cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Possibility of monitoring below via Defender for Endpoint

dilanmic
Brass Contributor

‎Jun 02 2022 08:35 PM

‎Jun 02 2022 08:35 PM

Possibility of monitoring below via Defender for Endpoint

Hi All,

 

We have a requirement of getting done below things from Defender for Endpoint. I would appreciate it, if anyone let me know what are the things capable and if not, do we have any work arounds for that?

 

  • Filter global threat actors/hackers information based on Origin, target group, target country, target industry etc.
  • block inbound/outbound malicious network(reverse TCP/BIND) traffic via firewalling
  • automatically update known behaviors/threat to adversary groups
  • capability of receiving notifications to Teams

 

thanks in advance

 

regards,

Dilan

764 Views
0 Likes
2 Replies
Reply
2 Replies
Marc_M

‎Jun 10 2022 11:41 AM

‎Jun 10 2022 11:41 AM

Re: Possibility of monitoring below via Defender for Endpoint

@dilanmic Thanks for your questions Dilan.

 

For your question on: 

  • capability of receiving notifications to Teams

 

You can add this capability using MDE APIs. You can use Microsoft Flow (or your Security Orchestration Automated Response (SOAR) service) to call Microsoft Teams. Here is an example of integration with Microsoft Defender for Cloud Apps (What is Defender for Cloud Apps? | Microsoft Docs). Instead of the Microsoft Defender for Cloud Apps you can replace with the Microsoft Defender for Endpoint APIs: Integrating Microsoft Teams with Microsoft Cloud App Security - Microsoft Tech Community

I'll respond to your other questions as well.

0 Likes
Reply
Marc_M

‎Jun 10 2022 02:07 PM

‎Jun 10 2022 02:07 PM

Re: Possibility of monitoring below via Defender for Endpoint

For this one:

  • block inbound/outbound malicious network(reverse TCP/BIND) traffic via firewalling


Are you interested in monitoring blocks on inbound/outbound malicious network connections? If so, you can do this. You can see more info here: Auditing - Win32 apps | Microsoft Docs

snippet below:

Object Access Filtering Platform Connection
{0CCE9226-69AE-11D9-BED3-505054503030}		 Allowed and blocked connections:
  • 5154 Listen permitted
  • 5155 Listen blocked
  • 5156 Connection permitted
  • 5157 Connection blocked
  • 5158 Bind permitted
  • 5159 Bind blocked
[!Note]
Permitted connections do not always audit the ID of the associated filter. The FilterID for TCP will be 0 unless a subset of these filtering conditions are used: UserID, AppID, Protocol, Remote Port.
0 Likes
Reply