Aug 18 2020 11:54 AM
When we create Indicators and Custom Detection block rules, how does MDATP enforce that setting on clients? In our environment we have only allowed one-way communication from clients to the MDATP cloud service.
Does MDATP require bi-directional communication between endpoints and the MDATP cloud service URLs?
What else do we miss if it is a uni-directional (endpoint to MDATP) communication?
Aug 18 2020 07:31 PM - edited Aug 18 2020 07:43 PM
@vijay_260569
The following 95-second video provides a brief summary of the things that you may be missing: https://www.youtube.com/watch?v=BbQ3G2owiMo.
Basically, there are capabilities of auto-remediation. You can also use Device Health as part of the Zero Trust Strategy. So besides checking for device compliance, you can check if the device is showing indications of compromise and if so, deny access until the system is remediated. (https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection)
So lots of functionality will not work: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure...
Gladys
https://azsecuritypodcast.net/
Aug 18 2020 10:29 PM
@Gladys - Thanks a lot for your response, I will check out the links you have shared.
Also, are you implying that a bi-directional communication is a must?
Aug 18 2020 10:48 PM
@vijay_260569
Yes.
https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure...
"The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.
The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service."
Hope this helps,
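Since the quoted documentation says the sensor runs as LocalSystem and talks to the cloud over WinHTTP, the proxy that matters is the machine-wide WinHTTP one, not a user's browser proxy. The following added PowerShell check (my own example, not from this thread or the Microsoft docs) reads that WinHTTP proxy and tests outbound HTTPS to the service endpoints through it; the endpoint URLs are placeholders to be replaced with the ones from the linked Microsoft documentation.

```powershell
# Added example: verify machine-level (WinHTTP) outbound HTTPS reachability,
# which is the path the LocalSystem MDATP sensor uses. Run in an elevated shell.
# The URLs below are constructed placeholders, not real service endpoints.
$endpoints = @(
    'https://PLACEHOLDER-mdatp-endpoint-1.example',
    'https://PLACEHOLDER-mdatp-endpoint-2.example'
)

# 1. WinHTTP proxy as seen by system services (per-user IE/WinINET settings
#    do not apply to a service running as LocalSystem).
$winhttpOutput = netsh winhttp show proxy
Write-Host "WinHTTP configuration:"
$winhttpOutput | ForEach-Object { Write-Host "  $_" }

$proxy = $null
$proxyLine = $winhttpOutput | Where-Object { $_ -match 'Proxy Server' } | Select-Object -First 1
if ($proxyLine -and ($proxyLine -match 'Proxy Server\(s\)\s*:\s*(\S+)')) {
    $proxy = $Matches[1]
}

# 2. Outbound HTTPS test per endpoint, routed through the WinHTTP proxy if set.
#    Any HTTP status (even 4xx) proves the TLS connection was established;
#    a name-resolution or connection error means the path is blocked.
foreach ($url in $endpoints) {
    $params = @{ Uri = $url; Method = 'HEAD'; UseBasicParsing = $true; TimeoutSec = 10 }
    if ($proxy) { $params.Proxy = "http://$proxy" }
    try {
        $response = Invoke-WebRequest @params
        Write-Host "OK    $url -> HTTP $($response.StatusCode)"
    } catch {
        $status = $null
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
        if ($status) {
            Write-Host "OK    $url -> reachable, HTTP $status"
        } else {
            Write-Host "FAIL  $url -> $($_.Exception.Message)"
        }
    }
}
```

A FAIL line for any required endpoint means the sensor cannot complete its exchange with the cloud service from that host, regardless of what the interactive user's browser can reach.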
Aug 18 2020 10:51 PM
@Gladys - Thank you so much, it really helps.