Indicators and custom detections

%3CLINGO-SUB%20id%3D%22lingo-sub-1596911%22%20slang%3D%22en-US%22%3EIndicators%20and%20custom%20detections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1596911%22%20slang%3D%22en-US%22%3E%3CP%3EWhen%20we%20create%20Indicators%20and%20Custom%20Detection%20block%20rules%2C%20how%20does%20MDATP%20enforces%20that%20setting%20to%20clients%20because%20in%20our%20environment%20we%20have%20only%20allowed%20one-way%20communication%20from%20clients%20to%20MDATP%20cloud%20service.%3C%2FP%3E%3CP%3EDoes%20MDATP%20requires%20bi-directional%20communication%20between%20endpoints%20and%20MDATP%20cloud%20service%20URLs%3F%3C%2FP%3E%3CP%3EWhat%20else%20we%20miss%20if%20it%20is%20a%20uni-directional%20(endpoint%20to%20MDATP)%20communication%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1597775%22%20slang%3D%22en-US%22%3ERe%3A%20Indicators%20and%20custom%20detections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1597775%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F763596%22%20target%3D%22_blank%22%3E%40vijay_260569%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3E%3CBR%20%2F%3EThe%20follow%2095%20seconds%20video%20provide%20a%20brief%20summary%20of%20the%20things%20that%20you%20may%20be%20missing%3A%20%3CA%20href%3D%22https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DBbQ3G2owiMo%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DBbQ3G2owiMo%3C%2FA%3E.%3CBR%20%2F%3E%3CBR%20%2F%3EBasically%2C%20there%20are%20capabilities%20of%20auto-remediation.%26nbsp%3B%20You%20can%20also%20use%20Device%20Health%20as%20part%20of%20the%20Zero%20Trust%20Strategy.%26nbsp%3B%20So%20besides%20checking%20for%20device%20compliance%2C%20you%20can%20check%20if%20the%20device%20is%20showing%20indications%20of%20compromise%20and%20if%20so%2C%20deny%20access%20until%20the%20system%20is%20remediated.%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fprotect%2Fadvanced-threat-protection%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmem%2Fintune%2Fprotect%2Fadvanced-threat-protection%3C%2FA%3E)%3CBR%20%2F%3E%3CBR%20%2F%3ESo%20lots%20of%20functionality%20will%20not%20work%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fconfigure-proxy-internet%23enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server%25E2%2580%258B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fconfigure-proxy-internet%23enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server%25E2%2580%258B%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EGladys%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fazsecuritypodcast.net%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fazsecuritypodcast.net%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1597943%22%20slang%3D%22en-US%22%3ERe%3A%20Indicators%20and%20custom%20detections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1597943%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F200011%22%20target%3D%22_blank%22%3E%40Gladys%20Rodriguez%3C%2FA%3E%26nbsp%3B%20%26nbsp%3B-%20Thanks%20a%20lot%20for%20your%20response%2C%20i%20will%20checkout%20the%20links%20you%20have%20shared.%3C%2FP%3E%3CP%3EAlso%2C%20are%20you%20implying%20that%20a%20bi-directional%20communication%20is%20a%20must%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1597957%22%20slang%3D%22en-US%22%3ERe%3A%20Indicators%20and%20custom%20detections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1597957%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F763596%22%20target%3D%22_blank%22%3E%40vijay_260569%3C%2FA%3E%26nbsp%3B%3CBR%20%2F%3EYes.%3CBR%20%2F%3E%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fconfigure-proxy-internet%23enable-access-to-microsoft-defender-atp-service-urls-in-the-proxy-server%25E2%2580%258B%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fsecurity%2Fthreat-protection%2Fmicrosoft-defender-atp%2Fconfigure...%3C%2FA%3E%3CBR%20%2F%3E%22The%20Microsoft%20Defender%20ATP%20sensor%20requires%20Microsoft%20Windows%20HTTP%20(WinHTTP)%20to%20report%20sensor%20data%20and%20communicate%20with%20the%20Microsoft%20Defender%20ATP%20service.%3C%2FP%3E%0A%3CP%3EThe%20embedded%20Microsoft%20Defender%20ATP%20sensor%20runs%20in%20system%20context%20using%20the%20LocalSystem%20account.%20The%20sensor%20uses%20Microsoft%20Windows%20HTTP%20Services%20(WinHTTP)%20to%20enable%20communication%20with%20the%20Microsoft%20Defender%20ATP%20cloud%20service.%22%3CBR%20%2F%3E%3CBR%20%2F%3EHope%20this%20helps%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EGladys%3CBR%20%2F%3E%3CA%20href%3D%22https%3A%2F%2Fazsecuritypodcast.net%2F%22%20target%3D%22_blank%22%20rel%3D%22noopener%20nofollow%20noreferrer%22%3Ehttps%3A%2F%2Fazsecuritypodcast.net%2F%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-1597962%22%20slang%3D%22en-US%22%3ERe%3A%20Indicators%20and%20custom%20detections%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1597962%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F200011%22%20target%3D%22_blank%22%3E%40Gladys%20Rodriguez%3C%2FA%3E%26nbsp%3B%20-%20Thank%20you%20so%20much%2C%20it%20really%20helps.%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

When we create Indicators and Custom Detection block rules, how does MDATP enforces that setting to clients because in our environment we have only allowed one-way communication from clients to MDATP cloud service.

Does MDATP requires bi-directional communication between endpoints and MDATP cloud service URLs?

What else we miss if it is a uni-directional (endpoint to MDATP) communication?

4 Replies

@vijay_260569 

The follow 95 seconds video provide a brief summary of the things that you may be missing: https://www.youtube.com/watch?v=BbQ3G2owiMo.

Basically, there are capabilities of auto-remediation.  You can also use Device Health as part of the Zero Trust Strategy.  So besides checking for device compliance, you can check if the device is showing indications of compromise and if so, deny access until the system is remediated. (https://docs.microsoft.com/en-us/mem/intune/protect/advanced-threat-protection)

So lots of functionality will not work: https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure...

Gladys
https://azsecuritypodcast.net/

@Gladys Rodriguez   - Thanks a lot for your response, i will checkout the links you have shared.

Also, are you implying that a bi-directional communication is a must?

@vijay_260569 
Yes.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/configure...
"The Microsoft Defender ATP sensor requires Microsoft Windows HTTP (WinHTTP) to report sensor data and communicate with the Microsoft Defender ATP service.

The embedded Microsoft Defender ATP sensor runs in system context using the LocalSystem account. The sensor uses Microsoft Windows HTTP Services (WinHTTP) to enable communication with the Microsoft Defender ATP cloud service."

Hope this helps,

 

Gladys
https://azsecuritypodcast.net/

@Gladys Rodriguez  - Thank you so much, it really helps.