Defender for Endpoint
13 Topics
Defender Antivirus and Microsoft Defender for Endpoint (ATP) for Servers

Hi All,

Our company is looking into migrating our antivirus solution for our server estate from Sophos to Microsoft Defender Antivirus and Microsoft Defender for Endpoint (ATP). I was hoping to get some advice on the best way to approach this. I have listed some points below which I was hoping to get some clarity on.

- Servers that are considered "down-level devices" that do not have MS Defender preinstalled by default, i.e. 2008 R2, 2012 and 2012 R2: what would be the best Microsoft solution to provide security? I have been looking at Microsoft's System Center Endpoint Protection (SCEP) as a solution. Are there any services that can be used from Azure to protect on-prem servers?
- We have a Hybrid Azure AD setup. None of our on-premises servers are HAADJ. Do we need to have the server as an Azure resource for us to manage Defender AV and ATP (Server 2016+)? We currently manage our W10 workstations using the MEM Microsoft Defender for Endpoint baseline.
- The majority of our servers do not have any internet access. To tighten the firewall rules, is there a list of IPs and URLs that are associated with Defender ATP so the servers can only communicate with these IPs etc.?
- Is there any pre-req work needed for servers such as 2008 R2, 2012 and 2012 R2 before onboarding to ATP? Install updates, telemetry service updates etc.
- Anyone that is using Defender ATP for servers that are on-prem: what type of setup do you have, and any recommendations?

Thank you

Mo

(3.4K views, 1 like, 2 comments)
Microsoft Defender for Endpoint for BYOD Devices

Hi, I work in academia; students bring BYOD devices to access network resources. These BYOD devices are not domain-joined computers; however, they connect to the network (wired and WiFi) to access network resources. I am exploring whether Defender for Endpoint is a suitable solution for BYOD endpoint security / EDR. Please guide whether Defender for Endpoint can be used for BYOD security and provide information on how I can implement Defender for Endpoint on BYOD.

(9.9K views, 0 likes, 3 comments)
Running a registry based query

Hello, we have some computers for which we need to find out a specific registry value in order to be able to update their OS.

The path: HKEY_LOCAL_MACHINE\software\policies\Microsoft\Windows\WindowsUpdate\AU
The value (DWORD): NoAutoUpdate

I want to find out which computers that are onboarded to Defender for Endpoint have this registry value set to "1"/On. Thanks for help

(7.3K views, 0 likes, 4 comments)
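An added example for the "Running a registry based query" post above (this is not part of the original post or any reply): an advanced hunting query over DeviceRegistryEvents that returns the onboarded devices whose most recent write to the NoAutoUpdate value was "1". The 30-day lookback is an assumption and should be set to whatever your tenant's advanced hunting retention allows. DeviceRegistryEvents records registry changes, not a point-in-time inventory, so a value that was set before the device was onboarded or before the retention window will not be found this way; for those devices a local read of the key (for example via Live Response or a management script) is needed.

```kql
// Added example, not from the original post. Find onboarded devices whose
// HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\NoAutoUpdate
// was most recently set to 1, using registry-change telemetry.
// Assumption: 30 days is within your advanced hunting retention; a value
// written before onboarding or before this window produces no event here.
DeviceRegistryEvents
| where Timestamp > ago(30d)
| where ActionType == "RegistryValueSet"
| where RegistryKey endswith @"\Policies\Microsoft\Windows\WindowsUpdate\AU"
| where RegistryValueName =~ "NoAutoUpdate"
// Keep only the latest write per device, so a later change back to 0 is
// not reported as "still enabled".
| summarize arg_max(Timestamp, RegistryValueData, RegistryKey, InitiatingProcessFileName)
    by DeviceId, DeviceName
| where RegistryValueData == "1"
| project DeviceName, DeviceId, LastSet = Timestamp, RegistryKey,
          RegistryValueData, InitiatingProcessFileName
| order by LastSet desc
```

The arg_max step matters: without it a device that had NoAutoUpdate set to 1 and later corrected to 0 would still appear, because both writes are in the table. InitiatingProcessFileName is kept so you can tell a Group Policy write (svchost.exe) from a manual reg.exe or script change.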
Defender for Endpoint for devices with Intune in Endpoint Manager

I am trying to deploy Defender for devices with Intune in Endpoint Manager. As shown in the picture below, I am trying to connect Windows devices to Defender but I keep getting the error highlighted. It's been like that for 4 days. The Intune connection thing is enabled on the Defender console too. Anyone else have this problem too?

(2.1K views, 0 likes, 3 comments)
Permission required to import to Indicators page? Error "Failed to Import Indicators"

Hello, do you need the permission "Manage security settings in Security Center" in order to import an xlsx to Indicators? The user is getting the error "Failed to import indicators. User is not exposed to all Indicator's machine groups. Contact your administrator for further information." The user is in the role. The role is set up with a group that has all the permissions except "Manage security settings in Security Center". The role also has access to the device groups that are set up.

Create and manage roles for role-based access control | Microsoft Docs - the link above doesn't list "Indicators" in the permission options.

Cannot find the answer based on Googling. Thanks!

(2K views, 0 likes, 0 comments)
Defender for Endpoint - Data Storage Location integrity question (GDPR/EU)

Hi, I have a question specific to Defender for Endpoint and its data storage within the EU and the information provided on Microsoft Docs. The English text states customer data in pseudonymized form may also be stored and processed in the US:

Data storage location
Defender for Endpoint operates in the Microsoft Azure datacenters in the European Union, the United Kingdom, or in the United States. Customer data collected by the service may be stored in: (a) the geo-location of the tenant as identified during provisioning or, (b) if Defender for Endpoint uses another Microsoft online service to process such data, the geolocation as defined by the data storage rules of that other online service. Customer data in pseudonymized form may also be stored in the central storage and processing systems in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside.
<https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide>

OK, I get that. What I don't get is that on the corresponding Docs site in Swedish, the machine translation instead presents the word "anonymiserad", which in English is "anonymized", which is a completely different thing. Is this a bug? What is actually correct here and where can I find information about this?

The following is the Swedish text, translated here into English (the Swedish word used is "anonymiserad"); link/source at the bottom:

Data storage location
Defender for Endpoint operates in Microsoft Azure datacenters in the EU, the United Kingdom or the United States. Customer data collected by the service may be stored in: (a) the tenant's geo-location as identified during provisioning or (b) if Defender for Endpoint uses another Microsoft online service to process such data, the geolocation defined by the data storage rules of that other online service. Customer data in anonymized ("anonymiserad") form may also be stored in the central storage and processing systems in the United States. Once configured, you cannot change the location where your data is stored. This is a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will be stored.
<https://docs.microsoft.com/sv-se/microsoft-365/security/defender-endpoint/data-storage-privacy?view=o365-worldwide>

(4.1K views, 0 likes, 1 comment)
How to find the details of transactions (URLs visited) logged in Cloud Discovery

How do I get to the low level of detail behind the Transactions logged in Cloud Discovery? For example, 206 transactions have been recorded to Azure CDN Edge nodes, but I want to find the actual URLs that web browsers accessed. Happy to use KQL but I cannot figure out from the documentation where/if this level of detail is logged.

Second question: my organization's cyber analysts want to stream this transactional-level data from endpoint browsers into a SIEM for long-term (3 year+) retention. Again, how can I obtain this info and possibly buffer it into a Log Analytics workspace?

(1K views, 0 likes, 0 comments)
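An added example for the Cloud Discovery post above (not part of the original post or any reply): Cloud Discovery shows aggregated transaction counts, but the per-connection detail from onboarded devices is in the advanced hunting table DeviceNetworkEvents, where RemoteUrl carries the hostname or URL the sensor attributed to the connection. The query below lists what browser processes connected to, per device. The set of browser process names and the 7-day window are assumptions; RemoteUrl is only populated when the sensor could attribute a hostname, so connections with no hostname are reported under their remote IP instead.

```kql
// Added example, not from the original post. List the destinations that
// browsers on onboarded devices connected to, from endpoint network telemetry.
// Assumptions: these process names cover the browsers in use; 7 days is the
// window of interest. RemoteUrl is empty when the sensor had no hostname
// for the connection, so those rows fall back to "ip:<RemoteIP>".
let browsers = dynamic(["msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where ActionType in ("ConnectionSuccess", "ConnectionFailed")
| where InitiatingProcessFileName in~ (browsers)
| extend Destination = iff(isempty(RemoteUrl), strcat("ip:", RemoteIP), RemoteUrl)
| summarize Connections = count(),
            FirstSeen = min(Timestamp),
            LastSeen = max(Timestamp),
            RemoteIPs = make_set(RemoteIP, 10)
    by DeviceName, InitiatingProcessFileName, Destination
| order by Connections desc
```

For the retention question, the same raw DeviceNetworkEvents rows (not the Cloud Discovery aggregates) are what leave the tenant when you use the Defender for Endpoint streaming API to an Event Hub or storage account, or the Microsoft 365 Defender connector in Microsoft Sentinel, which lands them in a Log Analytics workspace where the workspace retention setting, not the advanced hunting window, governs how long they are kept.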
Microsoft Defender for Endpoint - Network Issues

Hello, we recently started onboarding our machines into the Microsoft Security Center and using Defender for Endpoint. After doing so, we've noticed issues that seem to be related to how Defender is handling network traffic.

Issue 1 - We have an on-premises file share. When accessing network shares we're unable to open files, randomly. We'll get generic errors like "Sorry we couldn't find [File Name]. Is it possible it was moved, renamed or deleted?" and "Microsoft Excel cannot access the file [File Name]. There are several possible reasons". However, if we access the same files from a machine that has not been onboarded yet there are no issues whatsoever.

Issue 2 - When accessing flow.microsoft.com from a machine with Defender for Endpoint enabled, I cannot edit any flows or do any work. The flow constantly comes back as "invalid connection". I've deleted and re-added the connection multiple times, re-authenticated etc. and nothing seems to work. However, same situation as above: when I access flow.microsoft.com from a machine that has not been onboarded yet there are no issues editing or working with the flows.

I've disabled EDR in Block Mode and also the custom network indicators just to see if it would help, but no luck. So far the only thing that works is offboarding the device.

Thanks.

(Solved; 2.6K views, 0 likes, 3 comments)
Advanced Hunting

Hi, I have set up Defender for Endpoint on our 365 tenant and I can see our devices within the O365 security portal. I want to now report on USB activity on our devices, but when I run the following under advanced hunting I get no results, but I know there must be some data. I am starting to think I don't have the correct licence? I have O365 E3 with Defender for Endpoint. Do I need an E5 for advanced hunting?

Alistair

    // Get the list the USB devices attached to a device in the past week.
    let myDevice = "<insert your device ID>";
    DeviceEvents
    | where ActionType == "UsbDriveMount" and Timestamp > ago(7d) and DeviceId == myDevice
    | extend ProductName = todynamic(AdditionalFields)["ProductName"],
             SerialNumber = todynamic(AdditionalFields)["SerialNumber"],
             Manufacturer = todynamic(AdditionalFields)["Manufacturer"],
             Volume = todynamic(AdditionalFields)["Volume"]
    | summarize lastInsert = max(Timestamp) by tostring(ProductName), tostring(SerialNumber), tostring(Manufacturer), tostring(Volume)

(1.3K views, 0 likes, 0 comments)
Microsoft Defender Security Center (ATP) - Alerts

Hi All,

Is there a way for us to get alerted from MS Security Center (ATP) if a device (server) has not been seen online for more than 24 hrs? I have intentionally onboarded a server to ATP and then taken away its ability to communicate out to the internet. I can see ATP reporting the server as last seen more than 24 hrs ago if I drill down into the device summary. The health state is still showing active. Wondering how often Defender for Endpoint reassesses the devices? Also, is the above possible?

Kind regards,

Mo

(1.6K views, 0 likes, 1 comment)
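An added example for the "not seen for more than 24 hrs" post above (not part of the original post or any reply): the portal's "last seen" value comes from the sensor's periodic DeviceInfo rows, so a device that has stopped reporting is found by taking the latest DeviceInfo row per device and checking how old it is. The query is shaped so it can be saved as a custom detection rule, which requires Timestamp, ReportId and a device identifier in the results. The 24-hour threshold and the 14-day lookback are assumptions; a device silent for longer than the lookback produces no rows at all and will not appear, so the lookback must be wider than the longest outage you want to catch, and the rule's run frequency must allow a lookback that wide (the daily schedule does).

```kql
// Added example, not from the original post. Onboarded devices whose sensor
// has not sent a DeviceInfo heartbeat for more than 24 hours, shaped for a
// custom detection rule (Timestamp, ReportId and DeviceId are preserved).
// Assumptions: 24h is the staleness threshold; 14d is the lookback. A sensor
// that has been silent longer than 14d has no rows here and is not listed.
let stale = 24h;
DeviceInfo
| where Timestamp > ago(14d)
| where OnboardingStatus == "Onboarded"
// Latest heartbeat per device; arg_max keeps ReportId from that same row,
// which is what a custom detection needs to link the alert to an event.
| summarize arg_max(Timestamp, ReportId, DeviceName, OSPlatform, MachineGroup) by DeviceId
| extend SilentFor = now() - Timestamp
| where SilentFor > stale
| project Timestamp, ReportId, DeviceId, DeviceName, OSPlatform, MachineGroup, SilentFor
| order by SilentFor desc
```

Saved as a custom detection, this produces an alert per device on each run for as long as the device stays silent, so pair it with a device-group scope (for example servers only) to keep the noise to the estate you actually want paged on. A cut internet path, as in the post, is exactly the condition this catches, since the sensor cannot deliver its heartbeat.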