Laying the foundations in Microsoft Defender for Endpoint


Introduction

Following on from my previous post about onboarding devices to test the functionality of Defender for Endpoint (MDE), I'd like to detail some key settings to ensure MDE is configured in the best way and to maximise the value of the product.
These recommendations aren't an exhaustive list; keep an eye out for further blog posts about more enhancements.

Create Device Groups

Device groups will form an important part of operations in MDE, especially if you plan to protect a variety of operating systems and device types. Device groups in MDE are used for:
  • Role based access control (RBAC)
  • Configuring auto-remediation settings
  • Filtering devices during remediation
  • Configuring alert levels
Device groups are configured in Settings -> Endpoints -> Device groups

A simple condition-based filter is used to dynamically populate device groups, an example of a Windows 10 device group is shown below.
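The following is an added example, not code from the original post or from Microsoft, that models how a ranked list of condition-based device groups populates dynamically. It assumes a simplified condition set (name, domain, tag and OS with "equals" and "starts_with" operators; the portal's exact operator list is not reproduced), evaluates groups from rank 1 downwards so that a device matching several groups lands in the highest-ranked one, and places unmatched devices in a default group named "Ungrouped devices". All devices and groups in it are constructed sample data.

```python
from dataclasses import dataclass, field

# Default group assumed for devices that match no condition set.
UNGROUPED = "Ungrouped devices"


@dataclass
class Device:
    name: str
    domain: str
    os: str
    tags: set = field(default_factory=set)


@dataclass
class Condition:
    attribute: str  # "name", "domain", "tag" or "os" (simplified attribute set)
    operator: str   # "equals" or "starts_with" (simplified operator set)
    value: str

    def matches(self, device: Device) -> bool:
        # A tag condition is satisfied if any tag on the device matches.
        candidates = device.tags if self.attribute == "tag" else {getattr(device, self.attribute)}
        wanted = self.value.lower()
        for candidate in candidates:
            candidate = candidate.lower()
            if self.operator == "equals" and candidate == wanted:
                return True
            if self.operator == "starts_with" and candidate.startswith(wanted):
                return True
        return False


@dataclass
class DeviceGroup:
    name: str
    rank: int                   # 1 is evaluated first
    conditions: list            # all conditions must hold (AND)

    def matches(self, device: Device) -> bool:
        return all(cond.matches(device) for cond in self.conditions)


def matching_groups(device: Device, groups: list) -> list:
    """Every group whose conditions the device satisfies, highest rank first.
    More than one entry means the group ordering decides the outcome."""
    return [g.name for g in sorted(groups, key=lambda g: g.rank) if g.matches(device)]


def assign_group(device: Device, groups: list) -> str:
    """The group the device actually lands in: first match by rank, else the default."""
    matches = matching_groups(device, groups)
    return matches[0] if matches else UNGROUPED


def assign_all(devices: list, groups: list) -> dict:
    return {d.name: assign_group(d, groups) for d in devices}


# Constructed sample groups: a narrow tag-based group is ranked above the broad
# Windows 10 group, otherwise the broad group would capture the finance laptops.
GROUPS = [
    DeviceGroup("Finance laptops", rank=1,
                conditions=[Condition("os", "equals", "Windows 10"),
                            Condition("tag", "equals", "Finance")]),
    DeviceGroup("Windows 10 workstations", rank=2,
                conditions=[Condition("os", "equals", "Windows 10")]),
    DeviceGroup("Linux servers", rank=3,
                conditions=[Condition("os", "equals", "Linux"),
                            Condition("name", "starts_with", "WEB-")]),
]

# Constructed sample devices.
DEVICES = [
    Device("FIN-LT-01", "corp.example", "Windows 10", {"Finance"}),
    Device("HR-LT-02", "corp.example", "Windows 10"),
    Device("WEB-01", "corp.example", "Linux"),
    Device("MAC-01", "corp.example", "macOS"),
]

if __name__ == "__main__":
    for name, group in assign_all(DEVICES, GROUPS).items():
        print(f"{name:10} -> {group}")
```

The check worth keeping from this model is `matching_groups`: a device that returns more than one group is governed entirely by rank, so when a new, narrower group is added it must be placed above the broad OS-based group or it will never receive any devices.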




Configure RBAC

Role based access control should be configured to allow the adoption of MDE across different internal teams and to define rights and permissions.

I recommend creating at least two roles in MDE to segregate admins from analysts.
Roles can be created under Settings -> Endpoints -> Roles.

Before doing so, create the associated user groups in your Azure AD.

Analysts will generally want to view the threat and vulnerability data, so creating a role as follows should suffice:





Administrators will need more permissions across MDE; the following will work well:



Set Up Vulnerability Notifications

Keeping your team up to date with the latest vulnerabilities and exploits is paramount; configure vulnerability notifications to send email alerts about the following:
  • New vulnerability found (including zero-day vulnerability)
  • Exploit was verified
  • New public exploit
  • Exploit added to an exploit kit
These can be scoped to specific device groups.

Vulnerability notifications are created in Settings -> Endpoints -> Email notifications -> Vulnerabilities



As you can see, the email notifications contain a decent level of detail and provide recommendations for remediation.





Conclusion

This post should have guided you into a position where you can start tweaking some of the more advanced features of MDE. Keep an eye out for further posts on this subject.

About Me

Senior Consultant at CDW UK specialising in Microsoft workspace and cloud technologies.