cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Indicators and custom detections

vijay_260569
Copper Contributor

‎Aug 18 2020 11:54 AM

‎Aug 18 2020 11:54 AM

Indicators and custom detections

When we create Indicators and Custom Detection block rules, how does MDATP enforces that setting to clients because in our environment we have only allowed one-way communication from clients to MDATP cloud service.

Does MDATP requires bi-directional communication between endpoints and MDATP cloud service URLs?

What else we miss if it is a uni-directional (endpoint to MDATP) communication?

759 Views
0 Likes
4 Replies
Reply
4 Replies
Gladys Rodriguez

‎Aug 18 2020 07:31 PM - edited ‎Aug 18 2020 07:43 PM

‎Aug 18 2020 07:31 PM - edited ‎Aug 18 2020 07:43 PM

Re: Indicators and custom detections

@vijay_260569 

The follow 95 seconds video provide a brief summary of the things that you may be missing: https://www.youtube.com/watch?v=BbQ3G2owiMo.

Basically, there are capabilities of auto-remediation.  You can also use Device Health as part of the Zero Trust Strategy.  So besides checking for device compliance, you can check if the device is showing indications of compromise and if so, deny access until the system is remediated. (https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection)

So lots of functionality will not work: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure...

Gladys
https://azsecuritypodcast.net/

0 Likes
Reply
vijay_260569

‎Aug 18 2020 10:29 PM

‎Aug 18 2020 10:29 PM

Re: Indicators and custom detections

@Gladys Rodriguez   - Thanks a lot for your response, i will checkout the links you have shared.

Also, are you implying that a bi-directional communication is a must?

0 Likes
Reply
Gladys Rodriguez

‎Aug 18 2020 10:48 PM

‎Aug 18 2020 10:48 PM

Re: Indicators and custom detections

@vijay_260569 
Yes.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure...
"The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.

The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service."

Hope this helps,

 

Gladys
https://azsecuritypodcast.net/

0 Likes
Reply
vijay_260569

‎Aug 18 2020 10:51 PM

‎Aug 18 2020 10:51 PM

Re: Indicators and custom detections

@Gladys Rodriguez  - Thank you so much, it really helps.

0 Likes
Reply