Hi IT Pros,
I have combined the information for the Security Team that monitors, responds to and manages the ATP Portal on a daily basis.
Please check it out and give your feedback.
For Alert Notification and Live Response with remediation and remote PowerShell to the target device, please view "Microsoft Defender for Endpoint - MD ATP Daily Operation - Part 2".
The Alert response could be done as follows (by your IT Security Team Member):

| Action | Portal path | Values |
|---|---|---|
| Change Status of Alert | Alert\Action\Manage Alert\Status | New, In Progress, Resolved |
| Alert Classification | Alert\Action\Manage alert\Classification | true/false |
| Feature | Description |
|---|---|
| Suppression Rule | Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous, such as known tools or processes in your organization. You can choose to suppress alerts on this machine or suppress the alert in the entire organization. Supported conditions: File SHA1; File name (wildcard supported); Folder path (wildcard supported); IP address; URL (wildcard supported); Command line (wildcard supported). |
| Detection Rule (customized detection rule created by running a query) | Action applied to a threat detection once it is discovered. |
| Indicator of compromise (IoCs) | You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file (.exe and .dll file), you can block it. This operation will prevent it from being read, written, or executed on machines in your organization. Indicators of compromise (IoCs) are used for detection and for blocking a threat. You could create an IoC based on file hash, external IP address, or URL. |
There are two ways you can create indicators for files:

Prerequisite:

Important: One of the options when taking response actions on a file is adding an indicator for the file.

Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Network Protection for non-Microsoft browsers or calls made outside of a browser. You can now allow or block IPs, URLs, or domains through the settings page or by machine groups.

Prerequisites:

Important: Only external IPs can be added to the indicator list.

For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages Network Protection to inspect network traffic and allows blocks for TCP, HTTP, and HTTPS (TLS).

For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:

NOTE: You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details. Download the sample CSV to know the supported column attributes.
You can use the Threat & Vulnerability Management capability in Microsoft Defender Security Center to:

| Area | Description |
|---|---|
| Exposure score | See the current state of your organization's device exposure to threats and vulnerabilities. Several factors affect your organization's exposure score: weaknesses discovered in your devices, the likelihood of your devices being breached, the value of the devices to your organization, and relevant alerts discovered on your devices. The goal is to lower the exposure score of your organization to be more secure. To reduce the score, you need to remediate the related security configuration issues listed in the security recommendations. |
| Configuration score | See the security posture of the operating system, applications, network, accounts and security controls of your organization. The goal is to remediate the related security configuration issues to increase your configuration score. Selecting the bars will take you to the Security recommendation page. |
| Weakness | The Weaknesses page lists the vulnerabilities found in the installed software running in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity, the Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization, corresponding breach, and threat insights. |
| Indicator of compromise (IoCs) | Indicator of compromise (IoC) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response). Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken, the duration for which to apply the action, and the scope of the machine group to apply it to. |
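As an added example (not from this post and not Microsoft code), here is a small Python pre-check that enforces the indicator constraints described in the two IoC sections above before an analyst enters them in the portal: a file indicator must be a SHA1 hash, an IP indicator must be a single external (public) address, and a URL may carry a wildcard but must have a host. The indicator type names and action names in the code are assumptions, not the portal's own identifiers.

```python
"""Pre-flight checks for custom indicators (IoCs) before they are entered in the
Defender ATP portal.  Added example, not Microsoft code: type and action names are
assumptions; the rules mirror the page (file SHA1, external IP, URL, action, expiry)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
ACTIONS = {"Alert", "AlertAndBlock", "Allowed"}  # assumed action names


@dataclass
class Indicator:
    kind: str    # assumed type names: "FileSha1" | "IpAddress" | "Url"
    value: str
    action: str
    title: str
    expires_in_days: int | None = None                    # None = never expires
    rbac_groups: list[str] = field(default_factory=list)  # [] = whole organization


def validate(ind: Indicator) -> list[str]:
    """Return the problems found; an empty list means the indicator can be created."""
    problems: list[str] = []
    if ind.action not in ACTIONS:
        problems.append(f"unknown action {ind.action!r}")
    if ind.kind == "FileSha1":
        if not SHA1_RE.match(ind.value):
            problems.append("file indicator must be a 40-hex-digit SHA1")
    elif ind.kind == "IpAddress":
        try:
            ip = ipaddress.ip_address(ind.value)  # rejects CIDR blocks and ranges
        except ValueError:
            problems.append("not a single IP address (ranges/CIDR not accepted)")
        else:  # page caveat: only external IPs can be added to the indicator list
            if not ip.is_global:
                problems.append(f"{ind.value} is not an external (public) address")
    elif ind.kind == "Url":
        # Wildcards such as *.contoso.example are fine; the host part must exist.
        parsed = urlparse(ind.value if "://" in ind.value else "http://" + ind.value)
        if not parsed.hostname:
            problems.append("URL has no host name")
    else:
        problems.append(f"unsupported indicator type {ind.kind!r}")
    if ind.expires_in_days is not None and ind.expires_in_days <= 0:
        problems.append("expiration must be a positive number of days")
    return problems
```

Run `validate()` over a batch before creating the indicators; an RFC 1918 address such as 10.0.0.5 is rejected because the portal only accepts external IPs, while a wildcard URL passes.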
You could add multiple different custom roles based on different permission sets:
ATP-related documents are located at: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/microsoft...
________________________________________
I hope the information is useful to your daily operation of ATP.
In "ATP Daily Operation - Part 2" of this blog post series, we will explore the Live Response feature with a remote PowerShell session on the client and other ATP features.
Cheers!