Defender Advanced Threat Protection
10 Topics

Microsoft Defender Endpoint (MDE) for SAP Applications on Windows Server
This blog focuses on two subcomponents: Next-generation protection (AntiVirus) and Endpoint Detection and Response (EDR). Next-generation protection is an AntiVirus (AV) product like other AV solutions for Windows environments. Endpoint Detection and Response (EDR) detects, then blocks suspicious activity and system calls.

Defender Updates - Windows Update and in-app update the same
I'm having trouble understanding the update process of Windows Defender. There are 2 update locations and I don't see what the difference is, or if they are one and the same thing.

1. Windows Security => Virus & threat protection => Protection updates
These updates can be scheduled to download and install using the Defender group policy settings.

2. Windows Update
Is always showing a "Security Intelligence-Update" missing/waiting for install (we do not auto-install updates on our servers).

So my questions are:
- Are both of those the same thing? The name suggests this to be the case.
- If yes, how can we just use the in-app updater without triggering Windows Update for the security intelligence updates?
- If no, how can we auto-install security intelligence updates without also auto-installing all other Windows updates?

Thanks in advance

Message Relay Server for Defender ATP
Hi All,

Is there an option to set up a message relay server for on-prem servers that do not have internet access? All communication is passed through the relay server to Defender ATP. If so, can the server also act as a jump box for onboarding the servers to ATP?

Kind regards,
Mo

Defender ATP Suppression Rules Still Action Files?
Hello,

We have set up numerous suppression rules for various software within our environment, but even though we no longer get an alert from ATP due to the rules, it still looks like it is preventing the file from running according to the items listed under matching alerts for the rule. I have created exceptions within SCCM for our users, but it seems like the suppression rule should be doing that for us.

Export Microsoft Defender event data to a log analytics workspace
In the Defender ATP portal (securitycenter.windows.com) it is possible to create custom detections, but the smallest time frame is 1 hour. Even though 1 hour is better than the mean time to detection of a breach reported via Ponemon, Verizon, etc., I'm trying to cut that down even further by piecing together different Azure cloud services, i.e. Event Hubs, Blob Storage, Search Services, Log Analytics, etc. Is there a way to leverage the raw streaming API and perform searching with a log analytics workspace? This would speed up detection to within 5 minutes of an event occurring rather than 1 hour.

Cannot find logs in Defender ATP for Discovered apps
We and our customers experience inaccurate data in the discovered apps in MCAS. For example: Discovered Apps show the up- and download of the app "Box" for multiple clients. If we search for connections in Defender ATP, we cannot find any indication of Box. The URL is not used in any Defender ATP logs. We can't hunt on an IP address basis, because there is no information on which IP addresses are behind the Box service. How can we bring the discovery and log data together for further investigation? If we can't hunt down the logs, we cannot stop data loss. We need a possibility to bring MCAS into correlation with Defender.

Niv Goldenberg, you have already answered the following post: https://techcommunity.microsoft.com/t5/microsoft-cloud-app-security/apps-seen-in-cloud-app-security-but-not-on-firewall/m-p/128084 Maybe you can assist here.

forward logs to Log Analytics
How do I forward logs and alerts generated from MS Defender Security Center to Log Analytics to be used in Sentinel? There is a preview connector on Sentinel, but I don't seem to find the configuration on the Defender Security Center side? tnx

How to Prevent Admin Users to add exclusions via Registry? + Simple Posh to disable Real-time?
So I know this is pretty much a quick "REMOVE ADMIN ACCESS!" answer, but in this case it is not. We'd like to know how to prevent users from excluding extensions, paths, or even processes via the Registry. We set our policies via GPO, so anyone with user admin, or in this case the primary user, can just add the simple exclusion so Defender excludes it. Also, I'd like to know how everyone else prevents users from disabling real-time scanning. We will be getting our Intune up and running, but we have to have co-management enabled. This will be at the end of the year. Does Exploit Guard help with this?