Microsoft Defender for Endpoint series – Configure Defender for Endpoint – Part2
It is time for part 2 of the ultimate Microsoft Defender for Endpoint (MDE) series. After part 1 we are now going to deep-dive more into the initial configuration of Defender for Endpoint. In part 1 the question; what is Defender for Endpoint is answered – view the previous part here.
Introduction blog series
This ultimate blog series will contain as much information as possible based on my Defender experience in the past years. Not a copy of Microsoft Docs, but an addition based on practical experience combined with informational details – including the most frequent questions asked by customers focussing on the complete Windows platform. When it’s a success, other platforms like iOS, Android, Linux, and macOS will follow.
NOTE: Blog series is focussing on features in Microsoft Defender for Endpoint P2 all MDE P1 features are available in P2.
Specific question or content idea part of Defender for Endpoint? Use the contact submission form and share the post ideas.
Configure Defender for Endpoint
Before we start configuring all the specific subset features it is essential to fully configure Defender for Endpoint via the Microsoft 365 Defender portal and prepare the environment for onboarding the first devices/endpoints via Defender for Cloud, MEM/Intune, MDE Security Management, or other methods.
Microsoft Defender for Endpoint (MDE) service configuration is entirely cloud-based and integrated with AzureAD and other components for setting up RBAC/ and other features.
Microsoft Defender for Endpoint configuration is applicable tenant-wide (which means all devices enrolled in the tenant to Defender for Endpoint). The configuration is part of the Microsoft 365 product and is available via security.microsoft.com.
Part of the online security.microsoft.com configuration:
Microsoft 365 Defender
- Email notification
- Preview features
- Streaming API
Microsoft Defender for Endpoint
- Data retention
- Email notifications
- Advanced features (service features)
- Auto remediation
- Device groups
- Alert suppression
- Process Memory Indicators
- Web content filtering
- Automation uploads
- Automation folder exclusions
- Configuration management
- Enforcement scope
- Network assessments
- Assessment jobs
Microsoft Defender for Endpoint contains a large set of features that can be directly configured from the cloud portal. It is critical to confirm Defender for Endpoint is correctly configured with the right decision to make sure endpoints are completely protected and using all of the available protection features. Let’s start some deep-diving into the Defender for Endpoint available features.
NOTE: Initial Defender for Endpoint tenant activation is not part of this blog. View Defender for Endpoint documentation for enabling the correct license and activating the Defender for Endpoint product. Important; for the data storage location; Once configured, there is no option for changing the location. Make the correct decision based on governance reasons and compliance.
General – Data Retention
As already mentioned it is not possible to change the location where the data is stored after the initial configuration. The data retention period can be changed. By default, data is retained for 180 days, you can specify the data retention for all data in Defender for Endpoint for specific compliance needs between 30 days up to 180. Personally, the advice (when no governance restrictions) is to store data for up to 180 days (maximum) to make sure all history is available. Advanced Hunting data is not included for 180 days; Advanced Hunting data is available for 30 days.
By default, the data retention is 180 days. Contact Microsoft support for lower data retention configuration. Via security.microsoft.com there is no configuration available for data retention.
Information Microsoft: Microsoft Defender for Endpoint data storage and privacy
General – Email notifications
Defender for Endpoint supports Email notifications that are only working for the source Defender for Endpoint. Email notifications can be configured for Alerts and Vulnerabilities. Based on my opinion I’m not advising the alert email notifications part of Defender for Endpoint. Reason; notifications in Defender 365 give more flexibility and integration with other Defender 365 sources.
Notifications part of Microsoft Defender 365 is possible via security.microsoft.com -> Settings -> Microsoft 365 Defender -> Email notifications Alerting via Microsoft Defender 365 is applicable for incidents.
When there is the preference to use notifications for vulnerabilities use the Email notification configuration in Defender for Endpoint. With Email vulnerabilities, it is impossible to send automated emails when new vulnerabilities are affected to organization assets (for example; When the Severity threshold is critical/CVSS 9.0 and a new public exploit is available)
General – Advanced features
Advanced Features are important for using most of the protection features and integration with other features like Microsoft Endpoint Manager. Currently, there are many advanced features and some of them are critical for the best EDR/protection posture.
Automated investigation enables various inspection algorithms and is designed for taking immediate actions to resolve breaches and start automated investigations. For getting automated investigation and response (AIR) capabilities it is needed to enable the feature. Based on device groups the level of remediation can be configured. It will automatically clean files, and if something is detected it will automatically clean systems based on created exes, registry keys, scheduled tasks..
Advice: enable this feature and make remediation exceptions based on device groups when needed.
Live Response/ Live Response for Servers
Live Response is an MDE capability that provides security team members immediate remote console access to a device. This provides the ability to perform in-depth investigation, hunt for data, and further analysis. Live response can also be combined with device isolation for restricting the potential attack during investigations.
Advice: enable this feature, only be careful with the permissions, it is possible to run “custom” PowerShell scripts.
Live Response unsigned script execution
Live Response unsigned script execution enables the option for running unsigned PowerShell script in Live Response. Allowing the use of unsigned scripts directly from Live Response may increase your exposure to threats.
Advice: only use the future when there are no alternatives, ideally PowerShell scripts are correctly signed.
Restrict correlation within scoped device groups
This configuration can be used for scenarios where local SOC operations would like to limit alert correlations only to available device groups. By turning on this setting, an incident composed of alerts that cross-device groups will no longer be considered a single incident. SOC teams can view the alert. However, global SOC will see several different incidents by device group instead of one incident for all device groups.
Advice: Only enable when there are benefits of incident correlation across the organization. Changing this setting is only affected future alert correlation. Existing alerts are not affected after changing.
Enable EDR in block mode
When using third-party AV Defender for Endpoint in EDR in block mode it will override the third-party AV and clean items. The primary purpose of EDR in block mode is to remediate post-breach detections that were missed by a non-Microsoft antivirus product.
Enabled via Advanced Features the configuration is pushed to all supported onboarded systems. Since version 4.18.2202.x it is possible to enable EDR in block mode for specific devices using Intune CSPs.
Advice: Where the value is mostly based in combination with 3rd party AV solution it is recommended when endpoints are changing into passive/ EDR in block mode. There is completely no downside to having this feature enabled and works more as a post-breach fallback when Defender is not running in active mode or when attackers installing other AV solutions to bypass Defender AV protections.
Automatically resolve alerts
This one is interesting and depends on the needs and size of the environment/ customers. Automatically resolving alerts works in combination with the Automated Investigation features; when the automated investigation is cleaning up the alert, it will close it automatically by automation.
Advice: There is one major reason for enabling this feature; when using a device risk-based conditional access will get the users faster back online. The downside; Microsoft is automatically resolving the alerts; which makes in large environments the alert “hidden” in the resolved history. Where malware is cleaned up it required maybe some more investigation for tracking the initial action and in-depth investigation. Based on personal preference; the following is the advice;
Do you have the resources for tracking all incidents manually? disable the feature and check each incident more in-depth (don’t trust Microsoft completely). For smaller organizations, it is possible to automatically close the alerts which are cleaned by Automated Investigation and give more attention to the real ones. When enabled; always track weekly the action center history. If a security operations analyst manually sets the status of an alert to “In progress” or “Resolved” the auto-resolve capability will not overwrite it.
Allow or block file
When Defender Antivirus is running in active mode and cloud-based protection is enabled it is possible to block potentially malicious files from being read, written, or executed. When enabling the advanced features there is the option for adding custom hashes via indicators. Indicators can be completely scoped to specific device groups.
Advice: Enable the feature, it is useful for blocking files or whitelisting files centrally from the Defender for Endpoint. The Allow or block file feature can be used for allowing hash values. Indicators can be completely scoped to specific machine groups
Custom network indicators
Custom network indicators are needed for blocking specific network indicators (IP addresses, domains, or URLs) added via the Defender for Endpoint Indicators. To use this feature, network protection in block mode is required. Web protection is built on top of the custom network indicators.
Advice: Enable the feature, it is useful for blocking network indicators or whitelisting specific websites. Indicators can be completely scoped to specific machine groups
Tamper Protection is critical in protection against attacks. Tamper Protection in Defender for Endpoint protects organizations from unwanted changes in the Defender configuration by unauthorized users. Tamper Protection prevents malicious actors from changing protection features. By default (without Tamper Protection), a local administrator can disable Microsoft Defender Antivirus.
During cyber attacks, bad actors are trying to disable security features, such as virus and threat protection and real-time /behavior monitoring.
Tamper protection essentially locks Microsoft Defender Antivirus to its secure, default values, and prevents configured security settings from being changed through apps and other methods such as:
- Registry Editor
- PowerShell cmdlets
- Group Policy
When enabled via Advanced Features Tamper Protection is globally enabled for all supported machines. Tamper Protection via Advanced Features requires dependency on cloud-delivered protection. Since Defender platform version 4.18.2111.5, if cloud-delivered protection is not turned on and Tamper Protection is enabled, it will automatically enable cloud-delivered protection.
It is possible to start configuring Tamper Protection via MEM/Intune during the initial deployment and switch directly to the global enablement after the initial deployment. For servers Tenant Attach is required.
When Tamper Protection is enabled globally it is possible to overwrite Tamper Protection using Intune for disabling Tamper Protection.
Advice: Configure from the portal is for all supported devices recommended; my advice is to enable Tamper Protection via de portal and not only in MECM or Intune, ideally configure both for the best protection state.
Based on my opinion tamper protection must be always enabled. The new troubleshooting mode can be used during troubleshooting situations for disabling the features for troubleshooting. Sometimes customers like to disable Microsoft Defender during troubleshooting and not configure Tamper Protection, which makes a security cap. The new troubleshooting mode is fixing this request, where teams are having more flexibility. View the in-depth troubleshooting blog here.
Microsoft docs: Protect security settings with tamper protection
Microsoft Defender for Identity integration
The integration with Microsoft Defender for Identity receives enriched user and device data from Defender for identity and forward Defender for Endpoint signals. In both products, there is better visibility, additional detections, and efficient investigations.
Advice: Always enable it when the license is available for Defender for Identity. There is no downside to having this feature enabled when Defender for Identity is available.
Update January 2023: Integration is not needed anymore; Defender for Identity is part of Microsoft Defender 365.
Show user details
When enabling this feature the user details stored in Azure Active Directory are visible in Microsoft Defender. Details include a user’s picture, name, title, and department information when investigating user account entities. Personal information is available in the following dashboard:
- Security operation dashboard
- Alert queue
- Device details page
Advice: Enable when there is no specific reason for disablement.
Office 365 Threat Intelligence connection
The Office 365 Threat Intelligence connection is available when Office 365 E5 or the Threat Intelligence add-on is available. When enabling data from Defender for Office 365 is available in Defender for Endpoint.
Note: Additional configuration is required from the Security & Compliance dashboard.
Advice: Always enable it when the license is available. There is no downside to having this feature enabled.
Update January 2023: Integration is not needed anymore; Defender for Office is part of Microsoft Defender 365.
Microsoft Defender for Cloud Apps
This feature/ integration will be discussed later in this series during the integration part.
Web content filtering
This feature will be discussed later in this series.
Download quarantined files
Downloading quarantined files allows security teams to download quarantined files using the “Download file” button. All quarantined files will be collected and stored in a secure location.
Advice: This feature will benefit Security Admins and SecOps teams during an investigation, by permitting them to download the quarantined files directly from the portal, without any end-user involvement.
Share endpoint alerts with Microsoft Purview Compliance Center
Forwards endpoint security alerts and their triage status to the Microsoft Purview compliance portal, which allows users to exchange insider risk management policies.
Advice: Enable and only disable when compliance sharing is not allowed with Microsoft Purview Compliance Center based on legal reasons.
Authentication telemetry prevents spoofing telemetry into Defender for Endpoint.
Advice: Always enable, giving protection against telemetry spoofing.
Microsoft Intune connection
This feature/ integration will be discussed later in this series during the onboarding part.
This feature will be discussed later in this series.
When enabled Defender for Endpoint tenant receives earlier new improvements and features. All preview features released in public preview are fully supported by Microsoft.
The preview versions are provided with a standard support level and can be used for production environments. When enabled the features will be enabled for the generally available (GA) release.
Advice: Depending on the environment – some environments are only using Global Availablity features. Personally I usually activate the preview features; to get a quicker hands-on experience with new features. Based on multiple years of experience; never had critical issues based on preview features.
Endpoint Attack Notification
Endpoint Attack Notification is part of Microsoft Threat Experts. Endpoint Attack Notifications provided proactive hunting based on real Microsoft Defender data. Endpoint attack notifications are recommended for enabling. These notifications show up as a new alert.
Endpoint Attack Notification is free when you apply and are approved. You can apply from security.microsoft.com -> From the navigation pane, go to Settings > General > Advanced features > Endpoint Attack Notification
Advice: Enable when possible, Endpoint Attack Notifications adds interesting threat information including proactive based on real Microsoft Defender data.
Permissions – Roles
Correct admin roles, permissions, and assigned Azure Active Directory groups are important for the tier-based/ role-based access model to assign and authorize access to different teams.
Defender for Endpoint supports different ways and options from basic permissions up to advanced permissions.
When configuring Defender for Endpoint for the first time it is based on basic permissions using the following build-in AAD roles:
|Group||AAD build-in role||Permissions in MDE|
|Security Administrator||Yes||Full access|
|Global Administrator||Yes||Full access|
|Security Reader||Yes||Reader-only access|
|Global Reader||Yes||Reader-only access|
Enabling the Role-based access control (RBAC) future is possible in Defender using the button “Turn on roles” in the Roles section.
For each role the permissions can be configured; For example; allow Tier 1 – Local support (Servicedesk) to view data in security operations and threat and vulnerability management.
Where Tier 2 – Regional/Opco security operations teams are allowed to view data and managed active remediation actions, Exception handling, alert investigations, and basic live response capabilities.
Click on Assigned user groups for attaching AzureAD groups.
Permissions – Device Groups
Device groups are based on my personal opinion critical in Defender for Endpoint environments. For the following reasons;
- RBAC management: Allowing teams to only manage a subset of devices
- Scoping for policies: Deploy policies based on device groups ( Web content Filtering, indicators, hashes, etc)
- Configure automation level: Allows the flexibility for automated remediation
- Filtering in Defender portal: Filter on device groups in TVM increases makes it possible to view only TVM recommendations for a specific group; for example domain controllers)
- Visibility for SOC/ SIEM/ Security: Direct visibility into different types of servers/ workstations (Kiosk, WVD, Domain Controller, SQL). Security knows direct the incident is scoped on one of the domain controllers.
You can define a membership rule that uses one or more of the following device attributes:
- Device name
- Device domain
- Device operating system
- Device tag
Device tags can be easily set by registry, PowerShell, API, Logic App, manual, or Intune. Device attributes can be used for configuring groups based on OS, name convention, or domain. It is possible to use the AND operator. For example; we can have a device group called NL devices with a membership rule: (“Device Name” starts with “NL” AND “OS” = “Windows 10 and Windows11”).
Devices can only be member of one device group. Device groups are assigned on a rank. When a device is matched to more than one group, it is only added to the highest-ranked group. Devices that are not matched to any groups are added to the Ungrouped devices group. In the below example; Server – all Windows Servers is the highest ranked group and ungrouped devices (default) the lowest.
User access makes it possible to restrict access for specific groups by selecting the configured Roles. For example; allow only admins in the US to view US-only devices. When configuring User access it is required to add the group first in one of the roles. When added in the Roles section it is possible to select the configured group in the device group user access settings.
General – Auto remediation
When configuring device groups in Defender for Endpoint it is possible to select the Auto remediation level. By default, automated remediation is configured on Full for all devices. When Automated investigation and remediation (AIR) is enabled on tenants, Microsoft Defender will auto-create a remediation action that removes the malicious entity found after investigating suspicious activity. This process is completely automatic and part of the AIR configuration. Response actions can be configured using the Auto remediation settings. Based on the automation level the remediation actions are completely automatic or require manual approval. The following levels are available:
No automated response
|Devices will not be investigated.|
|Semi – require approval for all folders||Devices are automatically investigated when an alert is received from a detection system, but require approval before any remediation action can be taken.|
Semi – require approval for non-temp folders
|Devices are automatically investigated when an alert is received from a detection system and automatically remediated within temp and download directories; all other remediation actions require approval.|
|Semi – require approval for core folders||Devices are automatically investigated when an alert is received from a detection system and remediated except those identified within core system directories; remediation actions for threats to core system directories require approval.|
|Full – remediate threats automatically||Devices will be automatically investigated and remediated by MDE, without the need for any human intervention.|
Advice: use Automation level Full – remediate threats automatically and make only exceptions when needed. When Full – remediate threats automatically is not possible (Critical devices, POS/Retail, KIOSK) it is recommended to configure one of the Semi automation levels. Don’t make exceptions for the Ungrouped devices (default) group), make the default always Full – remediate threats automatically.
Information Microsoft: Automation levels in automated investigation and remediation capabilities
Part 2 of the Microsoft Defender for Endpoint series is completed – focussed on the initial Defender for Endpoint service configuration. Stay tuned for the next parts; where more in-depth knowledge and experience will be shared around Defender for Endpoint focussing on all the components and additional settings.
Searching for specific Defender for Endpoint information? Use the contact submission form and share the post ideas or contact using Linkedin or Twitter. I will take all suggestions into the Defender for Endpoint series and help the community as far as possible.
View previous part – What is Defender for Endpoint? – Part1
Data Retention setting is no longer visible in settings page.
Opened a ticket with MS. They replied:
As per your issue, we have following details, please let us know if it’s helpful to you:
1.Data Retention period has been moved to default 180 days period.
2.If someone wants to change the data retention period, then they have to request the same with opening a specific case for the same.
Please let me know if you have any other queries.
Thanks for the information.
Indeed – the data retention setting is no longer available; the content will be updated.
I discovered that some alerts were stored in an incorrect folder and were not sent to the service provider. Do you know by any chance how technically they can replay all to us? All alerts from the 1st June until now pushed to us via API again?