Possibility of monitoring below via Defender for Endpoint

%3CLINGO-SUB%20id%3D%22lingo-sub-3463203%22%20slang%3D%22en-US%22%3EPossibility%20of%20monitoring%20below%20via%20Defender%20for%20Endpoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3463203%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20All%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EWe%20have%20a%20requirement%20of%20getting%20done%20below%20things%20from%20Defender%20for%20Endpoint.%20I%20would%20appreciate%20it%2C%20if%20anyone%20let%20me%20know%20what%20are%20the%20things%20capable%20and%20if%20not%2C%20do%20we%20have%20any%20work%20arounds%20for%20that%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CUL%3E%3CLI%3EFilter%20global%20threat%20actors%2Fhackers%20information%20based%20on%20Origin%2C%20target%20group%2C%20target%20country%2C%20target%20industry%20etc.%3C%2FLI%3E%3CLI%3Eblock%20inbound%2Foutbound%20malicious%20network(reverse%20TCP%2FBIND)%20traffic%20via%20firewalling%3C%2FLI%3E%3CLI%3Eautomatically%20update%20known%20behaviors%2Fthreat%20to%20adversary%20groups%3C%2FLI%3E%3CLI%3Ecapability%20of%20receiving%20notifications%20to%20Teams%3C%2FLI%3E%3C%2FUL%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethanks%20in%20advance%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Eregards%2C%3C%2FP%3E%3CP%3EDilan%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3494377%22%20slang%3D%22en-US%22%3ERe%3A%20Possibility%20of%20monitoring%20below%20via%20Defender%20for%20Endpoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3494377%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F1142466%22%20target%3D%22_blank%22%3E%40dilanmic%3C%2FA%3E%26nbsp%3BThanks%20for%20your%20questions%20Dilan.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20your%20question%20on%3A%26nbsp%3B%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3Ecapability%20of%20receiving%20notifications%20to%20Teams%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EYou%20can%20add%20this%20capability%20using%20MDE%20APIs.%20You%20can%20use%20Microsoft%20Flow%20(or%20your%20Security%20Orchestration%20Automated%20Response%20(SOAR)%20service)%20to%20call%20Microsoft%20Teams.%20%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-teams-community-blog%2Fintegrating-microsoft-teams-with-microsoft-cloud-app-security%2Fba-p%2F2986865%22%20target%3D%22_self%22%3EHere%3C%2FA%3E%20is%20an%20example%20of%20integration%20with%20Microsoft%20Defender%20for%20Cloud%20Apps%20(%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fdefender-cloud-apps%2Fwhat-is-defender-for-cloud-apps%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EWhat%20is%20Defender%20for%20Cloud%20Apps%3F%20%7C%20Microsoft%20Docs%3C%2FA%3E).%20Instead%20of%20the%20Microsoft%20Defender%20for%20Cloud%20Apps%20you%20can%20replace%20with%20the%20Microsoft%20Defender%20for%20Endpoint%20APIs%3A%26nbsp%3B%3C%2FSPAN%3E%3CA%20tabindex%3D%22-1%22%20title%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-teams-community-blog%2Fintegrating-microsoft-teams-with-microsoft-cloud-app-security%2Fba-p%2F2986865%22%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fmicrosoft-teams-community-blog%2Fintegrating-microsoft-teams-with-microsoft-cloud-app-security%2Fba-p%2F2986865%22%20target%3D%22_blank%22%20aria-label%3D%22Link%20Integrating%20Microsoft%20Teams%20with%20Microsoft%20Cloud%20App%20Security%20-%20Microsoft%20Tech%20Community%22%3EIntegrating%20Microsoft%20Teams%20with%20Microsoft%20Cloud%20App%20Security%20-%20Microsoft%20Tech%20Community%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3EI'll%20respond%20to%20your%20other%20questions%20as%20well.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-3494980%22%20slang%3D%22en-US%22%3ERe%3A%20Possibility%20of%20monitoring%20below%20via%20Defender%20for%20Endpoint%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-3494980%22%20slang%3D%22en-US%22%3E%3CP%3EFor%20this%20one%3A%3C%2FP%3E%0A%3CUL%3E%0A%3CLI%3Eblock%20inbound%2Foutbound%20malicious%20network(reverse%20TCP%2FBIND)%20traffic%20via%20firewalling%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CP%3E%3CBR%20%2F%3EAre%20you%20interested%20in%20monitoring%20blocks%20on%20inbound%2Foutbound%20malicious%20network%20connections%3F%20If%20so%2C%20you%20can%20do%20this.%20You%20can%20see%20more%20info%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fwindows%2Fwin32%2Ffwp%2Fauditing-and-logging%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3EAuditing%20-%20Win32%20apps%20%7C%20Microsoft%20Docs%3C%2FA%3E%3CBR%20%2F%3E%3CBR%20%2F%3Esnippet%20below%3A%3C%2FP%3E%0A%3CTABLE%20class%3D%22table%20table-sm%22%20aria-label%3D%22Auditing%22%3E%0A%3CTBODY%3E%0A%3CTR%3E%0A%3CTD%3EObject%20Access%3C%2FTD%3E%0A%3CTD%3EFiltering%20Platform%20Connection%3CBR%20%2F%3E%7B0CCE9226-69AE-11D9-BED3-505054503030%7D%3C%2FTD%3E%0A%3CTD%3EAllowed%20and%20blocked%20connections%3A%3CBR%20%2F%3E%3CUL%3E%0A%3CLI%3E5154%20Listen%20permitted%3C%2FLI%3E%0A%3CLI%3E5155%20Listen%20blocked%3C%2FLI%3E%0A%3CLI%3E5156%20Connection%20permitted%3C%2FLI%3E%0A%3CLI%3E5157%20Connection%20blocked%3C%2FLI%3E%0A%3CLI%3E5158%20Bind%20permitted%3C%2FLI%3E%0A%3CLI%3E5159%20Bind%20blocked%3C%2FLI%3E%0A%3C%2FUL%3E%0A%3CBLOCKQUOTE%3E%5B!Note%5D%3CBR%20%2F%3EPermitted%20connections%20do%20not%20always%20audit%20the%20ID%20of%20the%20associated%20filter.%20The%20FilterID%20for%20TCP%20will%20be%200%20unless%20a%20subset%20of%20these%20filtering%20conditions%20are%20used%3A%20UserID%2C%20AppID%2C%20Protocol%2C%20Remote%20Port.%3C%2FBLOCKQUOTE%3E%0A%3C%2FTD%3E%0A%3C%2FTR%3E%0A%3C%2FTBODY%3E%0A%3C%2FTABLE%3E%3C%2FLINGO-BODY%3E
Contributor

Hi All,

 

We have a requirement of getting done below things from Defender for Endpoint. I would appreciate it, if anyone let me know what are the things capable and if not, do we have any work arounds for that?

 

  • Filter global threat actors/hackers information based on Origin, target group, target country, target industry etc.
  • block inbound/outbound malicious network(reverse TCP/BIND) traffic via firewalling
  • automatically update known behaviors/threat to adversary groups
  • capability of receiving notifications to Teams

 

thanks in advance

 

regards,

Dilan

2 Replies

@dilanmic Thanks for your questions Dilan.

 

For your question on: 

  • capability of receiving notifications to Teams

 

You can add this capability using MDE APIs. You can use Microsoft Flow (or your Security Orchestration Automated Response (SOAR) service) to call Microsoft Teams. Here is an example of integration with Microsoft Defender for Cloud Apps (What is Defender for Cloud Apps? | Microsoft Docs). Instead of the Microsoft Defender for Cloud Apps you can replace with the Microsoft Defender for Endpoint APIs: Integrating Microsoft Teams with Microsoft Cloud App Security - Microsoft Tech Community

I'll respond to your other questions as well.

For this one:

  • block inbound/outbound malicious network(reverse TCP/BIND) traffic via firewalling


Are you interested in monitoring blocks on inbound/outbound malicious network connections? If so, you can do this. You can see more info here: Auditing - Win32 apps | Microsoft Docs

snippet below:

Object Access Filtering Platform Connection
{0CCE9226-69AE-11D9-BED3-505054503030}
Allowed and blocked connections:
  • 5154 Listen permitted
  • 5155 Listen blocked
  • 5156 Connection permitted
  • 5157 Connection blocked
  • 5158 Bind permitted
  • 5159 Bind blocked
[!Note]
Permitted connections do not always audit the ID of the associated filter. The FilterID for TCP will be 0 unless a subset of these filtering conditions are used: UserID, AppID, Protocol, Remote Port.