Defender Advanced Threat Protection
6 Topics

Message Relay Server for Defender ATP
Hi All, Is there an option to set up a message relay server for on-prem servers that do not have internet access? All communication is passed through the relay server to Defender ATP. If so, can the server also act as a jump box for onboarding the servers to ATP? Kind regards, Mo
Solved, 2.2K views, 0 likes, 1 comment

Defender ATP Suppression Rules Still Action Files?
Hello, We have set up numerous suppression rules for various software within our environment, but even though we no longer get an alert from ATP due to the rules, it still looks like it is preventing the file from running, according to the items listed under matching alerts for the rule. I have created exceptions within SCCM for our users, but it seems like the suppression rule should be doing that for us.
1.3K views, 0 likes, 3 comments

Export Microsoft Defender event data to a log analytics workspace
In the Defender ATP portal (securitycenter.windows.com) it is possible to create custom detections, but the smallest time frame is 1 hour. Even though 1 hour is better than the mean time to detection of a breach reported by Ponemon, Verizon, etc., I'm trying to cut that down even further by piecing together different Azure cloud services, i.e. Event Hubs, Blob Storage, Search Services, Log Analytics, etc. Is there a way to leverage the raw streaming API and perform searching with a Log Analytics workspace? This would speed up detection to within 5 minutes of an event occurring rather than 1 hour.
2.3K views, 1 like, 0 comments

Forward logs to Log Analytics
How do I forward logs and alerts generated from MS Defender Security Center to Log Analytics to be used in Sentinel? There is a preview connector on Sentinel, but I don't seem to find the configuration on the Defender Security Center side. Thanks
5.2K views, 0 likes, 2 comments

How to Prevent Admin Users to add exclusions via Registry? + Simple Posh to disable Real-time?
So I know this is pretty much a quick "REMOVE ADMIN ACCESS!" answer, but in this case it is not. We'd like to know how to prevent users from excluding extensions, paths, or even processes via the Registry. We set our policies via GPO, so anyone with user admin rights, or in this case the primary user, can just add a simple exclusion so Defender excludes it. Also, I'd like to know how everyone else prevents users from disabling real-time scanning. We will be getting our Intune up and running, but we have to have co-management enabled. This will be at the end of the year. Does Exploit Guard help with this?
4.1K views, 0 likes, 2 comments