Forum Discussion
Indicators and custom detections
vijay_260569
The following 95-second video provides a brief summary of the things that you may be missing: https://www.youtube.com/watch?v=BbQ3G2owiMo.
Basically, there are capabilities of auto-remediation. You can also use Device Health as part of the Zero Trust Strategy. So besides checking for device compliance, you can check if the device is showing indications of compromise and if so, deny access until the system is remediated. (https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection)
So lots of functionality will not work: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure-proxy-internet#enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server%E2%80%8B
Gladys
https://azsecuritypodcast.net/
Gladys - Thanks a lot for your response, I will check out the links you have shared.
Also, are you implying that a bi-directional communication is a must?
- Gladys, Aug 18, 2020 (Microsoft)
vijay_260569
Yes.
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure...
"The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service. The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service."
Hope this helps,

- vijay_260569, Aug 18, 2020 (Copper Contributor)
Gladys - Thank you so much, it really helps.
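The quoted documentation says the sensor runs as LocalSystem and talks to the cloud service through WinHTTP, so the proxy that matters is the machine-level WinHTTP setting, not a user's browser proxy. The following PowerShell script is an added example, not part of this thread or of any Microsoft tool: it prints the WinHTTP proxy, parses the proxy server out of that output if one is set, and then sends an HTTPS request to each service endpoint through that proxy so an administrator can see whether the sensor's outbound channel is blocked. The endpoint names in `$Endpoints` are placeholders; replace them with the service URLs from the documentation page linked earlier in the thread.

```powershell
# Added example (not from the thread): verify that the machine-level WinHTTP
# proxy the Defender sensor uses (it runs as LocalSystem) can reach the
# service endpoints. The hostnames below are placeholders; substitute the
# URLs from the linked Microsoft documentation.
$Endpoints = @(
    'https://defender-service-endpoint-1.invalid',  # placeholder, replace
    'https://defender-service-endpoint-2.invalid'   # placeholder, replace
)

# 1. Show the WinHTTP (machine) proxy. User-level WinINET/IE proxy settings
#    do not apply to a LocalSystem service, so this is the relevant setting.
$winhttp = netsh winhttp show proxy
Write-Host "WinHTTP proxy configuration:"
$winhttp | ForEach-Object { Write-Host "  $_" }

# 2. Extract the proxy server from the netsh output, if any. When several
#    protocol-specific entries are listed (e.g. "http=p:8080;https=p:8080"),
#    the first entry is used after stripping its "scheme=" prefix.
$proxyUri = $null
$match = [regex]::Match(($winhttp -join "`n"), 'Proxy Server\(s\)\s*:\s*(\S+)')
if ($match.Success) {
    $first = ($match.Groups[1].Value -split ';')[0] -replace '^[a-z]+=', ''
    $proxyUri = "http://$first"
    Write-Host "Testing through WinHTTP proxy: $proxyUri"
} else {
    Write-Host "No WinHTTP proxy configured; testing direct access."
}

# 3. Send an HTTPS HEAD request to each endpoint. Any HTTP response, even an
#    error status from the service, shows the path is open; a timeout or a
#    proxy-level failure means the sensor's outbound channel is blocked.
foreach ($url in $Endpoints) {
    $params = @{
        Uri             = $url
        Method          = 'Head'
        UseBasicParsing = $true
        TimeoutSec      = 15
        ErrorAction     = 'Stop'
    }
    if ($proxyUri) { $params['Proxy'] = $proxyUri }
    try {
        $resp = Invoke-WebRequest @params
        Write-Host ("OK    {0} -> HTTP {1}" -f $url, $resp.StatusCode)
    } catch {
        if ($_.Exception.Response) {
            # An HTTP response came back, so connectivity itself works.
            $code = [int]$_.Exception.Response.StatusCode
            Write-Host ("OK    {0} -> HTTP {1} (reachable)" -f $url, $code)
        } else {
            Write-Host ("FAIL  {0} -> {1}" -f $url, $_.Exception.Message)
        }
    }
}
```

Run it in an elevated PowerShell on the onboarded device. A row marked FAIL for an endpoint that the documentation lists as required is the condition the reply above warns about: the sensor cannot report data or receive instructions, so auto-remediation and the Intune device-risk signal will not function until the proxy allow-list is corrected.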