file: Lets you block or allow a file by hash. Requires Microsoft Defender Antivirus as the active antimalware engine with cloud-delivered protection enabled.
  • Hide potential duplicate device records: Conceals duplicate devices, improving inventory accuracy. They stay visible in global search, advanced hunting and alert pages.
  • Custom network indicators: Allow, block or warn on device connections to specific IP addresses, domains or URLs. Requires Windows 10 or later, network protection in block mode and a supported antimalware platform version.
  • Tamper protection: Prevents malicious apps (and local administrators) from disabling security features such as real-time protection.
  • Show user details: Displays user details from Microsoft Entra ID (formerly Azure Active Directory).
  • Skype for Business integration: Enables one-click communication with users.
  • Microsoft Defender for Cloud Apps: Sends endpoint signals to Defender for Cloud Apps, improving visibility and app control. Requires an E5 licence and specific Windows 10 versions.
  • Web content filtering: Blocks unwanted website categories and tracks web activity. Requires network protection in block mode.
  • Device discovery: Allows onboarded devices to discover unmanaged devices on the network and assess their vulnerabilities.
  • Download quarantined files: Safely stores and lets you download quarantined files.
  • Live Response: Authorizes users to investigate devices remotely using a remote shell connection.
  • Live Response for Servers: Permits the same remote access to servers for authorized users.
  • Live Response unsigned script execution: Allows unsigned PowerShell scripts in Live Response. Leave this off unless you have a process for reviewing scripts; it removes the signing check that protects the remote shell.
  • Share endpoint alerts with Microsoft Compliance Center: Forwards security alerts to enhance insider risk management. Data is stored with Office 365 data.
  • Microsoft Intune connection: Connects to Microsoft Intune for device information sharing and policy enforcement.
  • Authenticated telemetry: Prevents spoofing of telemetry data in your dashboard.
  • Preview features: Access upcoming features by enabling previews.
  • Endpoint Attack Notifications: Prioritizes critical threats through active hunting by Microsoft across all endpoints and Microsoft Defender XDR.

Important Features you should know

Here’s a breakdown of some key features you definitely should consider:

  1. EDR in Block Mode: Uses behavioral blocking to stop threats post-breach, even on devices where Microsoft Defender Antivirus runs in passive mode, which raises your organisation's resilience against sophisticated attacks.
  2. Custom Network Indicators: Define specific IP addresses, domains or URLs to allow, block or warn on. This lets you control device connections and catch potentially harmful traffic.
  3. Tamper Protection: Safeguards against malicious applications (and careless administrators) trying to disable essential security features.
  4. Web Content Filtering: Blocks access to unwanted website categories, giving better control over web activity within the organisation.
  5. Device Discovery: Discovers unmanaged devices in your network and assesses their vulnerabilities.
  6. Live Response: Provides the ability to remotely investigate devices through a shell connection; restrict it to a dedicated role and keep unsigned script execution disabled.
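Several of these features are switched on in the portal but only work if the device itself is configured correctly: custom network indicators and web content filtering need network protection in block mode, Block at First Sight needs cloud-delivered protection, and ASR rules are set on the device. The script below is an added example (not from the original post) showing the device-side configuration for a single test machine and reading it back. In production you push the same settings through Intune or Group Policy; the cmdlets here are the local equivalent and are useful for lab verification. It assumes an elevated session with Microsoft Defender Antivirus in active mode. The two ASR rule GUIDs are Microsoft's documented identifiers; the function names are mine.

```powershell
# Added example: configure the device-side prerequisites for the features
# above on a test machine and read the result back.
# Assumptions: elevated session, Microsoft Defender Antivirus in active mode.

# ASR rule GUIDs (documented Microsoft identifiers, not made up):
$AsrRules = @{
    'Block Office applications from creating child processes' = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A'
    'Block credential stealing from LSASS'                     = '9E6C4E1F-7D60-472F-BA1A-A39EF4E1B9D5'
}

function Set-MdeDevicePrerequisites {
    param(
        # Audit first; switch to Enabled once the audit events look clean
        [ValidateSet('AuditMode', 'Enabled')] [string]$AsrAction = 'AuditMode'
    )

    # Custom network indicators and web content filtering require
    # network protection in block mode (AuditMode only logs).
    Set-MpPreference -EnableNetworkProtection Enabled

    # Cloud-delivered protection and sample submission: prerequisites for
    # Block at First Sight and for the allow/block file feature.
    Set-MpPreference -MAPSReporting Advanced -SubmitSamplesConsent SendSafeSamples
    Set-MpPreference -DisableBlockAtFirstSeen $false

    foreach ($id in $AsrRules.Values) {
        Add-MpPreference -AttackSurfaceReductionRules_Ids $id `
                         -AttackSurfaceReductionRules_Actions $AsrAction
    }
}

function Get-MdeDevicePrerequisites {
    $pref = Get-MpPreference
    $stat = Get-MpComputerStatus

    # Ids and Actions are parallel arrays; pair them up for readability
    $asr = @{}
    for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
        $asr[$pref.AttackSurfaceReductionRules_Ids[$i]] = $pref.AttackSurfaceReductionRules_Actions[$i]
    }

    [pscustomobject]@{
        NetworkProtection = $pref.EnableNetworkProtection   # 1 = Block, 2 = Audit, 0 = Off
        BlockAtFirstSight = -not $pref.DisableBlockAtFirstSeen
        # Tamper protection cannot be set from PowerShell by design (that would
        # defeat the feature); it is enabled in the portal or via Intune and
        # only read back here.
        TamperProtected   = $stat.IsTamperProtected
        AsrRuleActions    = $asr
    }
}

Set-MdeDevicePrerequisites -AsrAction AuditMode
Get-MdeDevicePrerequisites | Format-List
```

Note that once tamper protection is on, the Set-MpPreference calls above fail or are silently reverted on a managed device; that is the feature working as intended, and the settings must then come from the management channel.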

Auto-Resolving Alerts

To set up automatic alert resolution:

  1. Go to Settings -> Microsoft Defender XDR -> Alert tuning.
  2. Here you define rules that automatically resolve or hide alerts matching specific conditions (for example a known-good admin tool on a defined device group). Keep the conditions as narrow as possible; a broad tuning rule silences real alerts as well. This is independent of the "Automatically resolve alerts" advanced feature described above, which resolves alerts based on the outcome of an automated investigation.

Setting Up Alert Notifications

Stay proactive by setting up email notifications for alerts:

  1. Go to Settings -> Endpoints -> Email notifications.
  2. Create a notification rule, choose the alert severities and device groups it applies to, and add the recipients. Start with high and medium severity for the security team so that you are promptly informed about potential security incidents without flooding the mailbox.

Conclusion

Microsoft Defender for Endpoint offers a comprehensive security solution for enterprises. It is easy to use, and it leverages the full power of the cloud and machine learning. The configurations above (sensible device groups and roles, the right advanced features with their device-side prerequisites, and tuned alerts and notifications) are what turn a working onboarding into a setup your security operations can rely on.
