Microsoft Defender for Endpoint articles https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog Microsoft Defender for Endpoint articles Sat, 23 Oct 2021 15:21:34 GMT MicrosoftDefenderATPBlog 2021-10-23T15:21:34Z Defending Windows Server 2012 R2 and 2016 https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/defending-windows-server-2012-r2-and-2016/ba-p/2783292 <P><FONT size="5"><STRONG>Introduction</STRONG></FONT></P> <P><FONT size="4">In today's threat landscape, protecting all your servers is critical, particularly with human-operated and sophisticated ransomware attacks becoming more prevalent. Our mission for endpoint protection is to cover all endpoints regardless of platform, clients and servers alike, including mobile, IoT and network devices. Today, we are extending protections in Microsoft Defender for Endpoint that are already available for Windows Server 2019 and later to Windows Server 2012 R2 and 2016 using a modernized, completely revamped solution stack.</FONT></P> <P>&nbsp;</P> <P><FONT size="5"><STRONG>Introducing our modernized, unified solution for Windows Server 2012 R2 and 2016 (Public Preview)!</STRONG></FONT></P> <P><FONT size="4">We are proud to introduce the public preview of a completely revamped Microsoft Defender for Endpoint solution stack for Windows Server 2012 R2 and Windows Server 2016. 
Whilst keeping up to date and upholding security hygiene is arguably still the best go-to when it comes to increasing resilience and reducing attack surface, we believe this modern, unified solution brings the best of the Microsoft Defender for Endpoint capabilities for prevention, detection, and response - in a single package.</FONT></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="server-onboarding-tools-methods.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/316048i07EF37B276ACCB46/image-size/large?v=v2&amp;px=999" role="button" title="server-onboarding-tools-methods.png" alt="Server onboarding steps. Note: Azure Defender integration and automated deployment will be available at a later time." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Server onboarding steps. Note: Azure Defender integration and automated deployment will be available at a later time.</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><FONT size="4">This new unified solution package reduces complexity by removing dependencies and installation steps. 
It also standardizes capabilities and functionality, bringing a very high level of parity with Microsoft Defender for Endpoint on Windows Server 2019:</FONT></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="PaulHb_0-1633643254431.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/316050i162700C6A1E870F7/image-size/large?v=v2&amp;px=999" role="button" title="PaulHb_0-1633643254431.png" alt="Overview of capabilities per operating system" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Overview of capabilities per operating system</span></span></P> <P>&nbsp;</P> <P><FONT size="4">Aside from having <STRONG>no specific client prerequisites or dependencies</STRONG>, the solution is functionally equivalent to Microsoft Defender for Endpoint on Windows Server 2019; this means all environment requirements around connectivity are the same, and you can use the same Group Policy, PowerShell commands and Microsoft Endpoint Configuration Manager* to manage configuration. The solution does not use or require the installation of the Microsoft Monitoring Agent (MMA).</FONT></P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Improving resiliency against human-operated ransomware attacks</STRONG></FONT></P> <P><FONT size="4">To avoid security controls, we have often seen attackers leveraging machines with older operating systems inside our customers’ environments. As such, the endpoint visibility required to detect and prevent modern-day ransomware attacks was at the center of many of our design decisions for this release.</FONT></P> <P>&nbsp;</P> <P><FONT size="4">Specifically, we modeled across the <A href="#" target="_blank" rel="noopener">MITRE tactics</A> that we felt provide the best chances of early alerting, and emphasized capturing actionable telemetry across these. 
Some areas include:</FONT></P> <P>&nbsp;</P> <UL> <LI><FONT size="4"><STRONG>Initial Access:</STRONG> Servers are often the first point of entry for motivated attackers. The ability to monitor signs of entry via publicly facing, vulnerable services is critical.</FONT></LI> <LI><FONT size="4"><STRONG>Credential Access:</STRONG> Servers often contain sensitive credentials in memory from administrator maintenance or other activities. Enhanced memory protections help identify potential credential theft activities.</FONT></LI> <LI><FONT size="4"><STRONG>Lateral Movement:</STRONG> Improved user logon telemetry allows better mapping of attempted movement across the network to or from servers.</FONT></LI> <LI><FONT size="4"><STRONG>Defense Evasion:</STRONG> Improved hardening via tamper protection gives security controls the best chance of preventing ransomware’s most harmful effects on high-value assets, such as servers.</FONT></LI> </UL> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Next steps</STRONG></FONT></P> <P><FONT size="4">You can start testing today by simply visiting the <A href="#" target="_blank" rel="noopener">Microsoft 365 Defender portal</A>. 
If you have enabled preview features, you can download the installation and onboarding packages from the new onboarding page:</FONT></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="PaulHb_0-1632511603044.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312752i3246B9097DA97C84/image-size/medium?v=v2&amp;px=400" role="button" title="PaulHb_0-1632511603044.png" alt="A screenshot of the new onboarding page option" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">A screenshot of the new onboarding page option</span></span><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="PaulHb_1-1632511342490.png" style="width: 304px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/312751i519BFF8F6A358785/image-size/medium?v=v2&amp;px=400" role="button" title="PaulHb_1-1632511342490.png" alt="A screenshot of the new installer" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">A screenshot of the new installer</span></span></P> <P>&nbsp;</P> <UL> <LI><FONT size="4">Before installation, please ensure your machines are fully updated and continue to apply the latest component updates containing important security improvements and bug fixes. For the EDR sensor on Windows Server 2012 R2 &amp; 2016, we now have a new update package available: <A href="#" target="_blank" rel="noopener">KB5005292</A>. Note that at time of publication the EDR sensor component is already up to date so there may not yet be an update published.&nbsp;</FONT></LI> <LI><FONT size="4"><SPAN>On Windows Server 2016, verify that Microsoft Defender Antivirus is installed, is active and up to date. You can download and install the latest platform version using Windows Update. 
Alternatively, download the update package manually from the </SPAN><A href="#" target="_self"><SPAN class="pl-e">Microsoft Update Catalog</SPAN></A><SPAN>&nbsp;or from the <A href="#" target="_self">Antimalware and cyber security portal</A></SPAN></FONT><FONT size="4">.</FONT></LI> <LI><FONT size="4">Ensure you meet all connectivity requirements; they match those for <A href="#" target="_blank" rel="noopener">Windows Server 2019</A>.</FONT></LI> <LI><FONT size="4">You can now use the Group Policy templates for Windows Server 2019 to manage Defender on Windows Server 2012 R2 &amp; 2016.</FONT></LI> <LI><FONT size="4">Please take a look at <A href="#" target="_blank" rel="noopener">New functionality in the modern unified solution for Windows Server 2012 R2 and 2016 Preview</A> for known issues and limitations.</FONT></LI> <LI><FONT size="4">Microsoft Endpoint Configuration Manager (MECM) 2107 with the hotfix rollup or later is required to support configuration of the preview solution, including through MECM tenant attach. 
Automated deployment and onboarding will be available upon GA.</FONT></LI> <LI><FONT size="4">We are also excited to have full Azure Defender integration coming to public preview in Q1 of 2022!</FONT></LI> </UL> <P>&nbsp;</P> <P><FONT size="3">*If you have previously onboarded your servers using the Microsoft Monitoring Agent (MMA), either manually or through Microsoft Endpoint Configuration Manager, follow the guidance provided in&nbsp;<A href="#" target="_blank" rel="noopener">Server migration</A>&nbsp;for the steps to migrate to the new solution.</FONT></P> Fri, 15 Oct 2021 15:22:18 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/defending-windows-server-2012-r2-and-2016/ba-p/2783292 PaulHb 2021-10-15T15:22:18Z Device Control Device Installation update https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/device-control-device-installation-update/ba-p/2734428 <H1><SPAN>Device Control Device Installation update</SPAN></H1> <P>We are excited to announce the general availability of a new device installation policy setting that dramatically simplifies the management of the device installation feature.</P> <P>&nbsp;</P> <P>This policy setting changes the order in which Allow and Prevent policy settings are evaluated when more than one installation policy setting applies to a given device. The policy setting is called “Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.”</P> <P>&nbsp;</P> <P>Enable this policy setting to ensure that overlapping device match criteria are applied based on an established hierarchy, such that more specific match criteria supersede less specific match criteria. 
The hierarchical order of evaluation for policy settings that specify device match criteria is as follows:</P> <UL> <LI>Device instance IDs &gt; Device IDs &gt; Device setup class &gt; Removable devices</LI> </UL> <P>Note: The "Prevent installation of devices not described by other policy settings" policy setting has been replaced by the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting for supported Windows 10 versions. We recommend using the "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria" policy setting when possible.</P> <P>&nbsp;</P> <P>This policy supports Group Policy and Intune.</P> <P>&nbsp;</P> <H2><SPAN>How to deploy the policy via Intune</SPAN></H2> <P>&nbsp;</P> <P>In Microsoft Endpoint Manager (<A href="#" target="_blank" rel="noopener">https://endpoint.microsoft.com/</A>):</P> <OL> <LI><SPAN>Configure <STRONG>Prevent installation of devices using drivers that match these device setup classes</STRONG>.&nbsp;</SPAN><SPAN>Go to <STRONG>Endpoint security</STRONG> &gt; <STRONG>Attack surface reduction</STRONG> &gt; <STRONG>Create Policy</STRONG> &gt; <STRONG>Platform: Windows 10 and later</STRONG>, and <STRONG>Profile: Device control.</STRONG></SPAN> <OL class="lia-list-style-type-lower-alpha"> <LI><STRONG><SPAN>{36fc9e60-c465-11cf-8056-444553540000}</SPAN></STRONG><STRONG>: <SPAN>USB Bus Devices (hubs and host controllers)</SPAN></STRONG><SPAN>. This class includes USB host controllers and USB hubs, but not USB peripherals. Drivers for this class are system-supplied.</SPAN></LI> <LI><STRONG><SPAN>{88BAE032-5A81-49f0-BC3D-A4FF138216D6}: USB Device</SPAN></STRONG><SPAN>. This class includes all USB devices that do not belong to another class. 
It is not used for USB host controllers and hubs.</SPAN></LI> </OL> </LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_4-1631139918998.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309097i52F23A3D3F38BBAB/image-size/medium?v=v2&amp;px=400" role="button" title="Tewang_Chen_4-1631139918998.png" alt="Tewang_Chen_4-1631139918998.png" /></span></P> <P>&nbsp;</P> <P>If you plug in a USB device before you finish the configuration, you will see the following error:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_5-1631139930618.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309098i99C4F01B9C19D5EA/image-size/medium?v=v2&amp;px=400" role="button" title="Tewang_Chen_5-1631139930618.png" alt="Tewang_Chen_5-1631139930618.png" /></span></P> <P><SPAN>Proceed through the next few steps to finish the configuration.</SPAN></P> <OL start="2"> <LI><SPAN>Enable <STRONG>Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria</STRONG></SPAN> <OL class="lia-list-style-type-lower-alpha"> <LI><SPAN>Configure it through a custom OMA-URI profile (<STRONG>OMA-URI is the only supported method for now</STRONG>).<BR />Go to <STRONG>Devices</STRONG> &gt; <STRONG>Configuration profiles</STRONG> &gt; <STRONG>Create profile</STRONG> &gt; <STRONG>Platform: Windows 10 and later</STRONG>, and <STRONG>Profile: Custom</STRONG></SPAN></LI> </OL> </LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_6-1631139964802.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309099iD83F57AFC7EAFFE9/image-size/medium?v=v2&amp;px=400" role="button" title="Tewang_Chen_6-1631139964802.png" alt="Tewang_Chen_6-1631139964802.png" /></span></P> <P>&nbsp;</P> <OL start="3"> 
<LI><SPAN>Enable and add allowed USB Instance ID – <STRONG>Allow installation of devices that match any of these device IDs</STRONG></SPAN> <OL class="lia-list-style-type-lower-alpha"> <LI><SPAN>Update the Device control profile from step 1.</SPAN></LI> </OL> </LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_11-1631140066566.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309104iFAD15CCD28BE7853/image-size/medium?v=v2&amp;px=400" role="button" title="Tewang_Chen_11-1631140066566.png" alt="Tewang_Chen_11-1631140066566.png" /></span></P> <P>&nbsp;</P> <P><SPAN>Adding PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&amp;HOST; USB\ROOT_HUB30; USB\ROOT_HUB20; USB\USB20_HUB in the above screen capture is required because it is not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. You have to ensure all the USB devices that precede the target one are not blocked (and instead allowed) as well. You can open Device Manager and change view to <STRONG>Devices by connections</STRONG> to see the way devices are installed in the PnP tree. 
In our case, the following devices must be allowed so that the target USB thumb-drive can be allowed as well:</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <UL> <LI><SPAN>“Intel(R) USB 3.0 eXtensible Host Controller – 1.0 (Microsoft)” &gt; PCI\CC_0C03</SPAN></LI> <LI><SPAN>“USB Root Hub (USB 3.0)” &gt; USB\ROOT_HUB30</SPAN></LI> <LI><SPAN>“Generic USB Hub” &gt; USB\USB20_HUB</SPAN></LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_12-1631140092482.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309105iC7B74172E0EFDAA4/image-size/medium?v=v2&amp;px=400" role="button" title="Tewang_Chen_12-1631140092482.png" alt="Tewang_Chen_12-1631140092482.png" /></span></P> <P>&nbsp;</P> <P>Note: Some devices in the system have several layers of connectivity that define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it is important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. One example follows (the IDs are not always the same for all USB devices; check the PnP tree of the device you want to manage in Device Manager):</P> <P>&nbsp;</P> <UL> <LI>PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&amp;HOST (for Host Controllers)</LI> <LI>USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)</LI> <LI>USB\USB20_HUB (for Generic USB Hubs)</LI> </UL> <P>&nbsp;</P> <P>On desktop machines in particular, it is very important to include in the above list all the USB devices that your keyboards and mice are connected through. 
Failing to do so could block a user from accessing their machine through HID devices.</P> <P>&nbsp;</P> <P>Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it is done.</P> <P><SPAN>&nbsp;</SPAN></P> <P>When you plug in the USB drive now, you can see that it is allowed and available.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_13-1631140107414.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309106iDF09B325443A9CA9/image-size/medium?v=v2&amp;px=400" role="button" title="Tewang_Chen_13-1631140107414.png" alt="Tewang_Chen_13-1631140107414.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><SPAN>How to deploy the policy via Group Policy</SPAN></H2> <P>Under Administrative Templates &gt; System &gt; Device Installation &gt; Device Installation Restrictions:</P> <OL> <LI><SPAN>Configure <STRONG>Prevent installation of devices using drivers that match these device setup classes</STRONG>:</SPAN> <OL class="lia-list-style-type-lower-alpha"> <LI><SPAN>{36fc9e60-c465-11cf-8056-444553540000}</SPAN>: <SPAN>USB Bus Devices (hubs and host controllers). This class includes USB host controllers and USB hubs, but not USB peripherals. Drivers for this class are system-supplied.</SPAN></LI> <LI><SPAN>{88BAE032-5A81-49f0-BC3D-A4FF138216D6}: USB Device. This class includes all USB devices that do not belong to another class. 
This class is not used for USB host controllers and hubs.</SPAN></LI> </OL> </LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_14-1631140136738.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309107i58A937C46BD19410/image-size/medium?v=v2&amp;px=400" role="button" title="Tewang_Chen_14-1631140136738.png" alt="Tewang_Chen_14-1631140136738.png" /></span></P> <P>&nbsp;</P> <P>If you plug in a USB device before you have finished the configuration, you will see the following error:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_15-1631140152645.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309108i5C4EB666544EA118/image-size/medium?v=v2&amp;px=400" role="button" title="Tewang_Chen_15-1631140152645.png" alt="Tewang_Chen_15-1631140152645.png" /></span></P> <P>&nbsp;</P> <OL start="2"> <LI><SPAN>Enable <STRONG>Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria</STRONG></SPAN></LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_16-1631140164681.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309109i606CEA269397CF61/image-size/medium?v=v2&amp;px=400" role="button" title="Tewang_Chen_16-1631140164681.png" alt="Tewang_Chen_16-1631140164681.png" /></span></P> <P>&nbsp;</P> <OL start="3"> <LI><SPAN>Enable and add the allowed USB instance ID – <STRONG>Allow installation of devices that match any of these device IDs</STRONG></SPAN></LI> </OL> <P><SPAN>&nbsp;</SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_17-1631140176293.png" style="width: 400px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309110iF8AE5256ED3EF0E0/image-size/medium?v=v2&amp;px=400" role="button" title="Tewang_Chen_17-1631140176293.png" alt="Tewang_Chen_17-1631140176293.png" /></span></P> <P>&nbsp;</P> <P><SPAN>Adding PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&amp;HOST; USB\ROOT_HUB30; USB\ROOT_HUB20; USB\USB20_HUB in the above screen capture is required because it is not enough to enable only a single hardware ID in order to enable a single USB thumb-drive. You have to ensure that all the USB devices that precede the target one are allowed rather than blocked as well. You can open Device Manager and change the view to ‘Devices by connections’ to see the way devices are installed in the PnP tree. In our case, the following devices must be allowed so that the target USB thumb-drive can be allowed as well:</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <UL> <LI><SPAN>“Intel(R) USB 3.0 eXtensible Host Controller – 1.0 (Microsoft)” -&gt; PCI\CC_0C03</SPAN></LI> <LI><SPAN>“USB Root Hub (USB 3.0)” -&gt; USB\ROOT_HUB30</SPAN></LI> <LI><SPAN>“Generic USB Hub” -&gt; USB\USB20_HUB</SPAN></LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_18-1631140805358.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309111i3055D487AF98903D/image-size/medium?v=v2&amp;px=400" role="button" title="Tewang_Chen_18-1631140805358.png" alt="Tewang_Chen_18-1631140805358.png" /></span></P> <P>&nbsp;</P> <P>Note: Some devices in the system have several layers of connectivity that define their installation on the system. USB thumb-drives are such devices. Thus, when looking to either block or allow them on a system, it is important to understand the path of connectivity for each device. There are several generic Device IDs that are commonly used in systems and could provide a good start to build an ‘Allow list’ in such cases. 
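</P> <P>One way to script the ‘Devices by connections’ walk that both the Intune and the Group Policy sections above describe, as an added example that is not part of the original post: it uses the built-in PnpDevice module (<STRONG>Get-PnpDevice</STRONG> and <STRONG>Get-PnpDeviceProperty</STRONG>) to follow DEVPKEY_Device_Parent from a USB thumb-drive up to the host controller, marks which ancestors fall in the two setup classes blocked in step 1, and lists their hardware and compatible IDs as candidates for the Allow-by-ID setting. Function and variable names are my own; the script assumes Windows PowerShell 5.1 on Windows 10 or Windows Server 2016 and later.</P>

```powershell
# Added example, not part of the original post: walk a USB device's connection path
# (what Device Manager's "Devices by connections" view shows) and list the ancestors
# that need an Allow-by-ID entry. Assumes Windows PowerShell 5.1 on Windows 10 /
# Server 2016+ with the built-in PnpDevice module; all names below are my own.

# Setup-class GUIDs that step 1 of the post blocks. Any ancestor in one of these
# classes is hit by the class-level Prevent and therefore needs an explicit Allow by ID.
$BlockedSetupClasses = @{
    '{36fc9e60-c465-11cf-8056-444553540000}' = 'USB Bus Devices (hubs and host controllers)'
    '{88bae032-5a81-49f0-bc3d-a4ff138216d6}' = 'USB Device'
}

function Get-UsbInstallAllowChain {
    [CmdletBinding()]
    param(
        # Instance ID of the leaf device, e.g. the USBSTOR\... node of a thumb-drive.
        [Parameter(Mandatory)][string]$InstanceId
    )
    $chain   = New-Object System.Collections.Generic.List[object]
    $seen    = @{}
    $current = $InstanceId
    while ($current -and -not $seen.ContainsKey($current)) {
        $seen[$current] = $true
        $dev = Get-PnpDevice -InstanceId $current -ErrorAction SilentlyContinue
        if (-not $dev) { break }   # reached a node PnP does not expose (e.g. HTREE\ROOT\0)
        $classGuid = ([string]$dev.ClassGuid).ToLower()
        $chain.Add([pscustomobject]@{
            FriendlyName   = $dev.FriendlyName
            InstanceId     = $dev.InstanceId
            Class          = $dev.Class
            InBlockedClass = $BlockedSetupClasses.ContainsKey($classGuid)
            HardwareIDs    = @($dev.HardwareID)
            CompatibleIDs  = @($dev.CompatibleID)
        })
        # DEVPKEY_Device_Parent holds the instance ID of the next node towards the root.
        $parent = Get-PnpDeviceProperty -InstanceId $current -KeyName 'DEVPKEY_Device_Parent' `
                                        -ErrorAction SilentlyContinue
        $current = if ($parent -and $parent.Data) { [string]$parent.Data } else { $null }
    }
    $chain.Reverse()   # root (host controller) first, leaf last, like Device Manager
    return $chain
}

# Calculated column: every hardware and compatible ID of a node, de-duplicated.
$idsColumn = @{
    Name       = 'IDs'
    Expression = { (@($_.HardwareIDs) + @($_.CompatibleIDs) | Where-Object { $_ } |
                    Select-Object -Unique) -join '; ' }
}

# Leaf devices: present disks that enumerated through the USB storage stack (USBSTOR).
$usbDisks = Get-PnpDevice -PresentOnly -Class DiskDrive -ErrorAction SilentlyContinue |
    Where-Object { $_.InstanceId -like 'USBSTOR\*' }

foreach ($disk in $usbDisks) {
    "`n=== Connection path for '$($disk.FriendlyName)' ==="
    $chain = @(Get-UsbInstallAllowChain -InstanceId $disk.InstanceId)
    $chain | Format-Table -AutoSize FriendlyName, Class, InBlockedClass, $idsColumn

    # Candidates for "Allow installation of devices that match any of these device IDs":
    # every ancestor in a blocked class plus the leaf's own IDs. A node's first HardwareID
    # is its most specific match; its CompatibleIDs (PCI\CC_0C03, USB\USB20_HUB, ...) are
    # the generic ones the post lists. Review and trim the list before deploying it.
    $allowIds = @()
    foreach ($node in $chain) {
        if ($node.InBlockedClass) { $allowIds += $node.HardwareIDs + $node.CompatibleIDs }
    }
    $allowIds += @($disk.HardwareID)
    "`nAllow-by-ID candidates:"
    $allowIds | Where-Object { $_ } | Select-Object -Unique
}
```

<P>Get-UsbInstallAllowChain accepts any instance ID, so you can pass a keyboard’s (from Get-PnpDevice -Class Keyboard) to confirm the path your HID devices depend on before deploying the Prevent setting.</P> <P>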
One example follows (the IDs are not always the same for all USB devices; check the PnP tree of the device you want to manage in Device Manager):</P> <P>&nbsp;</P> <UL> <LI>PCI\CC_0C03; PCI\CC_0C0330; PCI\VEN_8086; PNP0CA1; PNP0CA1&amp;HOST (for Host Controllers)</LI> <LI>USB\ROOT_HUB30; USB\ROOT_HUB20 (for USB Root Hubs)</LI> <LI>USB\USB20_HUB (for Generic USB Hubs)</LI> </UL> <P>&nbsp;</P> <P>On desktop machines in particular, it is very important to include in the above list all the USB devices that your keyboards and mice are connected through. Failing to do so could block a user from accessing their machine through HID devices.</P> <P>&nbsp;</P> <P>Different PC manufacturers sometimes have different ways to nest USB devices in the PnP tree, but in general this is how it is done.</P> <P><SPAN>&nbsp;</SPAN></P> <P>When you plug in the USB device now, you’ll see that it is allowed and available.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_19-1631140827811.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309112i499917110BF08EF9/image-size/medium?v=v2&amp;px=400" role="button" title="Tewang_Chen_19-1631140827811.png" alt="Tewang_Chen_19-1631140827811.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2><SPAN>View Device Control Device Installation data in Microsoft Defender for Endpoint</SPAN></H2> <P>The <A href="#" target="_blank" rel="noopener">Microsoft 365 Defender</A> portal shows removable storage blocked by Device Control Device Installation. To access advanced hunting in the Microsoft 365 Defender portal, you must have a license that includes Microsoft Defender for Endpoint for reporting to be enabled. 
Go to Advanced hunting, and then use the following example query:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_20-1631140840387.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/309113i5BBAFDD02D2A7FF3/image-size/medium?v=v2&amp;px=400" role="button" title="Tewang_Chen_20-1631140840387.png" alt="Tewang_Chen_20-1631140840387.png" /></span></P> <P>&nbsp;</P> <P>For more information, see our documentation: <A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint Device Control Device Installation | Microsoft Docs</A>.</P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense&nbsp;in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, </EM><A href="#" target="_blank" rel="noopener"><EM>sign up for a free trial</EM></A><EM> of Microsoft Defender for Endpoint today.</EM>&nbsp;</P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint team</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 29 Sep 2021 18:25:12 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/device-control-device-installation-update/ba-p/2734428 Tewang_Chen 2021-09-29T18:25:12Z Announcing performance analyzer for Microsoft Defender Antivirus https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-performance-analyzer-for-microsoft-defender-antivirus/ba-p/2713911 <P>Microsoft Defender Antivirus provides always-on, real-time protection, and on-demand antivirus scans on files to protect environments from malicious entities. 
However, there are times when scans can take a while to complete due to various factors such as environment configuration, long-running processes, or unknown files.</P> <P>&nbsp;</P> <P>IT admins, developers, and other users need visibility into the impact of these scans so they can troubleshoot, assess, and address any performance issues.</P> <P>&nbsp;</P> <P><STRONG>We are excited to announce performance analyzer for Microsoft Defender Antivirus (available with the Defender platform update 4.18.2108.7+). This new PowerShell command-line tool assists in the collection of performance recordings on an individual endpoint and reports information for the top scans, processes, files, and file extensions most affected by Microsoft Defender Antivirus.</STRONG></P> <P>&nbsp;</P> <P><A href="#" target="_self">Performance analyzer</A> is simple to use, requires no installation, and focuses specifically on Microsoft Defender Antivirus system scan data. This feature provides data in a programmatic, consumable way for admins and other users to easily analyze the results.</P> <P>&nbsp;</P> <H2><STRONG>How it works</STRONG></H2> <P>&nbsp;</P> <P>To analyze performance, from Windows PowerShell, start a recording with the cmdlet:</P> <P>&nbsp;</P> <LI-CODE lang="powershell">New-MpPerformanceRecording -RecordTo &lt;recording.etl&gt;</LI-CODE> <P>&nbsp;</P> <P>As shown in the image below, performance analyzer collects a recording of Microsoft Defender Antivirus events to be analyzed.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="marysia_k_9-1630620531445.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/307777i92722FCE1262B48B/image-size/large?v=v2&amp;px=999" role="button" title="marysia_k_9-1630620531445.png" alt="marysia_k_9-1630620531445.png" /></span></P> <P>&nbsp;</P> <P>During 
this time, carry out the tasks that you think may have been causing the performance impact so that performance analyzer can record them. When you have finished, press <STRONG>&lt;Enter&gt;</STRONG> to stop and save the recording, as shown in the image below.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="marysia_k_10-1630620531457.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/307779i51CA542C95A141D1/image-size/large?v=v2&amp;px=999" role="button" title="marysia_k_10-1630620531457.png" alt="marysia_k_10-1630620531457.png" /></span></P> <P>&nbsp;</P> <P>Once the recording is complete, the cmdlet</P> <P>&nbsp;</P> <LI-CODE lang="powershell">Get-MpPerformanceReport</LI-CODE> <P>&nbsp;</P> <P>enables you to view full tabular performance reports that show the top files, scans, file extensions, and processes causing the highest impact.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="marysia_k_11-1630620531462.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/307778i0C0F8A826ABB6A79/image-size/large?v=v2&amp;px=999" role="button" title="marysia_k_11-1630620531462.png" alt="marysia_k_11-1630620531462.png" /></span></P> <P><FONT size="2"><EM><STRONG>Image caption:</STRONG> Parameters for the cmdlet Get-MpPerformanceReport</EM></FONT></P> <P>&nbsp;</P> <P>Based on the specified parameters, the report includes data sorted by count, duration, and path.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="marysia_k_12-1630620531475.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/307781i21DD58CF9D008E1E/image-size/large?v=v2&amp;px=999" role="button" title="marysia_k_12-1630620531475.png" alt="marysia_k_12-1630620531475.png" 
/></span></P> <P><FONT size="2"><EM><STRONG>Image caption:</STRONG>&nbsp;Preview of the report for the top 10 files that impact scan time.</EM></FONT></P> <P>&nbsp;</P> <P>You can use nested grouping to get a more detailed report.</P> <P>For example, the following displays a report of the top 3 processes that impact scan time and the top 5 scans associated with each:</P> <LI-CODE lang="powershell">Get-MpPerformanceReport -Path &lt;recording.etl&gt; -TopProcesses:3 -TopScansPerProcess:5</LI-CODE> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="marysia_k_13-1630620531487.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/307782i3D6B9EC10ABFCB81/image-size/large?v=v2&amp;px=999" role="button" title="marysia_k_13-1630620531487.png" alt="marysia_k_13-1630620531487.png" /></span></P> <P><FONT size="2"><EM><STRONG>Image caption:</STRONG>&nbsp;Preview of the report for the top 3 processes that impact scan time and the top 5 scans associated with each</EM></FONT></P> <P>&nbsp;</P> <P>You can also combine several groupings in one query:</P> <LI-CODE lang="powershell">Get-MpPerformanceReport -Path &lt;recording.etl&gt; -TopExtensions:10 -TopProcesses:3 -TopScansPerProcess:5</LI-CODE> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="marysia_k_14-1630620531496.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/307783i642B3E792FA50F24/image-size/large?v=v2&amp;px=999" role="button" title="marysia_k_14-1630620531496.png" alt="marysia_k_14-1630620531496.png" /></span><FONT size="2"><EM><STRONG>Image caption:</STRONG>&nbsp;Preview of the report for the top 10 extensions, top 3 processes, and top scans per process that impact scan time</EM></FONT></P> <H2><STRONG>Other functionalities</STRONG></H2> <P>&nbsp;</P> <H6><FONT size="4">Using the -MinDuration parameter:</FONT></H6> <P>You can also report only on top scans that have a certain minimum duration. 
In the image below, the report displays a sample preview of the top 100 scans that took a minimum of 100 ms.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="marysia_k_15-1630620531499.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/307784i27F8848CAA42C512/image-size/large?v=v2&amp;px=999" role="button" title="marysia_k_15-1630620531499.png" alt="marysia_k_15-1630620531499.png" /></span></P> <P>&nbsp;</P> <H6><FONT size="4">Exporting &amp; Converting to CSV and JSON:</FONT></H6> <P>You can also export the results of the analyzer to a CSV file, or convert them to CSV or JSON in the pipeline. The following are sample examples.</P> <P>&nbsp;</P> <P><STRONG>To export to CSV:</STRONG></P> <P>&nbsp;</P> <LI-CODE lang="powershell">(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000 -MinDuration:30ms).TopScans | Export-Csv -Path:.\Repro-Install-Scans.csv -Encoding:UTF8 -NoTypeInformation</LI-CODE> <P>&nbsp;</P> <P><STRONG>To convert to CSV:</STRONG></P> <P>&nbsp;</P> <LI-CODE lang="powershell">(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000).TopScans | ConvertTo-Csv -NoTypeInformation</LI-CODE> <P>&nbsp;</P> <P><STRONG>To convert to JSON:</STRONG></P> <P>&nbsp;</P> <LI-CODE lang="powershell">(Get-MpPerformanceReport -Path:.\Repro-Install.etl -TopScans:1000).TopScans | ConvertTo-Json -Depth:1</LI-CODE> <P>&nbsp;</P> <P><EM>For more information, see <A href="#" target="_self"><STRONG>Performance analyzer for Microsoft Defender Antivirus</STRONG></A>.</EM></P> <P>&nbsp;</P> <P><FONT size="4"><STRONG>Requirements and availability:</STRONG></FONT></P> <P>&nbsp;</P> <P><STRONG>Availability: </STRONG>Early September, with the release of the Defender August Platform version</P> <P><STRONG>Defender Platform version: </STRONG>4.18.2108.7+</P> <P><STRONG>Supported OS versions: </STRONG>Windows 10+ and Windows Server 2016+</P> <P><STRONG>PowerShell version: </STRONG>PowerShell version 5.1</P> <P>&nbsp;</P> <P>We’re excited to offer you this new tool to assess performance related to Microsoft Defender Antivirus. We welcome your questions and feedback in the comments!</P> <P>&nbsp;</P> Mon, 13 Sep 2021 19:07:34 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-performance-analyzer-for-microsoft-defender-antivirus/ba-p/2713911 marysia_k 2021-09-13T19:07:34Z Introducing Microsoft Defender for Endpoint Plan 1 https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/introducing-microsoft-defender-for-endpoint-plan-1/ba-p/2636641 <P>Today, we are excited to announce the preview of a core set of our industry-leading prevention and protection capabilities for client endpoints running Windows, macOS, Android, and iOS. This new solution will make it easier for more security teams across the globe to buy and adopt the best-of-breed fundamentals of Microsoft Defender for Endpoint.</P> <P>&nbsp;</P> <P>The threat landscape is more complex than ever. 
Organizations with already limited resources are trying to keep up, while also ensuring that they have a Zero Trust security strategy that evolves with ever-changing threats and their own organizational needs.</P> <P>&nbsp;</P> <P>The endpoint remains one of the most targeted attack surfaces as new and sophisticated malware and ransomware continue to be prevalent threats. As we move into the second half of 2021, ransomware in particular continues to persist and evolve, financial damage continues to increase, and the impact is felt across numerous industries - not just in the private sector but also across public infrastructure.</P> <P><BR />Over the last year, Microsoft security researchers have tracked nearly a <STRONG>121% increase in organizations that have encountered ransomware</STRONG> (July 2020 - July 2021), as shown in the chart below.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Ransomwaretrend.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306093i742C171385FD4928/image-size/large?v=v2&amp;px=999" role="button" title="Ransomwaretrend.jpg" alt="Volume of organizations affected by ransomware." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Volume of organizations affected by ransomware.</span></span></P> <P>&nbsp;</P> <P>The level of sophistication of these kinds of attacks and the speed at which they evolve require a different approach to security, one that is based on cloud-native technology, built on deep threat and human intelligence, and that can easily scale. It requires robust prevention that uses AI and machine learning to rapidly stop threats, and a solution that enables a Zero Trust approach.</P> <P>&nbsp;</P> <P><STRONG>Delivering security for all</STRONG></P> <P>Microsoft is committed to delivering best-of-breed, multi-platform, and multi-cloud security for all organizations across the globe. 
Our aim is to offer simplified, comprehensive protection that prevents breaches and enables our customers to innovate and grow. As part of that commitment, we’re excited to offer a foundational set of our <A href="#" target="_blank" rel="noopener">market leading endpoint security</A>&nbsp;capabilities for Windows, macOS, Android, and iOS at a lower price in a new solution to be named Microsoft Defender for Endpoint Plan 1 (P1).</P> <P>&nbsp;</P> <P>With Microsoft Defender for Endpoint P1, customers will get the following core capabilities:</P> <UL> <LI><STRONG>Industry leading antimalware</STRONG> that is cloud-based with built-in AI that helps to stop ransomware, known and unknown malware, and other threats in their tracks.</LI> <LI><STRONG>Attack surface reduction capabilities</STRONG> that harden the device, prevent zero days, and offer granular control over access and behaviors on the endpoint.</LI> <LI><STRONG>Device based conditional access</STRONG> that offers an additional layer of data protection and breach prevention and enables a Zero Trust approach.</LI> </UL> <P>&nbsp;</P> <P>All of these capabilities stand on the same strong foundation that all Microsoft Defender for Endpoint customers benefit from today:</P> <UL> <LI>Cloud powered solution with nearly infinite scale to meet your needs – no additional IT costs, no compatibility issues, no waiting for updates.</LI> <LI>Unparalleled breadth and depth of built-in threat and human intelligence powered by machine learning models and AI.</LI> <LI>A unified solution offering unmatched threat visibility, incident correlation and insight, and a world class SecOps experience as part of Microsoft 365 Defender – our XDR solution.</LI> </UL> <P>Microsoft Defender for Endpoint P1 delivers on our endpoint security promise to help organizations rapidly stop attacks, scale their security resources, and evolve their defenses and is available in preview today. 
Our existing endpoint security solution will continue to be offered without changes and will be named Microsoft Defender for Endpoint Plan 2 (P2).</P> <P>&nbsp;</P> <P><STRONG>Comparing solutions</STRONG><BR />The new Plan 1 is a subset of the capabilities that are in Microsoft Defender for Endpoint today, as highlighted in green in our capability graphic below. It offers organizations the foundational security they need against malware and other threats such as ransomware, and helps organizations get started on their Zero Trust journey with capabilities that control access and behaviors on the endpoint as well as enable conditional access.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MDE P1 diagram.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306100iE5AD7E66D9F96A75/image-size/large?v=v2&amp;px=999" role="button" title="MDE P1 diagram.jpg" alt="Microsoft Defender for Endpoint P1 offers attack surface reduction, next generation protection, APIs and integration, and a unified security experience for client endpoints including Windows, macOS, Android, and iOS." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Microsoft Defender for Endpoint P1 offers attack surface reduction, next generation protection, APIs and integration, and a unified security experience for client endpoints including Windows, macOS, Android, and iOS.</span></span></P> <P>&nbsp;</P> <P>Customers that seek Plan 1 are those looking for EPP (endpoint protection) capabilities only. Plan 1 offers best-of-breed fundamentals in prevention and protection for client endpoints running Windows, macOS, Android, and iOS. 
It includes next generation protection, device control, endpoint firewall, network protection, web content filtering, attack surface reduction rules, controlled folder access, device-based conditional access, APIs and connectors, and the ability to bring your own custom threat intelligence (TI). Finally, it includes access to the Microsoft 365 Defender security experience to view alerts and incidents, security dashboards, and device inventory, and to perform investigations and manual response actions on next generation protection events.</P> <P>&nbsp;</P> <P>For the most complete endpoint security solution, Plan 2 is by far the best fit for enterprises that need advanced threat prevention and detection, deep investigation and hunting capabilities, and advanced SecOps investigation and remediation tools. Plan 2 capabilities further prevent security breaches, reduce time to remediation, and minimize the scope of attacks with vulnerability management, endpoint detection and response (EDR), automated remediation, advanced hunting, sandboxing, managed hunting services, and in-depth threat intelligence and analysis about the latest malware campaigns and nation-state threats.</P> <P>&nbsp;</P> <P>The table below compares the capabilities offered in Plan 1 and Plan 2.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="P1andP2_blogupdated.png" style="width: 525px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/310412i15C0A6A57ACA0B45/image-dimensions/525x429?v=v2" width="525" height="429" role="button" title="P1andP2_blogupdated.png" alt="Comparison between Microsoft Defender for Endpoint P1 and P2 capabilities. Microsoft Threat Experts includes Targeted Attack Notifications (TAN) and Experts on Demand (EOD). Customers must apply for TAN and EOD is available for purchase as an add-on." 
/><span class="lia-inline-image-caption" onclick="event.preventDefault();">Comparison between Microsoft Defender for Endpoint P1 and P2 capabilities. Microsoft Threat Experts includes Targeted Attack Notifications (TAN) and Experts on Demand (EOD). Customers must apply for TAN and EOD is available for purchase as an add-on.</span></span></P> <P>&nbsp;</P> <P><STRONG>Taking it for a spin</STRONG></P> <P>Let’s go through an example of how a security analyst can use the capabilities of Microsoft Defender for Endpoint P1 to discover and investigate a security event.</P> <P>&nbsp;</P> <P>Security teams can access P1 capabilities through Microsoft 365 Defender at <A href="#" target="_blank" rel="noopener">security.microsoft.com</A>. Once logged in, you will land on the home page that offers a quick snapshot including a summary of active incidents, a view of your device health, and which devices may be at risk. Additional important links are located in the left-hand menu enabling teams to look at incidents and alerts, perform searches, see their device inventory, and access configuration management.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture1.jpg" style="width: 636px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306357iE38320DEE5AA2040/image-dimensions/636x329?v=v2" width="636" height="329" role="button" title="Picture1.jpg" alt="Screenshot of Microsoft 365 Defender portal with Microsoft Defender for Endpoint P1 capabilities." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Screenshot of Microsoft 365 Defender portal with Microsoft Defender for Endpoint P1 capabilities.</span></span></P> <P>&nbsp;</P> <P>The incidents queue offers high level information about each incident including its severity, threat categories, impacted entities such as users and devices, and more. 
Let’s take a closer look at the incident named “Multiple threat families detected on one endpoint”.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture2.jpg" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306358i8E1C11333F088AA2/image-size/large?v=v2&amp;px=999" role="button" title="Picture2.jpg" alt="Incidents queue with &quot;Multiple threat families detected on one endpoint&quot; incident highlighted." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Incidents queue with "Multiple threat families detected on one endpoint" incident highlighted.</span></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture3.jpg" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306361i11A7DA9F561EAF45/image-size/large?v=v2&amp;px=999" role="button" title="Picture3.jpg" alt="Incident summary of the incident named &quot;Multiple threat families detected on one endpoint&quot;" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Incident summary of the incident named "Multiple threat families detected on one endpoint"</span></span></P> <P>&nbsp;</P> <P>An incident is created by correlating related alerts and behaviors, giving security teams a holistic view of the potential threat so that they can quickly assess it and take action. On the incident page, the security team can investigate further using the additional details included, such as all the alerts associated with the incident, which users and devices were affected, the MITRE ATT&amp;CK tactics used, and all the evidence that was collected.</P> <P>&nbsp;</P> <P>On the alerts tab, let’s dive into the alert named “'Powemet' malware was blocked”. This alert was generated by our antimalware capabilities, which offer behavior-based, heuristic, and real-time antivirus protection. 
Microsoft Defender for Endpoint offers one of the best antimalware capabilities in the industry, with built-in machine learning and behavioral monitoring, and it <A href="#" target="_blank" rel="noopener">consistently achieves top scores in independent AV tests</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture4.jpg" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306362iB99BB3C155834F2C/image-size/large?v=v2&amp;px=999" role="button" title="Picture4.jpg" alt="Alerts list that is part of the incident. The alert named &quot;Powemet malware was blocked&quot; is highlighted." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Alerts list that is part of the incident. The alert named "Powemet malware was blocked" is highlighted.</span></span></P> <P>&nbsp;</P> <P>On the Alert page, the security team can see rich and insightful information about the specific alert and the execution process. In this example we can see that Cmd.exe launched the attack that was detected as “Powemet”.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture5.jpg" style="width: 618px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306363i56CADE042ED5C009/image-dimensions/618x348?v=v2" width="618" height="348" role="button" title="Picture5.jpg" alt="Alert details with process tree." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Alert details with process tree.</span></span></P> <P>&nbsp;</P> <P>By analyzing the process execution tree and the flow of the attack, the security team can assess the threat and then take remediation actions directly from the Alert page. This can easily be done by clicking the ellipsis next to the device at the top of the alert page. 
There, the security team has a range of actions available to them such as:</P> <UL> <LI>Opening the device page for more detail</LI> <LI>Managing the device tags</LI> <LI>Performing an AV scan</LI> <LI>Collecting an investigation package</LI> <LI>Restricting app execution</LI> <LI>Isolating a device</LI> </UL> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture6.jpg" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306365i84899D6BF3CE37BE/image-size/large?v=v2&amp;px=999" role="button" title="Picture6.jpg" alt="Drop down menu showing available action options for device." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Drop down menu showing available action options for device.</span></span></P> <P>&nbsp;</P> <P>Depending on what is needed, the security analyst can take the appropriate action right in the console to continue their investigation and remediation steps.</P> <P><BR /><STRONG>Licensing</STRONG><BR />During this public preview, organizations can try out Microsoft Defender for Endpoint P1 for free. General availability is estimated to be later this year. Once generally available, Plan 1 will be offered in two ways:</P> <OL> <LI>As a standalone SKU licensed per user. Eligible licensed users will be able to use Microsoft Defender for Endpoint Plan 1 on up to five concurrent devices.</LI> <LI>Included as part of Microsoft 365 E3/A3 with the same per user model and device entitlements as stated above.</LI> </OL> <P>For those customers that already have Microsoft 365 E3/A3, you will automatically get Microsoft Defender for Endpoint P1 capabilities when they become generally available. 
There will be a few steps you will have to take to enable this – we will share that information in detail closer to general availability.</P> <P>&nbsp;</P> <P>Those organizations that own <A href="#" target="_blank" rel="noopener">licenses that include Microsoft Defender for Endpoint P2</A> will not be eligible for P1. These licenses are already entitled to the full comprehensive solution that is P2.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MDE P1 skus.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306366iFB81D69EF3C93F66/image-size/large?v=v2&amp;px=999" role="button" title="MDE P1 skus.png" alt="Microsoft Defender for Endpoint P1 capabilities are offered as a standalone license or as part of Microsoft 365 E3." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Microsoft Defender for Endpoint P1 capabilities are offered as a standalone license or as part of Microsoft 365 E3.</span></span></P> <P>&nbsp;</P> <P><STRONG>How to get started</STRONG></P> <P>For detailed information on Microsoft Defender for Endpoint P1 capabilities and deployment guidelines please visit our <A href="#" target="_blank" rel="noopener">documentation page</A>.&nbsp;</P> <P>&nbsp;</P> <P>Microsoft Defender for Endpoint P1 supports client endpoints running Windows 7*, 8.1, 10, 11, macOS, Android, and iOS. To get started, organizations can sign up for the <A href="#" target="_blank" rel="noopener">preview</A>. After signing up, customers will be able to try P1 for free for 90 days. 
After the 90 days are up, we recommend that organizations work with their Microsoft account team or their cloud service provider (CSP) to purchase P1 licenses.</P> <P>&nbsp;</P> <P>For detailed hardware and software requirements, please visit our <A href="#" target="_blank" rel="noopener">documentation</A>.</P> <P>&nbsp;</P> <P>We’re excited to offer more options for organizations across the globe to adopt our industry-leading endpoint security capabilities. Customer feedback is critical to us and our development process. We are grateful to the many customers who have given us their input and look forward to hearing more from you. Please don’t hesitate to reach out with your thoughts, either in the comments or by clicking the “Give feedback” button in Microsoft 365 Defender.</P> <P>&nbsp;</P> <P><FONT size="2">* Windows 7 requires Extended Security Updates (ESU) for support. For more information on Windows 7 ESU, please check out the <A href="#" target="_blank" rel="noopener">FAQ</A>.</FONT></P> <P>&nbsp;</P> Tue, 14 Sep 2021 20:05:57 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/introducing-microsoft-defender-for-endpoint-plan-1/ba-p/2636641 Barak Klinghofer 2021-09-14T20:05:57Z Make sure Tamper Protection is turned on https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/make-sure-tamper-protection-is-turned-on/ba-p/2695568 <P><SPAN>Tamper protection in Microsoft Defender for Endpoint (MDE) helps protect organizations like yours from unwanted changes to your security settings by unauthorized users. Tamper protection prevents malicious actors from turning off threat protection features, such as antivirus protection, and includes detection of, and response to, tampering attempts. </SPAN>Tamper protection is available to customers ranging from consumers to enterprise organizations. 
<SPAN>If you haven’t already done so, turn on tamper protection now to help prevent attackers from disabling your antivirus and antimalware protection.</SPAN></P> <P>&nbsp;</P> <H1><SPAN>Why tamper protection is so important</SPAN></H1> <P><SPAN>Turning off anti-tampering measures, such as tamper protection, is often the first step in a ransomware, supply chain, or other Advanced Persistent Threat (APT) attack. (See our example later in this article.) By hardening against tampering, you can help prevent breaches from the outset. </SPAN>Tamper protection essentially locks Microsoft Defender Antivirus to its secure default values and prevents your security settings from being changed through apps and other methods, such as registry key modifications, PowerShell cmdlets, Group Policy, and so on. Having tamper protection on is one of the most critical tools in your fight against ransomware.</P> <P>&nbsp;</P> <P><STRONG>Note</STRONG>: Because tamper protection is so critical in helping to protect against ransomware, we have for some time now enabled it by default for all new Microsoft Defender for Endpoint tenants.</P> <P>&nbsp;</P> <H1><SPAN>What to expect when tamper protection is enabled</SPAN></H1> <P>In a digital estate where tamper protection is enabled, malicious apps, users, or admins are prevented from taking unauthorized or unintentional actions such as:</P> <UL> <LI>Disabling virus and threat protection</LI> <LI>Disabling real-time protection</LI> <LI>Turning off behavior monitoring</LI> <LI>Disabling antivirus (such as IOfficeAntivirus (IOAV))</LI> <LI>Disabling cloud-delivered protection</LI> <LI>Removing security intelligence updates</LI> <LI>Changing threat severity actions (config name: ThreatSeverityDefaultAction)</LI> <LI>Disabling script scanning (config name: DisableScriptScanning)</LI> </UL> <P>&nbsp;</P> <P><STRONG>Note</STRONG>: Tamper protection <STRONG>does not break </STRONG>your Group Policy Objects or 
Mobile Device Management (MDM) configurations and scripts that are deployed through your security management solutions. Also, any unauthorized tampering (intentional or unintentional) with the registry key will be ignored by Defender for Endpoint.</P> <P>&nbsp;</P> <H1>Methods to manage tamper protection</H1> <P>Depending on your subscription and endpoint operating systems, you can choose from several methods to manage tamper protection. The following table lists the default state for different environments and the ways to configure tamper protection in your organization.</P> <P>&nbsp;</P> <TABLE width="621"> <TBODY> <TR> <TD width="207"> <P><STRONG>Environment</STRONG></P> </TD> <TD width="188"> <P><STRONG>Tamper protection state</STRONG></P> </TD> <TD width="226"> <P><STRONG>Methods to manage tamper protection</STRONG></P> </TD> </TR> <TR> <TD width="207"> <P>Microsoft 365 E5 / <A href="#" target="_blank" rel="noopener">Education A5</A> - New tenants</P> </TD> <TD width="188"> <P>On by default</P> </TD> <TD rowspan="2" width="226"> <UL> <LI>Microsoft Endpoint Manager: <A href="#" target="_blank" rel="noopener">Intune</A> for Windows 10 devices onboarded to Microsoft Defender for Endpoint (Defender for Endpoint)</LI> <LI>Microsoft Endpoint Manager: <A href="#" target="_blank" rel="noopener">Configuration Manager tenant attach</A> for Windows Server 2016 &amp; 2019 and Windows 10</LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft 365 Defender portal</A> (security.microsoft.com): under advanced feature settings for endpoints (global setting)</LI> </UL> </TD> </TR> <TR> <TD width="207"> <P>Microsoft 365 E5 / Education A5 - Existing tenants</P> </TD> <TD width="188"> <P>Off by default, but 
customers can opt in</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <H1>An example of tamper protection in action</H1> <P>As mentioned in the recent blog post <A href="#" target="_blank" rel="noopener">Hunting down LemonDuck and LemonCat attacks</A>, tamper protection helps prevent robust malware like LemonDuck from automatically disabling Microsoft Defender for Endpoint real-time monitoring and protection. The following diagram outlines the LemonDuck attack chain. Notice that in the Evasion phase, antimalware protection is disabled.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Oludele0315_0-1630182176029.png" style="width: 909px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/306442iFCB44ABC52342754/image-dimensions/909x501?v=v2" width="909" height="501" role="button" title="Oludele0315_0-1630182176029.png" alt="Diagram of the LemonDuck attack chain." /></span></P> <P>&nbsp;</P> <P>Unchecked, malware like LemonDuck can take actions that could, in effect, disable protection capabilities in Microsoft Defender for Endpoint. Disabling your threat protection frees the attacker to perform other actions, such as exfiltrating credentials and spreading to other devices. Tamper protection is designed to help safeguard people and organizations from such actions.</P> <P>&nbsp;</P> <H1>Next steps</H1> <P>Make sure tamper protection is turned on.</P> <UL> <LI>If you’re part of your organization’s security team, turn on tamper protection for your organization. See <A href="#" target="_blank" rel="noopener">Protect security settings with tamper protection</A>.</LI> <LI>If tamper protection is turned on for some, but not all, endpoints, consider turning it on tenant-wide. You can do this using the Microsoft 365 Defender portal. 
See <A href="#" target="_blank" rel="noopener">Manage tamper protection for your organization</A>.</LI> </UL> <P>&nbsp;</P> <P>Let us know what you think! Post a comment and give us your feedback!</P> <P>&nbsp;</P> Mon, 30 Aug 2021 16:06:41 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/make-sure-tamper-protection-is-turned-on/ba-p/2695568 OludeleOgunrinde 2021-08-30T16:06:41Z Announcing Apple M1 native support https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-apple-m1-native-support/ba-p/2685585 <P>We are thrilled to announce that Microsoft Defender for Endpoint on Mac now natively supports Apple’s M1 chip-based devices!</P> <P>&nbsp;</P> <P><STRONG>How will the native M1 support be delivered?</STRONG></P> <P>&nbsp;</P> <P>Microsoft Defender for Endpoint version 101.40.84 (or later) will natively support Apple ARM silicon. The newest version of Microsoft Defender for Endpoint on Mac will be delivered to all Mac devices via the existing Microsoft AutoUpdate (MAU) channel.</P> <P>&nbsp;</P> <P><STRONG>Will the native M1 support bring any visible changes?</STRONG></P> <P>&nbsp;</P> <P>The update will deliver our latest unified package, which is designed to work seamlessly on both M1-based and Intel-based Mac devices.</P> <P>&nbsp;</P> <P>With native M1 support, Microsoft Defender for Endpoint on Mac no longer requires the Rosetta 2 emulator to function on M1-based Big Sur devices. Microsoft Defender for Endpoint does not explicitly take any action on Rosetta 2. If Rosetta 2 is no longer needed on a device, it is the responsibility of the user or the organization to remove it.</P> <P>&nbsp;</P> <P>After successfully deploying and activating the latest update, the on-device experience will remain unchanged. 
The Microsoft Defender for Endpoint on Mac agent will function on M1-based devices in the same way it functions on Intel-based Mac devices.</P> <P>&nbsp;</P> <P><STRONG>What are the prerequisites for receiving native M1 support?</STRONG></P> <P>&nbsp;</P> <UL> <LI>Native M1 support applies to macOS version 11 (Big Sur) and upcoming major macOS versions.</LI> <LI>The required Microsoft Defender for Endpoint on Mac version is 101.40.84 (or later).</LI> <LI>Native M1 support will initially be offered to devices registered for the “Beta” (formerly “InsiderFast”) and “Preview” (formerly “External”) Microsoft AutoUpdate channels. For more information, see <A href="#" target="_blank" rel="noopener">Set preferences for Microsoft AutoUpdate</A>.</LI> <LI>Over the course of the next several weeks, this version will also reach Mac devices registered for the “Current” (formerly “Production”) channel.</LI> </UL> <P class="lia-indent-padding-left-30px">Sep 08, 2021 update: <STRONG>the Microsoft Defender for Endpoint on Mac version with native M1 support is now available to all Mac devices</STRONG> registered for the “Current” (formerly “Production”) channel.</P> <P class="lia-indent-padding-left-30px">Follow the <A href="#" target="_blank" rel="noopener">What's new in Microsoft Defender for Endpoint on Mac</A> page to stay informed about the latest updates.</P> <P>&nbsp;</P> <P>Apple M1 support has been highly requested, and we’re excited to provide it! We welcome any questions and feedback.</P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense in a single unified platform. With our solution, threats are no match. 
If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, </EM><A href="#" target="_blank" rel="noopener"><EM>sign up for a free trial</EM></A><EM> of Microsoft Defender for Endpoint today.</EM></P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint team</EM></P> Sun, 12 Sep 2021 23:16:03 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-apple-m1-native-support/ba-p/2685585 Helen_Allas 2021-09-12T23:16:03Z Public Preview: Custom file IoC enhancements and API schema update https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/public-preview-custom-file-ioc-enhancements-and-api-schema/ba-p/2676997 <P>Alerts are now optional for the file custom IoC “block and remediate” action. Additionally, the IoC API schema and the portal description were updated to more accurately describe whether the response action taken was a block or a “block and remediate”.</P> <P>&nbsp;</P> <P>Until now, every “block and remediate” file IoC event raised a security alert to the SOC (security operations center) team, and some organizations were flooded with unwanted security alerts. Today we’re announcing a public preview that allows customers to decide whether such events require security team awareness and, if they do, to set the specific parameters that must be met for an alert to be raised. 
In addition, we are updating the IoC API schema and the description shown in the portal to describe more accurately whether the response action taken was a block or a “block and remediate”.</P> <P>&nbsp;</P> <P><STRONG>Updated list of available IoC actions</STRONG></P> <P>When creating a new indicator (IoC), one or more of the following actions are now available:</P> <UL> <LI>Allow – the IoC will be allowed to run on your devices.</LI> <LI>Audit – an alert will be triggered when the IoC runs.</LI> <LI>Block execution – the IoC will not be allowed to run.</LI> <LI>Block and remediate – the IoC will not be allowed to run, and a remediation action will be applied to it.</LI> </UL> <P>More specifically, the table below shows exactly which actions are available per indicator (IoC) type:</P> <TABLE> <TBODY> <TR> <TD width="198"> <P class="lia-align-left"><STRONG>IoC type</STRONG></P> </TD> <TD width="210" class="lia-align-left"> <P><STRONG>Available actions</STRONG></P> </TD> </TR> <TR> <TD width="198"> <P>File</P> </TD> <TD width="210"> <P>·&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Allow</P> <P>·&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Audit</P> <P>·&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Block and remediate</P> </TD> </TR> <TR> <TD width="198"> <P>IP address</P> </TD> <TD width="210"> <P>·&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Allow</P> <P>·&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Audit</P> <P>·&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Block execution</P> </TD> </TR> <TR> <TD width="198"> <P>URL / domain</P> </TD> <TD width="210"> <P>·&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Allow</P> <P>·&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Audit</P> <P>·&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Block execution</P> </TD> </TR> <TR> <TD width="198"> <P>Certificate</P> </TD> <TD width="210"> <P>·&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Allow</P> <P>·&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Block and remediate</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>For 
example, the original three IoC response actions were “allow,” “alert only,” and “alert and block.” As part of the update, the functionality of pre-existing IoCs will not change. However, the indicators were renamed to match the currently supported response actions:</P> <UL> <LI>The “alert only” response action was renamed to “audit” with the generate-alert setting enabled.</LI> <LI>The “alert and block” response action was renamed to “block and remediate” with the generate-alert setting optional.</LI> </UL> <P>The IoC API schema and the threat IDs in advanced hunting have been updated to align with the renaming of the IoC response actions. The API schema changes apply to all IoC types.</P> <P>&nbsp;</P> <P>Indicators can be imported through the Microsoft Defender for Endpoint APIs: <A href="#" target="_blank" rel="noopener">List Indicators API | Microsoft Docs</A>. The indicator action types supported by the API are AlertAndBlock, Allow, Audit, Alert, Warn, BlockExecution, and BlockRemediation.</P> <P>&nbsp;</P> <P>Note: The prior response actions (AlertAndBlock and Alert) will be removed once the feature reaches general availability (GA). The estimated GA date, including the grace period, is the end of October 2021. We advise updating any existing templates or scripts as soon as possible.</P> <P>&nbsp;</P> <TABLE> <TBODY> <TR> <TD width="312"> <P>Note: The format for importing new indicators (IoCs) has changed according to the updated actions and alert settings. 
We recommend downloading the new CSV template, which is found at the bottom of the import panel.</P> <P>&nbsp;</P> </TD> <TD width="312"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Jody_Cedola_0-1629754283998.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305233i874C8E0BC7032A95/image-size/medium?v=v2&amp;px=400" role="button" title="Jody_Cedola_0-1629754283998.png" alt="Jody_Cedola_0-1629754283998.png" /></span> <P>&nbsp;</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P><STRONG>Alerting on file blocking actions</STRONG></P> <P>&nbsp;</P> <P>In Microsoft 365 Defender, go to <STRONG>Settings &gt; Endpoints &gt; Indicators &gt; Add new File hash</STRONG>.</P> <P>Choose to <STRONG>Block and remediate</STRONG> the file.</P> <P>Choose whether to <STRONG>Generate an alert</STRONG> on the file block event and, if so, define the alert settings:</P> <UL> <LI>The alert title</LI> <LI>The alert severity</LI> <LI>Category</LI> <LI>Description</LI> <LI>Recommended actions</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Jody_Cedola_1-1629754347627.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/305234iEC063CC372B5D4D5/image-size/medium?v=v2&amp;px=400" role="button" title="Jody_Cedola_1-1629754347627.png" alt="Jody_Cedola_1-1629754347627.png" /></span></P> <P class="lia-align-left">Alert settings for file indicators</P> <P>&nbsp;</P> <P>For more information about custom indicator handling in Microsoft Defender for Endpoint, see <A href="#" target="_blank" rel="noopener">Create indicators</A>.</P> <P>&nbsp;</P> <P><STRONG>Summary</STRONG></P> <P>We’re excited to hear your feedback as you explore the new IoC capabilities, and we will continue to update the documentation throughout the preview.</P> <P>&nbsp;</P> <P>If you’ve enabled public preview features, you can check out the new IoC 
functionality today! If not, we encourage you to <A href="#" target="_blank" rel="noopener">turn on preview features</A> for Microsoft Defender for Endpoint to get access to the newest capabilities. These features can be turned on in the Microsoft Defender Security Center or the Microsoft 365 security center.</P> <P>&nbsp;</P> <P><STRONG>Resources for using IoCs:</STRONG></P> <UL> <LI><A href="#" target="_blank" rel="noopener noreferrer"><SPAN>IoC support documentation</SPAN></A></LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-atp-unified-indicators-of-compromise-iocs/ba-p/656415" target="_blank" rel="noopener"><SPAN>Overview of unified IoC experience in Microsoft Defender for Endpoint</SPAN></A></LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/pushing-custom-indicator-of-compromise-iocs-to-microsoft/m-p/532203" target="_blank" rel="noopener"><SPAN>Pushing IoCs to Microsoft Defender for Endpoint</SPAN></A></LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-atp-and-malware-information-sharing-platform/m-p/576648" target="_blank" rel="noopener"><SPAN>How to integrate MISP with Microsoft Defender for 
Endpoint</SPAN></A><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint is an industry leading, cloud powered endpoint security solution offering endpoint protection, endpoint detection and response, vulnerability management, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities,&nbsp;</EM><A href="#" target="_blank" rel="noopener"><EM>sign up for a free Microsoft Defender for Endpoint trial</EM></A><EM>&nbsp;today.&nbsp;&nbsp;</EM>&nbsp;</P> Tue, 24 Aug 2021 17:13:08 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/public-preview-custom-file-ioc-enhancements-and-api-schema/ba-p/2676997 Jody_Cedola 2021-08-24T17:13:08Z Best practices for optimizing custom indicators https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/best-practices-for-optimizing-custom-indicators/ba-p/2670357 <P><SPAN data-contrast="auto">Custom indicators&nbsp;of compromise (IoC)&nbsp;are an essential feature&nbsp;for&nbsp;every endpoint solution.&nbsp;Custom&nbsp;IoCs&nbsp;provide SecOps with&nbsp;greater&nbsp;capacity to&nbsp;fine-tune&nbsp;detections based on&nbsp;their&nbsp;organization’s&nbsp;particular and contextualized threat intelligence.&nbsp;Microsoft&nbsp;Defender&nbsp;for Endpoint&nbsp;supports a&nbsp;robust and&nbsp;comprehensive</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">&nbsp;custom&nbsp;IoC</SPAN></A><SPAN data-contrast="auto">&nbsp;platform.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">In this blog, we&nbsp;will&nbsp;discuss&nbsp;recommendations for&nbsp;using 
custom IoCs to maximize their capabilities. In addition, we will provide recommendations for customers who ingest large threat intelligence (TI) feeds (beyond our limit of 15,000 indicators per tenant) or have more complex rules. Note, however, that the more indicators you add, the more management they need.</SPAN></P> <P>&nbsp;</P> <P><STRONG><SPAN data-contrast="auto">Use ‘allow IoC’ sparingly</SPAN></STRONG></P> <P><SPAN data-contrast="auto">Each allow indicator both widens your attack surface and counts against the indicator limit. We recommend that you limit the number of allow IoC policies that bypass Microsoft Defender Antivirus, SmartScreen, attack surface reduction (ASR), or web content filtering blocks.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Allow IoC is used for exclusion management. If there is an entity that is blocked by Microsoft Defender Antivirus or SmartScreen that you do not want blocked on your 
devices,&nbsp;you can add a policy to allow for the entity you want to unblock.</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">Additionally, you&nbsp;can keep&nbsp;your&nbsp;ASR or&nbsp;web&nbsp;content&nbsp;filtering&nbsp;rules but exclude certain&nbsp;entities&nbsp;that&nbsp;would have been blocked by those rules</SPAN><SPAN data-contrast="auto">.&nbsp;</SPAN><SPAN data-contrast="auto">According to the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>conflict handling&nbsp;guidance</SPAN></A><SPAN data-contrast="auto">,&nbsp;</SPAN><SPAN data-contrast="auto">the&nbsp;custom&nbsp;IoC&nbsp;will win over&nbsp;ASR and&nbsp;web&nbsp;content&nbsp;filtering rules and&nbsp;Microsoft&nbsp;Defender&nbsp;Antivirus&nbsp;and&nbsp;SmartScreen ratings</SPAN><SPAN data-contrast="auto">.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><STRONG><SPAN data-contrast="auto">Set an expiration date when importing&nbsp;new indicators</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Third&nbsp;party&nbsp;threat intelligence</SPAN><SPAN data-contrast="auto">&nbsp;(</SPAN><SPAN data-contrast="auto">TI</SPAN><SPAN data-contrast="auto">)&nbsp;</SPAN><SPAN data-contrast="auto">can give insight into recently&nbsp;released&nbsp;malware or malicious websites.</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">Ingesting&nbsp;these feeds can enrich your cybersecurity telemetry</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">and give&nbsp;your devices an extra level of security. 
Custom</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">IoCs</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">provide the ability to import&nbsp;these&nbsp;feeds and block or monitor these entities.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">We recommend&nbsp;setting an expiration date when&nbsp;ingesting recently added or relevant indicators to your organization to minimize the common overlap between&nbsp;third</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">party TI and&nbsp;Microsoft</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">TI that feeds solutions like Microsoft Defender for Endpoint. Setting an expiration date&nbsp;can&nbsp;also&nbsp;remove&nbsp;aged&nbsp;indicators that are more likely to have already been blocked by&nbsp;Defender</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">Antivirus</SPAN><SPAN data-contrast="auto">,&nbsp;</SPAN><SPAN data-contrast="auto">and&nbsp;can&nbsp;make room for newer&nbsp;intelligence.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">To&nbsp;import</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">third</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">party&nbsp;TI</SPAN><SPAN data-contrast="auto">,&nbsp;</SPAN><SPAN data-contrast="auto">either&nbsp;use the&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/pushing-custom-indicator-of-compromise-iocs-to-microsoft/m-p/532203" target="_blank" rel="noopener"><SPAN data-contrast="none">indicator&nbsp;API</SPAN></A><SPAN data-contrast="auto">&nbsp;or&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>upload a 
csv</SPAN></A><SPAN data-contrast="none"> file</SPAN><SPAN data-contrast="auto"> through the portal. Set the expiration date a few days out and, once it passes, import a fresh set of indicators from the previous few days.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Many of our customers use custom IoCs to ingest third-party TI feeds. For example, many of them </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-atp-and-malware-information-sharing-platform/m-p/576648" target="_blank" rel="noopener"><SPAN data-contrast="none">integrate</SPAN></A><SPAN data-contrast="none"> MISP with Microsoft Defender for Endpoint</SPAN><SPAN data-contrast="auto">. MISP is a free, open-source platform for sharing indicators that consolidates many TI feeds. They import the previous few days' worth of indicators, set the action to block, generate alerts, and set an expiration date of 3 days. Then, after the expiration date has passed, </SPAN><SPAN 
data-contrast="auto">they&nbsp;push&nbsp;a&nbsp;new&nbsp;set of indicators from the previous few days.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Other&nbsp;enterprise customers have opted to directly import indicators from third</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">party intelligence feed APIs such as&nbsp;PhishTank&nbsp;and&nbsp;Phishunt</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><STRONG><SPAN data-contrast="auto">Identify and&nbsp;remove&nbsp;duplicate&nbsp;indicators</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-contrast="auto">Duplicate indicators count towards the</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">15</SPAN><SPAN data-contrast="auto">,</SPAN><SPAN data-contrast="auto">000</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">indicator</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">limit&nbsp;per&nbsp;tenant</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">but&nbsp;result in the&nbsp;duplicate indicator’s</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">policy not being&nbsp;enforced.&nbsp;Let’s go over a few examples of duplicate indicators and ways to identify and remove them.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="13" aria-setsize="-1" data-aria-posinset="1" 
data-aria-level="1"><STRONG><SPAN data-contrast="auto">Indicators with&nbsp;the&nbsp;same device group</SPAN></STRONG><STRONG><SPAN data-contrast="auto">,&nbsp;</SPAN></STRONG><STRONG><SPAN data-contrast="auto">enforcement target, and action</SPAN></STRONG><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-contrast="auto">Defender</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">for Endpoint&nbsp;already detects this type of duplicate indicator and does not import&nbsp;it</SPAN><SPAN data-contrast="auto">.&nbsp;</SPAN><SPAN data-contrast="auto">If importing</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">through</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">the portal,&nbsp;Defender&nbsp;will&nbsp;automatically update&nbsp;the existing policy with&nbsp;the</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">new&nbsp;expiration date&nbsp;and&nbsp;alert severity/details&nbsp;if they differ from those of the previous policy.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="12" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Conflicting&nbsp;indicators</SPAN></STRONG><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-contrast="auto">Policies with&nbsp;the same device group and enforcement target but&nbsp;conflicting actions follow a policy&nbsp;conflict handling&nbsp;order. 
Refer to the IoC support documentation on</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">conflict handling&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">file/cert</SPAN></A><SPAN data-contrast="auto">&nbsp;and&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>domain/URL/IP.</SPAN></A><SPAN data-contrast="auto">&nbsp;Note that the conflict handling orders differ for file/cert vs. domain/URL/IP.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">To</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">detect existing conflicting&nbsp;IoCs</SPAN><SPAN data-contrast="auto">,&nbsp;</SPAN><SPAN data-contrast="auto">execute</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>this&nbsp;PowerShell&nbsp;script</SPAN></A><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">which&nbsp;detects&nbsp;and reports</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">them</SPAN><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="11" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><STRONG><SPAN data-contrast="auto">Indicators already blocked by&nbsp;Defender&nbsp;Antivirus&nbsp;or SmartScreen</SPAN></STRONG><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-contrast="auto">Many indicators are already blocked by Defender&nbsp;Antivirus or SmartScreen, and therefore don’t need an&nbsp;IoC&nbsp;block&nbsp;policy.&nbsp;You can use the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN 
data-contrast="none">VirusTotal API</SPAN></A><SPAN data-contrast="auto"> to verify whether Defender already blocks the entity and, if so, skip importing the indicator.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">For example, when looking at the ThreatFox feed from abuse.ch, 94% of the SHA-256 indicators are already blocked by Defender AV and therefore don’t need to be imported.</SPAN></P> <P><SPAN data-contrast="auto">Note: The VirusTotal Public API has a limit of 4 requests/minute, while the Premium API allows for an unlimited number of requests.</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="10" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><STRONG><SPAN data-contrast="auto">File indicators with hash collisions</SPAN></STRONG></LI> </UL> <P><SPAN data-contrast="auto">Defender for Endpoint allows for importing of SHA-256, SHA-1, and MD5 hashes. 
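</SPAN></P> <P>The feed-ingestion guidance above (short expiration dates, a rolling re-import every few days, a VirusTotal pre-check so indicators Defender Antivirus already blocks are not imported) and the hash-type point that follows, as an added example that is not part of the original post: the Python below takes feed rows carrying one or more hashes per sample, keeps only the longest hash, skips samples the Microsoft engine already detects on VirusTotal, and stamps the rest with a three-day expiration. The feed rows and VirusTotal reports in demo() are constructed, the VirusTotal v3 files endpoint and its response shape are taken from the public VT API reference, the live lookup is throttled to the 4-requests-per-minute public quota, and the action name is the one listed in the preceding post.</P>

```python
"""Prepare file indicators from a third-party feed for import into Defender for Endpoint.

Added example, not code from the post. Assumptions: the feed rows in demo() are
constructed; the VirusTotal v3 files endpoint and the response path
data.attributes.last_analysis_results[engine].category follow the public VT API
reference; the lookup is injected so the demo runs offline; the action name
"BlockRemediation" is the one the preceding post lists.
"""
import json
import time
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

# Hash types Defender for Endpoint accepts, longest first: a shorter hash of the
# same file would lose to the longer one anyway, so import only one per sample.
HASH_TYPES = (("sha256", 64, "FileSha256"), ("sha1", 40, "FileSha1"), ("md5", 32, "FileMd5"))


def pick_hash(sample: dict) -> Optional[Tuple[str, str]]:
    """Return (indicatorType, value) for the longest well-formed hash on the sample."""
    for key, length, itype in HASH_TYPES:
        value = (sample.get(key) or "").strip().lower()
        if len(value) == length and all(c in "0123456789abcdef" for c in value):
            return itype, value
    return None


def defender_detects(vt_report: Optional[dict]) -> bool:
    """True if the VirusTotal report shows the Microsoft engine flagging the file."""
    if not vt_report:
        return False
    results = vt_report.get("data", {}).get("attributes", {}).get("last_analysis_results", {})
    return results.get("Microsoft", {}).get("category") in ("malicious", "suspicious")


def make_vt_lookup(api_key: str, min_interval_s: float = 15.0) -> Callable[[str], Optional[dict]]:
    """Live lookup throttled to the public quota of 4 requests/minute (not used by demo)."""
    last_call = [0.0]

    def lookup(file_hash: str) -> Optional[dict]:
        time.sleep(max(0.0, min_interval_s - (time.monotonic() - last_call[0])))
        last_call[0] = time.monotonic()
        req = urllib.request.Request(f"https://www.virustotal.com/api/v3/files/{file_hash}",
                                     headers={"x-apikey": api_key})
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as err:
            if err.code == 404:  # unknown to VT: nothing says Defender already blocks it
                return None
            raise
    return lookup


def prepare_batch(samples: List[dict], vt_lookup: Callable[[str], Optional[dict]],
                  ttl_days: int = 3, now: Optional[datetime] = None) -> Dict[str, list]:
    """Split feed samples into indicator bodies to import and (id, reason) pairs to skip."""
    now = now or datetime.now(timezone.utc)
    expires = (now + timedelta(days=ttl_days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    out: Dict[str, list] = {"import": [], "skipped": []}
    seen = set()
    for sample in samples:
        chosen = pick_hash(sample)
        if chosen is None:
            out["skipped"].append((sample.get("id"), "no usable hash"))
            continue
        itype, value = chosen
        if value in seen:  # the same hash twice in one pull is a duplicate indicator
            out["skipped"].append((sample.get("id"), "duplicate in feed"))
            continue
        seen.add(value)
        if defender_detects(vt_lookup(value)):
            out["skipped"].append((sample.get("id"), "already detected by Defender AV"))
            continue
        out["import"].append({
            "indicatorValue": value, "indicatorType": itype, "action": "BlockRemediation",
            "generateAlert": True, "severity": "Medium", "expirationTime": expires,
            "title": f"Feed block: {sample.get('malware', 'unknown')}",
            "description": f"Feed entry {sample.get('id')}, pulled {now:%Y-%m-%d}",
        })
    return out


def demo() -> Dict[str, list]:
    """Run the pipeline over constructed feed rows and constructed VT reports."""
    feed = [
        {"id": 1, "malware": "SampleA", "sha256": "a" * 64, "sha1": "b" * 40, "md5": "c" * 32},
        {"id": 2, "malware": "SampleB", "md5": "d" * 32},
        {"id": 3, "malware": "SampleC", "sha256": "e" * 64},
        {"id": 4, "malware": "SampleA", "sha256": "A" * 64},
        {"id": 5, "malware": "SampleD", "sha1": "not-a-hash"},
    ]
    reports = {"a" * 64: {"data": {"attributes": {"last_analysis_results": {
        "Microsoft": {"category": "malicious"}}}}}}
    return prepare_batch(feed, reports.get, now=datetime(2021, 8, 24, tzinfo=timezone.utc))


if __name__ == "__main__":
    for section, items in demo().items():
        print(section, items)
```

<P>Because the lookup is passed in as a callable, the same pipeline runs offline against cached reports or live against make_vt_lookup(api_key); a large share of a feed being skipped, as in the ThreatFox figure above, is the expected outcome rather than an error.</P> <P><SPAN data-contrast="auto">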
A hash collision here means the same file imported under more than one hash type (for example, both its SHA-256 and its MD5); only the longer hash’s policy is applied, so the shorter hash adds no protection but still consumes an indicator slot.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">To detect duplicate indicators upon import, you can execute this </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">PowerShell script</SPAN></A><SPAN data-contrast="auto">, which detects and reports conflicting indicators, file indicators already blocked by Defender, and file indicators with hash collisions.</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="9" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><STRONG><SPAN data-contrast="auto">File and cert indicators already blocked by application control solutions</SPAN></STRONG></LI> </UL> <P><A href="#" target="_blank" rel="noopener"><SPAN>Application control capabilities</SPAN></A><SPAN data-contrast="auto">, such as those included in Windows 10, or their predecessor AppLocker, can also restrict 
execution based on allow or block lists. If file and cert indicators are also blocked by an application control solution, then the file/cert IoC is a duplicate and should be removed.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Application control and AppLocker can block on certificates and Authenticode file hashes. Additionally, the policy limits for both AppLocker and application control allow far more rules than Defender for Endpoint’s IoC solution. To learn about application control and AppLocker enforcement capabilities, visit the documentation resources below:</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN>Understanding the publisher rule condition in AppLocker</SPAN></A><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN 
data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><A href="#" target="_blank" rel="noopener"><SPAN>Understand application control policy and file rules</SPAN></A></LI> </UL> <P><SPAN data-contrast="auto">You can also learn more about viewing application control and AppLocker events with advanced hunting in the documentation about </SPAN><A href="#" target="_blank" rel="noopener"><SPAN>querying application control events</SPAN></A><SPAN data-contrast="auto">.</SPAN></P> <P>&nbsp;</P> <P><STRONG><SPAN data-contrast="auto">Periodically clean up old indicators</SPAN></STRONG></P> <P><SPAN data-contrast="auto">Our final recommendation is to periodically go through your indicators and clean up ones that may no longer be relevant, such as indicators with no expiration date. 
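</SPAN></P> <P>The clean-up and duplicate checks described in this post, as an added example that is not the PowerShell script the post links to: the Python below reviews a tenant’s existing indicators and reports exact duplicates, conflicting actions on the same entity and device group, indicators with no expiration date, and indicators with no description (the reason the post recommends recording). The records in demo() are constructed to resemble the List Indicators API response (id, indicatorValue, indicatorType, action, rbacGroupNames, expirationTime, description); the code does not decide which side of a conflict wins, since that order differs between file/certificate and domain/URL/IP indicators and is defined in the linked documentation.</P>

```python
"""Review a tenant's existing indicators for the housekeeping cases the post
describes: exact duplicates, conflicting actions on the same entity and device
group, missing expiration dates, and missing descriptions.

Added example, not the PowerShell script the post links to. The records in demo()
are constructed to resemble the List Indicators API response; the field names are
taken from that API reference. Conflict winners are deliberately not decided here,
because the conflict-handling order differs between file/certificate and
domain/URL/IP indicators (see the post's links to the documentation).
"""
from collections import defaultdict
from typing import Dict, List, Tuple

FILE_OR_CERT = {"FileS ha256".replace(" ", ""), "FileSha1", "FileMd5", "CertificateThumbprint"}


def scope_key(ind: dict) -> Tuple[str, str, tuple]:
    """Entity plus device-group scope; an empty rbacGroupNames means all devices."""
    groups = tuple(sorted(ind.get("rbacGroupNames") or []))
    return ind["indicatorType"], ind["indicatorValue"].strip().lower(), groups


def review_indicators(indicators: List[dict]) -> Dict[str, list]:
    """Group indicators by scope and report duplicates, conflicts, and hygiene gaps."""
    by_scope: Dict[tuple, List[dict]] = defaultdict(list)
    for ind in indicators:
        by_scope[scope_key(ind)].append(ind)

    report: Dict[str, list] = {"duplicates": [], "conflicts": [],
                               "no_expiration": [], "missing_reason": []}
    for (itype, value, _groups), group in by_scope.items():
        actions = sorted({i["action"] for i in group})
        if len(group) > 1 and len(actions) == 1:
            # Same entity, scope and action more than once: only one copy is enforced,
            # the others merely count against the 15,000-indicator limit.
            report["duplicates"].append([i["id"] for i in group[1:]])
        elif len(actions) > 1:
            report["conflicts"].append({
                "entity": value, "actions": actions, "ids": [i["id"] for i in group],
                "conflict_order": "file/cert" if itype in FILE_OR_CERT else "domain/URL/IP",
            })
    for ind in indicators:
        if not ind.get("expirationTime"):
            report["no_expiration"].append(ind["id"])
        if not (ind.get("description") or "").strip():
            report["missing_reason"].append(ind["id"])
    return report


def demo() -> Dict[str, list]:
    """Run the review over constructed records shaped like the List Indicators response."""
    records = [
        {"id": "1", "indicatorType": "FileSha256", "indicatorValue": "a" * 64,
         "action": "BlockRemediation", "rbacGroupNames": [],
         "expirationTime": "2021-08-27T00:00:00Z", "description": "ThreatFox pull 2021-08-24"},
        {"id": "2", "indicatorType": "FileSha256", "indicatorValue": "A" * 64,
         "action": "BlockRemediation", "rbacGroupNames": [],
         "expirationTime": None, "description": ""},
        {"id": "3", "indicatorType": "DomainName", "indicatorValue": "bad.example",
         "action": "BlockExecution", "rbacGroupNames": ["Servers"],
         "expirationTime": None, "description": "IR case 42"},
        {"id": "4", "indicatorType": "DomainName", "indicatorValue": "bad.example",
         "action": "Allow", "rbacGroupNames": ["Servers"],
         "expirationTime": None, "description": "vendor exception"},
        {"id": "5", "indicatorType": "DomainName", "indicatorValue": "bad.example",
         "action": "Allow", "rbacGroupNames": ["Workstations"],
         "expirationTime": None, "description": ""},
    ]
    return review_indicators(records)


if __name__ == "__main__":
    for section, items in demo().items():
        print(f"{section}: {items}")
```

<P>Feed the output of the List Indicators API into review_indicators to get the same report for a real tenant; duplicates and no-expiration entries are the first candidates for deletion, and conflicts should be resolved by hand against the conflict-handling documentation rather than by a script guessing the winner.</P> <P><SPAN data-contrast="auto">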
To help with these periodic reviews and revisions, a best practice is to add a description with a reason whenever an indicator is added.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">We hope that you’ve found this guidance useful in offering recommendations and best practices to optimize the use of custom IoCs to ingest an organization’s particular and contextualized threat intelligence. Let us know your feedback and questions, and check out the additional resources below!</SPAN></P> <P>&nbsp;</P> <P><STRONG>Resources for using IoCs:</STRONG></P> <UL> <LI><A href="#" target="_blank" rel="noopener"><SPAN>IoC support documentation</SPAN></A></LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-atp-unified-indicators-of-compromise-iocs/ba-p/656415" target="_blank" rel="noopener"><SPAN>Overview of unified IoC experience in Microsoft Defender for Endpoint</SPAN></A><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN 
data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/pushing-custom-indicator-of-compromise-iocs-to-microsoft/m-p/532203" target="_blank" rel="noopener"><SPAN>Pushing&nbsp;IoCs&nbsp;to Microsoft Defender for Endpoint</SPAN></A><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-atp-and-malware-information-sharing-platform/m-p/576648" target="_blank" rel="noopener"><SPAN>How to integrate MISP with Microsoft Defender for Endpoint</SPAN></A><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> Tue, 24 Aug 2021 01:08:41 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/best-practices-for-optimizing-custom-indicators/ba-p/2670357 christinecho 2021-08-24T01:08:41Z Microsoft Defender for Endpoint Ninja Training: August 2021 update https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-ninja-training-august-2021/ba-p/2611623 <P>We published a lot of new Microsoft Defender for Endpoint resources over the past few months and have these now included in the Ninja training.&nbsp;If you want to refresh your knowledge and get updated, here is what has been added since the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-ninja-training-february-2021/ba-p/2118350" target="_self">February 2021 update</A>:</P> <P>&nbsp;</P> <P>Legend:</P> <TABLE border="1"> <TBODY> <TR> <TD 
width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span> Product videos</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span> Webcast recordings</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TechCommunity.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205059iE2A42D8A7F13D7BC/image-dimensions/17x19?v=v2" width="17" height="19" role="button" title="TechCommunity.png" alt="TechCommunity.png" /></span> Tech Community</P> </TD> </TR> <TR> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span> Docs on Microsoft</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;Blogs on Microsoft</P> </TD> <TD 
width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GitHub.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205065i083675CF15D6F1EF/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="GitHub.png" alt="GitHub.png" /></span>&nbsp;GitHub</P> </TD> </TR> <TR> <TD width="209.333px" height="28px"> <P>⤴ External</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="InteractiveGuides.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205067iF93A500E533F67FB/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="InteractiveGuides.png" alt="InteractiveGuides.png" /></span>&nbsp;Interactive guides</P> </TD> <TD width="209.333px" height="28px">&nbsp;</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <TABLE width="900"> <TBODY> <TR> <TD width="268px" height="28px"> <P><EM><STRONG>Module (ordered by roles SecOps &amp; SecAdmin)</STRONG></EM></P> </TD> <TD width="368px" height="28px"> <P><STRONG><EM>What's new</EM></STRONG></P> </TD> </TR> <TR> <TD width="368px" height="66px"> <P>Security Operations Fundamentals:</P> <P>Module 2. 
Getting started</P> </TD> <TD width="368px" height="66px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/welcome-to-microsoft-365-defender/ba-p/2436618" target="_blank" rel="noopener">Welcome to Microsoft 365 Defender!</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="81px"> <P>Security Operations Fundamentals:</P> Module 6. Investigation – Incident</TD> <TD width="368px" height="81px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/mitre-att-amp-ck-techniques-now-available-in-the-device-timeline/ba-p/2136788" target="_blank" rel="noopener">MITRE ATT&amp;CK Techniques available in the device timeline</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="93px"> <P>Security Operations Intermediate:</P> Module 2. 
Threat and vulnerability management</TD> <TD width="368px" height="93px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909" target="_blank" rel="noopener">Endpoint Discovery - Navigating your way through unmanaged devices</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="66px"> <P>Security Operations Intermediate:</P> Module 3. Next generation protection</TD> <TD width="368px" height="66px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/enhancing-linux-antivirus-with-behavior-monitoring-capabilities/ba-p/2226705" target="_blank" rel="noopener">Enhancing Linux antivirus with behavior monitoring capabilities</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="100px"> <P>Security Operations Intermediate:</P> Module 8. 
Evaluation Lab</TD> <TD width="368px" height="100px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;&nbsp;<A href="#" target="_blank" rel="noopener">Updates to the evaluation lab</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="93px"> <P>Security Operations Experts:</P> Module 4. Advanced hunting</TD> <TD width="368px" height="93px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-to-migrate-advanced-hunting-to-microsoft-365-defender/ba-p/2409440" target="_blank" rel="noopener">How to migrate advanced hunting to Microsoft 365 Defender</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/advanced-hunting-updates-to-threat-and-vulnerability-management/ba-p/2162584" target="_blank" rel="noopener">Advanced hunting: updates to threat and vulnerability management tables</A> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">DeviceTvmSoftwareInventory</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">DeviceTvmSoftwareVulnerabilities</A></LI> </UL> </LI> </UL> </TD> </TR> <TR> <TD width="368px" height="40px"> <P>Security Administrator Fundamentals,</P> <P>Module 2. Onboarding</P> </TD> <TD width="368px" height="40px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/one-app-for-vpn-and-mobile-threat-defense/ba-p/2170142" target="_blank" rel="noopener">One app for VPN and mobile threat defense</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909" 
target="_blank" rel="noopener">Endpoint Discovery - Navigating your way through unmanaged devices</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="66px"> <P>Security Administrator Fundamentals,</P> <P>Module 4. Security configuration</P> </TD> <TD width="368px" height="66px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-a-global-switch-for-tamper-protection/ba-p/2192490" target="_blank" rel="noopener">A global switch for tamper protection</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/secure-configuration-assessment-for-macos-and-linux-now-in/ba-p/2320517" target="_blank" rel="noopener">Secure configuration assessment for macOS and Linux now in public preview</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="200px"> <P>Security Administrator Intermediate,</P> <P>Module 1. 
Threat and vulnerability management</P> </TD> <TD width="368px" height="200px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<SPAN style="font-family: inherit; background-color: transparent;">Updated </SPAN><A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Supported operating systems, platforms and capabilities</A><SPAN style="font-family: inherit; background-color: transparent;">&nbsp;</SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/threat-amp-vulnerability-management-integrates-with-servicenow/ba-p/2454065" target="_blank" rel="noopener">Threat and vulnerability management integrates with ServiceNow VR</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/new-threat-and-vulnerability-management-experiences-in-microsoft/ba-p/2233284" target="_blank" rel="noopener">New threat and vulnerability management experiences in Microsoft 365 security</A></LI> <LI><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/new-threat-amp-vulnerability-management-apis-create-reports/ba-p/2445813" target="_blank" rel="noopener">New APIs - create reports, automate, integrate</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/network-device-discovery-and-vulnerability-assessments/ba-p/2267548" target="_blank" rel="noopener">Network device discovery and vulnerability assessments</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Device discovery</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" 
href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/vulnerability-management-for-linux-now-generally-available/ba-p/2451145" target="_blank" rel="noopener">Vulnerability management for Linux</A></LI> </UL> </TD> </TR> <TR> <TD> <P>Security Administrator Intermediate,</P> <P>Module 2. Attack surface reduction</P> </TD> <TD> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;Updated <A href="#" target="_blank" rel="noopener">Learn about attack surface reduction rules</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span> <SPAN>Details about using&nbsp;</SPAN><U>Microsoft Endpoint Manager</U><SPAN>&nbsp;</SPAN><A href="#" target="_blank" rel="noopener noreferrer">MEM OMA-URI</A><SPAN>&nbsp;to configure ASR rules</SPAN></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/mac-updates-control-your-usb-devices-with-microsoft-defender-for/ba-p/2224439" target="_blank" rel="noopener">USB device control on Mac</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" 
image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Device control for MacOS</A></LI> </UL> </TD> </TR> <TR> <TD> <P>Security Administrator Intermediate,</P> <P>Module 3. Next generation protection</P> </TD> <TD> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-new-capabilities-on-android-and-ios/ba-p/2442730" target="_blank" rel="noopener">New capabilities on Android and iOS</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/enhancing-linux-antivirus-with-behavior-monitoring-capabilities/ba-p/2226705" target="_blank" rel="noopener">Enhancing Linux antivirus with behavior monitoring capabilities</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" 
/></span>&nbsp;Updated <A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Microsoft Defender Antivirus compatibility</A></LI> </UL> </TD> </TR> <TR> <TD> <P>Security Administrator Intermediate,</P> <P>Module 8. Migration</P> </TD> <TD> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;Updated the <A href="#" target="_blank" rel="noopener">setup phase of the migration guide</A></LI> </UL> </TD> </TR> <TR> <TD> <P>Security Administrator Expert,</P> <P>Module 3. Custom Integrations, APIs</P> </TD> <TD> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;New threat and vulnerability management API collection <A href="#" target="_blank" rel="noopener">Export Assessment API</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;New threat and vulnerability management API collection <A href="#" target="_blank" rel="noopener">Remediation Activity</A></LI> </UL> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> Wed, 04 Aug 2021 17:42:26 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-ninja-training-august-2021/ba-p/2611623 Heike Ritter 2021-08-04T17:42:26Z DeepSurface integrates with Microsoft's vulnerability management capabilities
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/deepsurface-integrates-with-microsoft-s-vulnerability-management/ba-p/2544600 <P>Today, we are excited to announce that predictive vulnerability management platform, <A href="#" target="_blank" rel="noopener">DeepSurface</A>, has integrated across our threat and vulnerability management capabilities in Microsoft Defender for Endpoint. Now, Microsoft Defender for Endpoint customers can import vulnerability information across Microsoft, Linux and MacOS hosts directly into the DeepSurface vulnerability management platform, further strengthening our focus on interoperability.</P> <P>&nbsp;</P> <P><EM>“As the volume of vulnerabilities increases, it’s critical that vulnerability management teams can quickly identify which matter to their domain and filter out any that don’t pose any risk to their organization. The status quo has been to juggle multiple platforms and spend hours manually prioritizing vulnerabilities - this integration between Microsoft and DeepSurface streamlines the number of platforms for end-users and provides comprehensive, real-time insight into their threat stance.”</EM> – Tomer Teller, Principal Security PM Lead, Threat &amp; Vulnerability Management at Microsoft</P> <P>&nbsp;</P> <P>DeepSurface considers more than 50 different attributes of an environment to contextualize vulnerabilities – and chains of vulnerabilities – within an organization’s digital infrastructure to predict where an attacker could cause the most damage and provides users with actionable intelligence on how to reduce the most risk, fastest. 
Now, users of Microsoft Defender for Endpoint have an integrated solution, easily operationalized in just a few minutes, that provides them with at-a-glance insight into their threat stance.</P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="pic1.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/300311iF08596F6BD7071D5/image-size/large?v=v2&amp;px=999" role="button" title="pic1.png" alt="Image 1 shows DeepSurface’s Risk Insight model. The paretograph shows all the patches on your network and the relative risk they pose to your business, as well as the number of affected hosts and number of vulnerabilities on your network." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 1 shows DeepSurface’s Risk Insight model. The paretograph shows all the patches on your network and the relative risk they pose to your business, as well as the number of affected hosts and number of vulnerabilities on your network.</span></span></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>DeepSurface integrates with Microsoft Defender for Endpoint APIs to collect vulnerabilities and identify missing patches, then prioritizes the patches, hosts and vulnerabilities based on a holistic threat model of your infrastructure.</SPAN></P> <P>&nbsp;</P> <P><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="image2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/300312iEF07A21EDD05BD50/image-size/large?v=v2&amp;px=999" role="button" title="image2.png" alt="Image 2 shows the risk pathways or hacker roadmap of vulnerabilities and chains of vulnerabilities that could be exploited on a network. By visualizing the most exploitable risk paths, DeepSurface can help you identify which paths pose the most risk to your business and prioritize where to patch first." 
/><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 2 shows the risk pathways or hacker roadmap of vulnerabilities and chains of vulnerabilities that could be exploited on a network. By visualizing the most exploitable risk paths, DeepSurface can help you identify which paths pose the most risk to your business and prioritize where to patch first.</span></span></SPAN></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>When viewing a specific patch, DeepSurface can show users which hosts are affected, and the severity of the risk for each host after taking the holistic context of your network into account.&nbsp; DeepSurface also provides information about patch supersedence, and extra steps required to fully mitigate the vulnerabilities covered by the patch.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P>Integration is quick and seamless. All you have to do is add your API key to the DeepSurface console (see screenshot below). Documentation is available for DeepSurface customers.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="image3.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/300314i60963D3D799C7D2B/image-size/medium?v=v2&amp;px=400" role="button" title="image3.png" alt="Image 3: DeepSurface setup console to configure the Microsoft Defender for Endpoint integration." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 3: DeepSurface setup console to configure the Microsoft Defender for Endpoint integration.</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><SPAN>For additional details, you can <A href="#" target="_self">view the full press release here.</A></SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>At Microsoft, we believe that when solutions work well together, customers benefit and can build stronger defenses. 
That’s why the Microsoft threat and vulnerability management APIs give partners like DeepSurface, as well as security teams, full access to the threat and vulnerability management dataset, allowing them to build integrations or other custom workflows.</SPAN></P> <P>&nbsp;</P> <P><STRONG>More information and feedback</STRONG></P> <UL> <LI>The threat and vulnerability management capabilities are part of <A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint</A> and enable organizations to effectively identify, assess, and remediate endpoint weaknesses to reduce organizational risk.</LI> <LI>Documentation on how to configure the integration is available for DeepSurface customers in the product portal.</LI> <LI>We want to hear from you! If you have any suggestions, questions, or comments, please visit us on our <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP" target="_blank" rel="noopener">Tech Community page</A>.</LI> </UL> Wed, 04 Aug 2021 15:19:35 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/deepsurface-integrates-with-microsoft-s-vulnerability-management/ba-p/2544600 Kim Kischel 2021-08-04T15:19:35Z Download quarantined files now Generally Available https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/download-quarantined-files-now-generally-available/ba-p/2581160 <P>During a threat investigation, time is of the essence. Being able to move quickly and get the information needed to assess the situation can dramatically reduce the time to remediation and limit the scope of an attack.</P> <P>&nbsp;</P> <P>Today, we are excited to offer a new feature that gives security teams the ability to download quarantined files and expands the scope of sample submission to include files that are quarantined on your endpoints. This feature will help Security Admins and SecOps investigate threats more efficiently, as they will be able to download a quarantined file directly without needing to involve end users, saving critical minutes, if not hours, during an investigation.</P> <P>&nbsp;</P> <P><STRONG>The download quarantined files feature will be turned on by default in Microsoft 365 Defender.</STRONG></P> <P>Files that have been <A href="#" target="_blank" rel="noopener">quarantined</A> by Microsoft Defender Antivirus or your security team will be saved in a compliant way according to your <A href="#" target="_blank" rel="noopener">sample submission configurations</A>. Your security team can then download the files directly from the file’s detail page via the <STRONG>Download file</STRONG> button.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JuliHooper_1-1627063550721.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298078iC7EFF35FC0DCEE30/image-size/large?v=v2&amp;px=999" role="button" title="JuliHooper_1-1627063550721.png" alt="Screenshot of Microsoft 365 Defender showing a file page with the Download file option available" /></span></P> <P>&nbsp;</P> <P><I>1 Screenshot of Microsoft 365 Defender showing a file page with the “Download file” option available.</I></P> <P>&nbsp;</P> <P>The file will be saved in your <STRONG>‘Downloads’</STRONG> folder:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JuliHooper_2-1627063550713.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298076i931E1BB0E84279C3/image-size/large?v=v2&amp;px=999" role="button" title="JuliHooper_2-1627063550713.png" alt="Screenshot of File Explorer showing a password-protected zip file downloaded from quarantine" /></span></P> <P>&nbsp;</P> <P><I>2 Screenshot of File Explorer showing a password-protected zip file that has been downloaded from quarantine.</I></P> <P>&nbsp;</P> <P>If you want to find a specific quarantined file, there are a few places in Microsoft 365 Defender you can look:</P> <UL> <LI><STRONG>Alerts</STRONG> - select the corresponding links from the “Description” or “Details” in the <STRONG>Artifact</STRONG> timeline</LI> <LI><STRONG>Search box</STRONG> - select <STRONG>File</STRONG> from the drop-down menu, and then enter the file name</LI> </UL> <P aria-level="2"><STRONG>Collecting quarantined files</STRONG></P> <P>Users might be prompted to provide consent before the quarantined file is collected, depending on your <A href="#" target="_blank" rel="noopener">sample submission configuration</A>. If sample submission is turned off or the end user declines to share the file, the file will not be collected. A quarantined file will only be collected once per organization.</P> <P aria-level="2"><STRONG>Requirements</STRONG></P> <UL> <LI>Your organization uses Microsoft Defender Antivirus in active mode</LI> <LI>Antivirus engine version is 1.1.17300.4 or later. See <A href="#" target="_blank" rel="noopener">Monthly platform and engine versions</A></LI> <LI>Cloud-based protection is enabled. See <A href="#" target="_blank" rel="noopener">Turn on cloud-delivered protection</A></LI> <LI>Sample submission is turned on</LI> <LI>Devices have Windows 10 version 1703 or later, or Windows Server 2016 or 2019</LI> </UL> <P>&nbsp;</P> <P>This feature is available to customers in public preview. If you have not yet opted in, we encourage you to <A href="#" target="_blank" rel="noopener">turn on preview features</A> so that you can try this out today.</P> <P>&nbsp;</P> <P aria-level="2"><STRONG>Turning off the download quarantined file setting</STRONG></P> <P>Having this setting turned on can help security teams examine potentially malicious files and investigate incidents quickly and in a less risky way. However, if you need to turn this setting off, go to <STRONG>Settings</STRONG> &gt; <STRONG>Endpoints</STRONG> &gt; <STRONG>Advanced features</STRONG> and toggle “Download quarantined files” <STRONG>Off</STRONG>. See <A href="#" target="_blank" rel="noopener">Configure advanced features in Microsoft Defender for Endpoint | Microsoft Docs</A>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JuliHooper_3-1627063550718.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/298077iC57A0623ABD34E45/image-size/large?v=v2&amp;px=999" role="button" title="JuliHooper_3-1627063550718.png" alt="Screenshot of the Advanced features page in Microsoft 365 Defender with the Download quarantined files setting" /></span></P> <P>&nbsp;</P> <P><I>3 Screenshot of Microsoft 365 Defender showing the Advanced features page and the Download quarantined files button on the right.</I></P> <P>&nbsp;</P> <P>We’re excited to offer you this new feature and look forward to your feedback; let us know what you think in the comments or through the portal!</P> <P>&nbsp;</P> <P><I>Microsoft Defender for Endpoint is an industry leading, cloud powered endpoint security solution offering endpoint protection, endpoint detection and response, vulnerability management, and mobile threat defense. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, <A href="#" target="_blank" rel="noopener">sign up for a free Microsoft Defender for Endpoint trial</A> today.</I></P> <P>&nbsp;</P> <P><I>The Microsoft Defender for Endpoint team</I></P> Tue, 19 Oct 2021 21:52:10 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/download-quarantined-files-now-generally-available/ba-p/2581160 Juli Hooper 2021-10-19T21:52:10Z Protect your removable storage and printers with Microsoft Defender for Endpoint https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806 <P><STRONG>UPDATE: Printer protection is now generally available. We have backported the feature, so it now supports Windows 1809, 1909, 2004 or later.</STRONG></P> <P>&nbsp;</P> <P>External devices such as USB and home printers are commonplace tools needed to complete daily business operations. These devices help employee productivity, but also pose a threat to enterprise data and serve as a potential entry point for malware and viruses. 
The move to remote work due to COVID-19 over the last year has raised the risk to another level.</P> <P>&nbsp;</P> <P>End user activities represent one of the most common threat vectors, and Microsoft Defender for Endpoint brings a compelling story for organizations looking to reduce their security exposure associated with removable media and printing.</P> <P>&nbsp;</P> <P>We are excited to announce new device control capabilities in Microsoft Defender for Endpoint to secure removable storage scenarios on Windows and macOS platforms and offer an additional layer of protection for printing scenarios. These new device control capabilities further reduce the potential attack surface on users’ machines and safeguard organizations against malware and data loss in removable storage media scenarios.</P> <P>&nbsp;</P> <H2><SPAN>Overview</SPAN></H2> <P>&nbsp;</P> <TABLE width="940"> <TBODY> <TR> <TD><STRONG>Feature</STRONG></TD> <TD><STRONG>Availability</STRONG></TD> <TD><STRONG>Documentation</STRONG></TD> </TR> <TR> <TD><P>Removable storage access control on Windows</P></TD> <TD><P>General Availability (Defender version 4.18.2106 or later)</P></TD> <TD><A href="#" target="_blank" rel="noopener">Removable storage access control</A></TD> </TR> <TR> <TD><P>Removable storage protection on Mac</P></TD> <TD><P>General Availability (Defender (Mac) version 101.34.20 or later)</P></TD> <TD><A href="#" target="_blank" rel="noopener">Device control for macOS</A></TD> </TR> <TR> <TD><P>Printer protection</P></TD> <TD><P>General Availability (Windows 1809, 1909, 2004 or later)</P></TD> <TD><A href="#" target="_blank" rel="noopener">Printer protection on Windows</A></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <H2><SPAN>What’s new</SPAN></H2> <H3><SPAN>Removable storage access control on Windows</SPAN></H3> <P>We are bringing removable storage access control capabilities on Windows to complement our existing device control protection in scenarios such as Device Installation, removable storage Endpoint DLP, and removable storage BitLocker.</P> <P>&nbsp;</P> <P>The new feature allows you to <EM>Audit</EM>, <EM>Allow</EM> or <EM>Prevent</EM> Read, Write, or Execute access to removable storage based on various device properties (for example Vendor ID, Serial Number or Friendly Name), with or without an exclusion.</P> <P>&nbsp;</P> <H3>Removable storage protection on Mac</H3> <P>We also recently introduced removable storage protection capabilities on Mac. USB storage device control for Mac is designed to regulate the level of access given to external USB storage devices (including SD cards). The access level is controlled through custom policies. You can find more details in our <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/mac-updates-control-your-usb-devices-with-microsoft-defender-for/ba-p/2224439" target="_blank" rel="noopener">Mac USB storage device control blog</A>.</P> <P>&nbsp;</P> <UL> <LI>The capability supports Audit and Block enforcement levels.</LI> <LI>USB device access can be set to Read, Write, Execute, or No access.</LI> <LI>To achieve a high degree of granularity, the USB access level can be specified per Product ID, Vendor ID, and Serial Number.</LI> <LI>The custom policy allows you to customize the URL the user is redirected to when interacting with the end-user-facing “device restricted” notification.</LI> </UL> <P>&nbsp;</P> <H3><SPAN>Printer protection on Windows</SPAN></H3> <P>The new printer protection feature allows you to block users from printing via a non-corporate network printer or a non-approved USB printer. 
This adds an additional layer of security and data protection for work from home and remote work scenarios.</P> <P>&nbsp;</P> <H2><SPAN>Getting started</SPAN></H2> <P class="GBodylist">The next few sections will go over how to get started deploying and using the new device control capabilities.</P> <P>&nbsp;</P> <H2><SPAN>How to deploy removable storage access control on Windows</SPAN></H2> <P>Removable storage access control policies can be applied for a user or machine via GPO (group policy object). The feature includes group configuration policy and access control policy.</P> <P>&nbsp;</P> <P>For example, here is the most common scenario: Prevent Write and Execute access to all but allow specific approved USBs.</P> <P>Step 1: Create groups</P> <UL> <LI>Group 1: Any removable storage and CD/DVD. An example of a removable storage and CD/DVD is: Group 9b28fae8-72f7-4267-a1a5-685f747a7146 in the sample <A href="#" target="_blank" rel="noopener">Any Removable Storage and CD-DVD Group.xml</A> file.</LI> <LI>Group 2: Approved USBs based on device properties. An example for this use case is: Instance ID – Group 65fa649a-a111-4912-9294-fb6337a25038 in the sample <A href="#" target="_blank" rel="noopener">Approved USBs Group.xml</A> file.</LI> </UL> <P>Step 2: Create policy</P> <UL> <LI>Policy 1: Block Write and Execute Access but allow approved USBs. An example for this use case is: PolicyRule c544a991-5786-4402-949e-a032cb790d0e in the sample <A href="#" target="_blank" rel="noopener">Scenario 1 Block Write and Execute Access but allow approved USBs .xml</A> file.</LI> <LI>Policy 2: Audit Write and Execute access to allowed USBs. 
An example for this use case is: PolicyRule 36ae1037-a639-4cff-946b-b36c53089a4c in the sample <A href="#" target="_blank" rel="noopener">Scenario 1 Audit Write and Execute access to approved USBs.xml</A> file.</LI> </UL> <P>&nbsp;</P> <H3><SPAN>Deploy policy via Group Policy</SPAN></H3> <OL> <LI>Combine all groups within &lt;Groups&gt; &lt;/Groups&gt; into one XML file.</LI> </OL> <P>The following image illustrates the combined groups file for <A href="#" target="_blank" rel="noopener">Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs</A>.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_0-1626453194255.png" style="width: 600px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296431i9996165137CF9166/image-dimensions/600x246?v=v2" width="600" height="246" role="button" title="Tewang_Chen_0-1626453194255.png" alt="Screenshot of the combined groups XML file for Scenario 1" /></span></P> <P>&nbsp;</P> <OL start="2"> <LI>Combine all rules within &lt;PolicyRules&gt; &lt;/PolicyRules&gt; into one XML file.</LI> </OL> <P>If you want to restrict a specific user, use the SID property in the Entry. If there is no SID in the policy Entry, the Entry applies to every user who logs in to the machine.</P> <P>&nbsp;</P> <P>The following image illustrates the usage of the SID property, again using <A href="#" target="_blank" rel="noopener">Scenario 1: Prevent Write and Execute access to all but allow specific approved USBs</A> as the example.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_1-1626453287080.png" style="width: 592px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296432i0D872EE94E9501E4/image-dimensions/592x596?v=v2" width="592" height="596" role="button" title="Tewang_Chen_1-1626453287080.png" alt="Screenshot of the combined policy rules XML file for Scenario 1, showing an Entry with the SID property" /></span></P> <P>&nbsp;</P> <OL start="3"> <LI>Save both the rule and group XML files on a network share and enter the share path in the Group Policy settings: Computer Configuration -&gt; Administrative Templates -&gt; Windows Components -&gt; Microsoft Defender Antivirus -&gt; Device Control: ‘Define device control policy groups’ and ‘Define device control policy rules’. If you cannot find the policy configuration UX in Group Policy, you can download the <A href="#" target="_blank" rel="noopener">WindowsDefender.adml</A> and <A href="#" target="_blank" rel="noopener">WindowsDefender.admx</A> files by clicking 'Raw' and 'Save as'.</LI> </OL> <P>The target machine must be able to access the network share to receive the policy. However, once the policy has been read, the network share connection is no longer required, even after the machine reboots.</P> <P>&nbsp;</P> <P>Here is an example of configuring the policy in Group Policy:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_2-1626453320757.png" style="width: 613px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296433i58CE21223FDBE3E8/image-dimensions/613x524?v=v2" width="613" height="524" role="button" title="Tewang_Chen_2-1626453320757.png" alt="Screenshot of the Device Control settings in Group Policy" /></span></P> <P>&nbsp;</P> <H3><SPAN>View device control data in Microsoft Defender for Endpoint</SPAN></H3> <P>The policy events can be viewed in <A href="#" target="_blank" rel="noopener">Microsoft 365 Defender</A> and the Microsoft Defender Security Center via advanced hunting.</P> <P>Here is an advanced hunting query example:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_3-1626453367501.png" style="width: 634px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296435iBABEE6D758B23251/image-dimensions/634x262?v=v2" width="634" height="262" role="button" title="Tewang_Chen_3-1626453367501.png" alt="Screenshot of an advanced hunting query example for removable storage device control events" /></span></P> <P>&nbsp;</P> <P>For more information, see <A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint Device Control Printer Protection | Microsoft Docs</A>.</P> <P>&nbsp;</P> <H2><SPAN>How to protect removable storage on Mac</SPAN></H2> <P><SPAN>To learn more about Mac USB storage device control, refer to our recent&nbsp;<A title="Mac USB storage device control blog" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/mac-updates-control-your-usb-devices-with-microsoft-defender-for/ba-p/2224439" target="_blank" rel="noopener">Mac USB storage device control 
blog</A>. For a more in-depth overview of this capability and step by step guidance on configuring USB device control policies on macOS, refer to our&nbsp;<A title="Mac USB device control public documentation" href="#" target="_blank" rel="noopener">Mac USB device control public documentation</A>.</SPAN></P> <P>&nbsp;</P> <H3><SPAN>View Mac device control data in Microsoft Defender for Endpoint</SPAN></H3> <P>USB device mount/unmount events on Mac devices can be viewed in Microsoft 365 Defender and in the Microsoft Defender Security Center via advanced hunting and in the device timeline.</P> <P>&nbsp;</P> <P>Here is an advanced hunting query example:</P> <P><EM>&nbsp;</EM></P> <P><EM>DeviceEvents </EM></P> <P><EM>&nbsp;&nbsp;&nbsp; | where ActionType == "UsbDriveMount" or ActionType == "UsbDriveUnmount" or ActionType == "UsbDriveDriveLetterChanged"</EM></P> <P><EM>&nbsp;&nbsp;&nbsp; | where DeviceId == "&lt;device ID&gt;"</EM></P> <P>&nbsp;</P> <P>And that is how the above advanced hunting query looks like in the security center:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_4-1626453401628.png" style="width: 642px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296436iBE0FAED48C1C5A69/image-dimensions/642x247?v=v2" width="642" height="247" role="button" title="Tewang_Chen_4-1626453401628.png" alt="Tewang_Chen_4-1626453401628.png" /></span></P> <P>&nbsp;</P> <P>Here is an example of Mac USB device control event in the device timeline page:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_5-1626453427502.png" style="width: 690px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296437i5548CB889B2E8416/image-dimensions/690x300?v=v2" width="690" height="300" role="button" title="Tewang_Chen_5-1626453427502.png" alt="Tewang_Chen_5-1626453427502.png" /></span></P> <P>&nbsp;</P> <H2>&nbsp;</H2> <H2><SPAN>How to 
deploy printer protection on Windows</SPAN></H2> <P>To deploy printer protection on Windows, you can apply the policy for users or machines via GPO or Intune/OMA-URI.</P> <P>&nbsp;</P> <H3>Deploy policy via Intune OMA-URI</H3> <P>For Intune, currently printer protection supports <A href="#" target="_blank" rel="noopener">Open Mobile Alliance Uniform Resource Identifier (OMA-URI) setting</A> (Microsoft Endpoint Manager admin center: Devices -&gt; Configuration profiles -&gt; Create profile -&gt; Platform: Windows 10 and later; Profile type: Templates -&gt; Custom) only.</P> <P>&nbsp;</P> <P>Block people from printing via any non-corporate printer</P> <UL> <LI>Apply policy over machine: <UL> <LI>./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControl</LI> </UL> </LI> <LI>Apply policy over user: <UL> <LI>./Vendor/MSFT/Policy/Config/Printers/EnableDeviceControlUser</LI> </UL> </LI> </UL> <P>The CSP support string Data type with Value:&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_6-1626453462676.png" style="width: 615px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296438i37032D75F4849F02/image-dimensions/615x209?v=v2" width="615" height="209" role="button" title="Tewang_Chen_6-1626453462676.png" alt="Tewang_Chen_6-1626453462676.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Allow specific approved USB printers</P> <UL> <LI>Apply policy over machine: <UL> <LI>./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevices</LI> </UL> </LI> <LI>Apply policy over user: <UL> <LI>./Vendor/MSFT/Policy/Config/Printers/ApprovedUsbPrintDevicesUser</LI> </UL> </LI> </UL> <P>The CSP support string Data type with approved USB printer VID/PID via ‘ApprovedUsbPrintDevices’ property and the property supports multiple VID/PIDs via comma. 
Currently does not support wildcard.</P> <P>&nbsp;</P> <P>The following is a policy allowing printing if the USB printer VID/PID is either 03F0/0853 or 0351/0872 -&nbsp;<FONT color="#333399"><EM>&lt;enabled/&gt;&lt;data id="ApprovedUsbPrintDevices_List" value="03F0/0853,0351/0872"/&gt;</EM>:</FONT></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_7-1626453565826.png" style="width: 583px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296440i2944FA4BDCE542C6/image-dimensions/583x596?v=v2" width="583" height="596" role="button" title="Tewang_Chen_7-1626453565826.png" alt="Tewang_Chen_7-1626453565826.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H3><SPAN>Deploy policy via Group Policy</SPAN></H3> <P>Block people from printing via any non-corporate printer</P> <UL> <LI>Apply policy over machine: <UL> <LI>Computer Configuration &gt; Administrative Templates &gt; Printer: Enable Device control Printing Restrictions</LI> </UL> </LI> <LI>Apply policy over user: <UL> <LI>User Configuration &gt; Administrative Templates &gt; Control Panel &gt; Printers: Enable Device control Printing Restrictions</LI> </UL> </LI> </UL> <P>Following is an example of configuring the policy in Group Policy:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_8-1626453596023.png" style="width: 577px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296441i063663A41D591912/image-dimensions/577x418?v=v2" width="577" height="418" role="button" title="Tewang_Chen_8-1626453596023.png" alt="Tewang_Chen_8-1626453596023.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Allow specific approved USB printers</P> <UL> <LI>Apply policy over machine: <UL> <LI>Computer Configuration &gt; Administrative Templates &gt; Printer: List of Approved USB-connected print devices</LI> </UL> </LI> <LI>Apply policy over user: <UL> <LI>User Configuration &gt; 
Administrative Templates &gt; Control Panel &gt; Printers: List of Approved USB-connected print devices</LI> </UL> </LI> </UL> <P>The following is an example allowing printing if the USB printer VID/PID is either 03F0/0853 or 0351/0872:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_9-1626453625977.png" style="width: 599px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296442i466A6575BE481335/image-dimensions/599x433?v=v2" width="599" height="433" role="button" title="Tewang_Chen_9-1626453625977.png" alt="Tewang_Chen_9-1626453625977.png" /></span></P> <P>&nbsp;</P> <H3><SPAN>View device control data in Microsoft Defender for Endpoint</SPAN></H3> <P>The policy events can be viewed in <A href="#" target="_blank" rel="noopener">Microsoft 365 Defender</A> and the Microsoft Defender Security Center via advanced hunting.</P> <P>Here is an advanced hunting query example:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tewang_Chen_10-1626453655550.png" style="width: 644px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/296443iB2833C26364A7A0D/image-dimensions/644x232?v=v2" width="644" height="232" role="button" title="Tewang_Chen_10-1626453655550.png" alt="Tewang_Chen_10-1626453655550.png" /></span></P> <P>&nbsp;</P> <P>For more information, see our documentation: <A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint Device Control Printer Protection | Microsoft Docs</A></P> <P>&nbsp;</P> <P>We’re excited to deliver these new device control functionalities to you. To experience these capabilities in public preview, we encourage you to&nbsp;<A href="#" target="_blank" rel="noopener">turn on preview features</A>&nbsp;for Microsoft Defender for Endpoint today. As always, we welcome your feedback and look forward to hearing from you! 
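</P> <P>The OMA-URI nodes and the ApprovedUsbPrintDevices value format described above can be generated and checked in a few lines. The following is an added example, not Microsoft's code or part of the product: it takes the VID/PID entries to be four hex digits each (the standard width of USB vendor and product IDs, and how the post writes them), enforces the comma-separated, no-wildcard rules stated above, and applies the allow-list the way a policy decision would; the printer 1234/5678 used for the negative check is a constructed value.</P>

```python
"""Printer protection policy helpers (added example; not Microsoft's code).

Renders the OMA-URI nodes and the ApprovedUsbPrintDevices String value
shown in the post, validates the VID/PID list the way the post describes
(comma-separated pairs, no wildcards) and applies the allow-list as a
policy check would. The 4-hex-digit shape of USB vendor/product IDs is
standard USB, not something the post states.
"""
import re
from html import escape
from typing import List

POLICY_ROOT = "./Vendor/MSFT/Policy/Config/Printers/"

# OMA-URI node for each (policy, scope) pair, as listed in the post.
OMA_URI = {
    ("block", "machine"): POLICY_ROOT + "EnableDeviceControl",
    ("block", "user"): POLICY_ROOT + "EnableDeviceControlUser",
    ("allow", "machine"): POLICY_ROOT + "ApprovedUsbPrintDevices",
    ("allow", "user"): POLICY_ROOT + "ApprovedUsbPrintDevicesUser",
}

# USB vendor and product IDs are 16-bit values, written as 4 hex digits each.
VID_PID = re.compile(r"^[0-9A-F]{4}/[0-9A-F]{4}$")
WILDCARDS = ("*", "?")


def oma_uri(policy: str, scope: str) -> str:
    """Return the OMA-URI for policy 'block' or 'allow' at scope 'machine' or 'user'."""
    try:
        return OMA_URI[(policy, scope)]
    except KeyError:
        raise ValueError(f"unknown policy/scope {policy!r}/{scope!r}") from None


def normalize_vid_pid(entry: str) -> str:
    """Trim and upper-case one VID/PID entry; reject wildcards and malformed IDs."""
    entry = entry.strip().upper()
    if any(w in entry for w in WILDCARDS):
        raise ValueError(f"wildcards are not supported: {entry!r}")
    if not VID_PID.match(entry):
        raise ValueError(f"expected VVVV/PPPP hex pair: {entry!r}")
    return entry


def parse_device_list(value: str) -> List[str]:
    """Split the comma-separated value into unique, normalised entries."""
    entries: List[str] = []
    for raw in value.split(","):
        if not raw.strip():
            continue  # tolerate a trailing comma
        vid_pid = normalize_vid_pid(raw)
        if vid_pid not in entries:
            entries.append(vid_pid)
    return entries


def approved_devices_value(devices: List[str]) -> str:
    """Render the String value for ApprovedUsbPrintDevices / ApprovedUsbPrintDevicesUser."""
    joined = ",".join(parse_device_list(",".join(devices)))
    return ('<enabled/><data id="ApprovedUsbPrintDevices_List" '
            f'value="{escape(joined, quote=True)}"/>')


def is_print_allowed(vid: int, pid: int, approved: List[str]) -> bool:
    """Allow-list decision for a USB printer whose IDs were read as integers."""
    return f"{vid:04X}/{pid:04X}" in parse_device_list(",".join(approved))


def rejects(value: str) -> bool:
    """True when parse_device_list refuses the value (used for self-checks)."""
    try:
        parse_device_list(value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    approved = ["03F0/0853", "0351/0872"]  # the two printers from the post
    print(oma_uri("allow", "machine"))
    print(approved_devices_value(approved))
    # 0x1234/0x5678 is a constructed, unlisted printer
    print(is_print_allowed(0x03F0, 0x0853, approved), is_print_allowed(0x1234, 0x5678, approved))
```

<P>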
You can submit feedback directly to our team through the portal. &nbsp;</P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense&nbsp;in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, </EM><A href="#" target="_blank" rel="noopener"><EM>sign up for a free trial</EM></A><EM> of Microsoft Defender for Endpoint today.</EM>&nbsp;</P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint team</EM></P> Thu, 26 Aug 2021 16:10:51 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/protect-your-removable-storage-and-printers-with-microsoft/ba-p/2324806 Tewang_Chen 2021-08-26T16:10:51Z Announcing live response API public preview https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-live-response-api-public-preview/ba-p/2537833 <P>As part of our ongoing effort to provide a rich set of APIs to allow customers and partners to benefit from the power of the Microsoft Defender for Endpoint platform, we are happy to announce the public preview of the live response API.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="israelcp_0-1626090540815.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/295017i3C736963C75A16E8/image-size/medium?v=v2&amp;px=400" role="button" title="israelcp_0-1626090540815.png" alt="live response API request example" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">live response API request example</span></span></P> <P>Time plays a critical role when collecting forensic evidence. 
Due to frequent changes that occur in the memory and storage of a device, it's critical to collect forensic evidence swiftly. Forensic evidence must be gathered as soon as suspicious activity is identified on a device.</P> <P>&nbsp;</P> <P>The live response APIs allow you to collect information and take real-time actions on a remote endpoint using APIs. These actions include the ability to <STRONG>upload and download files</STRONG> and <STRONG>execute scripts</STRONG> on the endpoint.</P> <P>The live response APIs are currently supported on Windows 10 and Windows Server 2019; support for other platforms is coming soon.</P> <P>The new functionality adds a number of new APIs to the Microsoft Defender for Endpoint API set. These include:</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Run live response commands on a device</A></LI> <LI><A href="#" target="_blank" rel="noopener">Get live response results</A></LI> <LI><A href="#" target="_blank" rel="noopener">Cancel machine action API</A></LI> </UL> <P>In addition to the APIs listed above, we highly recommend using the existing <A href="#" target="_blank" rel="noopener">Get Machine Action API</A> and <A href="#" target="_blank" rel="noopener">List Machine Action API</A>.</P> <P>The tutorial below walks you through using the live response API to export and collect artifacts from a compromised device.</P> <P>&nbsp;</P> <H2>How to use the live response API</H2> <P>In this tutorial we show how to use the live response API to collect forensic evidence that indicates the current state of the device, such as running processes and scheduled tasks. You can later set the script to run automatically when a specific alert is raised, so you can investigate threats and respond in real time.&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Step 1 – Create/download a script that collects any artifact that may interest you. 
For basic usage, you can use the sample script below.</STRONG></P> <P>&nbsp;</P> <LI-CODE lang="powershell">&lt;#
.Synopsis
Sample script to export all scheduled tasks, services and processes to CSV files
#&gt;
# Scheduled tasks with their last/next run times, from the local Task Scheduler
Get-ScheduledTask | Get-ScheduledTaskInfo | Export-Csv "C:\Windows\Temp\ScheduledTasks.csv" -NoTypeInformation -Force
# Installed services and their current state
Get-Service | Export-Csv "C:\Windows\Temp\Services.csv" -NoTypeInformation -Force
# Running processes
Get-Process | Export-Csv "C:\Windows\Temp\Processes.csv" -NoTypeInformation -Force</LI-CODE> <P>&nbsp;</P> <P><STRONG>Step 2 – Upload the script to the Live response library.</STRONG></P> <P>Before you can run a script, you must first upload it to the library. If you plan to use an unsigned script in the session, you'll need to enable the setting in the Advanced Features settings.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="israelcp_0-1626180616044.png" style="width: 346px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/295440i152A89427F536735/image-size/medium?v=v2&amp;px=400" role="button" title="israelcp_0-1626180616044.png" alt="israelcp_0-1626180616044.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Step 3 – Run a new live response session.</STRONG></P> <P>We will initiate a session and execute commands: RunScript for exporting the data and GetFile to collect the output. 
To pass arguments to the script, use the Args parameter.</P> <P><U>Request:</U></P> <P>Type: HTTP POST</P> <PRE data-unlink="true">https://api.securitycenter.microsoft.com/api/machines/{machine_id}/runliveresponse&nbsp;</PRE> <P>&nbsp;</P> <LI-CODE lang="json">{
  "Commands": [
    {
      "type": "RunScript",
      "params": [
        { "key": "ScriptName", "value": "forensics.ps1" }
      ]
    },
    {
      "type": "GetFile",
      "params": [
        { "key": "Path", "value": "C:\\windows\\Temp\\Services.csv" }
      ]
    },
    {
      "type": "GetFile",
      "params": [
        { "key": "Path", "value": "C:\\windows\\Temp\\Processes.csv" }
      ]
    },
    {
      "type": "GetFile",
      "params": [
        { "key": "Path", "value": "C:\\windows\\Temp\\ScheduledTasks.csv" }
      ]
    }
  ],
  "Comment": "Testing Live Response API"
}</LI-CODE> <P>&nbsp;</P> <P>You will then get a response with the ID of the session (machine action) that was just created. With this ID you can track the status of the session, cancel it, and collect its outputs.</P> <P>&nbsp;</P> <P><STRONG>Step 4 – Check the session status.</STRONG></P> <P>Once you have initiated the session, you can check its progress and the status of executed commands using the following request:</P> <P><U>Request:</U></P> <P>Type: HTTP GET</P> <PRE data-unlink="true">https://api.securitycenter.microsoft.com/api/machineactions/{machine_action_id}&nbsp;</PRE> <P>&nbsp;</P> <P><STRONG>Step 5 – Get script transcript.</STRONG></P> <P>If a command has ended successfully, the response will include a link to the script output (for RunScript) or collected file (for GetFile). 
The link will expire within 30 minutes.</P> <P><U>Request:</U></P> <P>Type: HTTP GET</P> <PRE data-unlink="true">https://api.securitycenter.microsoft.com/api/machineactions/{machine_action_id}/GetLiveResponseResultDownloadLink(index=0)&nbsp;</PRE> <P>&nbsp;</P> <P><U>Response:</U></P> <P>&nbsp;</P> <LI-CODE lang="json">{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String",
  "value": "https://core.windows.net/investigation-actions-data/ID/CustomPlaybookCommandOutput/4ed5e7807ad1fe59b00b664fe06a0f07?se=2021-02-04T16%3A13%3A50Z&amp;sp=r&amp;sv=2019-07-07&amp;sr=b&amp;sig=1dYGe9rPvUlXBPvYSmr6/OLXPY98m8qWqfIQCBbyZTY%3D"
}</LI-CODE> <P>&nbsp;</P> <P><U>File content:</U></P> <P>&nbsp;</P> <LI-CODE lang="json">{
  "script_name": "forensics.ps1",
  "exit_code": 0,
  "script_output": "Transcript started, output file is C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{TRANSCRIPT_ID}.txt \u0000\u0000\u0000",
  "script_error": ""
}</LI-CODE> <P>&nbsp;</P> <P><STRONG>Step 6 – Download the collected files.</STRONG></P> <P>Generate a download link for each of the collected files, and then download them to your local machine. 
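</P> <P>Steps 3 to 6 above can be driven from a small client. The following is an added example, not Microsoft's code or SDK: the URLs, command types and request body are the ones shown in the tutorial, while the field names of the machine action status document (status, commands[].index, commands[].commandStatus) are an assumption, the HTTP GET is injected as a callable (fetch_json, with fake_fetch as a stand-in), and the action ID, example.invalid download URLs and the status document are constructed so the module runs without a tenant or a token.</P>

```python
"""Offline client helpers for the live response API walkthrough above.

Added example, not Microsoft's code or SDK. URLs and request body are the
ones in Steps 3 to 6. The machine action status fields used here (status,
commands[].index, commands[].commandStatus) are an assumption, so the
sample status document is constructed, and HTTP GET is injected as a
callable so the module runs without a tenant or token.
"""
import json
from typing import Callable, Dict, List, Optional

BASE = "https://api.securitycenter.microsoft.com/api"
ODATA_STRING = "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String"

def run_script(script_name: str, args: Optional[str] = None) -> dict:
    """RunScript command; Args is the optional parameter the tutorial mentions."""
    params = [{"key": "ScriptName", "value": script_name}]
    if args is not None:
        params.append({"key": "Args", "value": args})
    return {"type": "RunScript", "params": params}

def get_file(path: str) -> dict:
    """GetFile command; json.dumps yields the escaped backslashes seen in Step 3."""
    return {"type": "GetFile", "params": [{"key": "Path", "value": path}]}

def build_request(commands: List[dict], comment: str) -> dict:
    """Body for POST /machines/{machine_id}/runliveresponse (Step 3)."""
    if not commands:
        raise ValueError("a live response session needs at least one command")
    for cmd in commands:
        if cmd.get("type") not in ("RunScript", "GetFile"):
            raise ValueError(f"unsupported command type {cmd.get('type')!r}")
    return {"Commands": commands, "Comment": comment}

def run_live_response_url(machine_id: str) -> str:
    return f"{BASE}/machines/{machine_id}/runliveresponse"

def machine_action_url(action_id: str) -> str:
    """Step 4: the machine action returned by the POST, polled for progress."""
    return f"{BASE}/machineactions/{action_id}"

def download_link_url(action_id: str, index: int) -> str:
    """Steps 5 and 6: result link for the command at position `index` in Commands."""
    return f"{BASE}/machineactions/{action_id}/GetLiveResponseResultDownloadLink(index={index})"

def parse_transcript(raw: str) -> dict:
    """Parse the RunScript result file from Step 5; script_output is NUL-padded."""
    doc = json.loads(raw)
    return {"script_name": doc["script_name"], "exit_code": int(doc["exit_code"]),
            "output": doc["script_output"].rstrip("\x00").strip(),
            "error": doc.get("script_error", "")}

def collect_result_urls(action_id: str, fetch_json: Callable[[str], dict]) -> Dict[int, str]:
    """Map command index to download URL for each completed command (links expire in 30 min)."""
    action = fetch_json(machine_action_url(action_id))
    urls: Dict[int, str] = {}
    for cmd in action.get("commands", []):  # assumed field names, see module docstring
        if cmd.get("commandStatus") == "Completed":
            body = fetch_json(download_link_url(action_id, cmd["index"]))
            urls[cmd["index"]] = body["value"]  # OData body: {"@odata.context": ..., "value": url}
    return urls

# --- constructed sample data (not captured from a real tenant) ---------------
TUTORIAL_COMMANDS = [run_script("forensics.ps1"),
                     get_file(r"C:\windows\Temp\Services.csv"),
                     get_file(r"C:\windows\Temp\Processes.csv"),
                     get_file(r"C:\windows\Temp\ScheduledTasks.csv")]

SAMPLE_TRANSCRIPT = r'''{
  "script_name": "forensics.ps1",
  "exit_code": 0,
  "script_output": "Transcript started, output file is C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection\\Temp\\PSScriptOutputs\\PSScript_Transcript_{TRANSCRIPT_ID}.txt \u0000\u0000\u0000",
  "script_error": ""
}'''

SAMPLE_ACTION_ID = "ACTION_ID_PLACEHOLDER"
FAKE_RESPONSES = {
    machine_action_url(SAMPLE_ACTION_ID): {
        "status": "Succeeded",
        "commands": [{"index": 0, "commandStatus": "Completed"},
                     {"index": 1, "commandStatus": "Completed"},
                     {"index": 2, "commandStatus": "Failed"}],  # one GetFile failed
    },
    download_link_url(SAMPLE_ACTION_ID, 0): {"@odata.context": ODATA_STRING,
                                             "value": "https://example.invalid/transcript?sig=CONSTRUCTED"},
    download_link_url(SAMPLE_ACTION_ID, 1): {"@odata.context": ODATA_STRING,
                                             "value": "https://example.invalid/Services.csv.zip?sig=CONSTRUCTED"},
}

def fake_fetch(url: str) -> dict:
    """Stand-in for an authenticated GET; unknown URLs fail the way a 404 would."""
    try:
        return FAKE_RESPONSES[url]
    except KeyError:
        raise LookupError(f"no response for {url}") from None
```

In a real run, fetch_json is the authenticated GET of your client and the failed command (index 2 here) is the one to re-run or investigate rather than silently skip.
<P>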
The link will expire within 30 minutes.</P> <P>&nbsp;</P> <P><U>Request:</U></P> <P>Type: HTTP GET</P> <PRE data-unlink="true">https://api.securitycenter.microsoft.com/api/machineactions/{machine_action_id}/GetLiveResponseResultDownloadLink(index=1)&nbsp;</PRE> <P>&nbsp;</P> <P><U>Response:</U></P> <P>&nbsp;</P> <LI-CODE lang="json">{
  "@odata.context": "https://api.securitycenter.microsoft.com/api/$metadata#Edm.String",
  "value": "https://core.windows.net/f10/41/sha256/cf1041e3e2a4c2d36c72bcc53b1fcf7d7c65a175e6385110d4659de38c80dd79?sv=2015-12-11&amp;sr=b&amp;sig=BXM9Q1ZAAZ9Is1PqzmErbNihk6xPt8csOvuFqsMkDaI%3D&amp;spr=https&amp;st=2021-02-04T15%3A44%3A53Z&amp;se=2021-02-04T17%3A31%3A35Z&amp;sp=r&amp;rscd=attachment%3B%20filename%3D%22ScheduledTasks.csv.zip"
}</LI-CODE> <P>&nbsp;</P> <H2>Summary</H2> <P>We’re excited to hear your feedback as you explore the new APIs, and we will continue to update the documentation throughout the preview. Our mission is to provide you with a generic platform on which you can develop a customized IR solution. Additional new capabilities are expected to be released soon, such as managing the live response library via API, and support for macOS and Linux.</P> <P>If you’ve enabled public preview features, you can check out the new live response APIs today! If not, we encourage you to <A href="#" target="_blank" rel="noopener">turn on preview features for Microsoft Defender for Endpoint</A> to get access to the newest capabilities. These features can be turned on in the Microsoft Defender Security Center or the Microsoft 365 security center.</P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense&nbsp;in a single unified platform. 
With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, </EM><A href="#" target="_blank" rel="noopener"><EM>sign up for a free trial</EM></A><EM> of Microsoft Defender for Endpoint today.</EM>&nbsp;</P> Mon, 26 Jul 2021 17:08:48 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-live-response-api-public-preview/ba-p/2537833 israelcp 2021-07-26T17:08:48Z Evaluation lab updates: device renewal and new simulations https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/evaluation-lab-updates-device-renewal-and-new-simulations/ba-p/2519691 <P><SPAN data-contrast="auto">Microsoft Defender for Endpoint’s&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Evaluation Lab</SPAN></A><SPAN data-contrast="auto">&nbsp;is growing with a new feature for device renewal, as well as two new simulations!</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">The evaluation lab&nbsp;is a playground for&nbsp;you to test Microsoft Defender for Endpoint’s defense against test scenarios of your own, as well as&nbsp;various simulations provided by our partners&nbsp;SafeBreach&nbsp;&amp;&nbsp;AttackIQ, without the hassle of setting up a testing environment.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Until now, the evaluation lab provided customers with a limited number of devices. 
Now,&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">you can renew your lab resources once a month</SPAN></STRONG><SPAN data-contrast="auto">, allowing you to continuously use the evaluation lab&nbsp;for your testing needs.&nbsp;To do this, simply click on the “request for more devices” button, choose your configuration, and submit the request.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Yaniv_Carmel_3-1625582836608.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/293793i1C5702CFB60C1A6E/image-size/large?v=v2&amp;px=999" role="button" title="Yaniv_Carmel_3-1625582836608.png" alt="Yaniv_Carmel_3-1625582836608.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">When the request is submitted successfully, you will see a green confirmation banner and the date of the last submission.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Yaniv_Carmel_4-1625582836612.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/293794iB69CFCE8F8F925A8/image-size/large?v=v2&amp;px=999" role="button" title="Yaniv_Carmel_4-1625582836612.png" alt="Yaniv_Carmel_4-1625582836612.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">You&nbsp;can&nbsp;find the status of your request in the “User Actions” tab. 
Expect the request to be approved&nbsp;shortly.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Now that you have added your new devices, it’s a great time to&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">check out our new simulations for&nbsp;Carbanak&nbsp;and FIN7</SPAN></STRONG><SPAN data-contrast="auto">,</SPAN><STRONG><SPAN data-contrast="auto">&nbsp;</SPAN></STRONG><SPAN data-contrast="auto">as well as&nbsp;the</SPAN><STRONG><SPAN data-contrast="auto">&nbsp;SolarWinds Campaign</SPAN></STRONG><SPAN data-contrast="auto">,</SPAN><STRONG><SPAN data-contrast="auto">&nbsp;</SPAN></STRONG><SPAN data-contrast="auto">provided by&nbsp;SafeBreach!</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">These simulations allow you to evaluate Microsoft Defender for Endpoint’s detection and protection capabilities against a few of the most prominent threat&nbsp;actors these days.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Carbanak&nbsp;and FIN7 are&nbsp;financially-motivated&nbsp;threat groups, considered to be two of the most successful criminal hacking groups in the world, so much that they were chosen to be the subject of&nbsp;the recent <A href="#" target="_self">MITRE&nbsp;Engenuity&nbsp;ATT&amp;CK® 2021</A> evaluation.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">The SolarWinds&nbsp;Campaign&nbsp;is a supply chain attack utilizing SolarWinds’ popular network management software - SolarWinds® Orion®. 
This campaign, dubbed “the largest and most sophisticated attack the world has ever seen”, left tens of thousands of organizations vulnerable.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">To run these simulations,&nbsp;navigate to the “Tutorials &amp; simulations” section, choose a simulation, and click “run”. Then, in the “Create simulation” side panel, select a device and click on the “Create simulation” button.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yaniv_Carmel_6-1625583450605.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/293797iF77DEEC31AA4C259/image-size/large?v=v2&amp;px=999" role="button" title="Yaniv_Carmel_6-1625583450605.png" alt="Yaniv_Carmel_6-1625583450605.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">To learn more about&nbsp;the simulations, read the simulation documentation:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="2" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><A href="#" target="_self"><SPAN data-contrast="auto">Carbanak&nbsp;and FIN7</SPAN></A><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335551550&quot;:1,&quot;335551620&quot;:1,&quot;335559737&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="2" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><A href="#" target="_self"><SPAN data-contrast="auto">SolarWinds Campaign</SPAN></A></LI> 
</UL> Tue, 06 Jul 2021 15:20:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/evaluation-lab-updates-device-renewal-and-new-simulations/ba-p/2519691 Yaniv_Carmel 2021-07-06T15:20:00Z Vulnerability management for Linux now generally available https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/vulnerability-management-for-linux-now-generally-available/ba-p/2451145 <P>In May we <A href="#" target="_blank" rel="noopener">announced</A> the support for Linux across our threat and vulnerability management capabilities in Microsoft Defender for Endpoint. Today, we are excited to announce that threat and vulnerability management for Linux is now generally available across <STRONG>Red Hat, Ubuntu, CentOS, SUSE, and Oracle</STRONG>, with support for <STRONG>Debian </STRONG>coming soon.&nbsp;In addition to Linux, the threat and vulnerability management capabilities already support macOS and Windows, with support for Android and iOS coming later this summer to further expand our support of third party platforms. &nbsp;&nbsp;</P> <P>&nbsp;</P> <P>Vulnerability Management plays a crucial role in monitoring an organization’s overall security posture. That’s why we continue to expand our cross-platform support to equip security teams with real-time insights into risk with continuous vulnerability discovery, intelligent prioritization, and the ability to seamlessly remediate vulnerabilities for all their platforms. 
With the general availability of support for Linux, organizations can now review vulnerabilities within installed apps across the Linux OS and issue remediation tasks for affected .</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Software inventory 1.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/290503i2A7CB34A1CE6A96A/image-size/large?v=v2&amp;px=999" role="button" title="Software inventory 1.PNG" alt="Image 1: Software inventory page in the vulnerability management console, showing various Linux platforms" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 1: Software inventory page in the vulnerability management console, showing various Linux platforms</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Software inventory2.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/290502i729599765ED9087F/image-size/large?v=v2&amp;px=999" role="button" title="Software inventory2.PNG" alt="Image 2: Software inventory page in the vulnerability management portal, showing glibc across various Linux systems" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 2: Software inventory page in the vulnerability management portal, showing glibc across various Linux systems</span></span></P> <P>&nbsp;</P> <P>Support for the various Linux platforms in threat and vulnerability management closely follows <A href="#" target="_blank" rel="noopener">what is available across our Endpoint Detection and Response</A> (EDR) capabilities. 
This alignment ensures a consistent experience for Microsoft Defender for Endpoint customers, as we continue to expand our cross-platform support.</P> <P>&nbsp;</P> <P><STRONG>More information and feedback</STRONG></P> <P>The threat and vulnerability management capabilities are part of&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint</A>&nbsp;and enable organizations to effectively identify, assess, and remediate endpoint weaknesses to reduce organizational risk.</P> <P>&nbsp;</P> <P>Check out our&nbsp;<A href="#" target="_blank" rel="noopener">documentation</A>&nbsp;for a complete overview of supported operating systems and platforms.</P> <P>&nbsp;</P> <P>We want to hear from you! If you have any suggestions, questions, or comments, please visit us on our&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP" target="_blank" rel="noopener">Tech Community page</A>.</P> <P>&nbsp;</P> Tue, 29 Jun 2021 13:20:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/vulnerability-management-for-linux-now-generally-available/ba-p/2451145 Kim Kischel 2021-06-29T13:20:00Z Unmanaged device protection capabilities are now generally available https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/unmanaged-device-protection-capabilities-are-now-generally/ba-p/2463796 <P>Two months ago, <A href="#" target="_blank" rel="noopener">we announced the public preview</A> of a new set of capabilities that would <STRONG>give Microsoft Defender for Endpoint customers </STRONG><STRONG>visibility</STRONG> <STRONG>over unmanaged devices running on their networks.</STRONG> It’s devices like these that introduce some of the greatest risks to an organization’s cybersecurity posture.</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">“The riskiest threat is the one you don’t know about. 
Unmanaged devices are literally one of your weakest links.</P> <P class="lia-indent-padding-left-30px">Smart attackers go there first.”&nbsp;- David Weston, Microsoft Director of Enterprise and OS Security</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P>We are pleased to announce that starting today, these capabilities are generally available to all our customers worldwide!</P> <P>&nbsp;</P> <P>With this release we deliver a rich set of new capabilities, including:</P> <P>&nbsp;</P> <UL> <LI><STRONG>Discovery of endpoints and network devices connected to your corporate network </STRONG></LI> </UL> <P class="lia-indent-padding-left-60px">This capability provides Defender for Endpoint with the ability to discover unmanaged workstations, servers, and mobile endpoints (Windows, Linux, macOS, iOS, and Android) that haven’t been onboarded and secured. Additionally, network devices (e.g.: switches, routers, firewalls, WLAN controllers, VPN gateways and others) can be discovered and added to the device inventory using periodic authenticated scans of preconfigured network devices.</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <UL> <LI><STRONG>Onboard discovered devices and secure them using integrated workflows </STRONG></LI> </UL> <P class="lia-indent-padding-left-60px">Once discovered, unmanaged endpoint and network devices connected to your networks can be onboarded to Defender for Endpoint. Integrated new workflows and new security recommendations in the threat and vulnerability management experience make it easy to onboard and secure these devices.</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <UL> <LI><STRONG>Review assessments and address threats and vulnerabilities on newly discovered devices</STRONG></LI> </UL> <P class="lia-indent-padding-left-60px">Once endpoints and network devices have been discovered, assessments can be run using Defender for Endpoint’s threat and vulnerability management capabilities. 
These security recommendations can be used to address issues on devices helping to reduce an organization’s threat and risk exposure.</P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P>Now that these features have reached general availability, you will notice that endpoint discovery is already enabled on your tenant. This is indicated by a banner that appears in the <STRONG>Endpoints\Device inventory</STRONG> section of the Microsoft 365 Defender console.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="2021 - Modern Work Security Group Marketing Field Advisory - Discovery GA - Pic.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289980i718384184F33330A/image-size/large?v=v2&amp;px=999" role="button" title="2021 - Modern Work Security Group Marketing Field Advisory - Discovery GA - Pic.png" alt="Figure 1: Device inventory view listing &quot;Can be onboarded&quot; devices and option to enable Standard Mode discovery." /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Figure 1: Device inventory view listing "Can be onboarded" devices and option to enable Standard Mode discovery.</span></span></P> <P>&nbsp;</P> <P>This banner will be available until July 19, 2021 which is when the default behavior for discovery will be switched from <A href="#" target="_self">Basic to Standard</A>. At this time, Standard discovery will enable the collection of a broader range of device related properties and it will also perform improved device classification. The switch to Standard mode was verified as having negligible network implications during the public preview. 
More information about the discovery and its two modes can be found in our previous <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909" target="_self">blog</A>.</P> <P>&nbsp;</P> <P>We’re excited for you to <A href="#" target="_blank" rel="noopener">take a look</A>&nbsp;and start using these capabilities, and we look forward to your feedback on them. If you have any questions or feedback, feel free to leave them in the comment section below. For more information, please review the <A href="#" target="_blank" rel="noopener">device discovery</A> and <A href="#" target="_blank" rel="noopener">network discovery</A> documentation on Microsoft Docs.</P> <P>&nbsp;</P> <P>To read more about our new device discovery and assessment capabilities, check out:</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Secure your unmanaged devices</A> in the Microsoft security blog</LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909" target="_blank" rel="noopener">Endpoint Discovery - Navigating your way through unmanaged devices</A></LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909" target="_blank" rel="noopener">Network device discovery and vulnerability assessments</A></LI> </UL> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. 
If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities,&nbsp;</EM><A href="#" target="_blank" rel="noopener"><EM>sign up for a free trial</EM></A><EM>&nbsp;of Microsoft Defender for Endpoint today.</EM></P> <P>&nbsp;</P> Tue, 22 Jun 2021 12:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/unmanaged-device-protection-capabilities-are-now-generally/ba-p/2463796 Chris Hallum 2021-06-22T12:00:00Z Threat & vulnerability management integrates with ServiceNow VR https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/threat-amp-vulnerability-management-integrates-with-servicenow/ba-p/2454065 <P>Most enterprises rely on a multitude of vendors, security solutions, and IT tools to combat advanced cyber-attacks. At Microsoft, we believe that when these solutions work well together, customers benefit and can build stronger defenses.</P> <P>That’s why we are excited to announce the general availability of a new integration between Microsoft threat and vulnerability management and <A href="#" target="_blank" rel="noopener">ServiceNow Vulnerability Response</A> (VR). The integration between these two products gives customers more flexibility in managing the end-to-end workflow of their vulnerability management program and aims to:</P> <P>&nbsp;</P> <UL> <LI>Optimize vulnerability prioritization</LI> <LI>Automate response workflows</LI> <LI>Speed up overall time to remediation</LI> </UL> <P>ServiceNow’s VR module ingests asset information, data on open and fixed vulnerabilities, and recommendations from Microsoft threat and vulnerability management. It syncs these findings into VR tables and data structures, where vulnerabilities are matched against existing assets in your CMDB, or a new Configuration Item (CI) is created if no match is found. 
The integration leverages standard Vulnerability Response data import and CI reconciliation methods.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Vulnerbaility Response Workflow Diagram.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/290276i99C17448296E13D0/image-size/large?v=v2&amp;px=999" role="button" title="Vulnerbaility Response Workflow Diagram.png" alt="Image 1: Vulnerability Response Workflow Diagram" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 1: Vulnerability Response Workflow Diagram</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The diagram above shows the import of vulnerability assessment content from Microsoft threat and vulnerability management into ServiceNow VR to orchestrate the remediation workflow of vulnerabilities.</P> <P>Once ServiceNow VR has ingested information from Microsoft threat and vulnerability management, security teams can start with a top-level view of the ingested data or dive deep using various views. Some of the available views include vulnerability groups, vulnerable items, and security recommendations taken directly from Microsoft threat and vulnerability management.&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Integration run status.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289850i0B6A805A5FD03A50/image-size/large?v=v2&amp;px=999" role="button" title="Integration run status.png" alt="Image 2: Integration run status dashboard" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 2: Integration run status dashboard</span></span></P> <P>&nbsp;</P> <P>Image 2 shows an all-up integration run status and details of how much data has been ingested over the last 30 days. 
The included timeline shows performance metrics over the same period.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="List of vulnerable items.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289851i0BA547339D0B6167/image-size/large?v=v2&amp;px=999" role="button" title="List of vulnerable items.png" alt="Image 3: Overview of ingested vulnerable items" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 3: Overview of ingested vulnerable items</span></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Overview of Microsoft threat and vulnerability management security recommendations.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289852i2AE8AC5DDEA55764/image-size/large?v=v2&amp;px=999" role="button" title="Overview of Microsoft threat and vulnerability management security recommendations.png" alt="Image 4: Overview of Microsoft threat and vulnerability management security recommendations" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 4: Overview of Microsoft threat and vulnerability management security recommendations</span></span></P> <P>&nbsp;</P> <P>As part of the remediation workflow, ServiceNow VR prioritizes vulnerabilities using asset and business context, along with vulnerability risk scores. The risk score and rating take the vulnerability information and configuration item into account. 
Security teams can customize the risk calculator based on their organization’s preferences and requirements, optimizing the prioritization of vulnerabilities.</P> <P>&nbsp;</P> <P>Users can then investigate each vulnerability and associated details within the ServiceNow console.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Details view of a vulnerable item.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/289853i61FC901674815576/image-size/large?v=v2&amp;px=999" role="button" title="Details view of a vulnerable item.png" alt="Image 5: Details view of vulnerable items" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 5: Details view of vulnerable items</span></span></P> <P>&nbsp;</P> <P>Lastly, ServiceNow VR provides a grouping of vulnerabilities based on the Microsoft recommendations and automatically assigns tickets to the relevant IT owners and sets the SLAs using predefined rules. This enables customers to use existing workflows and established processes in their organization and create an end-to-end process across the vulnerability management program.</P> <P>The integration between Microsoft threat and vulnerability management and ServiceNow VR can help security teams create more automated remediation workflows and drive efficiencies with their IT counterparts.</P> <P>&nbsp;</P> <P><STRONG>An added focus on interoperability</STRONG></P> <P>Microsoft threat and vulnerability management APIs empower security teams to deliver greater value to their vulnerability management program. 
The set of APIs that was used to build the ServiceNow integration gives customers and partners full access to the threat and vulnerability management dataset, including:</P> <P>&nbsp;</P> <UL> <LI>Vulnerability assessment</LI> <LI>Security configuration assessment</LI> <LI>Software inventory for all devices</LI> </UL> <P>If you want to know how to use these APIs to create custom reports, build automations, and more, <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/new-threat-amp-vulnerability-management-apis-create-reports/ba-p/2445813" target="_blank" rel="noopener">check out this blog post.</A></P> <P>As we continue to expand the depth and breadth of Microsoft’s vulnerability management capabilities, our team is focused on building a broad ecosystem of integration partners. We understand that our customers have existing investments and established processes to run their security and IT operations and we want to ensure our products support these requirements. If you would like to see additional integrations within Microsoft Defender for Endpoint, go to the&nbsp;<A href="#" target="_blank" rel="noopener"><EM>Partner Application page</EM></A>&nbsp;in the Microsoft Defender Security Center, and click&nbsp;<STRONG>Recommend other partners</STRONG>.</P> <P>&nbsp;</P> <P><STRONG>More information and feedback</STRONG></P> <UL> <LI>The threat and vulnerability management capabilities are part of&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint</A>&nbsp;and enable organizations to effectively identify, assess, and remediate endpoint weaknesses to reduce organizational risk.</LI> <LI><A href="#" target="_blank" rel="noopener">Check out the step-by-step guide</A> on how to setup and use the integration.</LI> <LI><A href="#" target="_self">Get the integration in the ServiceNow store.</A></LI> <LI>We want to hear from you! 
If you have any suggestions, questions, or comments, please visit us on our&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP" target="_blank" rel="noopener">Tech Community page</A>.</LI> </UL> Mon, 21 Jun 2021 14:32:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/threat-amp-vulnerability-management-integrates-with-servicenow/ba-p/2454065 Kim Kischel 2021-06-21T14:32:00Z New threat & vulnerability management APIs - create reports, automate, integrate https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/new-threat-amp-vulnerability-management-apis-create-reports/ba-p/2445813 <P>We are excited to announce the general availability of a new set of APIs for Microsoft threat and vulnerability management that allow security administrators to drive efficiencies and customize their vulnerability management program. While previous versions were dependable and feature-rich, we built the new APIs with enterprises in mind that are looking for economies of scale within their vulnerability management program and need to handle large datasets and device inventories daily. <A href="#" target="_blank" rel="noopener">These new APIs</A> provide the ability to design and export customized reports and dashboards, automate tasks, and allow teams to build or leverage existing integrations with third party tools.</P> <P>&nbsp;</P> <P>Security teams will get detailed information as part of a full data snapshot or they can limit the dataset to only include changes since the last data download for a more focused view. 
Information from the following threat and vulnerability management areas is included:</P> <P>&nbsp;</P> <UL> <LI><STRONG>Vulnerabilities assessment</STRONG> - discovered vulnerabilities on devices</LI> <LI><STRONG>Secure Configuration Assessment</STRONG> - detected misconfigurations on devices</LI> <LI><STRONG>Software inventory</STRONG> – a full list of installed software products across devices</LI> </UL> <P>&nbsp;</P> <P>Now let’s look at how you can use these new APIs to boost and customize your vulnerability management program.</P> <P>&nbsp;</P> <H1><FONT size="5"><STRONG>Create custom reports</STRONG></FONT></H1> <P>Customized reports and dashboards enable you to pool the most meaningful data and insights about your organization’s security posture into a more focused view based on what your organization or specific teams and stakeholders need to know and care about most. Custom reports can increase the actionability of information and improve efficiencies across teams, because it reduces the workload of busy security teams and allows them to focus on the most critical vulnerabilities.</P> <P>&nbsp;</P> <P>Before building custom views using tools such as PowerBI and Excel, you can enrich the native datasets provided by Microsoft’s threat and vulnerability management solution with additional data from Microsoft Defender for Endpoint or a third-party tool of your choice.</P> <P>&nbsp;</P> <P>In addition, these reports/dashboards give you an easy way to report key information and trends to top management to track business KPIs and provide meaningful insights on the overall status of the vulnerability management program in your organization.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>With a custom interface you can show the information that your teams need and nothing more, creating a simpler task view or list of day-to-day work items. 
It provides flexibility in using any of the solution’s components, such as vulnerability report, missing security updates, installed software, end-of-support products, and operating systems, and combining them with advanced filtering capabilities. This can help optimize and streamline the end user experience according to your organization’s needs.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H3>Let’s look at examples of reports that you can create:</H3> <P>&nbsp;</P> <P><STRONG>Vulnerabilities report</STRONG><STRONG>&nbsp;</STRONG></P> <P>This report gives you a snapshot of the security posture of your organization and allows you to identify the most critical and exploitable vulnerabilities, see the most exposed devices distributed by OS, or drill down into specific CVEs. You can user filters to show when a CVE was detected for the first time, or use advanced properties such as Device tags, Device groups, Device health (active\inactive), and more.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Vulnerability report.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/288681iC231403FFC4CFBEB/image-size/large?v=v2&amp;px=999" role="button" title="Vulnerability report.png" alt="Image 1: Vulnerabilities report" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 1: Vulnerabilities report</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="pic_2.png" style="width: 924px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/288734i4E67FCD6D365F109/image-size/large?v=v2&amp;px=999" role="button" title="pic_2.png" alt="Image 2: Vulnerability report - severity and vulnerable devices by OS" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 2: Vulnerability report - severity and vulnerable devices by 
OS</span></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>Missing Windows security updates</STRONG><STRONG>&nbsp;</STRONG></P> <P>This report gives you a complete picture of all missing Windows security updates across your organization. You can see what the most exposed operating systems are, or search for a particular security update to show all affected devices.</P> <P>You can filter the report by the associated CVE criticality, by age of each security update, or filter by advanced properties such as device tags, device groups, device health (active\inactive) and more.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pic_3.png" style="width: 916px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/288735iC284A5827DFC5147/image-size/large?v=v2&amp;px=999" role="button" title="pic_3.png" alt="Image 3: Missing Windows Security Updates" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 3: Missing Windows Security Updates</span></span></P> <P>&nbsp;</P> <P><STRONG>Software inventory </STRONG></P> <P>This report gives an overview of your software inventory. 
In addition to the org-level view, you can explore recent installations and on which devices, when, and in what version they were installed.</P> <P>&nbsp;</P> <P>You can filter the report by number of the weaknesses associated with each software, by software name\vendor, or filter by advanced properties such as Device tags, Device groups, Device health (active\inactive) and more.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="pic_4.png" style="width: 954px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/288736iF63B153A6E19370E/image-size/large?v=v2&amp;px=999" role="button" title="pic_4.png" alt="Image 4: Software inventory" /><span class="lia-inline-image-caption" onclick="event.preventDefault();">Image 4: Software inventory</span></span></P> <P>&nbsp;</P> <P>You can create your own reports, use any of the templates we have shown above, or check out more report templates in our <A href="#" target="_blank" rel="noopener">GitHub library</A>:</P> <UL> <LI>End-of-support operating systems</LI> <LI>End-of-support software and versions</LI> <LI>Misconfigurations per device</LI> <LI>Software vulnerability recommendations</LI> <LI>Non-windows security updates</LI> <LI>Exposure score visualizations</LI> </UL> <P>&nbsp;</P> <P>Have you created your own report or used these published templates? 
We would love to see how you’re using these new capabilities!</P> <P>&nbsp;</P> <P><STRONG>Other resources: </STRONG></P> <P>Build <A href="#" target="_blank" rel="noopener">OData queries with Microsoft Defender for Endpoint</A></P> <P>Create <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/create-custom-reports-using-microsoft-defender-atp-apis-and/ba-p/1007684" target="_blank" rel="noopener">custom reports using Microsoft Defender ATP APIs and Power BI</A></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>&nbsp;</STRONG></P> <P><FONT size="5"><STRONG>Automation and integrations</STRONG></FONT></P> <P>A big part of a successful vulnerability management (VM) program is the ability to automate tasks and reduce the manual workload of security and IT teams, as well as integrating the VM solution with existing tools that are part of an established workflow process in your organization.</P> <P>Our new threat and vulnerability management APIs enable you to build a data exchange between natively provided data and your existing tools. At the same time, we are working with partners to continuously expand the portfolio of out-of-the-box integrations with third party solutions. You can already leverage our <A href="#" target="_blank" rel="noopener">Skybox</A> integration today and we are in the process of releasing additional integrations for <A href="#" target="_blank" rel="noopener">ServiceNow VR</A> and <A href="#" target="_blank" rel="noopener">Kenna Security</A> and in the coming weeks.</P> <P>&nbsp;</P> <P>The Kenna Security partnership will strengthen the overall prioritization capabilities, combining threat and vulnerability management data with real-world threat and exploit intelligence and advanced data science to determine which vulnerabilities pose the highest risk to your organization. 
To learn more about the upcoming integration <A href="#" target="_blank" rel="noopener">join our webinar on 6/24</A>.</P> <P>&nbsp;</P> <P>By integrating with <A href="#" target="_blank" rel="noopener">ServiceNow Vulnerability Response</A> you will be able to easily automate and track workflows. We will share more information soon!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>While we will have more news on integrations and automation in the coming months, if there are specific integrations you would like to see on our roadmap, go to the&nbsp;<A href="#" target="_blank" rel="noopener">Partner Application page</A>&nbsp;in the Microsoft Defender Security Center, and click&nbsp;<STRONG>Recommend other partners</STRONG>.</P> <P>&nbsp;</P> <P>&nbsp;</P> <H1><FONT size="5">More information and feedback</FONT></H1> <P>&nbsp;</P> <P>The threat and vulnerability management capabilities are part of <A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint</A> and enable organizations to effectively identify, assess, and remediate endpoint weaknesses to reduce organizational risk.</P> <P>&nbsp;</P> <P>Check out our <A href="#" target="_blank" rel="noopener">documentation</A> for a complete overview of how you can consume these new APIs.</P> <P>&nbsp;</P> <P>We want to hear from you! 
If you have any suggestions, questions, or comments, please visit us on our <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/bd-p/MicrosoftDefenderATP" target="_blank" rel="noopener">Tech Community page</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 22 Jun 2021 14:50:25 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/new-threat-amp-vulnerability-management-apis-create-reports/ba-p/2445813 Kim Kischel 2021-06-22T14:50:25Z Announcing new capabilities on Android and iOS https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-new-capabilities-on-android-and-ios/ba-p/2442730 <P><SPAN data-contrast="none">Today we are excited to announce&nbsp;new&nbsp;Microsoft Defender for Endpoint&nbsp;capabilities&nbsp;that are&nbsp;generally&nbsp;available&nbsp;for Android and iOS that provide additional breach&nbsp;protection,&nbsp;reduce risk in your organization,&nbsp;simplify the end user experience, and&nbsp;offer secure access to on-prem resources.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">First, customers&nbsp;will notice an updated look to the&nbsp;Microsoft Defender for Endpoint&nbsp;mobile&nbsp;app.&nbsp;The new experience helps end users better understand the capabilities the app provides and enables the user to be more aware of the security threats to their device.&nbsp;Microsoft’s mobile threat defense solution will continue to offer: </SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN 
data-contrast="none">Protection against phishing coming from browsing, email, apps, and messaging&nbsp;platforms</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="none">Scans for malware and potentially unwanted apps (on Android)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="none">Blocking of unsafe connections as well as access to sensitive data (on Android)</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="1" aria-setsize="-1" data-aria-posinset="4" data-aria-level="1"><SPAN data-contrast="none">A&nbsp;unified security experience&nbsp;for SecOps&nbsp;in Microsoft 365 Defender&nbsp;</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Dashboard Dark.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/288841i99F3F54892175494/image-size/medium?v=v2&amp;px=400" role="button" title="Dashboard Dark.png" alt="Dashboard Dark.png" /></span><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:240}"><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="App Security LightAppSecurity.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/288840i6FB0E4AC04DD0EBD/image-size/medium?v=v2&amp;px=400" role="button" title="App Security LightAppSecurity.png" alt="App Security LightAppSecurity.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Web Protection.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/288842iE0DBB178F31D0EBB/image-size/medium?v=v2&amp;px=400" role="button" title="Web Protection.png" alt="Web Protection.png" /></span><SPAN class="TextRun SCXW113531675 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW113531675 BCX8" data-ccp-parastyle="Normal (Web)">&nbsp;&nbsp;</SPAN></SPAN></SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tunnel.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/288272i58F7E9D414154504/image-size/medium?v=v2&amp;px=400" role="button" title="Tunnel.png" alt="Tunnel.png" /></span><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:240}"><SPAN class="TextRun SCXW113531675 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW113531675 BCX8" data-ccp-parastyle="Normal (Web)">&nbsp;&nbsp;</SPAN></SPAN></SPAN><SPAN style="font-family: inherit;">&nbsp;</SPAN></P> <P><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:240}"><SPAN class="TextRun SCXW113531675 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW113531675 BCX8" data-ccp-parastyle="Normal (Web)">&nbsp; &nbsp; &nbsp;Figur</SPAN></SPAN></SPAN><SPAN style="font-family: inherit;" 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:240}"><SPAN class="TextRun SCXW113531675 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW113531675 BCX8" data-ccp-parastyle="Normal (Web)">e 1: Microsoft Defender for En</SPAN></SPAN></SPAN><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:160,&quot;335559740&quot;:240}"><SPAN class="TextRun SCXW113531675 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW113531675 BCX8" data-ccp-parastyle="Normal (Web)">dpoint&nbsp;</SPAN><SPAN class="NormalTextRun SCXW113531675 BCX8" data-ccp-parastyle="Normal (Web)">updated mobile app screens in light and dark mode.</SPAN></SPAN><SPAN class="EOP SCXW113531675 BCX8" data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559740&quot;:240}">&nbsp;</SPAN></SPAN></P> <P>&nbsp;</P> <P><STRONG style="font-family: inherit;"><SPAN data-contrast="none">Mobile application&nbsp;management&nbsp;support&nbsp;for&nbsp;non-Intune enrolled devices</SPAN></STRONG><SPAN style="font-family: inherit;" data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">We are pleased to&nbsp;announce&nbsp;the general availability of&nbsp;Microsoft Defender&nbsp;for Endpoint&nbsp;support&nbsp;for&nbsp;mobile&nbsp;application&nbsp;management (MAM)&nbsp;on&nbsp;Android and iOS. 
Prior to this update, Microsoft Defender for Endpoint&nbsp;worked on&nbsp;devices that&nbsp;were&nbsp;enrolled using Intune mobile device management (MDM) only.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">With this&nbsp;update&nbsp;Microsoft Defender for Endpoint&nbsp;can protect&nbsp;an&nbsp;organization’s data&nbsp;within a managed application&nbsp;for those&nbsp;who&nbsp;aren’t using&nbsp;an MDM&nbsp;but are using Intune to manage mobile applications. It also&nbsp;extends support to&nbsp;customers&nbsp;who use other&nbsp;enterprise mobility management solutions&nbsp;such as AirWatch,&nbsp;MobileIron, MaaS360, and others, while still using Intune for&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">mobile&nbsp;application management</SPAN></A><SPAN data-contrast="none">.&nbsp;&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Microsoft&nbsp;Defender for Endpoint&nbsp;will continue to&nbsp;evaluate&nbsp;the&nbsp;device risk&nbsp;score&nbsp;based on&nbsp;threats identified on the device&nbsp;and&nbsp;will&nbsp;share&nbsp;that score&nbsp;with&nbsp;app protection policies.&nbsp;These polices&nbsp;provide an additional layer of breach protection by&nbsp;blocking access or selectively wiping a user’s corporate data.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN 
data-contrast="none">For&nbsp;setup and configuration details&nbsp;read the&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/intune-customer-success/microsoft-defender-for-endpoint-risk-signals-available-for-your/ba-p/2186322" target="_blank" rel="noopener"><SPAN data-contrast="none">blog&nbsp;post</SPAN></A><SPAN data-contrast="none">. </SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><STRONG><SPAN data-contrast="none">Jailbreak detection available for iOS</SPAN></STRONG><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Jailbreaking an iOS&nbsp;device&nbsp;elevates&nbsp;root access that is granted to the user of the device.&nbsp;Once this happens, users can easily sideload potentially malicious applications and the iPhone won’t get critical, automatic iOS updates that may fix security&nbsp;vulnerabilities.&nbsp;These kinds of devices&nbsp;introduce additional risk and a higher probability of a breach to your organization.&nbsp;We&nbsp;are&nbsp;excited to share the general availability of&nbsp;the jailbreak&nbsp;detection capability in Microsoft Defender for Endpoint on iOS. 
This&nbsp;adds to the&nbsp;phishing protection that already exists.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Jailbreak-Alert-Console-edit.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/288277iBF933A420FF6BB74/image-size/large?v=v2&amp;px=999" role="button" title="Jailbreak-Alert-Console-edit.png" alt="Jailbreak-Alert-Console-edit.png" /></span></P> <P><SPAN data-contrast="none">Figure 2: Jailbreak alert in Microsoft 365 Defender&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">With this change, Microsoft Defender for Endpoint on iOS&nbsp;will detect&nbsp;both unmanaged and managed devices that are jailbroken.&nbsp;If it’s detected that a device is jail broken,&nbsp;an alert is&nbsp;surfaced to&nbsp;the security team in Microsoft 365 Defender.&nbsp;The device will then be&nbsp;considered&nbsp;as a&nbsp;high risk&nbsp;device and this risk score&nbsp;is shared with your app&nbsp;protection or&nbsp;device&nbsp;compliance&nbsp;policies&nbsp;so that you can block it from accessing corporate resources.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">For more details, please refer to the documentation </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">here</SPAN></A><SPAN data-contrast="none">.</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><STRONG><SPAN data-contrast="none">Simplified&nbsp;onboarding for iOS users</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">As a part of our commitment to continuously improve the experience for end users, we are now also simplifying end user onboarding. Until now, end users needed to provide VPN permissions to allow the iOS app to provide anti-phishing protection. With this update, admins will be able to setup configuration and push the VPN profile to enrolled devices so that VPN related permissions will not have to be provided by end users, thus simplifying their onboarding experience.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">For more information, please refer to the documentation </SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">here</SPAN></A><SPAN data-contrast="none">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><STRONG><SPAN data-contrast="none">Microsoft Tunnel VPN integration</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Finally, we’re excited to share the&nbsp;general availability of&nbsp;Microsoft Tunnel VPN capabilities&nbsp;unified&nbsp;in&nbsp;the&nbsp;Microsoft Defender for Endpoint app for Android. 
This&nbsp;unification&nbsp;enables organizations to offer a simplified end user experience with one security app&nbsp;– offering both mobile threat defense and the ability to access&nbsp;on-prem resources from their mobile device, while security and IT teams are able to maintain the same admin&nbsp;experiences&nbsp;they are familiar with.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none"> </SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Existing customers of Microsoft Defender for Endpoint, who are also licensed for Microsoft Tunnel, will see Tunnel&nbsp;capabilities&nbsp;in the Defender for Endpoint app on Android. Existing Tunnel customers will switch to using the Microsoft Defender for Endpoint app for VPN. They will not see any other changes to Tunnel features, it will simply now appear within the Defender for Endpoint app. IT administrators will be able to continue to use the Microsoft Endpoint Manager admin center to configure both Defender and Tunnel features. 
For additional details, </SPAN><A href="#" target="_blank" rel="noopener"><SPAN>read the blog</SPAN></A><SPAN data-contrast="none"> announcing these changes.</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">We’re excited to share these new updates with you and&nbsp;continue to build on security capabilities across platforms.&nbsp;We look forward to hearing your feedback!</SPAN><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;134233117&quot;:true,&quot;134233118&quot;:true,&quot;201341983&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><I><SPAN data-contrast="none">Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense&nbsp;in a single unified platform. With our solution, threats are no match. If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities, </SPAN></I><A href="#" target="_blank" rel="noopener"><I><SPAN data-contrast="none">sign up for a free trial</SPAN></I></A><I><SPAN data-contrast="none"> of Microsoft Defender for Endpoint today.</SPAN></I><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P>&nbsp;</P> Mon, 21 Jun 2021 18:52:35 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-new-capabilities-on-android-and-ios/ba-p/2442730 Shravan Thota 2021-06-21T18:52:35Z Welcome to Microsoft 365 Defender! 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/welcome-to-microsoft-365-defender/ba-p/2436618 <P><SPAN>Last month, we </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/unified-experiences-across-endpoint-and-email-are-now-generally/ba-p/2278132" target="_blank">announced</A><SPAN> the general availability of Microsoft Defender for Endpoint and Microsoft Defender for Office 365 capabilities in Microsoft 365 Defender. Security teams can now manage all endpoint, email and collaboration, cross-product investigation, configuration, and remediation activities within a single unified XDR dashboard. Our efforts to bring these solutions together are part of our commitment to deliver world class SecOps capabilities that empower security teams to respond to threats more rapidly and effectively.</SPAN></P> <P>&nbsp;</P> <P><SPAN>We are excited by the reception you have given us on Microsoft 365 Defender and many customers have already made the transition to the new experience. Starting <STRONG>July 6, 2021</STRONG>, the default experience for Microsoft Defender for Endpoint will shift to Microsoft 365 Defender. This change will take some time to roll out across all geographies and will be&nbsp;completed automatically by Microsoft. Once transitioned, you can continue to use your existing portal URL and it will redirect to the new experience.</SPAN></P> <P>&nbsp;</P> <P><SPAN>For Microsoft Defender for Endpoint customers, all existing capabilities are already available in Microsoft 365 Defender. 
To learn more about the integrated experience and features, please refer to our recent </SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-365-defender-now-delivers-unified-experiences-across/ba-p/2177512" target="_blank">blog</A><SPAN> and instructional </SPAN><A href="#" target="_blank">video</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Amir_Lande_0-1623351001972.png" style="width: 521px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/287912iEC903C22FD496BFE/image-dimensions/521x255?v=v2" width="521" height="255" role="button" title="Amir_Lande_0-1623351001972.png" alt="Amir_Lande_0-1623351001972.png" /></span></P> <P>Figure 1: Endpoint features integrated into Microsoft 365 Defender.&nbsp;</P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>For those who have not yet tried out the unified experience in Microsoft 365 Defender, we recommend that you navigate to security.microsoft.com today and explore it.&nbsp; To help you get up to speed quickly please refer to this </SPAN><A href="#" target="_blank">quick reference</A> <SPAN>to guide you through the changes you can expect in the new portal.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Moving forward, we are focusing our engineering efforts on the unified experience in Microsoft 365 Defender. We recognize that some customers need more time to transition. The legacy portal will still be available and if you need more time to transition you can </SPAN><A href="#" target="_blank">opt-out of the automatic redirection in your portal settings</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P><SPAN>We’d like to hear your feedback&nbsp;as you move to the&nbsp;new experience, and we are here to help you with a smooth transition</SPAN><SPAN>. </SPAN><A href="#" target="_blank">Send us feedback</A><SPAN> directly through the portal. 
If you wish to opt-out of the preview migration you can contact us at unifiedportal@microsoft.com.</SPAN></P> Thu, 10 Jun 2021 18:56:21 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/welcome-to-microsoft-365-defender/ba-p/2436618 Amir_Lande 2021-06-10T18:56:21Z How to migrate advanced hunting to Microsoft 365 Defender https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-to-migrate-advanced-hunting-to-microsoft-365-defender/ba-p/2409440 <P><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft 365 Defender</SPAN></A><SPAN data-contrast="auto">&nbsp;simplifies and expands Microsoft security capabilities by consolidating data and functionality into unified experiences highlighted by incident, automated investigation and response, and&nbsp;advanced hunting experiences&nbsp;that&nbsp;you can access in Microsoft 365 security center.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">With&nbsp;advanced&nbsp;hunting, customers can continue using the powerful Kusto-based query interface to hunt across a device-optimized schema for Microsoft Defender for Endpoint. 
They can also switch to the Microsoft 365 security center, where we’ve surfaced additional email, identity, and app data consolidated under Microsoft 365 Defender.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Customers who actively use&nbsp;advanced hunting in Microsoft Defender for Endpoint are advised to note the following details to ensure a smooth transition to&nbsp;advanced hunting in Microsoft 365 Defender:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI><SPAN data-contrast="auto">You can edit your Microsoft Defender for Endpoint&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">custom detection rules</SPAN></A><SPAN data-contrast="auto">&nbsp;in Microsoft 365 Defender. At the same time, alerts generated by custom detection rules in Microsoft 365 Defender will now be displayed in a newly built alert page that provides the following information:</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN> <UL> <LI><SPAN data-contrast="auto">Alert title and description&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="auto">Impacted assets</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="auto">Actions taken in response to the alert</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="auto">Query results that triggered the alert (timeline and table 
views)</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="auto">Information on the custom detection rule&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> </LI> </UL> <P class="lia-indent-padding-left-30px"><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AlertPage.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/285655i95C928DA424D7803/image-size/large?v=v2&amp;px=999" role="button" title="AlertPage.png" alt="AlertPage.png" /></span></SPAN></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <UL> <LI><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="TextRun SCXW175948138 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW175948138 BCX8">With alert data consolidated from various sources in Microsoft 365 Defender, the contents of the&nbsp;</SPAN></SPAN><A class="Hyperlink SCXW175948138 BCX8" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined SCXW175948138 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW175948138 BCX8" data-ccp-charstyle="Hyperlink">DeviceAlertEvents</SPAN></SPAN></A><SPAN class="TextRun SCXW175948138 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW175948138 BCX8">&nbsp;table are surfaced using the&nbsp;</SPAN></SPAN><A class="Hyperlink SCXW175948138 BCX8" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined SCXW175948138 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW175948138 BCX8" 
data-ccp-charstyle="Hyperlink">AlertInfo</SPAN></SPAN></A><SPAN class="TextRun SCXW175948138 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW175948138 BCX8">&nbsp;and&nbsp;</SPAN></SPAN><A class="Hyperlink SCXW175948138 BCX8" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined SCXW175948138 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW175948138 BCX8" data-ccp-charstyle="Hyperlink">AlertEvidence</SPAN></SPAN></A><SPAN class="TextRun SCXW175948138 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW175948138 BCX8">&nbsp;tables. These replacement tables are&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW175948138 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW175948138 BCX8">not</SPAN></SPAN><SPAN class="TextRun SCXW175948138 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW175948138 BCX8">&nbsp;constrained to alerts on devices. Instead, they also cover alerts from Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Cloud App Security, providing visibility over threat activity impacting emails, apps, and identities. 
See </SPAN><SPAN class="NormalTextRun SCXW175948138 BCX8">our documentation: </SPAN></SPAN><A class="Hyperlink SCXW175948138 BCX8" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined SCXW175948138 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW175948138 BCX8" data-ccp-charstyle="Hyperlink">Migrate advanced hunting queries from Microsoft Defender for Endpoint</SPAN></SPAN></A></SPAN></LI> </UL> <P><SPAN data-contrast="auto">Read through the following sections for tips on how you can transition your Microsoft Defender for Endpoint rules smoothly to Microsoft 365 Defender.</SPAN></P> <P>&nbsp;</P> <H4><STRONG><SPAN data-contrast="auto">Migrate custom detection rules</SPAN></STRONG></H4> <P><SPAN data-contrast="auto">When Microsoft Defender for Endpoint rules are edited in Microsoft 365 Defender, they continue to function as before </SPAN><STRONG><SPAN data-contrast="auto">if the resulting query looks at device tables only</SPAN></STRONG><SPAN data-contrast="auto">. For example, alerts generated by custom detection rules that query only device tables will continue to be delivered to your SIEM and generate email notifications, depending on how you’ve configured these in Defender for Endpoint. 
Any existing suppression rules in&nbsp;Defender for Endpoint will also continue to apply.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Once you edit a&nbsp;Defender for Endpoint rule so that it queries&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">identity and email</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">tables</SPAN></STRONG><SPAN data-contrast="auto">, which are only available in Microsoft 365 Defender, the rule is automatically moved to Microsoft 365 Defender. Alerts generated by the migrated rule:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI><SPAN data-contrast="auto">Are no longer visible in the&nbsp;Microsoft Defender Security Center&nbsp;(Microsoft Defender for Endpoint portal).</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="auto">Stop being delivered to your SIEM or generate email notifications. To work around these&nbsp;changes,&nbsp;configure notifications through&nbsp;Microsoft 365 Defender&nbsp;to get the alerts. You&nbsp;can use the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft 365 Defender API</SPAN></A><SPAN data-contrast="auto">&nbsp;to receive notifications for custom&nbsp;detection alerts or related incidents.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="auto">Won't be suppressed by Microsoft Defender for Endpoint suppression rules. 
To prevent alerts from being generated for certain users, devices, or mailboxes, modify the corresponding queries to exclude those entities explicitly.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-contrast="auto">If you do edit a rule this way, you will be prompted for confirmation before such changes are applied.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <H4><STRONG><SPAN data-contrast="auto">Write queries without&nbsp;DeviceAlertEvents</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></H4> <P><SPAN data-contrast="auto">In&nbsp;Microsoft 365 Defender, the&nbsp;AlertInfo&nbsp;and&nbsp;AlertEvidence&nbsp;tables are provided to accommodate the diverse set of information that accompany alerts from various sources. Once you transition to Advanced hunting in Microsoft 365 Defender, you’ll need to make&nbsp;adjustments&nbsp;so your queries get the same alert information that you used to get from the&nbsp;DeviceAlertEvents&nbsp;table in the Microsoft Defender for Endpoint schema.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">In general, you can get all the device-specific Microsoft Defender for Endpoint alert info by filtering the&nbsp;AlertInfo&nbsp;table by&nbsp;ServiceSource&nbsp;and then joining each unique ID with the&nbsp;AlertEvidence&nbsp;table, which provides detailed event and entity information. 
See the sample query below:</SPAN></P> <P>&nbsp;</P> <PRE>AlertInfo
| where Timestamp &gt; ago(7d)
| where ServiceSource == "Microsoft Defender for Endpoint"
| join AlertEvidence on AlertId</PRE> <P><SPAN data-contrast="auto">This query will yield many more columns than simply taking records from DeviceAlertEvents. To keep results manageable, use </SPAN><I><SPAN data-contrast="auto">project</SPAN></I><SPAN data-contrast="auto"> to get only the columns you are interested in. 
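</SPAN></P> <P>An added example, not from the original post, showing what the join above does to the row count and how to bring it back to one row per alert. The join returns one row for every evidence entity attached to an alert (devices, processes, files, users, IPs, URLs), so a single alert can appear many times; the query below keeps only the device-, process- and file-typed evidence and then summarizes back to one row per alert. The 7-day window and the "powershell" technique filter are illustrative choices; the table and column names are those of the Microsoft 365 Defender advanced hunting schema.</P>
```kql
// Added example (not from the original post): a DeviceAlertEvents-style result set
// rebuilt from AlertInfo + AlertEvidence and collapsed back to one row per alert.
// The 7-day window and the "powershell" technique filter are illustrative choices.
let lookback = 7d;
AlertInfo
| where Timestamp > ago(lookback)
| where ServiceSource == "Microsoft Defender for Endpoint"
| where AttackTechniques has "powershell"
// Trim the evidence side before joining: each entity attached to an alert is its own
// row, so user, IP and URL evidence would otherwise multiply the output.
| join kind=inner (
    AlertEvidence
    | where Timestamp > ago(lookback)
    | where EntityType in ("Device", "Process", "File")
    | project AlertId, DeviceId, DeviceName, FileName, SHA1, ProcessCommandLine
  ) on AlertId
// Fold the remaining evidence rows into one row per alert; empty values coming from
// evidence rows of another type are skipped rather than collected.
| summarize
    DeviceId = take_anyif(DeviceId, isnotempty(DeviceId)),
    DeviceName = take_anyif(DeviceName, isnotempty(DeviceName)),
    Files = make_set_if(FileName, isnotempty(FileName), 50),
    Hashes = make_set_if(SHA1, isnotempty(SHA1), 50),
    CommandLines = make_set_if(ProcessCommandLine, isnotempty(ProcessCommandLine), 50)
  by AlertId, Timestamp, Title, Category, Severity
| order by Timestamp desc
```
<P>If you need every evidence entity rather than a per-alert summary, drop the summarize and keep the EntityType filter: the filter, not the project, is what keeps the result set readable.</P> <P><SPAN data-contrast="auto">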
The example below projects columns you might be interested in when investigating detected PowerShell activity:</SPAN></P> <P>&nbsp;</P> <PRE>AlertInfo
| where Timestamp &gt; ago(7d)
| where ServiceSource == "Microsoft Defender for Endpoint"
  and AttackTechniques has "powershell"
| join AlertEvidence on AlertId
| project Timestamp, Title, AlertId, DeviceName, FileName, ProcessCommandLine</PRE> <P>&nbsp;</P> <H4><STRONG><SPAN data-contrast="auto">Let us know how we can help</SPAN></STRONG></H4> <P><SPAN data-contrast="auto">While the move to Microsoft 365 Defender offers 
limitless benefits, especially to customers who have deployed multiple Microsoft 365 security solutions, we understand that change can present challenges. We’d like to encourage all customers to send us feedback about their experiences managing this change and suggestions on how we can help further. Contact us at </SPAN><A href="https://gorovian.000webhostapp.com/?exam=mailto:ahfeedback@microsoft.com" target="_blank" rel="noopener"><SPAN data-contrast="none">ahfeedback@microsoft.com</SPAN></A><SPAN data-contrast="auto"> or send us feedback through the portals.</SPAN></P> <P>&nbsp;</P> Fri, 04 Jun 2021 22:36:30 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-to-migrate-advanced-hunting-to-microsoft-365-defender/ba-p/2409440 Tali Ash 2021-06-04T22:36:30Z Secure configuration assessment for macOS and Linux now in public preview https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/secure-configuration-assessment-for-macos-and-linux-now-in/ba-p/2320517 <P>Effectively identifying, assessing, and remediating device misconfigurations that deviate from security best practices is pivotal in running a healthy security program, hardening your surface area, and reducing organizational risk. Microsoft’s <A href="#" target="_blank" rel="noopener">Threat and Vulnerability Management</A> capabilities already do this for Windows 10 and Windows Server devices today. 
However, when it comes to misconfiguration detection and remediation, covering additional operating systems is just as important.</P> <P>&nbsp;</P> <P>Today, we’re excited to announce that we're expanding our secure configuration assessment capabilities to cover <STRONG>macOS</STRONG> and <STRONG>Linux, in addition to existing support for Windows 10 and Windows Server devices.</STRONG> With this expansion, organizations can now discover, prioritize, and remediate over 30 known unsecure configurations in macOS and Linux to improve their organization's security posture. <SPAN>We’ll </SPAN><SPAN>be</SPAN><SPAN> continuously expanding on the initial set of supported configuration assessments to provide more visibility into your security posture.</SPAN></P> <P>&nbsp;</P> <P>The secure configuration assessment feature in threat &amp; vulnerability management is a key component of <A href="#" target="_blank" rel="noopener">Microsoft Secure Score for Devices</A>. When generally available, the newly introduced configuration assessments for macOS and Linux will also be surfaced in the all-up <A href="#" target="_blank" rel="noopener">Microsoft Secure Score</A>.</P> <P>&nbsp;</P> <P><SPAN>Want to know how many macOS devices have FileVault turned off, or how many Linux devices have real-time protection disabled? Go to </SPAN><A href="#" target="_blank" rel="noopener">Vulnerability management &gt; Security recommendations</A><SPAN> in the Microsoft 365 security portal (security.microsoft.com). 
You can also open the device page for any of your macOS or Linux devices and select the 'Security recommendations' tab.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>This new capability requires client version 101.23.64 or later.</SPAN></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="used.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/277772i45B89566FB2153B1/image-size/large?v=v2&amp;px=999" role="button" title="used.png" alt="used.png" /></span></P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint team</EM></P> <P>&nbsp;</P> Fri, 14 May 2021 19:15:01 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/secure-configuration-assessment-for-macos-and-linux-now-in/ba-p/2320517 Gilad_Mittelman 2021-05-14T19:15:01Z Endpoint Discovery - Navigating your way through unmanaged devices https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909 <P data-unlink="true">Today (June 22nd), <A href="#" target="_self">we released into GA a new set of capabilities</A> for <A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint</A> that empower organizations to discover and secure network devices and unmanaged endpoints. This is especially critical in the new global hybrid working environment, which exposes the most challenging cybersecurity landscape we’ve ever encountered. 
This blog provides more information on the unmanaged endpoint discovery feature while an additional&nbsp;blog provides more information on <A href="#" target="_self">how to configure the network device discovery feature</A>.</P> <P><SPAN>&nbsp;</SPAN></P> <H2><FONT color="#000080"><SPAN>The challenge – unmanaged endpoints</SPAN></FONT></H2> <P><SPAN>In recent years,&nbsp;the efficacy of&nbsp;Endpoint Protection (EPP)&nbsp;and&nbsp;Endpoint&nbsp;Detection and Response (EDR)&nbsp;platforms&nbsp;has continued to increase. With the rise of&nbsp;unified SIEM and XDR&nbsp;(extended detection and response)&nbsp;solutions, like&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN>Microsoft 365 Defender</SPAN></A><SPAN>,&nbsp;the&nbsp;level of efficacy&nbsp;that&nbsp;our customers&nbsp;are&nbsp;benefiting&nbsp;from&nbsp;continues to improve.</SPAN><SPAN>&nbsp;To fully utilize&nbsp;these solutions to defend your environment, it's critical to have full visibility of all the devices in your organization. You can't protect what you can't see!</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P>David Weston, Microsoft&nbsp;Director of Enterprise and OS Security, advises: &nbsp;&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px"><EM>“The riskiest threat is the one you don’t know about. Unmanaged devices are literally one of your weakest links. Smart attackers go there first.&nbsp;With work-from-home,&nbsp;the&nbsp;threat has grown exponentially, making discovering and applying security controls to&nbsp;these devices&nbsp;mission critical.”</EM>&nbsp;</P> <P>&nbsp;</P> <P>There have been many examples where unmanaged devices were exploited and led to a breach, such as the <A href="#" target="_blank" rel="noopener">Equifax breach</A>. In this case the breach originated via an unpatched vulnerability on an internet-facing server. This might have been easily addressed except for the fact that the server was unmanaged--no one knew it needed patching. 
Those responsible for the security profiles and policies of these devices were simply unaware of its existence.</P> <P>&nbsp;</P> <H2><FONT color="#333399"><SPAN>Unmanaged endpoint discovery in Microsoft Defender for Endpoint</SPAN></FONT></H2> <P><SPAN>To address scenarios like this we’re adding unmanaged endpoint discovery to Microsoft Defender for Endpoint to help customers discover and secure unmanaged endpoints on their corporate network. This will help detect and report on any device seen on a corporate network that can be onboarded and secured by Microsoft Defender for Endpoint.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>As part of this new functionality, two forms of discovery are provided: Basic and Standard. For public preview, all tenants will initially have Basic discovery configured, which uses </SPAN>unicast or broadcast network events captured by the onboarded devices to discover unmanaged endpoints. Basic discovery uses the SenseNDR.exe binary for passive network data collection and initiates no network traffic of its own. On May 10, unless otherwise configured by the tenant, we will automatically switch from Basic to our recommended form of discovery, called Standard discovery. This is an active discovery method in which managed devices probe the network to identify unmanaged devices. The interfaces exposed by discovered devices are then used to collect threat and vulnerability information and the metadata used for device fingerprinting. 
Standard discovery builds a deeper, more complete picture of the discovered devices than Basic mode and allows for vulnerability assessments. Once you have enabled this process the amount of network traffic is minimal: up to 5k of traffic is generated per discovered device, and the probing runs only once every 3 weeks after initial discovery or when certain characteristics of the managed device change. For example, if the name of the device that is doing the scanning changes, this indicates that the environment the device exists in may have changed, and so the standard discovery probing will be initiated.</P> <P>&nbsp;</P> <P>When you go to the <A href="#" target="_blank" rel="noopener">Microsoft 365 security console</A> you will see two new tiles. The first shows “Devices to onboard” and presents all devices seen in the last 30 days. We also check whether the device has been seen more than once over a 3-day period, which prevents a recommendation to onboard a device that was plugged into the network once and won’t be seen again.</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture1.jpg" style="width: 521px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/271956i362765BD79FD40F4/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.jpg" alt="Picture1.jpg" /></span></P> <P>&nbsp;</P> <P>The second tile is “Discovered devices in my network” and is broken down by device type.</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture2.jpg" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/271944i96F40CC05F52EB6B/image-size/large?v=v2&amp;px=999" role="button" title="Picture2.jpg" alt="Picture2.jpg" /></span></P> <P>&nbsp;</P> <P 
data-unlink="true">Once discovered, the devices will appear in the Device Inventory. Clicking the “View recently discovered devices” button takes you straight to the inventory, where a new set of filters lets you apply criteria relevant to these new devices, as shown in the screenshot below:</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture3.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/275745i1994C08EDD7C7DF1/image-size/large?v=v2&amp;px=999" role="button" title="Picture3.jpg" alt="Picture3.jpg" /></span></P> <P>&nbsp;</P> <P data-unlink="true">This data is then used as part of the security recommendations within threat and vulnerability management. You can go to the Security recommendations section under Vulnerability management and type “Onboard” into the Search box to see discovered devices eligible for onboarding:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture4.jpg" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/271957i5F4D3791556695DB/image-size/large?v=v2&amp;px=999" role="button" title="Picture4.jpg" alt="Picture4.jpg" /></span></P> <P>&nbsp;</P> <P>Once you know about these devices, you can start to onboard them into Defender for Endpoint. This empowers you to close the unmanaged endpoint gap in your environment, which is an easy target for attackers. 
By using the remediation options presented as part of the Security Recommendations, you can open a ticket in Microsoft Endpoint Manager to remediate and onboard the device.</P> <P>&nbsp;</P> <P>Advanced hunting has also been improved to allow you to query these devices and export data with whatever columns you like:</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px"><FONT color="#000000"><EM>DeviceInfo&nbsp;</EM></FONT></P> <P class="lia-indent-padding-left-60px"><FONT color="#000000"><EM>|&nbsp;where&nbsp;Timestamp&nbsp;&gt;&nbsp;ago(7d)</EM></FONT></P> <P class="lia-indent-padding-left-60px"><FONT color="#000000"><EM>|&nbsp;summarize&nbsp;arg_max(Timestamp,&nbsp;*)&nbsp;by&nbsp;DeviceId</EM></FONT></P> <P class="lia-indent-padding-left-60px"><FONT color="#000000"><EM>|&nbsp;where&nbsp;OnboardingStatus&nbsp;==&nbsp;'Can&nbsp;be&nbsp;onboarded'</EM></FONT></P> <P class="lia-indent-padding-left-60px"><FONT color="#000000"><EM>| distinct&nbsp;Timestamp,&nbsp;DeviceName,&nbsp;DeviceId,&nbsp;OSPlatform,&nbsp;OSDistribution,&nbsp;OSVersion,&nbsp;ReportId</EM></FONT></P> <P>&nbsp;</P> <P>The “Timestamp” and “ReportId” columns let you run this as a custom detection. For example, you could write a rule to generate an alert whenever a device is connected to a certain subnet.</P> <P>&nbsp;</P> <P>We have also exposed “Onboarding Status” in the API and in the connector for Azure Sentinel, to provide visibility into security tooling you might have in place.</P> <P>&nbsp;</P> <H2><FONT color="#333399">Enabling discovery</FONT></H2> <P data-unlink="true">You will see that endpoint discovery is enabled on your tenant through a banner that appears in Device inventory. 
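</P> <P>Building on the advanced hunting query above, the following is an added example (not part of the original post) of a custom detection query that alerts when a discovered, not-yet-onboarded device reports an address inside a subnet you consider sensitive. It assumes that discovered devices report their addresses in the DeviceNetworkInfo table; the 10.50.0.0/16 range is a constructed placeholder for a network you care about.</P>

```kusto
// Added example, not from the original post: custom detection for discovered,
// not-yet-onboarded devices that show up on a sensitive subnet.
// Assumptions: discovered devices report addresses in DeviceNetworkInfo, and
// 10.50.0.0/16 is a constructed placeholder for a network you care about.
let SensitiveSubnet = "10.50.0.0/16";
// Latest record per device, restricted to devices that can be onboarded
// (the same filter used by the query in the post).
let CanBeOnboarded =
    DeviceInfo
    | where Timestamp > ago(7d)
    | summarize arg_max(Timestamp, *) by DeviceId
    | where OnboardingStatus == 'Can be onboarded'
    | project DeviceId, OSPlatform, OSDistribution, OSVersion;
DeviceNetworkInfo
| where Timestamp > ago(7d)
| join kind=inner CanBeOnboarded on DeviceId
// IPAddresses is a JSON array of {IPAddress, SubnetPrefix, AddressType}; expand it
| mv-expand Addr = parse_json(IPAddresses)
| extend IPAddress = tostring(Addr.IPAddress)
// Non-IPv4 strings yield null here and are filtered out
| where ipv4_is_in_range(IPAddress, SensitiveSubnet)
// One row per device/address, so a single alert is raised per sighting
| summarize arg_max(Timestamp, *) by DeviceId, IPAddress
// Timestamp, DeviceId and ReportId are the columns a custom detection rule requires
| project Timestamp, DeviceId, DeviceName, IPAddress, OSPlatform, OSDistribution, OSVersion, ReportId
```

Save the query as a custom detection rule and set its frequency to match how quickly you want to be told about an unmanaged device on that subnet.

<P data-unlink="true">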
This banner will be available until the automatic switch from Basic to Standard discovery occurs on July 19th, giving you the option to easily spot and switch over to Standard discovery as soon as you are ready.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ED 02.jpg" style="width: 880px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272305i3301AA25D528405E/image-dimensions/880x463?v=v2" width="880" height="463" role="button" title="ED 02.jpg" alt="ED 02.jpg" /></span></P> <P>&nbsp;</P> <P data-unlink="true">If you don’t want Standard discovery to be automatically enabled on July 19, you also have the option to go to Device discovery&nbsp; in settings and select Basic discovery to ensure the automatic change doesn’t occur.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ED 03.jpg" style="width: 880px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272306i3FE4CB046D71447A/image-dimensions/880x463?v=v2" width="880" height="463" role="button" title="ED 03.jpg" alt="ED 03.jpg" /></span></P> <P>&nbsp;</P> <H2><FONT color="#333399">Controlling discovery</FONT></H2> <P>Although we recommend using Standard discovery, there may be conditions that justify applying controls to the discovery process. When Standard discovery actively probes the network, it uses two PowerShell scripts. 
These PowerShell scripts are Microsoft-signed and are executed from the following location:&nbsp;</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px"><EM>C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\Downloads\*.ps</EM></P> <P>&nbsp;</P> <P>If you are using other security tooling in your environment, there is a possibility these scripts could cause alerts to be raised in those tools. To avoid this situation, we suggest adding the path the scripts are run from to the allow list within your tooling. We also provide customization capabilities around which devices will perform Standard discovery and thus run the scripts. When you enable Standard discovery, the default mode is that all managed Windows 10 devices perform this task. To change this, you can use a tagging feature that restricts the execution of the Standard discovery process to only certain devices in your environment.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ED 04.jpg" style="width: 880px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272307iB52D2924F55D08DE/image-dimensions/880x535?v=v2" width="880" height="535" role="button" title="ED 04.jpg" alt="ED 04.jpg" /></span></P> <P>&nbsp;</P> <P>One caveat: we only recognize tags that have been applied to the device through the portal (or via the API). You cannot use tags that have been set via the registry on the device.</P> <P>&nbsp;</P> <P data-unlink="true">You may also have situations where devices are set up as honeypots, or have certain networks where you have specific monitoring in place. You can exclude these from Standard discovery and can configure this through the Exclusions tab in Device discovery. 
There, you can specify either a specific IP address or a subnet to exclude from the Standard discovery mode, although we will still gather details of devices through the passive discovery available in Basic discovery.</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ED 05.jpg" style="width: 880px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272308i51E0860C1098BA7E/image-dimensions/880x499?v=v2" width="880" height="499" role="button" title="ED 05.jpg" alt="ED 05.jpg" /></span></P> <P>&nbsp;</P> <H2><FONT color="#333399"><SPAN>Discovering the right devices</SPAN></FONT></H2> <P><SPAN>One important aspect of this functionality is ensuring it discovers the correct devices. You don't want to take your laptop home and then see all your smart devices, TVs, gaming consoles, etc., showing up in the device inventory list.&nbsp;Not only does it clutter the inventory, but there are also privacy implications from discovering personal, at-home devices.</SPAN></P> <P><SPAN>&nbsp;</SPAN></P> <P><SPAN>The good news: there is built-in logic to prevent this, and a level of control to define what networks this discovery process runs against. </SPAN>The logic was designed to differentiate between corporate networks and non-corporate networks, to avoid discovery of private or public devices not controlled by the organization. 
Strict conditions are in place to ensure such devices won’t be discovered and presented in the portal.</P> <P>&nbsp;</P> <P>The system differentiates between corporate and non-corporate networks by correlating common network interface identifiers among Microsoft Defender for Endpoint onboarded devices.</P> <P>&nbsp;</P> <P><SPAN>To add an extra layer of control, the following screenshot displays the Monitored networks tab within Device discovery settings, which makes discovered networks visible and enables you to specify whether to include or exclude them.</SPAN></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><SPAN><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ED 06.jpg" style="width: 880px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272309iF14DD21D8CAF705F/image-dimensions/880x535?v=v2" width="880" height="535" role="button" title="ED 06.jpg" alt="ED 06.jpg" /></span>&nbsp;</SPAN></P> <P>&nbsp;</P> <H2><FONT color="#333399"><SPAN>Disabling…if you really must!</SPAN></FONT></H2> <P><SPAN>Finally, if you decide that our new endpoint discovery capability isn't for you, a switch is available in the Advanced settings page in the Microsoft Defender Security Center that allows you to disable the feature (under “Endpoints” in the settings in the Microsoft 365 security center). 
While this isn’t recommended, we recognize&nbsp;some organizations&nbsp;may require due diligence to be performed before taking advantage of the feature.</SPAN></P> <P>&nbsp;</P> <P><SPAN>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture10.jpg" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/271955iDD17D910433EF3A7/image-size/large?v=v2&amp;px=999" role="button" title="Picture10.jpg" alt="Picture10.jpg" /></span></SPAN></P> <P>&nbsp;</P> <P>We’re excited to offer you this new functionality and thank you for your interest in the unmanaged endpoint discovery feature. You will gain enhanced visibility of your estate, and the power to close down a vector of attack that attackers increasingly take advantage of.</P> <P>&nbsp;</P> <P>We encourage you to join us in the public preview program. This program lets you test new features in their early phases and captures your feedback that will influence the final product. For those not already enrolled in the program, we encourage you to participate by turning on <A href="#" target="_blank" rel="noopener">preview features</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P>Once enrolled, we welcome your feedback. 
More information about this feature and our broader range of unmanaged devices capabilities can be found in the Microsoft Defender for Endpoint <A href="#" target="_blank" rel="noopener">product documentation</A>.</P> <P>&nbsp;</P> <P>&nbsp;</P> Mon, 12 Jul 2021 08:24:16 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909 Steve Newby 2021-07-12T08:24:16Z Network device discovery and vulnerability assessments https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/network-device-discovery-and-vulnerability-assessments/ba-p/2267548 <P><SPAN style="font-family: inherit;" data-contrast="auto">Earlier today <A href="#" target="_self">we announced</A></SPAN><A href="#" target="_self"><SPAN style="font-family: inherit;" data-contrast="auto">&nbsp;</SPAN></A><SPAN style="font-family: inherit;" data-contrast="auto"><A href="#" target="_self">a&nbsp;new&nbsp;set&nbsp;of&nbsp;capabilities</A>&nbsp;for&nbsp;</SPAN><A style="font-family: inherit; background-color: #ffffff;" href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft Defender for Endpoint</SPAN></A><SPAN style="font-family: inherit;" data-contrast="auto">&nbsp;that&nbsp;empower</SPAN><SPAN style="font-family: inherit;" data-contrast="auto">&nbsp;</SPAN><SPAN style="font-family: inherit;" data-contrast="auto">organizations to discover and secure network devices</SPAN><SPAN style="font-family: inherit;" data-contrast="auto">&nbsp;</SPAN><SPAN style="font-family: inherit;" data-contrast="auto">and&nbsp;unmanaged endpoints</SPAN><SPAN style="font-family: inherit;" data-contrast="auto">.</SPAN><SPAN style="font-family: inherit;" data-contrast="auto">&nbsp;</SPAN><SPAN style="font-family: inherit;" data-contrast="auto">This is especially critical in the new&nbsp;global&nbsp;hybrid working environment, which&nbsp;exposes the most challenging cybersecurity landscape we’ve ever 
encountered.</SPAN><SPAN style="font-family: inherit;" data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <H2 aria-level="1"><SPAN data-contrast="none">The&nbsp;challenge:&nbsp;unmanaged&nbsp;network devices</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="auto">We know that users <A href="#" target="_self">are&nbsp;71%&nbsp;more likely to be infected</A>&nbsp;on an unmanaged device, and connecting from these devices to business networks offers a high-value target for attackers to launch broader attacks from.</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">In&nbsp;recent years,&nbsp;we witnessed several cases&nbsp;where security vulnerabilities in&nbsp;networking&nbsp;gear were&nbsp;actively exploited in the wild by cybercriminals. In some cases, this meant that attackers had the capability to access computers&nbsp;connected directly to&nbsp;corporate networks&nbsp;from&nbsp;the internet (such as CDPwn, EternalBlue, EternalRed).&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">From a vulnerability&nbsp;management&nbsp;standpoint, the large number of unmanaged network devices deployed in&nbsp;each&nbsp;organization creates&nbsp;a large&nbsp;attack surface, representing&nbsp;a&nbsp;significant&nbsp;risk&nbsp;to the entire enterprise.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;These network devices&nbsp;must&nbsp;be secured&nbsp;and included in each organization's vulnerability management&nbsp;program.&nbsp;The first step is for an organization to make&nbsp;sure that&nbsp;every&nbsp;network device is discovered,&nbsp;accurately classified, and&nbsp;added to the asset inventory.&nbsp;&nbsp;</SPAN></P> <P>&nbsp;</P> <H2 aria-level="1"><SPAN 
data-contrast="none">Network device&nbsp;discovery&nbsp;in Defender for Endpoint</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="auto">Defender for Endpoint customers can&nbsp;now&nbsp;take advantage of the new network discovery&nbsp;capabilities&nbsp;available in the <STRONG>Device inventory&nbsp;</STRONG> section </SPAN><SPAN data-contrast="auto">of the&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">Microsoft 365 security center</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;and&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">Microsoft Defender Security Center</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;consoles.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;To do so, a</SPAN><SPAN data-contrast="auto">&nbsp;designated&nbsp;Microsoft Defender for Endpoint device&nbsp;will be used&nbsp;on each network segment&nbsp;to&nbsp;perform&nbsp;periodic&nbsp;authenticated scans of preconfigured network devices.&nbsp;Once discovered,&nbsp;Defender for Endpoint’s&nbsp;threat and vulnerability management&nbsp;capabilities&nbsp;provide&nbsp;integrated workflows to secure discovered switches, routers, WLAN controllers, firewalls, and VPN gateways.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P aria-level="1">&nbsp;</P> <H2 aria-level="1"><SPAN data-contrast="none">Vulnerability management&nbsp;for network devices</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="auto">After&nbsp;the network devices are discovered and classified,&nbsp;security administrators&nbsp;will be able to&nbsp;receive&nbsp;the latest security recommendations&nbsp;and&nbsp;review recently discovered 
vulnerabilities&nbsp;on&nbsp;network devices deployed across their&nbsp;organizations.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-30px"><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 00.png" style="width: 793px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272233iDD55D6242A1F7170/image-dimensions/793x269?v=v2" width="793" height="269" role="button" title="ND Picture 00.png" alt="ND Picture 00.png" /></span></SPAN></P> <P class="lia-align-center">&nbsp;</P> <P class="lia-indent-padding-left-60px"><STRONG><SPAN data-contrast="auto">Figure&nbsp;1:</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;Security recommendation&nbsp;to update&nbsp;Cisco operating systems&nbsp;that&nbsp;run on&nbsp;routers, switches,&nbsp;and&nbsp;WLAN&nbsp;controllers</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:270,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:270,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 000.png" style="width: 771px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272234i355AA7A7430F0DA5/image-dimensions/771x331?v=v2" width="771" height="331" role="button" title="ND Picture 000.png" alt="ND Picture 000.png" /></span></P> <P 
class="lia-indent-padding-left-60px"><SPAN data-contrast="auto"><STRONG>Figure&nbsp;2:</STRONG> Security recommendation&nbsp;details&nbsp;with&nbsp;all vulnerabilities&nbsp;associated with the Cisco IOS&nbsp;operating system</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335551550&quot;:2,&quot;335551620&quot;:2,&quot;335559685&quot;:270,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <H2 aria-level="1"><SPAN data-contrast="none">Solution approach</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="auto">Network devices are not managed&nbsp;as standard&nbsp;endpoints since&nbsp;Defender for Endpoint&nbsp;does not&nbsp;have&nbsp;a sensor&nbsp;built&nbsp;into the network devices themselves.&nbsp;These&nbsp;types&nbsp;of devices&nbsp;require&nbsp;an agentless&nbsp;approach&nbsp;where a&nbsp;remote&nbsp;scan will&nbsp;obtain the&nbsp;necessary&nbsp;information from the devices.&nbsp;Depending on the&nbsp;network topology and characteristics,&nbsp;one or more Windows&nbsp;devices&nbsp;onboarded to&nbsp;Microsoft Defender for Endpoint&nbsp;will perform authenticated scans of network devices using SNMP (read-only).</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <H2 aria-level="1"><SPAN data-contrast="none">OS coverage for vulnerability assessment</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="none">Currently,&nbsp;the&nbsp;following operating systems are supported:</SPAN><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P>&nbsp;</P> <OL> <LI><SPAN data-contrast="none">Cisco IOS, IOS-XE, NX-OS</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="none">Juniper JUNOS</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="none">HPE&nbsp;ArubaOS,&nbsp;Procurve&nbsp;Switch Software</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="none">Palo Alto Networks PAN-OS</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </OL> <P><STRONG><SPAN data-contrast="none">Note</SPAN></STRONG><SPAN data-contrast="none">: Support for additional networking vendors and&nbsp;operating systems&nbsp;will be added over time, based on data gathered from customer usage. 
Therefore, you are encouraged to configure all your network devices, even if they are not specified in this list.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <H2><SPAN data-contrast="none">How to get started</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="none">Your first step is to select a device that will perform the&nbsp;authenticated&nbsp;network&nbsp;scans.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <OL> <LI><SPAN data-contrast="none">Allocate an&nbsp;</SPAN><STRONG><SPAN data-contrast="none">assessment&nbsp;device&nbsp;</SPAN></STRONG><SPAN data-contrast="none">(client or server) that has a network connection&nbsp;to&nbsp;the&nbsp;management port&nbsp;for&nbsp;the&nbsp;target network devices.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">This can be any Windows device that has been onboarded to Defender for Endpoint.&nbsp; <STRONG>Note:&nbsp;</STRONG></SPAN><SPAN data-contrast="none">SNMP traffic between the Defender for Endpoint&nbsp;</SPAN><STRONG><SPAN data-contrast="none">assessment device</SPAN></STRONG><SPAN data-contrast="none">&nbsp;and the&nbsp;</SPAN><STRONG><SPAN data-contrast="none">target network devices</SPAN></STRONG><SPAN data-contrast="none">&nbsp;must be allowed (e.g.,&nbsp;by the&nbsp;organization’s firewall).</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="none">Decide which network devices will be assessed for 
vulnerabilities (e.g.,&nbsp;a Cisco switch or a Palo Alto Networks firewall).&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="none">Make sure&nbsp;</SPAN><STRONG><SPAN data-contrast="none">SNMP read-only</SPAN></STRONG><SPAN data-contrast="none">&nbsp;is&nbsp;enabled on all configured network devices to allow the&nbsp;Defender for Endpoint&nbsp;assessment device to query the configured network devices.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN><STRONG style="font-family: inherit;"><SPAN data-contrast="none">Note:</SPAN></STRONG><SPAN style="font-family: inherit;" data-contrast="none">&nbsp;‘SNMP write’ is not needed for the proper functionality of this feature.</SPAN><SPAN style="font-family: inherit;" data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="none">Obtain the IP addresses of the target network devices to be scanned (or the subnets where these devices are deployed).</SPAN></LI> <LI><SPAN data-contrast="none">Obtain the SNMP credentials of the target network devices (e.g.,&nbsp;Community String,&nbsp;noAuthNoPriv,&nbsp;authNoPriv,&nbsp;authPriv). 
You’ll be required to provide these when configuring a new&nbsp;</SPAN><STRONG><SPAN data-contrast="none">assessment job</SPAN></STRONG><SPAN data-contrast="none">.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="none">Proxy client configuration: No additional configuration is required other than the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Defender for Endpoint device proxy requirements</SPAN></A><SPAN data-contrast="none">.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI><SPAN data-contrast="none">The following domains/URLs should be allowed/enabled in your firewall/proxy rules. This is essential to allow the network scanner to be authenticated and work properly.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;<STRONG>Note:</STRONG> The following user permission option is required to configure assessment jobs:&nbsp;<I>‘Manage security settings in Security&nbsp;Center’.</I></SPAN></LI> </OL> <P class="lia-indent-padding-left-60px"><I><SPAN data-contrast="none">login.windows.net&nbsp;</SPAN></I><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-60px"><I><SPAN data-contrast="none">*.securitycenter.windows.com</SPAN></I><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-60px"><I><SPAN data-contrast="none">login.microsoftonline.com</SPAN></I><SPAN 
data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-60px"><I><SPAN data-contrast="none">*.blob.core.windows.net/networkscannerstable/*</SPAN></I><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <H2><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN><SPAN data-contrast="none">Install the network&nbsp;scanner</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="none">&nbsp; &nbsp; &nbsp;1. In&nbsp;the&nbsp;</SPAN><STRONG><SPAN data-contrast="none">Microsoft&nbsp;365 security&nbsp;center&nbsp;</SPAN></STRONG><SPAN data-contrast="none">console,&nbsp;go</SPAN><STRONG><SPAN data-contrast="none">&nbsp;</SPAN></STRONG><SPAN data-contrast="none">to the&nbsp;</SPAN><STRONG><SPAN data-contrast="none">Settings &gt;&nbsp;Endpoints &gt;&nbsp;Assessment jobs</SPAN></STRONG><SPAN data-contrast="none">&nbsp;page.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-30px"><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 01.png" style="width: 530px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272236i5860D1972AAA28E8/image-dimensions/530x227?v=v2" width="530" height="227" role="button" title="ND Picture 01.png" alt="ND Picture 01.png" /></span></SPAN></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 02.png" style="width: 539px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272237i0029CEDF8E130501/image-dimensions/539x292?v=v2" width="539" height="292" role="button" title="ND Picture 02.png" alt="ND Picture 02.png" /></span></SPAN></P> <P><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp; &nbsp; &nbsp; 2.&nbsp;</SPAN><SPAN data-contrast="none">Download the network scanner and install it on the designated Defender for Endpoint&nbsp;assessment&nbsp;device.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 03.png" style="width: 469px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272238i3B8B3050D93F01FF/image-size/large?v=v2&amp;px=999" role="button" title="ND Picture 03.png" alt="ND Picture 03.png" /></span></P> <P><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;<BR />&nbsp; &nbsp; &nbsp;3.&nbsp;</SPAN><SPAN data-contrast="none">Network scanner installation &amp; registration:</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="20" aria-setsize="-1" data-aria-posinset="1" data-aria-level="2"><SPAN data-contrast="none">Sign in using a Microsoft account that has the Defender for Endpoint permission called "Manage security settings in Security Center".&nbsp;</SPAN>The&nbsp;sign-in process can be completed on the assessment device itself or on any other device (e.g.,&nbsp;your personal client device).</LI> </UL> <P class="lia-indent-padding-left-30px"><SPAN style="font-family: inherit;" data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:1440,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 04.png" style="width: 751px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272239iBD19A98F38A451FB/image-dimensions/751x76?v=v2" width="751" height="76" role="button" title="ND Picture 04.png" alt="ND Picture 04.png" /></span></SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="20" aria-setsize="-1" data-aria-posinset="1" data-aria-level="2"><SPAN data-contrast="none">To complete the network scanner registration process, copy and follow the URL that appears on the command line,&nbsp;and use the provided installation code to complete the 
registration process.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN><STRONG style="font-family: inherit;"><SPAN data-contrast="none">Note:</SPAN></STRONG><SPAN style="font-family: inherit;" data-contrast="none">&nbsp;You may need to change Command Prompt settings to be able to copy the URL.&nbsp;</SPAN><SPAN style="font-family: inherit;" data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:1440,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:1440,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-60px"><SPAN data-contrast="none">Enter the code here:</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:1440,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-60px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 05.png" style="width: 349px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272240i260C29F88442943A/image-dimensions/349x271?v=v2" width="349" height="271" role="button" title="ND Picture 05.png" alt="ND Picture 05.png" /></span></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-60px"><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:1440,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN><SPAN data-contrast="none">Use your Microsoft account with the required threat and vulnerability management permissions to sign&nbsp;in.</SPAN><SPAN 
data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:1440,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-60px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 06.png" style="width: 353px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272241i1E2D8359633F5D1F/image-dimensions/353x349?v=v2" width="353" height="349" role="button" title="ND Picture 06.png" alt="ND Picture 06.png" /></span></P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-60px"><SPAN data-contrast="none">When finished, you should see&nbsp;the following&nbsp;messages&nbsp;in your browser and CMD&nbsp;that state that you have signed into the Microsoft Defender for Endpoint network&nbsp;scan agent application&nbsp;successfully:&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:1440,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-60px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 07.png" style="width: 356px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272243iD5EB8BAA9C1BD6DE/image-dimensions/356x284?v=v2" width="356" height="284" role="button" title="ND Picture 07.png" alt="ND Picture 07.png" /></span></P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <P class="lia-indent-padding-left-60px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 08.png" style="width: 437px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272244iDAF3D0BD0D2D9D43/image-dimensions/437x310?v=v2" width="437" height="310" role="button" title="ND Picture 08.png" alt="ND 
Picture 08.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:1440,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <H2 aria-level="2"><SPAN data-contrast="none">Configure a new&nbsp;network&nbsp;assessment&nbsp;job&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P aria-level="2"><SPAN data-contrast="none">&nbsp; &nbsp; &nbsp;1. In the&nbsp;</SPAN><STRONG><SPAN data-contrast="none">Microsoft 365 security&nbsp;center&nbsp;</SPAN></STRONG><SPAN data-contrast="none">console,&nbsp;go to the&nbsp;</SPAN><STRONG><SPAN data-contrast="none">Settings &gt; Endpoints &gt; Assessment jobs</SPAN></STRONG><SPAN data-contrast="none">&nbsp;page.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 089.png" style="width: 576px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272245i1267B97C5573BDE4/image-dimensions/576x312?v=v2" width="576" height="312" role="button" title="ND Picture 089.png" alt="ND Picture 089.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-contrast="none">&nbsp; &nbsp; &nbsp;2. 
Add a new network assessment job.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 09.png" style="width: 506px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272246i63AE2F294CD474C5/image-size/large?v=v2&amp;px=999" role="button" title="ND Picture 09.png" alt="ND Picture 09.png" /></span></P> <P>&nbsp;</P> <P><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp; &nbsp; &nbsp;3.&nbsp;</SPAN><SPAN data-contrast="none">Follow the&nbsp;set-up flow:&nbsp;&nbsp;&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="28" aria-setsize="-1" data-aria-posinset="1" data-aria-level="2"><SPAN data-contrast="none">Choose&nbsp;an ‘Assessment job’ name and the&nbsp;‘Assessment device’ on which the network scanner was installed. 
This device will perform&nbsp;the periodic&nbsp;authenticated&nbsp;scans.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 10.png" style="width: 516px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272247i3DDF8274CE2786FD/image-dimensions/516x185?v=v2" width="516" height="185" role="button" title="ND Picture 10.png" alt="ND Picture 10.png" /></span></P> <P><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:1440,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="27" aria-setsize="-1" data-aria-posinset="1" data-aria-level="2"><SPAN data-contrast="none">Add IP addresses of target network devices to be scanned (or the subnets where these devices are deployed).</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P class="lia-indent-padding-left-30px"><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559731&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:257}"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 11.png" style="width: 640px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272250i8ACF2AEF6AB1DFBD/image-dimensions/640x177?v=v2" width="640" height="177" role="button" title="ND Picture 11.png" alt="ND Picture 11.png" /></span>&nbsp;</SPAN></P> <P><SPAN 
data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559731&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:257}">&nbsp;</SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="26" aria-setsize="-1" data-aria-posinset="1" data-aria-level="2"><SPAN data-contrast="none">Add&nbsp;required SNMP&nbsp;credentials of the target network devices.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 12.png" style="width: 243px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272251i3399FBF61AA24E2B/image-dimensions/243x237?v=v2" width="243" height="237" role="button" title="ND Picture 12.png" alt="ND Picture 12.png" /></span></P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:1440,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 13.png" style="width: 648px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272252iFC511CFBFDD39A5F/image-dimensions/648x253?v=v2" width="648" height="253" role="button" title="ND Picture 13.png" alt="ND Picture 13.png" /></span></SPAN></P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="25" aria-setsize="-1" data-aria-posinset="1" data-aria-level="1"><SPAN data-contrast="none">Save the&nbsp;newly-configured&nbsp;network assessment job to start the periodic&nbsp;network&nbsp;scan.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <H2 aria-level="2"><SPAN>&nbsp;<BR /></SPAN><SPAN 
data-contrast="none">Scan and add network&nbsp;devices</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:40,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN></H2> <P><SPAN data-contrast="none">In the&nbsp;set-up flow, you can perform a&nbsp;one-time&nbsp;test scan to verify that:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P>&nbsp;</P> <UL> <LI data-leveltext="" data-font="Symbol" data-listid="24" aria-setsize="-1" data-aria-posinset="2" data-aria-level="1"><SPAN data-contrast="none">There is connectivity between the Defender for Endpoint assessment device&nbsp;(network scanner)&nbsp;and the configured target network devices.</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="" data-font="Symbol" data-listid="24" aria-setsize="-1" data-aria-posinset="3" data-aria-level="1"><SPAN data-contrast="none">The configured SNMP credentials are correct.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 14.png" style="width: 651px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272253i38DAE175D043A6F8/image-dimensions/651x297?v=v2" width="651" height="297" role="button" title="ND Picture 14.png" alt="ND Picture 14.png" /></span></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Once the results show up, you can choose which devices will be included in the periodic scan.&nbsp;If you skip&nbsp;viewing the scan results, all configured IP 
addresses will be added to the network assessment job&nbsp;periodic scan&nbsp;(regardless of the device’s response).&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">TIP:&nbsp;The scan results can also be exported.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 15.png" style="width: 592px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272254iE623E1E5CE783381/image-size/large?v=v2&amp;px=999" role="button" title="ND Picture 15.png" alt="ND Picture 15.png" /></span></P> <P><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559685&quot;:720,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Newly-discovered&nbsp;devices will be shown under the new&nbsp;</SPAN><I><SPAN data-contrast="none">Network devices</SPAN></I><SPAN data-contrast="none">&nbsp;tab in the&nbsp;</SPAN><I><SPAN data-contrast="none">Device inventory</SPAN></I><SPAN data-contrast="none">&nbsp;page (it may take up to ~2hrs after adding an assessment job until the devices are updated).</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P class="lia-indent-padding-left-30px"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ND Picture 16.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272255i37F6F7F3286F49CD/image-size/large?v=v2&amp;px=999" role="button" title="ND Picture 16.png" alt="ND Picture 16.png" /></span></P> <P>&nbsp;</P> <P aria-level="1"><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559738&quot;:240,&quot;335559739&quot;:0,&quot;335559740&quot;:259}">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">Thank&nbsp;you for your interest in&nbsp;the network devices discovery&nbsp;and vulnerability management&nbsp;feature. We encourage you to&nbsp;join us in the&nbsp;public&nbsp;preview&nbsp;program.&nbsp;This&nbsp;program&nbsp;lets&nbsp;you&nbsp;test new features in&nbsp;their&nbsp;early&nbsp;phases&nbsp;and&nbsp;enables you to&nbsp;provide feedback&nbsp;that&nbsp;will&nbsp;influence&nbsp;the final&nbsp;product.&nbsp;</SPAN><SPAN data-contrast="auto">For those not already enrolled in the program, we encourage you to do so by turning on the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">preview features</SPAN></A><SPAN data-contrast="auto">.</SPAN><SPAN data-contrast="none">&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN><SPAN data-contrast="none">Once enrolled,&nbsp;we look forward to&nbsp;seeing your&nbsp;feedback&nbsp;at:&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=mailto:mdatptvm@microsoft.com?subject=Network%20device%20vulnerability%20assessment" target="_self">mdatptvm@microsoft.com</A><SPAN data-contrast="none">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> <P><SPAN data-contrast="none">More information about this feature and 
our broader range of unmanaged device capabilities can be found in the&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft Defender for Endpoint product documentation</SPAN></A><SPAN data-contrast="none">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:0,&quot;335559740&quot;:240}">&nbsp;</SPAN></P> Wed, 09 Jun 2021 19:18:57 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/network-device-discovery-and-vulnerability-assessments/ba-p/2267548 Tomer_Reisner 2021-06-09T19:18:57Z Configuring exclusions for Splunk on RedHat Linux 7.9 https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/configuring-exclusions-for-splunk-on-redhat-linux-7-9/ba-p/2261914 <P>&nbsp;</P> <P>Several customers have asked me how to configure Splunk antivirus exclusions for processes, folders, and files in Microsoft Defender for Endpoint on Red Hat Enterprise Linux. This quick reference article addresses that common question.</P> <P>&nbsp;</P> <P>Note: This blog post covers Microsoft Defender for Endpoint&nbsp;on Red Hat Enterprise Linux 7.9.</P> <P>&nbsp;</P> <P><FONT size="1 2 3 4 5 6 7"><STRONG><EM>Disclaimer:&nbsp;</EM></STRONG></FONT><EM><FONT size="1 2 3 4 5 6 7">&nbsp;This may not work on all versions of Linux.&nbsp;Linux is a third-party entity with its own potential licensing restrictions. This content is provided to help our customers navigate integration with a third-party component or operating system, and as such, no guarantees are implied. 
Process and folder exclusions can be harmful because they increase your organization's exposure to security risks</FONT>.</EM></P> <P>&nbsp;</P> <OL> <LI>First, check whether any file or folder exclusions are already configured on your Red Hat Enterprise Linux clients by running the following command:</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><STRONG>mdatp exclusion list</STRONG></P> <P>&nbsp;</P> <OL start="2"> <LI>In the following example, no exclusions are configured on the device:</LI> </OL> <P>&nbsp;</P> <P>[azureuser@redhat /]$ <STRONG>mdatp exclusion list</STRONG></P> <P>=====================================</P> <P><STRONG>No exclusions</STRONG></P> <P>=====================================</P> <P>[azureuser@redhat /]$</P> <P>&nbsp;</P> <OL start="3"> <LI>For details on exclusions in Microsoft Defender for Endpoint on Linux, see our public <A href="#" target="_blank" rel="noopener">documentation</A>.</LI> <LI>Splunk's recommended exclusion list is published in its own <A href="#" target="_blank" rel="noopener">documentation</A>. 
&nbsp;</LI> <LI>Here is a simplified list of the recommended exclusions from the link above:</LI> </OL> <P>&nbsp;</P> <TABLE width="708"> <TBODY> <TR> <TD width="18%"> <P><STRONG>Version:</STRONG></P> </TD> <TD width="37%"> <P><STRONG>Directories to exclude:</STRONG></P> </TD> <TD width="43%"> <P><STRONG>Processes to exclude:</STRONG></P> </TD> </TR> <TR> <TD> <P>Splunk Enterprise (*nix)</P> </TD> <TD> <P>/opt/splunk ($SPLUNK_HOME) and all subdirectories<BR />/opt/splunk/var/lib/splunk ($SPLUNK_DB) and all subdirectories</P> </TD> <TD> <UL> <LI>bloom</LI> <LI>btool</LI> <LI>btprobe</LI> <LI>bzip2</LI> <LI>cherryd</LI> <LI>classify</LI> <LI>exporttool</LI> <LI>locktest</LI> <LI>locktool</LI> <LI>node</LI> <LI>python*</LI> <LI>splunk</LI> <LI>splunkd</LI> <LI>splunkmon</LI> <LI>tsidxprobe</LI> <LI>tsidxprobe_plo</LI> <LI>walklex</LI> </UL> </TD> </TR> <TR> <TD> <P>Splunk universal forwarder (*nix)</P> </TD> <TD> <P>/opt/splunkforwarder ($SPLUNK_HOME) and all subdirectories</P> </TD> <TD> <P>Same as Splunk Enterprise (*nix)</P> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <OL start="6"> 
<LI>To add an exclusion manually for a process running on RHEL 7.9, run the following command:</LI> </OL> <P class="lia-indent-padding-left-30px"><STRONG>mdatp exclusion process add --name [nameofprocess]</STRONG></P> <P><STRONG>&nbsp;</STRONG></P> <OL start="7"> <LI>Since we have 17 processes to exclude, run the command 17 times, once per process. Quote the wildcard entry (python*) so the shell passes it to mdatp literally instead of expanding it against file names in the current directory.</LI> </OL> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name bloom</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name btool</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name btprobe</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name bzip2</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name cherryd</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name classify</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name exporttool</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name locktest</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name locktool</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name node</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name 'python*'</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name splunk</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name splunkd</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name splunkmon</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add 
--name tsidxprobe</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name tsidxprobe_plo</STRONG></P> <P class="lia-indent-padding-left-60px"><STRONG>sudo mdatp exclusion process add --name walklex</STRONG></P> <P><STRONG>&nbsp;</STRONG></P> <P>[azureuser@redhat /]$<STRONG> sudo mdatp exclusion process add --name bloom</STRONG></P> <P>Process exclusion added successfully</P> <P><STRONG>&nbsp;</STRONG></P> <OL start="8"> <LI>Once we run through the 17 processes, we can check the exclusions list again.</LI> </OL> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">[azureuser@redhat /]$ <STRONG>mdatp exclusion list</STRONG></P> <P class="lia-indent-padding-left-30px">=====================================</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: bloom</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: btool</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: btprobe</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: bzip2</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: cherryd</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: classify</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: exporttool</P> <P class="lia-indent-padding-left-30px">---</P> <P 
class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: locktest</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: locktool</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: node</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: python*</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: splunk</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: splunkd</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: splunkmon</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: tsidxprobe</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: tsidxprobe_plo</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">Excluded process</P> <P class="lia-indent-padding-left-30px">Process name: walklex</P> <P class="lia-indent-padding-left-30px">=====================================</P> <P class="lia-indent-padding-left-30px">[azureuser@redhat /]$</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px">Note: All 17 processes are now excluded. 
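</P> <P>Putting the whole procedure together (the process exclusions above and the folder exclusion in the next step), here is an added example script; it is not part of the original article or of the mdatp product. It assumes the <STRONG>mdatp</STRONG> CLI, the <STRONG>mdatp exclusion list</STRONG> output format shown above, and the default $SPLUNK_HOME of /opt/splunk; the sample listing it checks against is constructed for the example, not captured from a real host. The script reads the current exclusion list once, adds only the process and folder exclusions that are still missing, and echoes every command before running it so the widening of the exclusion set is auditable.</P>

```shell
#!/usr/bin/env bash
# Added example (not from the original article): idempotent Splunk exclusion
# setup for Microsoft Defender for Endpoint on Linux. Assumes the `mdatp` CLI
# and the `mdatp exclusion list` output format shown in the article
# ("Process name: <name>" lines and Path: "<path>" lines).
set -u
set -f   # noglob: keep the python* entry literal instead of matching files in $PWD

# Process names recommended by Splunk (the table in the article).
SPLUNK_PROCESSES="bloom btool btprobe bzip2 cherryd classify exporttool locktest locktool node python* splunk splunkd splunkmon tsidxprobe tsidxprobe_plo walklex"

# Constructed sample of `mdatp exclusion list` output (not captured from a real
# host): three of the processes and the $SPLUNK_HOME folder are already excluded.
SAMPLE_LISTING='=====================================
Excluded process
Process name: bloom
---
Excluded process
Process name: python*
---
Excluded process
Process name: splunkd
---
Excluded folder
Path: "/opt/splunk/"
====================================='

# Print the process names found in a listing read from stdin, one per line.
parse_process_exclusions() {
  sed -n 's/^Process name: //p'
}

# Print the folder paths found in a listing read from stdin, quotes stripped.
parse_folder_exclusions() {
  sed -n 's/^Path: "\(.*\)"$/\1/p'
}

# Print each wanted entry (arguments) that is absent from the current set (stdin).
# grep -x -F compares whole lines as literal text, so python* is matched as-is.
missing_entries() {
  current=$(cat)
  for wanted in "$@"; do
    if ! printf '%s\n' "$current" | grep -qxF -- "$wanted"; then
      printf '%s\n' "$wanted"
    fi
  done
}

# Process exclusions still to be added, given a listing on stdin.
plan_process_exclusions() {
  parse_process_exclusions | missing_entries $SPLUNK_PROCESSES
}

# Folder exclusion still to be added for $SPLUNK_HOME (argument, default /opt/splunk).
plan_folder_exclusions() {
  parse_folder_exclusions | missing_entries "${1:-/opt/splunk}/"
}

# Read the live list once, then add only what is missing. Every command is
# echoed before it runs; stdin is redirected so mdatp cannot consume the plan.
apply_splunk_exclusions() {
  splunk_home=${1:-/opt/splunk}
  listing=$(mdatp exclusion list) || return 1
  printf '%s\n' "$listing" | plan_process_exclusions | while read -r name; do
    echo "+ mdatp exclusion process add --name $name"
    sudo mdatp exclusion process add --name "$name" </dev/null
  done
  printf '%s\n' "$listing" | plan_folder_exclusions "$splunk_home" | while read -r path; do
    echo "+ mdatp exclusion folder add --path $path"
    sudo mdatp exclusion folder add --path "$path" </dev/null
  done
}

if command -v mdatp >/dev/null 2>&1; then
  apply_splunk_exclusions "${1:-/opt/splunk}"
else
  echo "mdatp not found; plan against the constructed sample listing:"
  printf '%s\n' "$SAMPLE_LISTING" | plan_process_exclusions
  printf '%s\n' "$SAMPLE_LISTING" | plan_folder_exclusions
fi
```

<P>Because every exclusion narrows what Defender inspects, the script never removes anything and prints each <STRONG>mdatp</STRONG> call it makes; keep that output with the change record for the host. Note also that the article's <STRONG>python*</STRONG> entry is a literal name pattern stored by mdatp, so it must reach mdatp unexpanded: the script disables shell globbing (set -f), and when you type the commands by hand the entry should be quoted ('python*'). For a universal forwarder, pass /opt/splunkforwarder as the first argument.</P> <P class="lia-indent-padding-left-30px">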
We can move on to the folder exclusions.</P> <P>&nbsp;</P> <OL start="9"> <LI>To add the folder exclusion manually on Red Hat Enterprise Linux 7.9, run the following command (for a universal forwarder, use /opt/splunkforwarder instead of /opt/splunk):</LI> </OL> <P class="lia-indent-padding-left-30px"><STRONG>sudo mdatp exclusion folder add --path "/opt/splunk/"</STRONG></P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <P class="lia-indent-padding-left-30px">Note: This excludes all files and subdirectories under /opt/splunk.</P> <P>&nbsp;</P> <P>[azureuser@redhat /]$ <STRONG>sudo mdatp exclusion folder add --path "/opt/splunk/"</STRONG></P> <P>Folder exclusion configured successfully</P> <P>&nbsp;</P> <OL start="10"> <LI>Check the exclusion list again to verify that the folder is excluded.</LI> </OL> <P class="lia-indent-padding-left-30px">[azureuser@redhat /]$ <STRONG>mdatp exclusion list</STRONG></P> <P class="lia-indent-padding-left-30px">=====================================</P> <P class="lia-indent-padding-left-30px">Excluded folder</P> <P class="lia-indent-padding-left-30px">Path: "/opt/splunk/"</P> <P class="lia-indent-padding-left-30px">---</P> <P class="lia-indent-padding-left-30px">&nbsp;</P> <OL start="11"> <LI>Now that the folder exclusion for the application has been added and verified with <STRONG>mdatp exclusion list</STRONG>, we are good to go.</LI> </OL> <P>&nbsp;</P> <P>Hopefully this article provides added clarity around the common task of adding Splunk exclusions on Linux clients protected by Microsoft Defender for Endpoint on Linux.</P> <P>&nbsp;</P> <P><FONT size="1 2 3 4 5 6 7"><STRONG><EM>Disclaimer</EM></STRONG><EM><BR />The sample scripts are not supported under any 
Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.</EM></FONT></P> <DIV class="ms-editor-squiggler" style="
break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-clip-margin: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: 
initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; 
-webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> Tue, 13 Apr 2021 03:50:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/configuring-exclusions-for-splunk-on-redhat-linux-7-9/ba-p/2261914 pbracher 2021-04-13T03:50:00Z New threat and vulnerability management experiences in Microsoft 365 security https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/new-threat-and-vulnerability-management-experiences-in-microsoft/ba-p/2233284 <P>The Microsoft 365 security center at <A href="#" target="_blank" rel="noopener">security.microsoft.com</A> combines security capabilities that protect, detect, investigate, and respond to email, collaboration, identity, and endpoint threats. 
We recently shared details about how we’re bringing together these existing product experiences and functionalities in our <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/microsoft-365-defender-now-delivers-unified-experiences-across/ba-p/2177512" target="_blank" rel="noopener">recent blog post</A>.</P> <P>&nbsp;</P> <P>As part of our investment in delivering <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/delivering-world-class-secops-experiences/ba-p/2170092" target="_blank" rel="noopener">world class SecOps experiences</A>, we improved all of our threat and vulnerability management pages including: Dashboard, Recommendations, Remediation, Software inventory, Weaknesses, and Event timeline.</P> <P>&nbsp;</P> <P><EM>Going forward, all new threat and vulnerability management features will only be available in the new portal. </EM>&nbsp;</P> <P>&nbsp;</P> <P>Here’s what you’ll see under the “Vulnerability management” section in the Microsoft 365 security center:</P> <UL> <LI>New look and feel (including new insights on the top of each page)</LI> <LI>Recommendation side panel improvements <UL class="lia-list-style-type-circle"> <LI>New side panel design</LI> <LI>Lists of related device names and CVEs are in separate tabs with searchable items</LI> <LI>Threat Analytics reports</LI> </UL> </LI> <LI>New remediation request experience</LI> <LI>All items are visible when you scroll (no more pagination)</LI> <LI>New filters</LI> <LI>Better search options</LI> <LI>Better performance</LI> <LI>Accessibility improvements</LI> </UL> <P>&nbsp;</P> <P><STRONG>Let’s go through some of the changes in Microsoft 365 security in more detail.</STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The new vulnerability management <STRONG>Weaknesses page</STRONG> includes:</P> <UL> <LI>New insights on the top of the page: Including the number of exploitable vulnerabilities, critical vulnerabilities, and zero-day vulnerabilities.</LI> 
<LI>New filter experience: the filters that are turned on are shown above the list.</LI> <LI>All items are now visible when you scroll: no more pagination.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="weaknesses_page.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266758iDF088557DDE7BB71/image-size/large?v=v2&amp;px=999" role="button" title="weaknesses_page.png" alt="weaknesses_page.png" /></span></P> <P>&nbsp;</P> <P>Each recommendation in the <STRONG>Security recommendations page</STRONG> has <STRONG>a new side panel design</STRONG> with much more information:</P> <UL> <LI>A wider side panel with more in-depth information; all items are visible without scrolling.</LI> <LI>An associated CVEs pivot, organized by severity.</LI> <LI>A list of “related threats” with links to the related Threat Analytics articles.</LI> <LI>All lists are now shown in tabs, and each tab has its own search option.</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shir_Feldman_2-1616612569264.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266739i6DE2D39D4EAD7A92/image-size/large?v=v2&amp;px=999" role="button" title="Shir_Feldman_2-1616612569264.png" alt="Shir_Feldman_2-1616612569264.png" /></span></P> <P>&nbsp;</P> <P>Under the <STRONG>Related threats</STRONG> <STRONG>header</STRONG> within a security recommendation, you can find the related Threat Analytics articles and open them directly by clicking on the name:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shir_Feldman_3-1616612594626.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266740i27A8673341F4001F/image-size/large?v=v2&amp;px=999" role="button" title="Shir_Feldman_3-1616612594626.png" alt="Shir_Feldman_3-1616612594626.png" /></span></P> <P>&nbsp;</P> <P>In every tab within the security recommendation you can search for a specific item, such as a CVE or a device name, to check whether that CVE or device is applicable to the recommendation. You can also select a column header to sort the list:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shir_Feldman_4-1616612653584.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266741i725C972E3E80C15B/image-size/large?v=v2&amp;px=999" role="button" title="Shir_Feldman_4-1616612653584.png" alt="Shir_Feldman_4-1616612653584.png" /></span></P> <P>&nbsp;</P> <P>Search for a device name in the <STRONG>Devices </STRONG>tab of the recommendation. There is also a “last seen” column for each device:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shir_Feldman_5-1616612672389.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266742i41F04CABD9B48E21/image-size/large?v=v2&amp;px=999" role="button" title="Shir_Feldman_5-1616612672389.png" alt="Shir_Feldman_5-1616612672389.png" /></span></P> <P>&nbsp;</P> <P>Selecting an activity in the <STRONG>Remediation activities</STRONG> tab of the recommendation opens a side panel with the remediation description, progress, and more. Previously, it directed you to another page:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shir_Feldman_6-1616612692676.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266744i34FFAA78A3357E0B/image-size/large?v=v2&amp;px=999" role="button" title="Shir_Feldman_6-1616612692676.png" alt="Shir_Feldman_6-1616612692676.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shir_Feldman_7-1616612698476.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266745i3DC1CFACC2A74929/image-size/large?v=v2&amp;px=999" role="button" title="Shir_Feldman_7-1616612698476.png" alt="Shir_Feldman_7-1616612698476.png" /></span></P> <P>&nbsp;</P> <P>To request remediation for a security recommendation, the <STRONG>Remediation request</STRONG> experience has been updated. Instead of a long form that you need to scroll through, there is a new wizard with step-by-step guidance:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shir_Feldman_9-1616612764223.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266747iFCF25641EE930B96/image-size/large?v=v2&amp;px=999" role="button" title="Shir_Feldman_9-1616612764223.png" alt="Shir_Feldman_9-1616612764223.png" /></span></P> <P>&nbsp;</P> <P>On the <STRONG>Remediation</STRONG> <STRONG>page </STRONG>in vulnerability management, you now have insights into how many activities are past due:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shir_Feldman_10-1616612828675.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266748iBEEDF3E42A9F41BF/image-size/large?v=v2&amp;px=999" role="button" title="Shir_Feldman_10-1616612828675.png" alt="Shir_Feldman_10-1616612828675.png" /></span></P> <P>&nbsp;</P> <P>The main <STRONG>Dashboard page</STRONG> has had some design changes, including the list of the top security recommendations:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Shir_Feldman_11-1616612842115.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266749iE513BB1101B5E26C/image-size/large?v=v2&amp;px=999" role="button" title="Shir_Feldman_11-1616612842115.png" alt="Shir_Feldman_11-1616612842115.png" /></span></P> <P>&nbsp;</P> <P>Finally, all the threat and vulnerability management experiences comply with the <STRONG>WCAG 2.1</STRONG> accessibility standard.</P> <P>&nbsp;</P> <P>Are you ready? If you’ve enabled public preview features, you can <A href="#" target="_blank" rel="noopener">check out the new threat and vulnerability management experiences in the unified portal</A> today! If not, we encourage you to turn on <A href="#" target="_blank" rel="noopener">preview features</A> for Microsoft Defender for Endpoint to get access to the newest capabilities. These features can be turned on in the Microsoft Defender Security Center or the Microsoft 365 security center. In addition, we recommend you <A href="#" target="_blank" rel="noopener">learn about how to redirect accounts from Microsoft Defender for Endpoint to the Microsoft 365 security center</A><SPAN>.</SPAN></P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint is an industry leading, cloud powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. 
If you’re not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities,&nbsp;</EM><A href="#" target="_blank" rel="noopener">sign up for a free Microsoft Defender for Endpoint trial</A><EM>&nbsp;today.</EM></P> <P>&nbsp;</P> <P>We’re excited to&nbsp;<A href="#" target="_blank" rel="noopener">hear your feedback</A>&nbsp;as you explore the&nbsp;unified&nbsp;portal and we will continue to update the documentation throughout the preview.&nbsp;Our mission is to&nbsp;empower you&nbsp;with the&nbsp;most unified extended detection and response (XDR) solution in the industry so that you can focus on&nbsp;what’s important:&nbsp;preventing and remediating threats.&nbsp;</P> <P>&nbsp;</P> <P>To read more&nbsp;about the&nbsp;unified portal&nbsp;experience, check out:&nbsp;</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Overview - Microsoft 365 security center&nbsp;</A></LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint in the Microsoft 365 security center&nbsp;</A></LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft Defender for Office&nbsp;365 in the Microsoft 365 security center&nbsp;</A></LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 09 Jun 2021 19:09:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/new-threat-and-vulnerability-management-experiences-in-microsoft/ba-p/2233284 Shir_Feldman 2021-06-09T19:09:00Z Enhancing Linux antivirus with behavior monitoring capabilities! 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/enhancing-linux-antivirus-with-behavior-monitoring-capabilities/ba-p/2226705 <P>As we continue our momentum in securing Linux platforms, we are excited to announce the public preview of Microsoft Defender for Endpoint on Linux antivirus behavior monitoring and blocking!</P> <P>&nbsp;</P> <P>The new preventive antivirus functionality complements our existing content-based capabilities with behavior monitoring and deep memory scanning. These enhancements add the ability to closely monitor processes, file system activity, and process interactions on the system. Correlating events and behaviors across multiple processes lets us detect and block malware more generically, based on behavioral classification rather than on file content alone. These behavior-based signals also feed the cloud-powered behavioral machine learning models as additional runtime signals for effective runtime protection.</P> <P>&nbsp;</P> <P>Linux antivirus behavior monitoring and blocking can be previewed on any Linux distribution currently supported by Microsoft Defender for Endpoint on Linux:</P> <UL> <LI>RHEL 7.2+</LI> <LI>CentOS Linux 7.2+</LI> <LI>Ubuntu 16.04 LTS or a later LTS release</LI> <LI>SLES 12+</LI> <LI>Debian 9+</LI> <LI>Oracle Linux 7.2+</LI> </UL> <P>&nbsp;</P> <P>Microsoft Defender for Endpoint on Linux antivirus behavior monitoring integrates into the existing preventive experiences. 
Behavior monitoring details and artifacts can be explored locally using the existing Microsoft Defender for Endpoint on Linux command line interface.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="client-alert_med2.png" style="width: 961px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266516iBE3D4EEE6C70359A/image-size/large?v=v2&amp;px=999" role="button" title="client-alert_med2.png" alt="client-alert_med2.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Behavior monitoring alerts appear in the Microsoft Defender Security Center (as well as in the Microsoft 365 security center) alongside all other alerts and can be effectively investigated.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="portal-alert1.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/266535iBC3460DF02534C18/image-size/large?v=v2&amp;px=999" role="button" title="portal-alert1.png" alt="portal-alert1.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>What are the preview prerequisites for Linux antivirus behavior monitoring and blocking?</STRONG></P> <P>&nbsp;</P> <P>To experience the Linux antivirus behavior monitoring and blocking in public preview, you’ll need to have preview features turned on in the Microsoft Defender Security Center. 
If you have not yet opted into previews, we encourage you to&nbsp;<A href="#" target="_blank" rel="noopener">turn on preview features</A>&nbsp;in the Microsoft Defender Security Center or in the Microsoft 365 security center today.</P> <P>&nbsp;</P> <P>As a preview entry prerequisite, please ensure the following requirements are fulfilled:</P> <UL> <LI>Device must be in the <STRONG>InsiderFast</STRONG> channel</LI> <LI><STRONG>Minimum Microsoft Defender for Endpoint version</STRONG> (InsiderFast): <STRONG>101.25.42</STRONG></LI> <LI>Device must be explicitly enrolled in the preview. Enrollment can be activated or deactivated with the following commands:</LI> </UL> <P class="lia-indent-padding-left-60px"><EM>$ sudo mdatp config behavior-monitoring --value enabled</EM></P> <P class="lia-indent-padding-left-60px"><EM>$ sudo mdatp config behavior-monitoring --value disabled</EM></P> <P class="lia-indent-padding-left-60px">&nbsp;</P> <UL> <LI>Microsoft Defender for Endpoint must be restarted for the enrollment/unenrollment commands to take effect.</LI> </UL> <P>&nbsp;</P> <P><STRONG>How to start previewing Linux antivirus behavior monitoring and blocking?</STRONG></P> <P>&nbsp;</P> <P>To get started with the Linux antivirus behavior monitoring and blocking public preview:</P> <UL> <LI>Ensure the preview prerequisites are met</LI> <LI>Initially evaluate this new functionality on a selected subset of your <STRONG><EM>non-production</EM></STRONG> Linux devices</LI> <LI>Ensure cloud-delivered protection is enabled on devices enrolled in the preview by running the following command:</LI> </UL> <P class="lia-indent-padding-left-60px"><EM style="font-family: inherit;">$ mdatp health --field cloud_enabled # this should print "true"</EM></P> <P 
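class="lia-indent-padding-left-60px">&nbsp;</P> <P>As an added example (not code from the post or from Microsoft), the following POSIX shell script ties the prerequisites above together for a rollout to a selected subset of hosts: it parses the output of <EM>mdatp health</EM>, checks the InsiderFast ring, the 101.25.42 minimum build and cloud-delivered protection, and runs the post's enrollment command followed by an agent restart only when every check passes. It assumes that <EM>mdatp health</EM> prints <EM>key : value</EM> lines named release_ring, app_version and cloud_enabled, and that the agent's systemd unit is named mdatp; both are assumptions to verify on your build, and the embedded health output is a constructed sample, not a real capture.</P>

```shell
#!/bin/sh
# Added example (not from the original post): gate the preview enrollment
# behind the stated prerequisites. It reads `mdatp health`, checks the
# InsiderFast ring, the 101.25.42 minimum build and cloud-delivered protection,
# and only then runs the post's enrollment command and restarts the agent.
# Assumptions (verify on your build): `mdatp health` prints "key : value"
# lines named release_ring, app_version and cloud_enabled, and the systemd
# unit is called mdatp.

REQUIRED_VERSION="101.25.42"
REQUIRED_RING="InsiderFast"

# version_ge A B: succeed when dotted version A is >= B, comparing each
# numeric component; a missing component counts as 0 (101.25 < 101.25.42).
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# health_field KEY: read `mdatp health` text on stdin and print KEY's value
# with surrounding quotes removed (empty output when the key is absent).
health_field() {
    awk -v key="$1" -F' *: *' '$1 == key { v = $2; gsub(/"/, "", v); print v }'
}

# check_prereqs: read `mdatp health` text on stdin; print every unmet
# prerequisite and fail if there is at least one.
check_prereqs() {
    health=$(cat)
    ring=$(printf '%s\n' "$health" | health_field release_ring)
    ver=$(printf '%s\n' "$health" | health_field app_version)
    cloud=$(printf '%s\n' "$health" | health_field cloud_enabled)
    rc=0
    [ "$ring" = "$REQUIRED_RING" ] ||
        { echo "release_ring is '$ring', need $REQUIRED_RING"; rc=1; }
    version_ge "$ver" "$REQUIRED_VERSION" ||
        { echo "app_version '$ver' is below $REQUIRED_VERSION"; rc=1; }
    [ "$cloud" = "true" ] ||
        { echo "cloud_enabled is '$cloud', need true"; rc=1; }
    return $rc
}

# The post's enrollment command plus the restart the post says is required.
enable_behavior_monitoring() {
    sudo mdatp config behavior-monitoring --value enabled &&
        sudo systemctl restart mdatp   # unit name is an assumption
}

# Constructed sample of `mdatp health` output (not a real capture), used when
# mdatp is not installed so the checks can be exercised offline.
SAMPLE_HEALTH='healthy                                     : true
app_version                                 : "101.25.42"
release_ring                                : "InsiderFast"
cloud_enabled                               : true
real_time_protection_enabled                : true'

# Usage: sh enable_bm.sh          -> report prerequisite status only
#        sh enable_bm.sh --enable -> also enroll when every prerequisite holds
main() {
    if command -v mdatp >/dev/null 2>&1; then
        live=$(mdatp health)
    else
        echo "mdatp not found; checking the constructed sample instead"
        live=$SAMPLE_HEALTH
    fi
    printf '%s\n' "$live" | check_prereqs || return 1
    echo "all prerequisites met"
    [ "$1" = "--enable" ] && enable_behavior_monitoring
    return 0
}

main "$@"
```

<P>Run it without arguments on a candidate host to see which prerequisites fail, and with <EM>--enable</EM> to enroll; because enrollment needs a service restart, keep the first runs to the non-production subset the post recommends.</P> <P 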
class="lia-indent-padding-left-60px">&nbsp;</P> <UL> <LI>Try “Do It Yourself” scenarios to see features in action. You can find <A title="Do It Yourself: Linux behavior monitoring and blocking" href="https://gorovian.000webhostapp.com/?exam=gxcuf89792/attachments/gxcuf89792/MicrosoftDefenderATPBlog/1161/1/Linux_BM_DIY.pdf" target="_self">"Do It Yourself" scenarios</A> attached to this blog</LI> <LI>Continue running Linux clients enrolled into evaluation as you normally would</LI> <LI>Share your feedback and observations to help us improve.</LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P>We welcome your feedback and look forward to hearing from you! You can submit feedback through&nbsp;the Microsoft Defender Security Center or through the Microsoft 365 security center.</P> <P>&nbsp;</P> <P>Monitor the <A href="#" target="_blank" rel="noopener">What's new in Microsoft Defender for Endpoint on Linux page</A> for upcoming announcements (including general availability of Linux antivirus behavior monitoring and blocking). Stay tuned to our&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog" target="_blank" rel="noopener">blog</A><SPAN>&nbsp;</SPAN>and&nbsp;<A href="#" target="_blank" rel="noopener">Twitter channel</A><SPAN>&nbsp;</SPAN>to stay up to date on additional Microsoft Defender for Endpoint advancements.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint is an industry leading, cloud powered endpoint security solution offering endpoint protection, endpoint detection and response, vulnerability management, and mobile threat defense. With our solution, threats are no match. 
If you are not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities,&nbsp;<A href="#" target="_blank" rel="noopener">sign up for a free Microsoft Defender for Endpoint trial</A>&nbsp;today.</EM></P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint team</EM></P> <DIV class="ms-editor-squiggler" style="
display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-clip-margin: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; 
stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; 
-webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> Mon, 29 Mar 2021 17:13:40 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/enhancing-linux-antivirus-with-behavior-monitoring-capabilities/ba-p/2226705 Helen_Allas 2021-03-29T17:13:40Z Mac updates: Control your USB devices with Microsoft Defender for Endpoint on Mac! https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/mac-updates-control-your-usb-devices-with-microsoft-defender-for/ba-p/2224439 <P>&nbsp;</P> <P><FONT size="4">Microsoft Defender for Endpoint on Mac USB storage device control is in general availability as of July 2021.&nbsp;</FONT></P> <P>&nbsp;</P> <P>In line with our commitment to rapidly expand Microsoft Defender for Endpoint cross-platform capabilities, we are preparing a set of enhancements to further reduce organizational exposure attributed to common end user activities. Today we are thrilled to announce the public preview of USB storage device control for Mac!</P> <P>&nbsp;</P> <P>Preventing threats and securing your organization takes a multi-layered approach. Many users will plug in USB removable storage devices without considering their potential security risk. Enabling removable device control policies reduces the attack surface on user’s machines and protects organizations against malware and data loss in these scenarios.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>What level of USB device control comes with this new capability?</STRONG></P> <P>&nbsp;</P> <P>USB storage device control for Mac is designed to regulate the level of access given to external USB storage devices (including SD cards). 
The access level is controlled through custom policies.</P> <P>&nbsp;</P> <UL> <LI>The capability supports Audit and Block enforcement levels.</LI> <LI>USB device access can be set to Read, Write, Execute, or No access.</LI> <LI>To achieve a high degree of granularity, the USB access level can be specified per Vendor ID, Product ID, and Serial Number.</LI> <LI>The custom policy lets you customize the URL to which the user is redirected when interacting with the end-user-facing “device restricted” notification.</LI> </UL> <P>&nbsp;</P> <P>The USB device control policy is hierarchical. At the top of the hierarchy are vendors. For each vendor, there are products. Finally, for each product there are serial numbers denoting specific USB devices.</P> <P>The policy is evaluated from the most specific entry to the most general one. When a USB device does not match any of the nested entries, the access level for this device defaults to the top-level permission.</P> <P>&nbsp;</P> <P class="lia-indent-padding-left-30px"><EM>|-- policy top level</EM></P> <P class="lia-indent-padding-left-30px"><EM>&nbsp; |-- vendor 1</EM></P> <P class="lia-indent-padding-left-30px"><EM>&nbsp;&nbsp;&nbsp;&nbsp; |-- product 1</EM></P> <P class="lia-indent-padding-left-30px"><EM>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |-- serial number 1</EM></P> <P class="lia-indent-padding-left-30px"><EM>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; …</EM></P> <P class="lia-indent-padding-left-30px"><EM>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; |-- serial number N</EM></P> <P class="lia-indent-padding-left-30px"><EM>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; …</EM></P> <P class="lia-indent-padding-left-30px"><EM>&nbsp;&nbsp;&nbsp;&nbsp; |-- product N</EM></P> <P class="lia-indent-padding-left-30px"><EM>&nbsp; …</EM></P> <P class="lia-indent-padding-left-30px"><EM>&nbsp; |-- vendor N</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P style="margin: 0in;"><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">In cases when 
the USB device control policy restricts Mac end user actions, a notification appears informing the end user about the restriction imposed by the organization:</SPAN></P> <P style="margin: 0in;">&nbsp;</P> <P style="margin: 0in;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2021-02-09 at 12.18.35 PM (2).png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/265844iE4A7D32F4D049261/image-size/large?v=v2&amp;px=999" role="button" title="Screen Shot 2021-02-09 at 12.18.35 PM (2).png" alt="Screen Shot 2021-02-09 at 12.18.35 PM (2).png" /></span></P> <P style="margin: 0in;">&nbsp;</P> <P style="margin: 0in;">&nbsp;</P> <P style="margin: 0in;"><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">Security teams have visibility into instances of restricted actions involving USB storage devices in the Microsoft Defender Security Center:</SPAN></P> <P style="margin: 0in;">&nbsp;</P> <P style="margin: 0in;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Portal.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/265803i53E22E2DDDD5190B/image-size/large?v=v2&amp;px=999" role="button" title="Portal.png" alt="Portal.png" /></span></P> <P style="margin: 0in;">&nbsp;</P> <P style="margin: 0in;">&nbsp;</P> <P style="margin: 0in;"><SPAN style="font-size: 10.0pt; font-family: 'Arial',sans-serif; color: black;">USB device control events can also be explored using advanced hunting queries. 
For example:</SPAN></P> <P class="lia-indent-padding-left-30px"><FONT size="2">DeviceEvents</FONT></P> <P class="lia-indent-padding-left-30px"><FONT size="2">&nbsp;&nbsp;&nbsp; | where ActionType == "UsbDriveMount" or ActionType == "UsbDriveUnmount" or ActionType == "UsbDriveDriveLetterChanged"</FONT></P> <P class="lia-indent-padding-left-30px"><FONT size="2">&nbsp;&nbsp;&nbsp; | where DeviceId == "&lt;device ID&gt;"</FONT></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG>What are the available options to deploy USB storage device control policies for Mac?</STRONG></P> <P>&nbsp;</P> <P>USB device control policies can be deployed using , Intune, and manual deployment. For more information, read the <A title="Mac USB storage device control documentation" href="#" target="_self">Mac USB storage device control documentation</A>&nbsp;for detailed guidance on policy deployment (including examples of USB device control configurations).</P> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG>What are the preview prerequisites for USB storage device control for Mac?</STRONG></P> <P>&nbsp;</P> <P>To experience the USB storage device control for Mac capability in public preview, you’ll need to have preview features turned on in the Microsoft Defender Security Center. 
If you have not yet opted into previews, we encourage you to&nbsp;<A href="#" target="_blank" rel="noopener">turn on preview features</A>&nbsp;in the Microsoft Defender Security Center today.</P> <P>&nbsp;</P> <P>Ensure the following requirements are fulfilled:</P> <UL> <LI>This new capability is supported on devices running macOS Catalina 10.15.4+</LI> <LI>Participating devices must be running with system extensions (this is the default on macOS 11 Big Sur)</LI> <LI>Participating devices must be registered for the InsiderFast Microsoft AutoUpdate channel</LI> <LI>Minimum client version for Microsoft Defender for Endpoint for this capability is 101.24.59</LI> </UL> <P>&nbsp;</P> <P>See the <A title="Mac USB device control documentation" href="#" target="_self">Mac USB device control documentation</A> for details on setting and checking these prerequisites on participating devices.</P> <P>&nbsp;</P> <P>We welcome your feedback and look forward to hearing from you!</P> <P>You can submit feedback by opening the Microsoft Defender for Endpoint application on your Mac device and navigating to&nbsp;<EM>Help &gt; Send feedback.</EM>&nbsp;Another option is to submit feedback via&nbsp;the Microsoft Defender Security Center.</P> <P>&nbsp;</P> <P>Monitor the <A href="#" target="_blank" rel="noopener">What's new in Microsoft Defender for Endpoint on Mac page</A> for upcoming announcements (including general availability of Mac USB storage device control).&nbsp;</P> <P>&nbsp;</P> <P>If you’re not yet taking advantage of Microsoft’s industry-leading optics and detection capabilities,&nbsp;<A href="#" target="_blank" rel="noopener">sign up for a free trial</A>&nbsp;of Microsoft Defender for Endpoint today.&nbsp;</P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint team</EM></P> Wed, 25 Aug 2021 23:24:56 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/mac-updates-control-your-usb-devices-with-microsoft-defender-for/ba-p/2224439 
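The hierarchical policy and most-specific-first evaluation described in the Mac USB storage device control post above, modelled as an added Python example (not Microsoft's code and not the real policy file schema): the vendor/product/serial layout, the Audit and Block enforcement levels and the fallback to the top-level permission follow the post, while the field names, the bit-flag encoding of Read/Write/Execute and the way an audit-mode violation is reported are assumptions of this model.

```python
"""Model of the hierarchical USB storage device control policy described in the post.

Constructed example. The node layout (top level -> vendor -> product -> serial
number) and the most-specific-first evaluation follow the post; field names,
the bit-flag access encoding and the audit/block reporting are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

# Access levels listed in the post, encoded here as bit flags (constructed encoding).
NO_ACCESS, READ, WRITE, EXECUTE = 0, 1, 2, 4
LEVEL_NAMES = {READ: "read", WRITE: "write", EXECUTE: "execute"}


@dataclass
class ProductRule:
    """One product under a vendor; may set its own access and list serial numbers."""
    access: Optional[int] = None                            # None: nothing set at this level
    serials: Dict[str, int] = field(default_factory=dict)   # serial number -> access level


@dataclass
class VendorRule:
    """One vendor; may set its own access and nest product rules."""
    access: Optional[int] = None
    products: Dict[str, ProductRule] = field(default_factory=dict)


@dataclass
class UsbPolicy:
    """Top-level policy: default permission, enforcement level and nested vendor rules."""
    default_access: int
    enforcement: str = "block"                              # "audit" or "block", as in the post
    vendors: Dict[str, VendorRule] = field(default_factory=dict)

    def effective_access(self, vendor_id: str, product_id: str, serial: str) -> int:
        """Return the access level of the most specific matching entry.

        Order: serial number, then product, then vendor, then the top-level
        default (the post's "most specific entry to the most general one").
        """
        vendor = self.vendors.get(vendor_id)
        if vendor is None:
            return self.default_access
        product = vendor.products.get(product_id)
        if product is not None:
            if serial in product.serials:
                return product.serials[serial]
            if product.access is not None:
                return product.access
        if vendor.access is not None:
            return vendor.access
        return self.default_access

    def decide(self, vendor_id: str, product_id: str, serial: str,
               requested: int) -> Tuple[str, str]:
        """Map a requested operation to ("allow" | "audit" | "block", reason)."""
        allowed = self.effective_access(vendor_id, product_id, serial)
        if requested & allowed == requested:
            return "allow", f"granted {describe(allowed)}"
        missing = describe(requested & ~allowed)
        if self.enforcement == "audit":
            # Audit mode records the violation but does not stop the user.
            return "audit", f"would be blocked: {missing} not permitted"
        return "block", f"{missing} not permitted"


def describe(level: int) -> str:
    """Human-readable name for a (possibly combined) access level."""
    names = [name for bit, name in LEVEL_NAMES.items() if level & bit]
    return "+".join(names) if names else "no access"


# Constructed sample policy: read-only by default; one vendor fully blocked except
# one of its products, which is read-only except for a single serial that may write.
SAMPLE_POLICY = UsbPolicy(
    default_access=READ,
    enforcement="block",
    vendors={
        "0x1234": VendorRule(
            access=NO_ACCESS,
            products={
                "0xABCD": ProductRule(access=READ, serials={"SN-0001": READ | WRITE}),
            },
        ),
    },
)


if __name__ == "__main__":
    # Constructed mount attempts: (vendor ID, product ID, serial number, requested operation)
    attempts = [
        ("0x1234", "0xABCD", "SN-0001", READ | WRITE),   # matches the serial entry
        ("0x1234", "0xABCD", "SN-9999", WRITE),          # falls back to the product entry
        ("0x1234", "0xFFFF", "SN-0001", READ),           # falls back to the vendor entry
        ("0x9999", "0xABCD", "SN-0001", READ),           # no match: top-level default
    ]
    for vendor_id, product_id, serial, requested in attempts:
        verdict, reason = SAMPLE_POLICY.decide(vendor_id, product_id, serial, requested)
        print(f"{vendor_id}/{product_id}/{serial} {describe(requested):<10} -> {verdict}: {reason}")
```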
Helen_Allas 2021-08-25T23:24:56Z Migrate advanced hunting from Microsoft Defender for Endpoint to Microsoft 365 Defender https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/migrate-advanced-hunting-from-microsoft-defender-for-endpoint-to/ba-p/2214499 <P><A href="#" target="_blank" rel="noopener"><SPAN>Microsoft 365 Defender</SPAN></A><SPAN data-contrast="auto">&nbsp;simplifies and expands Microsoft security capabilities by consolidating data and functionality into unified</SPAN><SPAN data-contrast="auto">&nbsp;</SPAN><SPAN data-contrast="auto">experiences in</SPAN><SPAN data-contrast="auto">&nbsp;the</SPAN><SPAN data-contrast="auto">&nbsp;Microsoft 365 security center.&nbsp;</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">With&nbsp;</SPAN><SPAN data-contrast="auto">a</SPAN><SPAN data-contrast="auto">dvanced hunting, customers can continue using the powerful Kusto-based query interface to hunt across a device-optimized schema for Microsoft Defender for Endpoint.&nbsp;</SPAN><SPAN data-contrast="auto">You</SPAN><SPAN data-contrast="auto">&nbsp;can also switch to the Microsoft 365 security center, where we’ve surfaced additional email, identity, and app data consolidated under Microsoft 365 Defender.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Customers who actively use&nbsp;</SPAN><SPAN data-contrast="auto">a</SPAN><SPAN data-contrast="auto">dvanced hunting in Microsoft Defender for Endpoint are advised to note the following details to ensure a smooth transition to&nbsp;</SPAN><SPAN data-contrast="auto">a</SPAN><SPAN data-contrast="auto">dvanced hunting in Microsoft 365 Defender:</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> 
<UL> <LI><SPAN data-contrast="auto">You can now edit your Microsoft Defender for Endpoint&nbsp;</SPAN><A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">c</SPAN><SPAN data-contrast="none">ustom detection rules</SPAN></A><SPAN data-contrast="auto">&nbsp;in Microsoft 365 Defender. At the same time, alerts generated by custom detection rules in Microsoft 365 Defender will now be displayed in a newly built alert page that provides the following information:</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN> <UL> <LI><SPAN data-contrast="auto">Alert title and description&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="o" data-font="Courier New" data-listid="1" aria-setsize="-1" data-aria-posinset="2" data-aria-level="2"><SPAN data-contrast="auto">Impacted&nbsp;</SPAN><SPAN data-contrast="auto">assets</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="o" data-font="Courier New" data-listid="1" aria-setsize="-1" data-aria-posinset="3" data-aria-level="2"><SPAN data-contrast="auto">Actions taken in response to the&nbsp;</SPAN><SPAN data-contrast="auto">alert</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="o" data-font="Courier New" data-listid="1" aria-setsize="-1" data-aria-posinset="4" data-aria-level="2"><SPAN data-contrast="auto">Query results that triggered the alert (timeline and table views)</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> <LI data-leveltext="o" 
data-font="Courier New" data-listid="1" aria-setsize="-1" data-aria-posinset="4" data-aria-level="2"><SPAN data-contrast="auto">Information on the custom detection rule&nbsp;</SPAN><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></LI> </UL> </LI> </UL> <P><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="newAlertPage.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/264384i2E9C73C912749B29/image-size/large?v=v2&amp;px=999" role="button" title="newAlertPage.png" alt="newAlertPage.png" /></span></SPAN></P> <UL> <LI><SPAN data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}"><SPAN class="TextRun SCXW29128231 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW29128231 BCX8">With alert data consolidated from various sources in Microsoft 365 Defender, the contents of the&nbsp;</SPAN></SPAN><A class="Hyperlink SCXW29128231 BCX8" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined SCXW29128231 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW29128231 BCX8" data-ccp-charstyle="Hyperlink">DeviceAlertEvents</SPAN></SPAN></A><SPAN class="TextRun SCXW29128231 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW29128231 BCX8">&nbsp;table are surfaced using the&nbsp;</SPAN></SPAN><A class="Hyperlink SCXW29128231 BCX8" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined SCXW29128231 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW29128231 BCX8" data-ccp-charstyle="Hyperlink">AlertInfo</SPAN></SPAN></A><SPAN class="TextRun SCXW29128231 BCX8" data-contrast="auto"><SPAN 
class="NormalTextRun SCXW29128231 BCX8">&nbsp;and&nbsp;</SPAN></SPAN><A class="Hyperlink SCXW29128231 BCX8" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="TextRun Underlined SCXW29128231 BCX8" data-contrast="none"><SPAN class="NormalTextRun SCXW29128231 BCX8" data-ccp-charstyle="Hyperlink">AlertEvidence</SPAN></SPAN></A><SPAN class="TextRun SCXW29128231 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW29128231 BCX8">&nbsp;tables. These replacement tables are&nbsp;</SPAN></SPAN><SPAN class="TextRun SCXW29128231 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW29128231 BCX8">not</SPAN></SPAN><SPAN class="TextRun SCXW29128231 BCX8" data-contrast="auto"><SPAN class="NormalTextRun SCXW29128231 BCX8">&nbsp;constrained to alerts on devices. Instead, they also cover alerts from Microsoft Defender for Office 365, Microsoft Defender for Identity, and Microsoft Cloud App Security, providing visibility over threat activity impacting emails, apps, and identities.&nbsp;</SPAN></SPAN><A class="Hyperlink SCXW29128231 BCX8" href="#" target="_blank" rel="noreferrer noopener"><SPAN class="FieldRange SCXW29128231 BCX8"><SPAN class="TextRun Underlined SCXW29128231 BCX8" data-contrast="none"><SPAN class="NormalTextRun CommentStart SCXW29128231 BCX8" data-ccp-charstyle="Hyperlink">See Migrate advanced hunting queries from Microsoft Defender for Endpoint&nbsp;</SPAN></SPAN></SPAN></A><SPAN class="EOP SCXW29128231 BCX8" data-ccp-props="{&quot;134233279&quot;:true,&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></SPAN></LI> </UL> <P><SPAN data-contrast="auto">Read through the following sections for tips on how you can transition your Microsoft Defender for Endpoint rules smoothly to Microsoft 365 Defender.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <H4><STRONG><SPAN data-contrast="auto">Migrate custom 
detection&nbsp;</SPAN></STRONG><STRONG><SPAN data-contrast="auto">rules</SPAN></STRONG><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></H4> <P><SPAN data-contrast="auto">When Microsoft Defender for Endpoint rules are edited&nbsp;</SPAN><SPAN data-contrast="auto">i</SPAN><SPAN data-contrast="auto">n Microsoft 365 Defender, they can continue to function as before&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">if the resulting query looks at device tables only</SPAN></STRONG><SPAN data-contrast="auto">. For example, alerts generated by custom detection rules that query only device tables will continue to be delivered to your SIEM and generate email notifications, depending on how you’ve configured these in Microsoft Defender for Endpoint. Any existing suppression rules in Microsoft Defender for Endpoint will also continue to apply.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">Once you edit a Microsoft Defender for Endpoint rule so that it queries&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">identity and email</SPAN></STRONG><SPAN data-contrast="auto">&nbsp;</SPAN><STRONG><SPAN data-contrast="auto">tables</SPAN></STRONG><SPAN data-contrast="auto">, which are only available in Microsoft 365 Defender, the rule is automatically moved to Microsoft 365 Defender. 
Alerts generated by the migrated rule:</SPAN></P> <UL> <LI><SPAN data-contrast="auto">Are no longer visible in the Microsoft Defender Security Center.</SPAN></LI> <LI><SPAN data-contrast="auto">Are no longer delivered to your SIEM and no longer generate email notifications. To work around this, configure notifications through Microsoft 365 Defender to get the alerts; you can also use the <A href="#" target="_blank" rel="noopener"><SPAN data-contrast="none">Microsoft 365 Defender API</SPAN></A> to receive notifications for custom detection alerts or related incidents.</SPAN></LI> <LI><SPAN data-contrast="auto">Won’t be suppressed by Microsoft Defender for Endpoint suppression rules. 
To prevent alerts from being generated for certain users, devices, or mailboxes, modify the corresponding queries to exclude those entities explicitly.</SPAN></LI> </UL> <P><SPAN data-contrast="auto">If you edit a rule this way, you will be prompted for confirmation before the change is applied.</SPAN></P> <P>&nbsp;</P> <H4><STRONG><SPAN data-contrast="auto">Write queries without DeviceAlertEvents</SPAN></STRONG></H4> <P><SPAN data-contrast="auto">In Microsoft 365 Defender, the <I>AlertInfo</I> and <I>AlertEvidence</I> tables are provided to accommodate the diverse set of information that accompanies alerts from various sources. 
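</SPAN></P> <P><SPAN data-contrast="auto">The rule below is an added example, not code from the original post. It is a single custom detection written the way the "Migrate custom detection rules" section above and the AlertInfo/AlertEvidence join this section goes on to show describe: it reads alert context from AlertInfo and AlertEvidence instead of DeviceAlertEvents, joins IdentityLogonEvents (an identity table that exists only in Microsoft 365 Defender, so saving the rule moves it there), and carries its own exclusions because Microsoft Defender for Endpoint suppression rules stop applying after the move. The device and account names in the exclusion lists, the 7-day lookback and the failed-logon threshold of 10 are constructed placeholders. The join to DeviceProcessEvents is there because a custom detection rule must return Timestamp, ReportId and an entity column such as DeviceId, and the alert tables carry no ReportId.</SPAN></P>

```kql
// Added example, not code from the original post. One custom detection that
//   (1) reads alert context from AlertInfo + AlertEvidence instead of DeviceAlertEvents,
//   (2) joins IdentityLogonEvents, which moves the rule to Microsoft 365 Defender, and
//   (3) carries its own exclusions, because Microsoft Defender for Endpoint
//       suppression rules stop applying once the rule has moved.
// The exclusion lists, the 7-day lookback and the failed-logon threshold are
// constructed placeholders; tune them to the rule's schedule and your estate.
let lookback = 7d;
// Alert context. AlertEvidence holds one row per entity (process, file, user, ...)
// per alert, so reduce the join to one row per alert before joining anything else.
let PowerShellAlerts =
    AlertInfo
    | where Timestamp > ago(lookback)
    | where ServiceSource == "Microsoft Defender for Endpoint"
    | where AttackTechniques has "PowerShell" or Title has "PowerShell"
    | join kind=inner (
        AlertEvidence
        | where EntityType == "Process" and isnotempty(ProcessCommandLine)
        | project AlertId, DeviceId, DeviceName, ProcessCommandLine
      ) on AlertId
    | summarize arg_max(Timestamp, Title, Severity, DeviceId, DeviceName, ProcessCommandLine) by AlertId
    | project-rename AlertTime = Timestamp;
// The process event behind the alert supplies ReportId and the initiating account.
// A custom detection rule must return Timestamp, ReportId and an entity column
// (DeviceId here); AlertInfo and AlertEvidence have no ReportId, so this join is required.
let AlertedProcesses =
    PowerShellAlerts
    | join kind=inner (
        DeviceProcessEvents
        | where Timestamp > ago(lookback)
        | where FileName in~ ("powershell.exe", "pwsh.exe")
        | project DeviceId, ProcessCommandLine, ReportId, EventTime = Timestamp,
                  AccountName, AccountDomain, AccountSid
      ) on DeviceId, ProcessCommandLine;
// Identity side (Microsoft Defender for Identity data): accounts with a burst of
// failed logons. Matching on AccountSid avoids the case and domain-format
// differences between device and identity events.
let FailingAccounts =
    IdentityLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed" and isnotempty(AccountSid)
    | summarize FailedLogons = count(), LastFailure = max(Timestamp) by AccountSid
    | where FailedLogons >= 10;
AlertedProcesses
| join kind=inner (FailingAccounts) on AccountSid
// Explicit exclusions replace the suppression rules that applied while the rule
// lived in Microsoft Defender for Endpoint (constructed device and account names).
| where DeviceName !in~ ("build01.corp.example", "build02.corp.example")
| where AccountName !in~ ("svc-ci", "svc-backup")
| project Timestamp = EventTime, ReportId, DeviceId, DeviceName,
          AccountSid, AccountDomain, AccountName,
          AlertId, AlertTime, Title, Severity, ProcessCommandLine, FailedLogons, LastFailure
```

<P><SPAN data-contrast="auto">Run it in advanced hunting in Microsoft 365 Defender and save it as a custom detection; because it touches an identity table, the portal asks for the confirmation described above before the rule moves. Once moved, the two exclusion lines are the only thing keeping the build agents and service accounts quiet, so keep them in the query rather than relying on a suppression rule that no longer applies.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">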
Once you transition to advanced hunting in Microsoft 365 Defender, you’ll need to adjust your queries so they return the alert information you used to get from the </SPAN><I><SPAN data-contrast="auto">DeviceAlertEvents</SPAN></I><SPAN data-contrast="auto"> table in the Microsoft Defender for Endpoint schema.</SPAN></P> <P>&nbsp;</P> <P><SPAN data-contrast="auto">In general, you can get all the device-specific Microsoft Defender for Endpoint alert information by filtering the AlertInfo table by <I>ServiceSource</I> and then joining it with the AlertEvidence table on <I>AlertId</I>, which provides detailed event and entity information. See the sample query below:</SPAN></P> <P>&nbsp;</P> <PRE>// Alerts raised by Microsoft Defender for Endpoint in the last 7 days,
// with the entities (files, processes, users, devices) attached to each one
AlertInfo
| where Timestamp &gt; ago(7d)
| where ServiceSource == "Microsoft Defender for Endpoint"
| join AlertEvidence on AlertId</PRE> <P><SPAN data-contrast="auto">This query yields many more columns than simply taking records from DeviceAlertEvents, and more rows as well: AlertEvidence holds one row per entity attached to an alert, so the join returns each alert once per file, process, user or device it references. To keep results manageable, use <I>project</I> to get only the columns you are interested in, and filter on <I>EntityType</I> or summarize by <I>AlertId</I> when you need one row per alert. The query below projects columns you might be interested in when investigating detected PowerShell activity:</SPAN></P> <P>&nbsp;</P> <PRE>// Microsoft Defender for Endpoint alerts from the last 7 days that map to a
// PowerShell technique, with the process details carried in AlertEvidence
AlertInfo
| where Timestamp &gt; ago(7d)
| where ServiceSource == "Microsoft Defender for Endpoint"
    and AttackTechniques has "powershell"
| join AlertEvidence on AlertId
| project Timestamp, Title, AlertId, DeviceName, FileName, ProcessCommandLine</PRE> <P>&nbsp;</P> <H4><STRONG><SPAN data-contrast="auto">Important note on the visibility of data in Microsoft Defender for Endpoint</SPAN></STRONG></H4> <P><SPAN data-contrast="auto">Saved queries and custom detection rules that use tables that are not in Microsoft Defender for Endpoint are visible in the Microsoft 365 security center (security.microsoft.com) only; you will not see them in the Microsoft Defender Security Center. In the Microsoft Defender Security Center, you will see <I>only</I> the queries and rules that are based on the tables available in that portal.</SPAN></P> <P>&nbsp;</P> <H4><STRONG><SPAN data-contrast="auto">Let us know how we can help</SPAN></STRONG></H4> <P><SPAN data-contrast="auto">While the move to Microsoft 365 Defender offers significant benefits, especially to customers who have deployed multiple Microsoft 365 security solutions, we understand that change can present challenges. We’d like to encourage all customers to send us feedback about their experiences managing this change and suggestions on how we can help further. 
Send us feedback through the portals o</SPAN><SPAN data-contrast="auto">r</SPAN><SPAN data-contrast="auto">&nbsp;contact us at&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=mailto:ahfeedback@microsoft.com" target="_blank" rel="noopener"><SPAN data-contrast="none">ahfeedback@microsoft.com</SPAN></A><SPAN data-contrast="auto">.</SPAN><SPAN data-ccp-props="{&quot;201341983&quot;:0,&quot;335559739&quot;:160,&quot;335559740&quot;:259}">&nbsp;</SPAN></P> Tue, 16 Mar 2021 17:05:33 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/migrate-advanced-hunting-from-microsoft-defender-for-endpoint-to/ba-p/2214499 Tali Ash 2021-03-16T17:05:33Z Announcing a global switch for tamper protection https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-a-global-switch-for-tamper-protection/ba-p/2192490 <P>Advanced breaches like <A href="#" target="_blank" rel="noopener">human-operated ransomware campaigns</A> and <A href="#" target="_blank" rel="noopener">NOBELIUM&nbsp;</A>continue to pose significant risks to businesses. Most of these breaches involve tampering with security solutions and settings. To defend against these types of breaches, it's clear that <A href="#" target="_blank" rel="noopener">tamper protection</A> in Microsoft Defender for Endpoint should be turned on for all devices. 
Tamper protection helps prevent bad actors from disabling security features, such as antivirus protection, on your devices.</P> <P>&nbsp;</P> <P>Last year, we announced <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246" target="_blank" rel="noopener">support for tamper protection on Configuration Manager managed devices</A> (using tenant attach).&nbsp;Now, we are excited to announce that you can use the Microsoft Defender Security Center or the Microsoft 365 security center to manage tamper protection for your organization. The update helps ensure that all devices onboarded to Microsoft Defender for Endpoint have tamper protection turned on, and it applies to devices in both active and passive mode.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MicrosoftTeams-image (6).png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/264195iE841A3266696FF8D/image-size/large?v=v2&amp;px=999" role="button" title="MicrosoftTeams-image (6).png" alt="MicrosoftTeams-image (6).png" /></span></P> <P>&nbsp;</P> <P><STRONG>TIP</STRONG>: If you are managing devices in a hybrid environment, or you need more granular control than a tenant-wide setting, continue using <A href="#" target="_blank" rel="noopener">Intune</A> or <A href="#" target="_blank" rel="noopener">Configuration Manager</A>. We recommend keeping tamper protection turned on, tenant-wide. To do that, you can use the <A href="#" target="_blank" rel="noopener">Microsoft Defender Security Center</A>&nbsp;or the Microsoft 365 security center, our <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/delivering-world-class-secops-experiences/ba-p/2170092" target="_blank" rel="noopener">unified secops experience</A>.</P> <P>&nbsp;</P> <P>You shouldn’t need to exclude devices from tamper protection; however, if your organization wants to exclude devices, use the Microsoft Endpoint Manager admin center. To learn more, see <A href="#" target="_blank" rel="noopener">Exclude groups from a profile assignment</A>.</P> <P>&nbsp;</P> <P>Currently, the option to manage tamper protection in the security centers is on by default for new deployments. For existing deployments, it is available on an opt-in basis, with plans to make this the default method in the near future.</P> <P>&nbsp;</P> <P>To learn more, see our documentation about how to&nbsp;<A href="#" target="_blank" rel="noopener">Manage tamper protection using the security center</A>. 
These instructions apply to both the Microsoft Defender Security Center and the Microsoft 365 security center.&nbsp;</P> <P>&nbsp;</P> <P>There’s more to come!</P> <P>&nbsp;</P> <P>Additional resources:</P> <UL> <LI><A href="#" target="_blank" rel="noopener">Documentation: Protect security settings with tamper protection</A></LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/tamper-protection-now-generally-available-for-microsoft-defender/ba-p/911482" target="_blank" rel="noopener">Tech Community blog: Tamper protection is now generally available</A></LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/enable-tamper-protection-in-threat-amp-vulnerability-management/ba-p/1182920" target="_blank" rel="noopener">Tech Community blog: Enable tamper protection in Threat &amp; Vulnerability Management</A></LI> <LI><A style="font-family: inherit; background-color: #ffffff;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-endpoint-manager-blog/announcing-tamper-protection-for-configuration-manager-tenant/ba-p/1700246" target="_blank" rel="noopener">Tech Community blog: Announcing tamper protection for Configuration Manager tenant attach clients</A></LI> </UL> <P><EM>Microsoft Defender for Endpoint is an industry leading, cloud powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. 
If you’re not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities,&nbsp;<A href="#" target="_self" rel="noopener noreferrer">sign up for a free Microsoft Defender for Endpoint trial</A>&nbsp;today.</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM><STRONG>Microsoft Defender for Endpoint team</STRONG></EM></P> <DIV class="ms-editor-squiggler" style="
stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; 
white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; 
fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-clip-margin: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; 
stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: 
initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; 
flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-clip-margin: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; 
stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; 
word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: 
initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-clip-margin: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; 
stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: 
initial;">&nbsp;</DIV> Tue, 16 Mar 2021 06:25:11 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-a-global-switch-for-tamper-protection/ba-p/2192490 Shweta Jha 2021-03-16T06:25:11Z Investigating the Print Spooler EoP exploitation https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/investigating-the-print-spooler-eop-exploitation/ba-p/2166463 <P>We are excited to share a short attack simulation to highlight how Microsoft Defender for Endpoint can alert analysts to every suspicious system event related to an intrusion, and how analysts can mitigate the attacker’s actions right from the alert page. We’ve chosen a relatively straightforward exploitation scenario which we believe still carries significant risk for organizations that have not been able to update their operating systems. In this scenario, we use the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/say-hello-to-the-new-alert-page-in-microsoft-defender-atp/ba-p/1463673" target="_blank" rel="noopener">updated Microsoft Defender for Endpoint alert page</A>, which has features that make the investigation experience better and more effective.</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">SafeBreach</A>, one of our <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-atp-evaluation-lab-breach-amp-attack/ba-p/1406088" target="_self">evaluation lab partners</A> for breach and attack simulation solutions, discovered an <A href="#" target="_blank" rel="noopener">elevation of privilege</A> vulnerability in the Windows print spooler mechanism. This vulnerability, assigned <A href="#" target="_blank" rel="noopener">CVE-2020-1048</A><A href="https://gorovian.000webhostapp.com/?exam=#_edn1" target="_blank" rel="noopener" name="_ednref1"><SPAN><U>[i]</U></SPAN></A>, has already been patched. However, it remains an interesting case study because of the prevalence of the print spooler mechanism and the vulnerability’s involvement in a widely covered high-profile attack in the past.</P> <P>&nbsp;</P> <P>The actual exploitation details have already been discussed extensively in other blogs, but in summary, this vulnerability allows an unprivileged user to modify a file that they should not have been able to access, or to create a file in a folder they should not have write access to.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_0-1614275005050.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257969i40126CF562FA1622/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_0-1614275005050.png" alt="Yonit_Glozshtein_0-1614275005050.png" /></span></P> <P><EM>Figure 1. Attack phases of a sample attack using CVE-2020-1048</EM></P> <P>&nbsp;</P> <P>The&nbsp;<A href="#" target="_blank" rel="noopener">print spooler</A> is a Windows component that manages the printing process and runs with system privileges. Specifically, it can write or modify files in the System32 folder. Since this is a common service that comes preinstalled, any suspicious activity initiated by the spooler might be easily missed.</P> <P>&nbsp;</P> <P>Unprivileged users could easily add new printers in Windows. Every printer is then associated with a port. The catch is that the printer port, rather than being an actual port, could be a path to a file. When the port is a file path, the printer creates a file on the file system and prints content to it. 
Before the vulnerability was patched, this meant that any user could print to folders they don’t have access to.</P> <P>&nbsp;</P> <P>Malicious actors could thus use this vulnerability to, for instance, create a malicious DLL, print it to the system folder, and wait for the system to load it in a classic DLL hijacking attack. We will use this scenario in our simulation.</P> <P>&nbsp;</P> <P>Microsoft Defender for Endpoint blocks, detects, and remediates the attack. This blog will cover the phases of the attack and how Defender for Endpoint correlates them into a single view of the incident, providing the full context of the related alerts, impacted entities, and the investigation.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_0-1614709027552.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/260016iD567D0A5C8DEE0B9/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_0-1614709027552.png" alt="Yonit_Glozshtein_0-1614709027552.png" /></span></P> <P><EM>Figure 2. The incident page providing the full context of the attack</EM></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_1-1614709047361.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/260017i1A76D33915A99CD8/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_1-1614709047361.png" alt="Yonit_Glozshtein_1-1614709047361.png" /></span></P> <P><EM>Figure 3. Detailed alert story showing the steps of the attack and the affected assets</EM></P> <P>&nbsp;</P> <H2>Step 1: Add a new printer and a printer port</H2> <P>&nbsp;</P> <P>Let’s say an attacker was able to determine that one of the devices in our fictional network has not yet been patched for CVE-2020-1048 and was able to log on to the device through an effective social engineering lure. The first phase of our exploitation scenario is for the attacker to add a new printer on this device called MS Publisher Color Printer. It is then associated with a new printer port that points to our targeted system file c:\windows\system32\wbem\browcli.dll.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_18-1614275208836.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257988i0E26E63B203A8BE0/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_18-1614275208836.png" alt="Yonit_Glozshtein_18-1614275208836.png" /></span></P> <P><EM>Figure 4. Printer and port creation</EM></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig 3.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/258139iD9E13101DDE3A0FB/image-size/large?v=v2&amp;px=999" role="button" title="Fig 3.png" alt="Fig 3.png" /></span></P> <P><EM>Figure 5. Device timeline event showing that the printer port was added</EM></P> <P>&nbsp;</P> <P>In the background, whenever a printer port is added, the spooler service adds a registry key containing the value of the path the user pointed to, which is where they would like to insert content. Since Defender for Endpoint monitors registry operations, it will detect this action as suspicious registry activity right off the bat. 
The analyst will see the following alert:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_1-1614276889298.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257996i7464A5E5468F040B/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_1-1614276889298.png" alt="Yonit_Glozshtein_1-1614276889298.png" /></span></P> <P><EM>Figure 6. Alert flagging suspicious registry entry</EM></P> <P><EM>&nbsp;</EM></P> <P>&nbsp;</P> <H2>Step 2: Print content to a restricted file</H2> <P>&nbsp;</P> <P>Typically, when a regular user creates a print job, the print job will be stored by the print spooler service &nbsp;(spoolsv.exe) to a dedicated folder, System32\SPOOL\Printers, as two files: the file, which contains the content to be printed, and the shadow job file (SHD), which contains the metadata of the print job, including the path of the printer port that was created. This same behavior is taken advantage of in this attack.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_5-1614275005097.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257974i417C6385C63B54ED/image-size/medium?v=v2&amp;px=400" role="button" title="Yonit_Glozshtein_5-1614275005097.png" alt="Yonit_Glozshtein_5-1614275005097.png" /></span></P> <P><EM>Figure 7. 
Print job creation</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>The core of this vulnerability is that by adding a printer port that points into the SYSTEM folder and then restarting the spooler service, the attacker gets the spooler, which runs as SYSTEM, to "print" the attacker's malicious file to the folder specified in the printer port when it reloads.</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">SafeBreach</A> Labs created <A href="#" target="_blank" rel="noopener">proof-of-concept code</A> on GitHub to generate one such crafted SHD file.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_6-1614275005127.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257977iF94034A5FD62BAA8/image-size/medium?v=v2&amp;px=400" role="button" title="Yonit_Glozshtein_6-1614275005127.png" alt="Yonit_Glozshtein_6-1614275005127.png" /></span></P> <P><EM>Figure 8. Sample SHD file</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Now the attacker simply needs to wait for the print spooler to be initialized after a reboot. The print spooler then does its regular job of enumerating the SHD files folder so that it can process any remaining print jobs.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_7-1614275005134.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257976iED56DA560616872B/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_7-1614275005134.png" alt="Yonit_Glozshtein_7-1614275005134.png" /></span></P> <P><EM>Figure 9. Print spooler enumerates unprocessed print jobs</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>In our exploitation scenario, the attacker was able to write arbitrary data to the path of the printer port, a location the attacker should not have had write access to. 
Just by copying the crafted SHD and SPL files and waiting for the system to reboot, the attacker achieved an elevation of privilege.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_8-1614275005135.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257975iB9FF70EBE920CD31/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_8-1614275005135.png" alt="Yonit_Glozshtein_8-1614275005135.png" /></span></P> <P><EM>Figure 10. Attacker copies crafted print job files, which triggers the vulnerability.</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Fortunately, analysts will be made aware that this step was performed on the system because Defender for Endpoint will trigger an alert for the file creation of browcli.dll by the print spooler service.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_2-1614277004930.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257997iB2EB48F17665E92B/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_2-1614277004930.png" alt="Yonit_Glozshtein_2-1614277004930.png" /></span></P> <P><EM>Figure 11. Alerts flagging suspicious file creation</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Step 3: Perform DLL hijacking</H2> <P>&nbsp;</P> <P>In Windows environments, when an application or a service starts, it first loads several dependencies, also known as DLLs, to function properly. 
If these dependencies don’t exist or are implemented in an insecure way, attackers could load and execute their malicious DLL instead.</P> <P>&nbsp;</P> <P>In our attack scenario, the <A href="#" target="_blank" rel="noopener">elevation of privilege</A> allows <A href="#" target="_blank" rel="noopener">code execution</A> using <A href="#" target="_blank" rel="noopener">DLL search order hijacking</A>.&nbsp;The DLL actually contains a stager payload which reflectively (in-memory) loads a Meterpreter Reverse TCP shellcode over a TCP socket.</P> <P>&nbsp;</P> <P>Once Windows is restarted, the WMI service (which is running as NT AUTHORITY\SYSTEM) will execute the browcli.dll library from the C:\Windows\System32\wbem folder, resulting in a reverse Meterpreter shell. This gives the attacker the ability to remotely steal information and propagate to more computers in the network, among other things.&nbsp;The service executes the DLL every time the system reboots, so the attacker can use the vulnerability to elevate privileges.</P> <P>&nbsp;</P> <P>In this case, thanks to the Defender for Endpoint registry, file, and image load sensors, we produced strong detection logic to identify suspicious behaviors indicating any attempt to exploit the vulnerability. At this point, the analyst assigned to this set of alerts will see the following alert story:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_10-1614275005151.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257979i139392DCADCBB108/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_10-1614275005151.png" alt="Yonit_Glozshtein_10-1614275005151.png" /></span></P> <P><EM>Figure 12. 
Alerts flagging </EM><EM>suspicious ‘Meterpreter’ payload in memory</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Please note that in this specific case we used an unpatched device, with the AV in passive mode, for the purpose of the simulation. If Defender AV had been enabled, it would have blocked the malware before execution.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_20-1614276070863.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257994iDBBA3BE196451CE5/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_20-1614276070863.png" alt="Yonit_Glozshtein_20-1614276070863.png" /></span></P> <P><EM>Figure 13. Malicious ‘Meterpreter’ activity blocked by Defender AV</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <H2>Seeing the attack story in one view</H2> <P>&nbsp;</P> <P>On top of the individual suspicious event detection, Defender for Endpoint provides an extensive attack storytelling capability. 
The incident page is the first stop of the security analyst, where they can learn about the scope of the attack, the related alerts, and the impacted entities across the organization, together with the full context of the investigation and remediation actions.</P> <P>&nbsp;</P> <P>Diving into the new alert page, the full story of the suspicious registry activity by the printer port (detected by the EDR) followed by the Meterpreter file creation and the file loading events (detected by the AV) will be shown in the same detailed page, making the investigation more efficient and providing a better understanding of why the alerts were triggered—along with their impact.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_11-1614275005158.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257980i5D4FE1D54D00EB3B/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_11-1614275005158.png" alt="Yonit_Glozshtein_11-1614275005158.png" /></span></P> <P>&nbsp;<EM>Figure 14. Analyst’s first stop - the incident page</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_12-1614275005166.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257983iEC71311ACA07EA5A/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_12-1614275005166.png" alt="Yonit_Glozshtein_12-1614275005166.png" /></span></P> <P><EM>Figure 15. Full alert story of each step of the attack</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>This view of the correlation provides a full visualization of the attack goals and activities. 
The security operations team can clearly see that the alerts are related to the same sequence of events and thus can respond with the full attack context in mind.</P> <P>&nbsp;</P> <P>The analyst can then drill down into the DLL tile, which is the malicious binary in this scenario, and see all the relevant details and actions within the context of the investigation. Likewise, each tile in the alert story is expandable and shows more details in the side pane when clicked. Alert tiles are also actionable: by clicking the "..." icon, the available actions are provided directly from the process tree.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_13-1614275005168.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257981i1971907D297878E6/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_13-1614275005168.png" alt="Yonit_Glozshtein_13-1614275005168.png" /></span></P> <P>&nbsp;<EM>Figure 16. Available actions provided directly from the alert story</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>By opening the automated investigation page, available both in the incident and the alert pages, the analyst can get a better understanding of the actions that were taken on the device, which assets were involved, and get all the related evidence.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_14-1614275005172.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257982iCB52E154088DB9DA/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_14-1614275005172.png" alt="Yonit_Glozshtein_14-1614275005172.png" /></span></P> <P>&nbsp;<EM>Figure 17. 
Alert details and actions</EM></P> <P><EM>&nbsp;</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_16-1614275005187.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257986iD960B663DF041C93/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_16-1614275005187.png" alt="Yonit_Glozshtein_16-1614275005187.png" /></span></P> <P>&nbsp;<EM>Figure 18. Automated investigation remediates and quarantines the malicious file</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Searching for the vulnerability in the Weaknesses page in <A href="#" target="_self">Threat and Vulnerability Management</A> will also help to identify all the other devices that might be vulnerable to the spooler EoP:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_4-1614275005084.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257973i7CFBC75A08F6F7E6/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_4-1614275005084.png" alt="Yonit_Glozshtein_4-1614275005084.png" /></span></P> <P><EM>Figure 19. Exposed devices in the Weaknesses page</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Furthermore, the details pane provides information about which MITRE ATT&amp;CK technique was used in each step. 
This is incredibly useful for post-incident learning in incident response, as it identifies which gaps exist in the current configuration of the network, so the analyst can make recommendations to admins to improve security and avoid or lessen the impact of the next attack.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Yonit_Glozshtein_17-1614275005192.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/257984iC63332F8A8195E28/image-size/large?v=v2&amp;px=999" role="button" title="Yonit_Glozshtein_17-1614275005192.png" alt="Yonit_Glozshtein_17-1614275005192.png" /></span></P> <P><EM>Figure 20. MITRE ATT&amp;CK techniques and alerts flagged for each attacker step</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>As you have seen, using the SafeBreach attack simulations, Defender for Endpoint was able to detect the attack across the different kill-chain stages and provide a full investigation experience across detection and protection, including all the data needed to tell the full alert story. 
The security operations team can explore all relevant details and take action on each related entity—without leaving the context of the alert investigation, which is designed to make the investigation experience efficient and easy.</P> <P>&nbsp;</P> <P>To learn more about the new alert page, please read our <A href="#" target="_blank" rel="noopener">documentation</A> and <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/say-hello-to-the-new-alert-page-in-microsoft-defender-atp/ba-p/1463673" target="_blank" rel="noopener">blog post</A>.</P> <P>&nbsp;</P> <P>If you’re not yet taking advantage of Microsoft Defender for Endpoint’s industry-leading security optics and detection capabilities, we encourage you to <A href="#" target="_blank" rel="noopener">sign up for a free trial</A> today.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><A href="#" target="_self">Peleg Hadar</A> SafeBreach Labs</P> <P><A href="#" target="_self">Charles-Edouard Bettan</A> &amp; <A href="#" target="_self">Yonit Glozshtein</A> Microsoft Defender for Endpoint team</P> <P>______________________________________________________________________________________</P> <P>&nbsp;</P> <P><A href="https://gorovian.000webhostapp.com/?exam=#_ednref1" target="_blank" rel="noopener" name="_edn1"><SPAN>[i]</SPAN></A> Microsoft released fixes to address bypasses of the fix for CVE-2020-1048. These were documented as CVE-2020-1337 and CVE-2020-17001. 
While we are not discussing the details of those CVEs, the detection for CVE-2020-1048 also detects attempts to exploit CVE-2020-1337 and CVE-2020-17001.</P> <P>&nbsp;</P> Mon, 08 Mar 2021 17:35:46 GMT 
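The registry, file-creation and image-load detections walked through in Steps 1 to 3 of the print spooler post above, as an added example rather than Defender for Endpoint's own detection logic: a small Python correlator replayed over constructed telemetry. The printer-port registry key, the event schema and the process names are assumptions, not details taken from the post.

```python
"""Correlate constructed endpoint telemetry for the print spooler EoP pattern.

Added example, not Defender for Endpoint's detection logic. The registry key
under which local printer ports appear, the process names and the event
schema are assumptions made here.
"""
from dataclasses import dataclass
import ntpath

# Folder where legitimate print jobs (.SPL/.SHD) are written by the spooler.
SPOOL_DIR = r"C:\Windows\System32\spool\PRINTERS"
# Locations an unprivileged user must never be able to write to via a port.
PROTECTED_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64", r"C:\Program Files")
# Assumed registry key holding local printer ports (port path = value name).
PORTS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\Local Port\Ports"
EXEC_EXT = (".dll", ".exe", ".sys")


@dataclass
class Event:
    """One telemetry record: kind is 'registry', 'file' or 'image'."""
    ts: int
    kind: str
    process: str          # full path of the initiating process
    path: str = ""        # file path (file/image events)
    key: str = ""         # registry key (registry events)
    value_name: str = ""  # registry value name (registry events)


def norm(p: str) -> str:
    return p.lower().rstrip("\\")


def is_under(path: str, directory: str) -> bool:
    return norm(path).startswith(norm(directory) + "\\")


def suspicious_port(e: Event):
    """Step 1: a new local port whose path lands in a protected directory
    or names an executable/DLL is a write primitive, not a printer."""
    if e.kind != "registry" or norm(e.key) != norm(PORTS_KEY):
        return None
    port = e.value_name
    if any(is_under(port, d) for d in PROTECTED_DIRS) or norm(port).endswith(EXEC_EXT):
        return ("PrinterPortToProtectedPath", port)
    return None


def suspicious_spool_write(e: Event):
    """Step 2: spoolsv.exe writing outside its spool folder into a protected
    directory is the moment the crafted job becomes a file on disk."""
    if e.kind != "file" or ntpath.basename(e.process).lower() != "spoolsv.exe":
        return None
    if is_under(e.path, SPOOL_DIR):
        return None
    if any(is_under(e.path, d) for d in PROTECTED_DIRS):
        return ("SpoolerWroteProtectedPath", e.path)
    return None


def analyze(events):
    """Replay events in time order; return (ts, alert_name, detail) tuples.
    Step 3 is a correlation: a file the spooler dropped into a protected
    directory is later loaded as an image by another process."""
    alerts = []
    dropped = {}  # normalized path -> ts of the suspicious spooler write
    for e in sorted(events, key=lambda x: x.ts):
        hit = suspicious_port(e) or suspicious_spool_write(e)
        if hit:
            alerts.append((e.ts, hit[0], hit[1]))
            if hit[0] == "SpoolerWroteProtectedPath":
                dropped[norm(e.path)] = e.ts
        if e.kind == "image" and norm(e.path) in dropped:
            alerts.append((e.ts, "SpoolerDroppedDllLoaded",
                           f"{e.path} loaded by {e.process}"))
    return alerts


# Constructed sample telemetry mirroring the three steps in the post.
SPOOLSV = r"C:\Windows\System32\spoolsv.exe"
SAMPLE_EVENTS = [
    # Step 1: port pointing at a DLL path under System32 (suspicious).
    Event(1, "registry", SPOOLSV, key=PORTS_KEY,
          value_name=r"C:\Windows\System32\wbem\browcli.dll"),
    # A user's print-to-file port inside their own profile (benign).
    Event(2, "registry", SPOOLSV, key=PORTS_KEY,
          value_name=r"C:\Users\alice\Documents\print.txt"),
    # Normal spool file for a queued job (benign).
    Event(3, "file", SPOOLSV, path=r"C:\Windows\System32\spool\PRINTERS\00005.SPL"),
    # Step 2: after the reboot the spooler "prints" the job to the port path.
    Event(4, "file", SPOOLSV, path=r"C:\Windows\System32\wbem\browcli.dll"),
    # Step 3: the WMI service host (assumed to be svchost.exe) loads the DLL.
    Event(5, "image", r"C:\Windows\System32\svchost.exe",
          path=r"C:\Windows\System32\wbem\browcli.dll"),
]

if __name__ == "__main__":
    for ts, name, detail in analyze(SAMPLE_EVENTS):
        print(f"t={ts} {name}: {detail}")
```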
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/investigating-the-print-spooler-eop-exploitation/ba-p/2166463 Yonit_Glozshtein 2021-03-08T17:35:46Z Advanced hunting: updates to threat and vulnerability management tables https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/advanced-hunting-updates-to-threat-and-vulnerability-management/ba-p/2162584 <P>We are happy to announce that threat and vulnerability management tables in advanced hunting are being updated with an improved structure and additional data&nbsp;– now available in&nbsp;public&nbsp;preview.&nbsp;</P> <P>&nbsp;</P> <P>The existing ‘DeviceTvmSoftwareInventoryVulnerabilities’ table in advanced hunting, which currently combines both software inventory and vulnerabilities, is being deprecated and split into two new dedicated tables.&nbsp;</P> <P>&nbsp;</P> <P>This change is aimed at creating better clarity and reducing noise/complexity when using advanced hunting for common threat and vulnerability management scenarios.&nbsp;</P> <P>&nbsp;</P> <P>Newly introduced tables:&nbsp;</P> <OL> <LI><STRONG>DeviceTvmSoftwareInventory</STRONG>&nbsp;(see schema below) – This table will serve as a complete list of all software on your devices,&nbsp;whether or not&nbsp;they have any vulnerabilities.&nbsp;&nbsp;<BR /> <UL> <LI>No duplicate entries – unlike the old table, you’ll have a single row for each software installed on every device.&nbsp;</LI> <LI>New fields – ‘EndOfSupportStatus’ and ‘EndOfSupportDate’ will have the end-of-support state (if applicable) for specific software versions installed on devices.&nbsp;</LI> </UL> </LI> <LI><STRONG>DeviceTvmSoftwareVulnerabilities&nbsp;</STRONG>(see schema below) – This table will be dedicated to discovering vulnerabilities (CVEs) in existing software across all your devices.&nbsp;<BR /> <UL> <LI>New fields – ‘RecommendedSecurityUpdate’ and ‘RecommendedSecurityUpdateId’ will have missing security updates / KBs for 
installed software.  &nbsp;<BR />&nbsp;</LI> </UL> </LI> </OL> <P>To avoid breaking existing flows in the short term, the&nbsp;old advanced&nbsp;hunting table will remain available in the back-end for querying for a limited time. However, to avoid future issues, you are strongly encouraged to switch to the new tables at your earliest convenience.</P> <P>&nbsp;&nbsp;</P> <P><STRONG>New table schemas:&nbsp;</STRONG></P> <P>&nbsp;</P> <TABLE border="1" width="100%"> <TBODY> <TR> <TD width="50%" style="width: 50%; vertical-align: top;"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DeviceTvmSoftwareInventory.png" style="width: 244px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261431i6092DFEF0FD009C4/image-size/large?v=v2&amp;px=999" role="button" title="DeviceTvmSoftwareInventory.png" alt="DeviceTvmSoftwareInventory.png" /></span></TD> <TD width="50%"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="DeviceTvmSoftwareVulnerabilities.png" style="width: 257px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/261433i223AB25F2C858AFA/image-size/large?v=v2&amp;px=999" role="button" title="DeviceTvmSoftwareVulnerabilities.png" alt="DeviceTvmSoftwareVulnerabilities.png" /></span></TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <P>For more information on advanced hunting tables in Microsoft Defender for Endpoint, read our <A href="#" target="_self">advanced hunting documentation</A>.&nbsp;</P> <P>&nbsp;</P> <P>To get access to Microsoft Defender for Endpoint public preview capabilities, we encourage you to turn on <A href="#" target="_self">preview features</A> in the Microsoft Defender Security Center. 
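</P> <P>The three queries below are an added example written for this post; they are not code from the post or from the Microsoft Defender for Endpoint team. They show what the split buys you: the inventory table answers "what is installed, including end-of-support software that has no CVE at all", the vulnerabilities table answers "which CVE, and which security update fixes it", and a left outer join of the two gives one row per device and installed software with its CVE count, which the old combined table could not express without duplicate rows. Only EndOfSupportStatus, EndOfSupportDate, RecommendedSecurityUpdate and RecommendedSecurityUpdateId are column names taken from the post; DeviceId, DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion, CveId, VulnerabilitySeverityLevel and the literal status value "None" are assumed from the standard advanced hunting schema and should be checked against the schema pane before use.</P>

```kusto
// Added example, not code from the original post. Column names other than
// EndOfSupportStatus, EndOfSupportDate, RecommendedSecurityUpdate and
// RecommendedSecurityUpdateId, and the status value "None", are assumed
// from the standard advanced hunting schema.

// 1) Inventory only: end-of-support software per device. This has to come
//    from DeviceTvmSoftwareInventory, because software with no CVE has no
//    row at all in the vulnerabilities table.
DeviceTvmSoftwareInventory
| where isnotempty(EndOfSupportStatus) and EndOfSupportStatus != "None"
| summarize Devices = dcount(DeviceId),
            SampleDevices = make_set(DeviceName, 5)
          by SoftwareVendor, SoftwareName, SoftwareVersion,
             EndOfSupportStatus, EndOfSupportDate
| order by Devices desc

// 2) Vulnerabilities only: critical/high CVEs that already carry a
//    recommended security update, i.e. the fix is a patch, not a replacement.
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("Critical", "High")
| where isnotempty(RecommendedSecurityUpdateId)
| summarize Devices = dcount(DeviceId)
          by CveId, VulnerabilitySeverityLevel, SoftwareVendor, SoftwareName,
             SoftwareVersion, RecommendedSecurityUpdate, RecommendedSecurityUpdateId
| order by VulnerabilitySeverityLevel asc, Devices desc

// 3) Both tables: one row per device and installed software, with the CVE
//    count folded in. leftouter keeps software that has no CVE (CveCount 0),
//    which is the per-software view the old combined table blurred.
DeviceTvmSoftwareInventory
| join kind=leftouter (
    DeviceTvmSoftwareVulnerabilities
    | summarize CveCount = dcount(CveId),
                CriticalCves = countif(VulnerabilitySeverityLevel == "Critical"),
                Updates = make_set(RecommendedSecurityUpdateId, 10)
              by DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion
  ) on DeviceId, SoftwareVendor, SoftwareName, SoftwareVersion
| extend CveCount = coalesce(CveCount, 0), CriticalCves = coalesce(CriticalCves, 0)
| where CriticalCves > 0
     or (isnotempty(EndOfSupportStatus) and EndOfSupportStatus != "None")
| project DeviceName, SoftwareVendor, SoftwareName, SoftwareVersion,
          EndOfSupportStatus, EndOfSupportDate, CveCount, CriticalCves, Updates
| order by CriticalCves desc, CveCount desc
```

<P>Advanced hunting runs one tabular query at a time, so paste and run each of the three separately. The join in the third query uses the same four key columns that the first two group by; keeping those keys identical is what makes the per-software CVE count line up with a single inventory row instead of multiplying it.</P> <P>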
We’re looking forward to hearing any feedback you may have.</P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint is an industry leading, cloud powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense. With our solution, threats are no match. If you’re not yet taking advantage of Microsoft’s unrivaled threat optics and proven capabilities,&nbsp;<A href="#" target="_self">sign up for a free Microsoft Defender for Endpoint trial</A>&nbsp;today.</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P><EM><STRONG>Microsoft Defender for Endpoint team</STRONG></EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <DIV class="ms-editor-squiggler" style="
">&nbsp;</DIV> Wed, 09 Jun 2021 19:12:59 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/advanced-hunting-updates-to-threat-and-vulnerability-management/ba-p/2162584 Gilad_Mittelman 2021-06-09T19:12:59Z One app for VPN and mobile threat defense https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/one-app-for-vpn-and-mobile-threat-defense/ba-p/2170142 <P>Today we are excited to <A href="#" target="_blank" rel="noopener">announce</A> that Microsoft Tunnel VPN capabilities will show up in the Microsoft Defender for Endpoint app for iOS and Android. This enables organizations to offer a simplified end user experience with one security app, while security and IT teams are able to maintain the same admin experiences they are familiar with.</P> <P>&nbsp;</P> <P>Later this month, existing customers of Microsoft Defender for Endpoint, who are also licensed for Microsoft Tunnel, will see Tunnel capabilities in the Defender for Endpoint app on Android. On iOS, Tunnel capabilities will be added to the Defender app next quarter. Existing Tunnel customers that opt in to the new public preview will switch to using the Microsoft Defender for Endpoint app for VPN. They will not see any other changes to Tunnel features; Tunnel will simply now appear within the Defender for Endpoint app. 
IT administrators will be able to continue to use the Microsoft Endpoint Manager admin center to configure both Defender and Tunnel features. For additional details, <A href="#" target="_blank" rel="noopener">read the blog</A> announcing these changes.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="2-Dashboard Dark shadow resize.png" style="width: 374px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259546i5EFF495A910347DB/image-size/large?v=v2&amp;px=999" role="button" title="2-Dashboard Dark shadow resize.png" alt="2-Dashboard Dark shadow resize.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="4-Tunnel shadow resize.png" style="width: 374px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259548i367532A8AE1ECA26/image-size/large?v=v2&amp;px=999" role="button" title="4-Tunnel shadow resize.png" alt="4-Tunnel shadow resize.png" /></span></P> <P>&nbsp;</P> <P>Microsoft Defender for Endpoint customers will notice an updated look and feel to the app. The new experience helps end users better understand the capabilities the app provides and enables the user to be more aware of the security threats to their device. There are no changes to Defender for Endpoint capabilities on mobile. 
Microsoft’s mobile threat defense solution will continue to offer:</P> <P>&nbsp;</P> <UL> <LI>Protection against phishing coming from browsing, email, apps, and messaging platforms</LI> <LI>Scans for malware and potentially unwanted apps (on Android)</LI> <LI>Blocking of unsafe connections as well as access to sensitive data (on Android)</LI> <LI>A single pane-of-glass experience for SecOps through the Microsoft Defender Security Center, or the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/delivering-world-class-secops-experiences/ba-p/2170092" target="_blank" rel="noopener">unified Microsoft 365 security center</A></LI> </UL> <P data-unlink="true">Finally, we are pleased to share that later this month, we will be offering mobile application management (MAM) support for Android and iOS in public preview. Currently, Microsoft Defender for Endpoint on Android and iOS works on devices that are enrolled with Intune mobile device management (MDM) only. With this update, we are extending support to enable enterprises that are using Intune only for application management to use Microsoft Defender for Endpoint. This will also extend support to devices enrolled with third-party EMM providers as long as they are using Intune to <A href="#" target="_blank" rel="noopener">manage apps</A>&nbsp;on the&nbsp;devices.</P> <P>&nbsp;</P> <P>Please don’t hesitate to share your feedback with us! We look forward to continuing to make our experiences for end users as well as security and IT teams better and better.</P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint is an industry leading, cloud powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense capabilities. With our solution, threats are no match. 
If you’re not yet taking advantage of Microsoft’s industry leading capabilities,&nbsp;</EM><EM><A href="#" target="_blank" rel="noopener">sign up for a free Microsoft Defender for Endpoint trial</A></EM><EM>&nbsp;today.</EM></P> <P>&nbsp;</P> <P>&nbsp;</P> <DIV class="ms-editor-squiggler" style="
initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; 
flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-clip-margin: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; 
stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; 
word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: 
initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-clip-margin: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; 
stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: 
initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: 
initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-clip-margin: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; 
table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" 
style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; 
image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-clip-margin: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: 
initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; 
font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; 
inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-clip-margin: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; 
text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> Tue, 02 Mar 2021 17:00:00 GMT 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/one-app-for-vpn-and-mobile-threat-defense/ba-p/2170142 Kasia Kaplinska 2021-03-02T17:00:00Z Delivering world class SecOps experiences https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/delivering-world-class-secops-experiences/ba-p/2170092 <P><STRONG>Update:</STRONG><SPAN>&nbsp;</SPAN><SPAN>unified experiences across endpoint, email and collaboration in Microsoft 365 Defender are now</SPAN><SPAN>&nbsp;</SPAN><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-365-defender/unified-experiences-across-endpoint-and-email-are-now-generally/ba-p/2278132" target="_blank" rel="noopener">generally available</A><SPAN>&nbsp;</SPAN><SPAN>as of April 19, 2021.&nbsp;</SPAN></P> <P>&nbsp;</P> <P>Security teams need to rapidly get visibility into threats across domains and need the right critical information easily surfaced to them so that they can quickly and effectively investigate and respond to security events. At Microsoft, we have a deep commitment to improving security teams’ effectiveness. We listen to our customers’ feedback and build our products around that feedback to empower defenders.</P> <P>&nbsp;</P> <P><STRONG>Unifying the SecOps experience</STRONG></P> <P>Today, we’re announcing two ways we are supporting our customers with world class SecOps experiences. The first is the <A href="#" target="_blank" rel="noopener">public preview</A> of the integration of our endpoint, along with <A href="#" target="_blank" rel="noopener">email and collaboration</A>, security capabilities into the Microsoft 365 security center. Customers who are signed up for preview features can access <A href="#" target="_blank" rel="noopener">security.microsoft.com</A> where they will be able to see a unified portal experience empowering them to effectively prevent and remediate threats across endpoints, and email and collaboration tools. 
The Microsoft 365 security center gives security teams a single place to operate from, with unified alerts, incidents, user pages and more. It’s part of our journey to deliver a best-in-class XDR (extended detection and response) solution to our customers.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture9.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259952i7FBCA3234D3A7C43/image-size/large?v=v2&amp;px=999" role="button" title="Picture9.jpg" alt="Picture9.jpg" /></span></P> <P>Microsoft Defender for Endpoint customers visiting the new experience will find that the information they are accustomed to seeing in the Security Operations dashboard or the “home page” in the Microsoft Defender Security Center has been moved to the home page of the Microsoft 365 security center. They can always navigate back to this spot by clicking on "<STRONG>Home"</STRONG> in the top left-hand navigation. 
Security teams will also see incidents, alerts, threat hunting, actions, threat analytics, and Secure score as unified capabilities in the same part of the menu.</P> <P>&nbsp;</P> <P>Attackers don’t think in silos, and unifying these capabilities across domains helps security teams tackle threats more holistically and effectively.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="M365Dnav.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259274iDB4CADC9F7E076B7/image-size/large?v=v2&amp;px=999" role="button" title="M365Dnav.png" alt="M365Dnav.png" /></span></P> <P>&nbsp;</P> <P>The rest of the capabilities from Microsoft Defender for Endpoint, such as search, device inventory, threat and vulnerability management, partners and APIs, Evaluation lab and tutorials, as well as configuration management, can easily be located under the <STRONG>“Endpoints”</STRONG> section on the left-hand navigation. All the screens and dashboards for these features will be the same familiar ones as in the Microsoft Defender Security Center.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="M365Dnav2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259276iA8D46442CC3E3D70/image-size/large?v=v2&amp;px=999" role="button" title="M365Dnav2.png" alt="M365Dnav2.png" /></span></P> <P>&nbsp;</P> <P>Finally, additional features like reports, service health, settings and more can be found further down on the left-hand menu. For further details about the unified capabilities, guidelines for automatic URL redirection, and information on how to migrate your custom detections and device-related queries, read the <A href="#" target="_blank" rel="noopener">blog</A>. 
For a deep dive into what’s changed, improvements, and new elements, please read the&nbsp;<A href="#" target="_blank" rel="noopener">documentation</A>.</P> <P>&nbsp;</P> <P><STRONG>Improving the alerts experience</STRONG></P> <P>The second way we’re investing to improve the SecOps experience is through the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/say-hello-to-the-new-alert-page-in-microsoft-defender-atp/ba-p/1463673" target="_blank" rel="noopener">new alerts page</A>. The revamped alerts page was built on customer feedback to help security teams improve their focus, take an investigation-oriented approach, and make it easier for them to take actions by constructing a detailed alert story with full context. Over the last few months, we’ve gotten a lot of positive feedback about this new experience from customers.</P> <P>&nbsp;</P> <P>The new alert experience is present in both the Microsoft Defender Security Center and the Microsoft 365 security center.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Alertspage.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/259295i498F0454F69FA031/image-size/large?v=v2&amp;px=999" role="button" title="Alertspage.png" alt="Alertspage.png" /></span></P> <P>&nbsp;</P> <P>Considering our investments in this alerts experience and ongoing work to add more advanced capabilities to this page, we will be deprecating the legacy alert page on <STRONG>April 2, 2021</STRONG>. Once this happens, customers who have been using the legacy page will only see the new alerts page in both the Microsoft Defender Security Center and the Microsoft 365 security center. There will no longer be a toggle to switch between the old and new versions of the page. 
The new page helps security teams more effectively triage, investigate, and take quick actions on alerts, and we’re excited to continue investing and bringing new capabilities to this experience.</P> <P>&nbsp;</P> <P>To learn more about the alerts page, please visit our <A href="#" target="_blank" rel="noopener">documentation</A> or get a quick overview in the following video.</P> <P>&nbsp;</P> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RE4yiO5" width="890" height="550" allowfullscreen="allowfullscreen" wmode="transparent"></IFRAME></P> <P>&nbsp;</P> <P data-unlink="true">We also encourage you to view our <A href="#" target="_blank" rel="noopener">interactive guide</A>&nbsp;on how to investigate and remediate threats with Microsoft Defender for Endpoint.</P> <P>&nbsp;</P> <P>Thank you to our customers for being on this journey with us and we welcome your feedback!</P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint is an industry-leading, cloud-powered endpoint security solution offering vulnerability management, endpoint protection, endpoint detection and response, and mobile threat defense capabilities. With our solution, threats are no match. 
If you’re not yet taking advantage of Microsoft’s industry-leading capabilities,&nbsp;</EM><A href="#" target="_blank" rel="noopener"><EM>sign up for a free Microsoft Defender for Endpoint trial</EM></A><EM>&nbsp;today.</EM></P> <DIV class="ms-editor-squiggler" style="z-index: 
initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: 
initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-clip-margin: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; 
table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" 
style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; 
image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-clip-margin: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: 
initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; 
font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: 0px; hyphens: initial; image-orientation: initial; image-rendering: initial; 
inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-clip-margin: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; 
text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> Sat, 24 Jul 2021 00:45:10 GMT 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/delivering-world-class-secops-experiences/ba-p/2170092 Kasia Kaplinska 2021-07-24T00:45:10Z MITRE ATT&CK Techniques now available in the device timeline https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/mitre-att-amp-ck-techniques-now-available-in-the-device-timeline/ba-p/2136788 <P>We are excited to announce the public preview of MITRE ATT&amp;CK techniques and sub-techniques in the Microsoft Defender for Endpoint device timeline.</P> <P>&nbsp;</P> <P>Techniques are an additional data type that provides valuable insight regarding behaviors observed on the device. You can find them on the device timeline alongside device events. They are marked in bold, with a blue icon, and MITRE tags.</P> <P>&nbsp;</P> <P>Techniques enrich the timeline with information about which <A href="#" target="_blank" rel="noopener">MITRE ATT&amp;CK</A> techniques and sub-techniques were observed, making the investigation experience even more efficient and easier for analysts.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="techniquesBlog.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255750i7AF11286B3538632/image-size/large?v=v2&amp;px=999" role="button" title="techniquesBlog.png" alt="techniquesBlog.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Techniques are available in the device timeline by default for public preview customers. 
You can use the <STRONG>Data type</STRONG> and <STRONG>Event group</STRONG> filters, in addition to the search bar, to control the verbosity of your timeline.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="techniquesFilter.png" style="width: 308px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255055i70657ED5A9162268/image-size/large?v=v2&amp;px=999" role="button" title="techniquesFilter.png" alt="techniquesFilter.png" /></span></P> <P>&nbsp;</P> <P>Selecting a technique opens the details side pane with more information on the technique, its related tactics, and a link to the MITRE website. Analysts can then learn more about the observed behavior and expand the investigation if necessary.</P> <P>&nbsp;</P> <P>To learn more about the techniques in the device timeline, see the <A href="#" target="_blank" rel="noopener">Techniques in the device timeline documentation</A>.</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Turn on preview features</A> in the Microsoft Defender Security Center to try it out today. 
We welcome your feedback and are looking forward to hearing it!</P> Tue, 20 Apr 2021 16:24:09 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/mitre-att-amp-ck-techniques-now-available-in-the-device-timeline/ba-p/2136788 Yonit_Glozshtein 2021-04-20T16:24:09Z Protecting sensitive information on devices https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/protecting-sensitive-information-on-devices/ba-p/2143555 <P><FONT size="3">On November 10, 2020, Microsoft <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/announcing-microsoft-endpoint-dlp-general-availability/ba-p/1814010" target="_blank" rel="noopener">announced</A> the general availability of Microsoft Endpoint DLP (Data Loss Prevention). Endpoint DLP is a native integrated experience that identifies and protects sensitive information accessed by information workers in the applications they use every day. It is part of Microsoft Information Protection, an intelligent, unified, and extensible solution to know your data, protect your data, and prevent data loss across all the touchpoints within an enterprise – including Microsoft 365 apps and services, on-premises file stores, endpoint devices, and third-party SaaS applications and services.</FONT></P> <P>&nbsp;</P> <H4><FONT size="5">Seamless Endpoint DLP onboarding for Microsoft Defender for Endpoint customers</FONT></H4> <P>As a Microsoft Defender for Endpoint customer, you can take advantage of seamless onboarding to Endpoint DLP.</P> <P>&nbsp;</P> <P>If you own the <A href="#" target="_blank" rel="noopener">required licenses</A>, all it takes is a single click in the <A href="#" target="_blank" rel="noopener">Microsoft 365 Compliance portal’s device onboarding</A> to enable Endpoint DLP across all your Windows 10 devices that are onboarded to Defender for Endpoint.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2021-02-17 185346.png" style="width: 
999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/255547iB0860668D00FB69D/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2021-02-17 185346.png" alt="Screenshot 2021-02-17 185346.png" /></span></P> <P>&nbsp;</P> <P>If you don’t own the appropriate license, we encourage you to try out our Endpoint DLP capabilities by signing up for a free trial of Microsoft 365 E5 Compliance, available through the&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft 365 Admin Center</A>.</P> <P><BR />For more information, read our <A href="#" target="_blank" rel="noopener">official documentation</A> on Endpoint DLP onboarding.</P> <P><BR />Once a device is onboarded, Endpoint DLP automatically provides telemetry information and data discovery capabilities for sensitive data out of the box. Endpoint DLP monitors sensitive data for file access, copy, paste, print, and saving to removable media, file shares, and uploads via browsers for Office 365, PDF, and CSV files, without requiring the configuration of policies. Endpoint DLP also analyzes files for sensitivity-related information by parsing the file content, extracting sensitive information types, and the assigned sensitivity label, if one exists. This telemetry is available in Activity Explorer, alongside similar telemetry from other Microsoft workloads.</P> <P>&nbsp;</P> <P>This telemetry data provides a direct view into information workers’ regular interactions with sensitive information and can be used to streamline the identification and deployment of DLP policies that would have the most significant impact on improving the overall security posture of the organization by reducing the risk of sensitive data loss. 
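The telemetry and policy behaviour described above rest on classifying file content into sensitive information types. The following Python script is an added illustration written for this article and is not Microsoft's Endpoint DLP code: it models a sensitive information type the way DLP engines commonly structure one (a pattern, an optional checksum validator, and supporting keywords searched within a proximity window that raise confidence), scans a set of documents, and then applies a simple audit-or-block policy to the findings. The type names, keyword lists, proximity window, sample documents and policy thresholds are all constructed for the example.

```python
"""Toy sensitive-information-type (SIT) scanner.

Added illustration for this article; it is NOT Microsoft's Endpoint DLP
implementation. It models the common DLP structure of a SIT: a regex pattern,
an optional checksum validator, and supporting keywords that raise confidence
when found near the match. All names, thresholds and samples are constructed.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# Characters on either side of a match searched for supporting keywords
# (constructed value, chosen to mimic a "proximity" window).
PROXIMITY = 300

CONF_RANK = {"Medium": 1, "High": 2}


@dataclass(frozen=True)
class Finding:
    sit: str         # sensitive information type name
    confidence: str  # "High" when a supporting keyword is nearby, else "Medium"
    redacted: str    # matched value with all but the last four characters masked
    offset: int      # start position of the match in the scanned text


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (rejects most typos/fakes)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class SensitiveInfoType:
    pattern: re.Pattern
    normalize: Callable[[str], str]   # strip separators before validation
    validate: Callable[[str], bool]   # checksum; returns True when none exists
    keywords: tuple                   # lower-case supporting keywords


# Constructed SIT definitions for the example.
SITS: Dict[str, SensitiveInfoType] = {
    "Credit Card Number": SensitiveInfoType(
        pattern=re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),  # 13-19 digits, optional separators
        normalize=lambda s: re.sub(r"[ -]", "", s),
        validate=luhn_ok,
        keywords=("card", "visa", "mastercard", "credit", "cvv", "exp"),
    ),
    "U.S. Social Security Number": SensitiveInfoType(
        pattern=re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
        normalize=lambda s: s,
        validate=lambda s: True,                           # no checksum for SSNs
        keywords=("ssn", "social security"),
    ),
}


def scan_text(text: str) -> List[Finding]:
    """Return every validated SIT match in `text` with a confidence level."""
    findings: List[Finding] = []
    lowered = text.lower()
    for name, sit in SITS.items():
        for m in sit.pattern.finditer(text):
            value = sit.normalize(m.group(0))
            if not sit.validate(value):
                continue  # pattern hit but checksum failed: not reported at all
            window = lowered[max(0, m.start() - PROXIMITY): m.end() + PROXIMITY]
            conf = "High" if any(k in window for k in sit.keywords) else "Medium"
            findings.append(Finding(name, conf, "*" * (len(value) - 4) + value[-4:], m.start()))
    return findings


def scan_documents(docs: Dict[str, str]) -> Dict[str, List[Finding]]:
    """Scan a mapping of file name -> text, as an agent would on access, copy or upload."""
    return {name: scan_text(content) for name, content in docs.items()}


def policy_action(findings: List[Finding], sit: str,
                  min_confidence: str = "High", min_count: int = 1) -> str:
    """'Block' when enough findings of `sit` meet the confidence bar, else 'Audit'
    (log only), mirroring the out-of-the-box behaviour when no policy is configured."""
    hits = [f for f in findings
            if f.sit == sit and CONF_RANK[f.confidence] >= CONF_RANK[min_confidence]]
    return "Block" if len(hits) >= min_count else "Audit"


# Constructed sample documents (the card number is a well-known test value).
SAMPLE_DOCS = {
    "invoice.txt": "Customer paid by Visa card 4111 1111 1111 1111, exp 12/26.",
    "shipping.txt": "Tracking 4111 1111 1111 1112 left the warehouse.",   # fails Luhn
    "notes.txt": "Reference number 4111111111111111 noted, no context.",  # no keyword
    "hr.txt": "Employee SSN 123-45-6789 verified for onboarding.",
}

if __name__ == "__main__":
    for fname, found in scan_documents(SAMPLE_DOCS).items():
        action = policy_action(found, "Credit Card Number")
        print(f"{fname}: {[(f.sit, f.confidence, f.redacted) for f in found]} -> {action}")
```

The checksum step is what keeps a tracking number that merely looks like a card number out of the findings, and the keyword proximity is what separates a high-confidence hit (a card number next to "Visa" and "exp") from a bare digit string that should only be audited; a real policy would tune both thresholds per information type.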
&nbsp;</P> <P>&nbsp;</P> <H4><FONT size="5">Deprecating Azure Information Protection integration with Microsoft Defender for Endpoint</FONT></H4> <P>Microsoft Defender for Endpoint has an integration with Azure Information Protection (AIP) that shares sensitive data user activity and device risk data. This information is stored in the Log Analytics workspace and is displayed in the AIP Analytics screens, along with the other AIP audit logs. This integration has been available to customers as part of a Public Preview.</P> <P>&nbsp;</P> <P>Endpoint DLP incorporates an improved discovery and protection solution for sensitive data stored on endpoint devices that facilitates greater visibility and integration between solutions. On March 29, 2021, the current integration between Microsoft Defender for Endpoint and AIP will be deprecated. Existing Microsoft Defender for Endpoint customers who have been using the Public Preview of the AIP integration are encouraged to move to Endpoint DLP and enjoy the improved security capabilities and activity visibility. 
For more information about Endpoint DLP, please read our <A href="#" target="_blank" rel="noopener">documentation</A> as well as our <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/a-unified-approach-to-data-loss-prevention-from-microsoft/ba-p/1694492" target="_blank" rel="noopener">announcement blog</A>.</P> <P>&nbsp;</P> <P>The integration is controlled by an on/off toggle in the Microsoft Defender Security Center under Settings -&gt; Advanced features:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MDE_AIP.png" style="width: 624px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/272615i5FEDA64A75D2392D/image-size/large?v=v2&amp;px=999" role="button" title="MDE_AIP.png" alt="MDE_AIP.png" /></span></P> <P>When deprecated, this setting will be removed, and Microsoft Defender for Endpoint will not forward signals to Azure Information Protection.</P> <P>&nbsp;</P> <P>If you haven’t yet tried out Endpoint DLP, sign up for a free trial in the Microsoft 365 admin center.</P> <P>&nbsp;</P> <P>If you’re not yet taking advantage of Microsoft’s industry-leading optics and endpoint security capabilities, <A href="#" target="_blank" rel="noopener">sign up for a free trial</A> of Microsoft Defender for Endpoint today.</P> <H5>Additional resources:</H5> <UL> <LI>For more information on Data Loss Prevention, please see <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-security-and/a-unified-approach-to-data-loss-prevention-from-microsoft/ba-p/1694492" target="_blank" rel="noopener">our blog</A> and <A href="#" target="_blank" rel="noopener">our documentation</A></LI> <LI>For videos on Microsoft’s Unified DLP approach and Endpoint DLP, watch the following: <UL> <LI>&nbsp;<A 
href="https://gorovian.000webhostapp.com/?exam=t5/video-hub/understanding-and-maximizing-the-value-of-microsoft-s-dlp/m-p/1688051" target="_blank" rel="noopener">Understanding and maximizing the value of Microsoft's DLP Approach</A></LI> <LI>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/video-hub/extending-microsoft-dlp-deployment-to-endpoints/m-p/1688046" target="_blank" rel="noopener">Extending Microsoft DLP Deployment to Endpoints</A></LI> <LI><A href="#" target="_blank" rel="noopener">Microsoft Mechanics: Endpoint DLP - what it is and how to set it up in Microsoft 365</A></LI> </UL> </LI> <LI>For more information on DLP alerts and event management, check out the <A href="#" target="_blank" rel="noopener">documentation</A></LI> </UL> Tue, 13 Apr 2021 20:41:21 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/protecting-sensitive-information-on-devices/ba-p/2143555 Omri Amdursky 2021-04-13T20:41:21Z Microsoft Defender for Endpoint Ninja Training: February 2021 update https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-ninja-training-february-2021/ba-p/2118350 <P>We have fresh Microsoft Defender for Endpoint Ninja training content.&nbsp;If you want to refresh your knowledge and get updated, here is what has been added since the September 2020 update:</P> <P>&nbsp;</P> <P>Legend:</P> <TABLE border="1"> <TBODY> <TR> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span> Product videos</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span> Webcast recordings</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TechCommunity.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205059iE2A42D8A7F13D7BC/image-dimensions/17x19?v=v2" width="17" height="19" role="button" title="TechCommunity.png" alt="TechCommunity.png" /></span> Tech Community</P> </TD> </TR> <TR> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span> Docs on Microsoft</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;Blogs on Microsoft</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GitHub.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205065i083675CF15D6F1EF/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="GitHub.png" alt="GitHub.png" /></span>&nbsp;GitHub</P> </TD> </TR> <TR> <TD width="209.333px" height="28px"> <P>⤴ External</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper 
lia-image-align-inline" image-alt="InteractiveGuides.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205067iF93A500E533F67FB/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="InteractiveGuides.png" alt="InteractiveGuides.png" /></span>&nbsp;Interactive guides</P> </TD> <TD width="209.333px" height="28px">&nbsp;</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <TABLE width="738px"> <TBODY> <TR> <TD width="368px" height="28px"> <P><EM><STRONG>Module (ordered by roles SecOps &amp; SecAdmin)</STRONG></EM></P> </TD> <TD width="368px" height="28px"> <P><STRONG><EM>What's new</EM></STRONG></P> </TD> </TR> <TR> <TD width="368px" height="66px"> <P>Security Operations Intermediate:</P> <P>Module 3. Next generation protection</P> </TD> <TD width="368px" height="66px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-edr-in-block-mode-general-availability/ba-p/1972064" target="_blank" rel="noopener">EDR in block mode</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="81px">Security Operations Intermediate:<BR />Module 5. 
Automated investigation and remediation</TD> <TD width="368px" height="81px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-automation-defaults-are-changing/ba-p/2068744" target="_blank" rel="noopener">Default settings</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="93px">Security Operations Intermediate:<BR />Module 6. Threat analytics</TD> <TD width="368px" height="93px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Track and respond to emerging threats</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Understand the analyst report section in threat analytics</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="66px">Security Operations Expert: <BR />Module 1. 
Responding to threats</TD> <TD width="368px" height="66px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Investigate entities on devices using live response</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="146px">Security Administrator Fundamentals: <BR />Module 2. Onboarding</TD> <TD width="368px" height="146px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Deploy Microsoft Defender for Endpoint in rings</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-on-ios-is-generally-available/ba-p/1962420" target="_blank" rel="noopener">Microsoft Defender for Endpoint for iOS</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" 
alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-generally-available/ba-p/2048539" target="_blank" rel="noopener">Microsoft Defender for Endpoint for Linux</A></LI> </UL> </TD> </TR> <TR> <TD width="368px" height="28px">Security Administrator Fundamentals: <BR />Module 3. Grant and control access</TD> <TD width="368px" height="28px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058" target="_blank" rel="noopener">How to use tagging effectively (Part 1)</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-2/ba-p/1962008" target="_blank" rel="noopener">How to use tagging effectively (Part 2)</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" 
href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-3/ba-p/1964073" target="_blank" rel="noopener">How to use tagging effectively (Part 3)</A><SPAN style="font-family: inherit; background-color: transparent;">&nbsp;&nbsp;</SPAN></LI> </UL> </TD> </TR> <TR> <TD width="368px">Security Administrator Fundamentals: <BR />Module 4. Security configuration</TD> <TD width="368px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A style="font-family: inherit;" href="#" target="_blank" rel="noopener">Configure advanced features</A></LI> </UL> </TD> </TR> <TR> <TD width="368px">Security Administrator Fundamentals: <BR />Module 5. Reporting</TD> <TD width="368px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A style="font-family: inherit;" href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/introducing-a-new-threat-and-vulnerability-management-report/ba-p/1827448" target="_blank" rel="noopener">Threat and vulnerability management report</A></LI> </UL> </TD> </TR> <TR> <TD>Security Administrator Intermediate<BR />Module 8. 
Migration</TD> <TD> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Migrate from Symantec to Microsoft Defender for Endpoint</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Migrate from McAfee to Microsoft Defender for Endpoint</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Make the switch from a non-Microsoft endpoint solution to Microsoft Defender for Endpoint </A>&nbsp;</LI> </UL> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> Wed, 31 Mar 2021 03:34:02 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-ninja-training-february-2021/ba-p/2118350 Heike Ritter 2021-03-31T03:34:02Z Microsoft Defender Antivirus: 12 reasons why you need it https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-antivirus-12-reasons-why-you-need-it/ba-p/2115116 <DIV class="WordSection1"> <P class="paragraph"><SPAN class="normaltextrun"><SPAN>Having the right cybersecurity strategy requires a delicate balance between protection and convenience. 
The scale tips and topples when one side outweighs the other. In the world of security, the scale has typically leaned towards convenience for the purpose of business operability and efficiency. Unfortunately, a focus heavily weighted too far on convenience can result in massive security incidents and data breaches.</SPAN></SPAN></P> <P class="paragraph"><SPAN class="eop"><SPAN>&nbsp;</SPAN></SPAN></P> <P class="paragraph"><SPAN class="normaltextrun"><SPAN>The Microsoft Detection and Response Team (DART) wants to help all organizations avoid common mistakes and issues we see when handling customers' security incidents and breaches. In this blog, we would like to share lessons learned from commonly seen gaps specific to endpoint security. Understanding this can help you prioritize your security controls and processes.</SPAN></SPAN></P> <P class="paragraph"><SPAN>&nbsp;</SPAN></P> <P class="paragraph"><SPAN class="normaltextrun"><STRONG><SPAN>Note:</SPAN></STRONG></SPAN><SPAN class="normaltextrun"><SPAN>&nbsp;The information in this post is recommended for administrators, such as security architects, support staff, and leadership, who deal with security solutions. 
Consider these recommendations and decide whether they are being applied, or whether sufficient justification against implementing these recommendations exists.&nbsp;</SPAN></SPAN></P> <P class="paragraph">&nbsp;</P> <P class="MsoNormal" style="margin-bottom: 0in; vertical-align: baseline;"><STRONG><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">Understanding the effect of third-party antivirus and Microsoft Defender Antivirus coexistence</SPAN></STRONG></P> <P class="MsoNormal" style="margin-bottom: 0in; vertical-align: baseline;"><SPAN style="font-size: 9.0pt; mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">&nbsp;</SPAN></P> <P class="MsoNormal" style="margin-bottom: 0in; vertical-align: baseline;">On Windows 10 devices, Microsoft Defender Antivirus is shipped as part of the OS and is enabled by default. However, on endpoints protected with a non-Microsoft antivirus (AV) or antimalware application, Microsoft Defender Antivirus will automatically disable itself. Identifying the current AV solution in place, and any secondary support, is imperative to understanding what level of protection you have, and which solutions are turned on and actively protecting your organization. When DART arrives on site, often the first question from the customer is "why didn't Defender stop this?" Microsoft Defender Antivirus has entire teams dedicated to threat intel updates, real time analysis, and detection support. Having a secondary AV in place will disable Microsoft Defender Antivirus and all this backend support. 
(See <A href="#" target="_blank" rel="noopener">11 reasons to use Microsoft Defender Antivirus together with Microsoft Defender for Endpoint</A>.)&nbsp;</P> <P class="MsoNormal" style="margin-bottom: 0in; vertical-align: baseline;"><SPAN style="font-size: 9.0pt; mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">&nbsp;</SPAN></P> <P class="MsoNormal" style="margin-bottom: 0in; vertical-align: baseline;">On Windows 10 client devices that are enrolled with Microsoft Defender for Endpoint and have a non-Microsoft antivirus solution as the primary AV, Microsoft Defender Antivirus operates in passive mode, allowing the primary AV to provide real-time protection. Important: while it is in passive mode, Microsoft Defender Antivirus does not provide real-time protection and does not remediate threats. Customers should still keep Microsoft Defender Antivirus up to date via security intelligence updates and product updates, even when it is in passive mode. There are many reasons for doing so. One such reason is that if an attacker manages to disable the primary third-party antivirus, Defender Antivirus may detect the missing primary antivirus and start itself to protect the system, acting as a backup antivirus. Isolation and remediation actions are handled by the Endpoint Detection and Response (EDR) component of Defender for Endpoint. In fact, most investigations begin with EDR, as suspicious activity on an endpoint is sandboxed and can then be analyzed by security operators. 
AV can only block known threats; behavior-based threats need the advanced defense capability that EDR technology provides.</P> <P class="MsoNormal" style="margin-bottom: 0in; vertical-align: baseline;">&nbsp;</P> <P class="MsoNormal" style="margin-bottom: 0in; vertical-align: baseline;"><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">On Windows Server 2016 or 2019, Microsoft Defender Antivirus will not automatically enter passive mode if you have also installed a third-party antivirus product. If you install a third-party antivirus product on Windows Server, you should set Microsoft Defender Antivirus to passive mode manually to prevent problems caused by having multiple antivirus products installed on a machine. Having multiple antivirus solutions on a system may strain resources and cause performance issues.</SPAN></P> <P class="MsoNormal" style="margin-bottom: 0in; vertical-align: baseline;"><SPAN style="font-size: 9.0pt; mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">&nbsp;</SPAN></P> <P class="MsoNormal" style="margin-bottom: 0in; vertical-align: baseline;"><STRONG><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">What you get with Microsoft Defender Antivirus and Defender for Endpoint</SPAN></STRONG><STRONG style="mso-bidi-font-weight: normal;"><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">&nbsp;</SPAN></STRONG></P> <P class="MsoNormal" style="margin-bottom: 0in; vertical-align: baseline;"><SPAN style="font-size: 9.0pt; mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">&nbsp;</SPAN></P> <P class="MsoNormal" style="margin-bottom: 0in; vertical-align: baseline;"><SPAN style="mso-fareast-font-family: 'MS Mincho'; 
mso-fareast-theme-font: minor-fareast;">While customers can use a non-Microsoft antivirus solution with Defender for Endpoint if they choose to, using Defender Antivirus and Defender for Endpoint together amplifies endpoint protection and maximizes the return on investment with the following capabilities:&nbsp;</SPAN></P> <OL> <LI><U><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">Feedback-loop blocking</SPAN></U><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">:</SPAN> <SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">Also referred to as rapid protection, feedback-loop blocking is a component of the behavioral blocking and containment capabilities in Microsoft Defender for Endpoint. When a suspicious behavior or file is detected by Microsoft Defender Antivirus, information about that artifact is sent to multiple classifiers. The rapid protection loop engine inspects and correlates the information with other signals to decide whether to block the file. Checking and classifying artifacts happens quickly, which results in rapid blocking of confirmed malware and drives protection across the entire ecosystem. With feedback-loop blocking, devices across your organization are better protected from attacks.</SPAN></LI> <LI><U style="font-family: inherit; text-indent: -0.25in;"><SPAN>Network protection</SPAN></U><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">: Network protection is a feature that enables customers to allow or block specific URLs and IP addresses, either manually or via threat intelligence feeds. It helps to prevent applications from accessing malicious domains. 
This feature is available but will not work without our antivirus capabilities enabled.&nbsp;Detailed information about network protection events and blocks can be viewed and analyzed in the Microsoft Defender Security Center, where security teams can also run advanced hunting queries for a more proactive security approach.</SPAN></LI> <LI><U style="font-family: inherit; text-indent: -0.25in;"><SPAN>Block at first sight</SPAN></U><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">: Block at first sight provides a way to detect and block new malware within seconds. When Microsoft Defender Antivirus encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend applies heuristics, machine learning, and automated analysis of the file to determine whether the file is malicious or not a threat. This feature and its required settings are enabled by default when certain prerequisite settings are enabled, but it will not work without Microsoft Defender Antivirus.&nbsp;</SPAN></LI> <LI><U style="font-family: inherit; text-indent: -0.25in;"><SPAN>Detect and block potentially unwanted applications</SPAN></U>: <SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">Potentially unwanted applications (PUA) are not considered viruses, malware, or other types of threats, but they might perform actions on endpoints that adversely affect endpoint performance or use. PUA can also refer to an application that has a poor reputation, as assessed by Microsoft Defender for Endpoint, due to certain kinds of undesirable behavior. This feature is powered by Microsoft Defender SmartScreen.</SPAN> <SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">Microsoft Defender Antivirus blocks detected PUA files and any attempts to download, move, run, or install them. 
Blocked PUA files are then moved to quarantine.</SPAN></LI> <LI><U style="font-family: inherit; text-indent: -0.25in;"><SPAN>Attack surface reduction, controlled folder access, SmartScreen</SPAN></U><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">: Preventive blocking capabilities like attack surface reduction rules, controlled folder access, and SmartScreen alerts will not work without Microsoft Defender AV. Microsoft Defender AV with SmartScreen enabled provides a rich source of signals to Defender for Endpoint, as well as process chain information in alerts. This includes events like potential credential theft from LSASS, execution of files that Microsoft rates as low reputation, potential ransomware execution, and more.</SPAN></LI> <LI><U style="font-family: inherit; text-indent: -0.25in;"><SPAN>Audit logs</SPAN></U>: It is important to recognize that without Microsoft Defender Antivirus the audit events do not capture the information administrators need. Without proper auditing, basic functionality such as tracking which machines have up-to-date antivirus definitions is not available to administrators. In one case we encountered, inadequate audit logging led to a domain compromise. The attacker compromised an ordinary user machine and downloaded malware onto it. Microsoft Defender Antivirus is able to catch and report when attackers reuse known malware, but without proper auditing such reports never reached the administrators. 
As a result, the attacker was able to keep testing malware until one sample that the antivirus missed worked, and then reuse that same sample to attack other machines.</LI> <LI><U style="font-family: inherit; text-indent: -0.25in;"><SPAN>Detailed information on blocked malware</SPAN></U><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">: When a file is blocked by Microsoft Defender Antivirus, the alert, the assessment of machine risk, and the actions taken across the organization are recorded. This provides accountability and traceability. The ability to allow or block a file directly from Microsoft Defender for Endpoint is already available, and this includes the ability to request a download of the file or collect it. If a third-party solution blocks malware, your organization has much less visibility and fewer available reactive actions.</SPAN></LI> <LI><U style="font-family: inherit; text-indent: -0.25in;"><SPAN>Microsoft Secure Score for devices</SPAN></U><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">: Microsoft Secure Score is a measurement of an organization's security posture, with a higher number indicating more improvement actions taken. Many components require Microsoft Defender Antivirus to collect the underlying system data. Without Microsoft Defender Antivirus, many of these features are limited, which significantly reduces the detail available. For example, “Top exposed devices” can be inaccurate if a third-party antivirus solution is used. Microsoft Defender Antivirus provides details such as when the device was last scanned for malware and when antivirus signatures were updated. 
Such details provide much richer context and a better assessment of an organization’s security posture with Secure Score when Microsoft Defender Antivirus is used.</SPAN></LI> <LI><U style="font-family: inherit; text-indent: -0.25in;"><SPAN>Compliance and Geolocation</SPAN></U><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">: Microsoft Defender Antivirus and Defender for Endpoint, together with the other components of Microsoft Defender and the geo-location of their data, fall under the same ISO 27001 compliance. When you use the Defender for Endpoint platform, you get information about geo-sovereignty, ISO compliance, and data retention. You avoid the potential risk of using a third-party vendor with a different level of compliance, and the task of validating that vendor's compliance yourself.</SPAN></LI> <LI><U style="font-family: inherit; text-indent: -0.25in;"><SPAN>Better threat intel</SPAN></U><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">: Because of our deep integration across components, Microsoft Defender Antivirus learns from Defender EDR detections, and vice versa. With Microsoft Defender Antivirus, suspicious files can be collected and sent to Microsoft for analysis. The result is that Microsoft products can share signals across the enterprise and globally, forming a stronger single platform.&nbsp;</SPAN></LI> <LI><U style="font-family: inherit; text-indent: -0.25in;"><SPAN>Tamper protection</SPAN></U>:<SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;"> Many bad actors attempt to disable security features, including antivirus protection, to expedite their malicious activities. Our investments in tamper protection help to harden systems against these types of tactics. 
Microsoft Defender Antivirus together with Microsoft Defender for Endpoint enables security teams to detect and manage tampering attempts on endpoints. Tampering alerts are raised in the Microsoft Defender Security Center, giving security teams an additional data point in understanding an attack, as well as the ability to investigate and resolve these attempts.</SPAN></LI> <LI><U style="font-family: inherit; text-indent: -0.25in;"><SPAN>Industry leading endpoint security</SPAN></U>:<SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">&nbsp;Organizations are looking to use best-of-breed solutions while also simplifying their security. Microsoft Defender for Endpoint has been recognized by industry analysts as a leading endpoint security product, and we are proud of our performance and coverage in the MITRE ATT&amp;CK evaluations. Additionally, Microsoft Defender’s antimalware capabilities have <A href="#" target="_blank" rel="noopener">consistently achieved high scores</A> in independent AV tests such as AV-TEST, AV-Comparatives, and SE-Labs.</SPAN></LI> </OL> <P class="paragraph" style="vertical-align: baseline; margin: 0in 0in 0in .25in;"><SPAN style="font-size: 9.0pt; font-family: 'Calibri',sans-serif; mso-ascii-theme-font: minor-latin; mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast; mso-hansi-theme-font: minor-latin; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi;">&nbsp;</SPAN><SPAN style="font-size: 9.0pt; font-family: 'Calibri',sans-serif; mso-ascii-theme-font: minor-latin; mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast; mso-hansi-theme-font: minor-latin; mso-bidi-font-family: Arial; mso-bidi-theme-font: minor-bidi;">&nbsp;</SPAN></P> <P class="MsoNormal"><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">In a recent DART incident response scenario, a customer had a third-party antivirus solution in place and was 
working on a proof-of-concept for Defender for Endpoint using Windows 7. For several days, there were no alarming detections. One day, a warning for a well-known credential theft tool was raised by Defender for Endpoint, and an investigation was started immediately. During the investigation, it became clear that the credential theft tool had been written in a particular way and stored in a folder excluded from the third-party antivirus, so that it was never scanned. After much tracing, it turned out that the workstations that were initially infected had raised multiple alerts from the third-party antivirus. None of those alerts reached the security team, because the warnings weren’t forwarded anywhere and Microsoft Defender Antivirus was in passive mode. The attacker was eventually able to produce a tool that avoided the antivirus detection and managed to steal high-privileged account credentials, leading to data exfiltration. The entire investigation was only triggered when a Windows 10 machine was set up in the environment with Microsoft Defender Antivirus active and the machine onboarded to Microsoft Defender for Endpoint. Defender was able to quickly detect the malware based on its malicious behaviors.</SPAN></P> <P class="MsoNormal">&nbsp;</P> <P class="MsoNormal"><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">Defender for Endpoint sensors are designed to work together as part of a solution, actively sharing data with each other and with other Microsoft security stack products. Introducing non-Microsoft sensors could reduce the value of alerts and incident intelligence. As mentioned in this article, there are multiple advantages to combining both Microsoft Defender Antivirus and Defender for Endpoint. 
Having discussed these key points, we hope you find it worth your time to review your organization’s current antivirus and EDR solution.</SPAN></P> <P class="MsoNormal">&nbsp;</P> <P class="MsoNormal" style="margin-bottom: 0in; vertical-align: baseline;"><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">So many times, I have heard from customers’ operations and administrators that they don’t know what AV products they are using, how to configure their AV solutions, how to troubleshoot their AV solutions, how many different AV solutions they support, and so on. Because having too many AV vendors can be an operational risk, consider reducing the number of AV vendors your organization uses. </SPAN></P> <P class="MsoNormal" style="margin-bottom: 0in; vertical-align: baseline;"><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">&nbsp;</SPAN></P> <P class="MsoNormal"><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">If you’re still not convinced of the value of running both Microsoft Defender Antivirus and Microsoft Defender for Endpoint, you can still get an added layer of protection with </SPAN>EDR in block mode<SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">. EDR in block mode is designed to block malicious post-breach behavior that the primary antivirus solution might miss. 
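<P class="MsoNormal">The two server-side checks this post asks administrators to do by hand, confirming which engine is active (normal, passive, or EDR block mode) and whether antivirus definitions are current, and forcing Defender Antivirus into passive mode when a third-party product is the primary engine, as an added PowerShell example that is not part of the original post and not Microsoft's own tooling. It assumes an elevated session on a Windows Server 2016 or 2019 host with the Defender PowerShell module present, a Defender platform recent enough that Get-MpComputerStatus exposes AMRunningMode and IsTamperProtected, and that the -ThirdPartyAvInstalled switch and the $MaxSignatureAgeDays threshold are locally chosen inputs rather than Microsoft recommendations.</P>

```powershell
<#
  Added example, not from the original post or from Microsoft's own tooling.
  Audits Microsoft Defender Antivirus state on a Windows Server 2016/2019 host and, when the
  administrator declares a third-party AV as the primary engine, forces Defender AV into passive
  mode through the documented ForceDefenderPassiveMode registry value. On these server versions
  Defender AV does not switch to passive mode on its own, which is the misconfiguration the post
  warns about (two active engines straining the host).
  Assumptions: elevated session; Defender PowerShell module present; AMRunningMode and
  IsTamperProtected exist on the installed platform version; -ThirdPartyAvInstalled and
  $MaxSignatureAgeDays are locally chosen inputs, not Microsoft recommendations.
#>
param(
    [switch]$ThirdPartyAvInstalled,  # set when a non-Microsoft AV is the primary engine on this host
    [int]$MaxSignatureAgeDays = 3    # constructed threshold for "definitions are stale"
)

$status = Get-MpComputerStatus

# Snapshot the fields an administrator needs for the audit the post describes:
# running mode, tamper protection, and whether definitions are current.
$report = [pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    RunningMode          = $status.AMRunningMode            # Normal, Passive Mode, EDR Block Mode, ...
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    TamperProtected      = $status.IsTamperProtected
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated
    SignatureAgeDays     = $status.AntivirusSignatureAge
    SignatureStale       = ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays)
}
$report | Format-List

if ($report.SignatureStale) {
    Write-Warning "Antivirus definitions are $($report.SignatureAgeDays) days old (threshold $MaxSignatureAgeDays days); check update connectivity."
}

# Policy location for the documented ForceDefenderPassiveMode (REG_DWORD = 1) value.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'

if ($ThirdPartyAvInstalled -and $status.AMRunningMode -eq 'Normal') {
    # Two active engines strain resources and cause the conflicts the post warns about, so demote
    # Defender AV explicitly. The EDR sensor keeps reporting to Defender for Endpoint in passive mode.
    Write-Warning 'Third-party AV declared but Defender AV is still the active engine; forcing passive mode.'
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name 'ForceDefenderPassiveMode' -Value 1 -Type DWord
    Write-Output 'ForceDefenderPassiveMode=1 written; re-run this script after a reboot and confirm RunningMode reports Passive Mode.'
}
elseif (-not $ThirdPartyAvInstalled -and $status.AMRunningMode -ne 'Normal') {
    # The opposite misconfiguration: no third-party AV, yet Defender AV is not the active engine,
    # so the host may have no real-time antivirus at all (the scenario in the DART case above).
    Write-Warning "No third-party AV declared, but Defender AV is in '$($status.AMRunningMode)'; verify that the host is actually protected."
}
```

Run it once per server from a management host (for example via Invoke-Command) and collect the returned objects to get the per-machine definition-age view that the audit logs item says is missing without Defender Antivirus.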
You can read more about this feature </SPAN><A href="#" target="_blank" rel="noopener"><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">in our documentation</SPAN></A> as well as our recent <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-edr-in-block-mode-general-availability/ba-p/1972064" target="_blank" rel="noopener">blog post</A>.</P> <P class="MsoNormal"><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">&nbsp;</SPAN></P> <P class="MsoNormal"><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">If you’re not yet taking advantage of Microsoft Defender for Endpoint’s industry leading security optics and detection capabilities, we encourage you to <A href="#" target="_blank" rel="noopener">sign up for a free trial</A> today. </SPAN></P> <P class="MsoNormal"><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">Thank you.</SPAN></P> <P class="MsoNormal"><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">&nbsp;</SPAN></P> <P class="MsoNormal"><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">&nbsp;</SPAN></P> <P class="MsoNormal"><STRONG><U><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast;">References</SPAN></U></STRONG></P> <P class="MsoNormal"><SPAN style="mso-fareast-font-family: 'MS Mincho'; mso-fareast-theme-font: minor-fareast; mso-bidi-font-family: Calibri; mso-bidi-theme-font: minor-latin;">&nbsp;</SPAN></P> <P><STRONG>Microsoft Defender for Endpoint</STRONG></P> <P><A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection</A></P> <P>&nbsp;</P> <P><STRONG>More information on next-generation protection in Windows 10, Windows 
Server 2016, and Windows Server 2019</STRONG></P> <P><A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10</A></P> <P>&nbsp;</P> <P><STRONG>Microsoft Defender Antivirus compatibility</STRONG></P> <P><A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility</A></P> <P>&nbsp;</P> <P><STRONG>Tamper protection</STRONG></P> <P><A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection</A></P> <P>&nbsp;</P> <P><STRONG>Behavioral blocking and containment: Transforming optics into protection</STRONG></P> <P><A href="#" target="_blank" rel="noopener">https://www.microsoft.com/security/blog/2020/03/09/behavioral-blocking-and-containment-transforming-optics-into-protection</A></P> <P>&nbsp;</P> <P><STRONG>Feedback-loop blocking</STRONG></P> <P><A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/feedback-loop-blocking</A></P> <P>&nbsp;</P> <P><STRONG>Endpoint detection and response (EDR) in block mode</STRONG></P> <P><A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/edr-in-block-mode</A></P> <P>&nbsp;</P> <P><STRONG>Turn on block at first sight</STRONG></P> <P><A href="#" target="_blank" rel="noopener">Enable block at first sight to detect malware in seconds - Windows security | Microsoft Docs</A></P> <P class="MsoNormal" style="line-height: 150%;">&nbsp;</P> </DIV> Mon, 08 Feb 2021 16:17:45 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-antivirus-12-reasons-why-you-need-it/ba-p/2115116 KimHwee 2021-02-08T16:17:45Z Join us for our next AMA on threat and vulnerability management! 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/join-us-for-our-next-ama-on-threat-and-vulnerability-management/ba-p/2115891 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TVM_AMA.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/252798iF725BDDF6187C61D/image-size/large?v=v2&amp;px=999" role="button" title="TVM_AMA.png" alt="TVM_AMA.png" /></span></P> <P>We’re excited to invite you to the next Microsoft Defender for Endpoint AMA (ask me anything) on the Microsoft TechCommunity. This time, the topic will be our threat and vulnerability management capabilities.</P> <P>&nbsp;</P> <P>This AMA will be on Wednesday, February 17, 2021, from 8:00-9:00am Pacific Time. Bring all your questions about threat and vulnerability management – our disruptive, risk-driven approach that helps accelerate the maturity of your vulnerability management program. Our team is excited to chat with you!</P> <P>&nbsp;</P> <P><STRONG>Details: </STRONG></P> <P>Microsoft Defender for Endpoint AMA – threat and vulnerability management</P> <P>Date: Wednesday, February 17, 2021</P> <P>Time: 8:00-9:00am PT</P> <P>Place: <A href="#" target="_blank" rel="noopener">https://aka.ms/ama/DefenderforEndpoint</A></P> <P>&nbsp;</P> <P>Save the .ics file to ensure you have this on your calendar!</P> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; 
background-blend-mode: initial; baseline-shift: initial; block-size: initial; border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: initial; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: 
initial; origin-trial-test-property: initial; orphans: initial; outline: initial; outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; 
-webkit-box-decoration-break: initial; -webkit-box-direction: initial; -webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> <DIV class="ms-editor-squiggler" style="color: initial; font: initial; font-feature-settings: initial; font-kerning: initial; font-optical-sizing: initial; font-variation-settings: initial; forced-color-adjust: initial; text-orientation: initial; text-rendering: initial; -webkit-font-smoothing: initial; -webkit-locale: initial; -webkit-text-orientation: initial; -webkit-writing-mode: initial; writing-mode: initial; zoom: initial; place-content: initial; place-items: initial; place-self: initial; alignment-baseline: initial; animation: initial; appearance: initial; aspect-ratio: initial; backdrop-filter: initial; backface-visibility: initial; background: initial; background-blend-mode: initial; baseline-shift: initial; block-size: initial; 
border-block: initial; border: initial; border-radius: initial; border-collapse: initial; border-end-end-radius: initial; border-end-start-radius: initial; border-inline: initial; border-start-end-radius: initial; border-start-start-radius: initial; inset: initial; box-shadow: initial; box-sizing: initial; break-after: initial; break-before: initial; break-inside: initial; buffered-rendering: initial; caption-side: initial; caret-color: initial; clear: initial; clip: initial; clip-path: initial; clip-rule: initial; color-interpolation: initial; color-interpolation-filters: initial; color-rendering: initial; color-scheme: initial; columns: initial; column-fill: initial; gap: initial; column-rule: initial; column-span: initial; contain: initial; contain-intrinsic-size: initial; content: initial; content-visibility: initial; counter-increment: initial; counter-reset: initial; counter-set: initial; cursor: initial; cx: initial; cy: initial; d: initial; display: block; dominant-baseline: initial; empty-cells: initial; fill: initial; fill-opacity: initial; fill-rule: initial; filter: initial; flex: initial; flex-flow: initial; float: initial; flood-color: initial; flood-opacity: initial; grid: initial; grid-area: initial; height: initial; hyphens: initial; image-orientation: initial; image-rendering: initial; inline-size: initial; inset-block: initial; inset-inline: initial; isolation: initial; letter-spacing: initial; lighting-color: initial; line-break: initial; list-style: initial; margin-block: initial; margin: initial; margin-inline: initial; marker: initial; mask: initial; mask-type: initial; max-block-size: initial; max-height: initial; max-inline-size: initial; max-width: initial; min-block-size: initial; min-height: initial; min-inline-size: initial; min-width: initial; mix-blend-mode: initial; object-fit: initial; object-position: initial; offset: initial; opacity: initial; order: initial; origin-trial-test-property: initial; orphans: initial; outline: initial; 
outline-offset: initial; overflow-anchor: initial; overflow-wrap: initial; overflow: initial; overscroll-behavior-block: initial; overscroll-behavior-inline: initial; overscroll-behavior: initial; padding-block: initial; padding: initial; padding-inline: initial; page: initial; page-orientation: initial; paint-order: initial; perspective: initial; perspective-origin: initial; pointer-events: initial; position: initial; quotes: initial; r: initial; resize: initial; ruby-position: initial; rx: initial; ry: initial; scroll-behavior: initial; scroll-margin-block: initial; scroll-margin: initial; scroll-margin-inline: initial; scroll-padding-block: initial; scroll-padding: initial; scroll-padding-inline: initial; scroll-snap-align: initial; scroll-snap-stop: initial; scroll-snap-type: initial; shape-image-threshold: initial; shape-margin: initial; shape-outside: initial; shape-rendering: initial; size: initial; speak: initial; stop-color: initial; stop-opacity: initial; stroke: initial; stroke-dasharray: initial; stroke-dashoffset: initial; stroke-linecap: initial; stroke-linejoin: initial; stroke-miterlimit: initial; stroke-opacity: initial; stroke-width: initial; tab-size: initial; table-layout: initial; text-align: initial; text-align-last: initial; text-anchor: initial; text-combine-upright: initial; text-decoration: initial; text-decoration-skip-ink: initial; text-indent: initial; text-overflow: initial; text-shadow: initial; text-size-adjust: initial; text-transform: initial; text-underline-offset: initial; text-underline-position: initial; touch-action: initial; transform: initial; transform-box: initial; transform-origin: initial; transform-style: initial; transition: initial; user-select: initial; vector-effect: initial; vertical-align: initial; visibility: initial; -webkit-app-region: initial; border-spacing: initial; -webkit-border-image: initial; -webkit-box-align: initial; -webkit-box-decoration-break: initial; -webkit-box-direction: initial; 
-webkit-box-flex: initial; -webkit-box-ordinal-group: initial; -webkit-box-orient: initial; -webkit-box-pack: initial; -webkit-box-reflect: initial; -webkit-highlight: initial; -webkit-hyphenate-character: initial; -webkit-line-break: initial; -webkit-line-clamp: initial; -webkit-mask-box-image: initial; -webkit-mask: initial; -webkit-mask-composite: initial; -webkit-perspective-origin-x: initial; -webkit-perspective-origin-y: initial; -webkit-print-color-adjust: initial; -webkit-rtl-ordering: initial; -webkit-ruby-position: initial; -webkit-tap-highlight-color: initial; -webkit-text-combine: initial; -webkit-text-decorations-in-effect: initial; -webkit-text-emphasis: initial; -webkit-text-emphasis-position: initial; -webkit-text-fill-color: initial; -webkit-text-security: initial; -webkit-text-stroke: initial; -webkit-transform-origin-x: initial; -webkit-transform-origin-y: initial; -webkit-transform-origin-z: initial; -webkit-user-drag: initial; -webkit-user-modify: initial; white-space: initial; widows: initial; width: initial; will-change: initial; word-break: initial; word-spacing: initial; x: initial; y: initial; z-index: initial;">&nbsp;</DIV> Fri, 05 Feb 2021 20:25:58 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/join-us-for-our-next-ama-on-threat-and-vulnerability-management/ba-p/2115891 Kasia Kaplinska 2021-02-05T20:25:58Z Extending threat and vulnerability management to more devices https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/extending-threat-and-vulnerability-management-to-more-devices/ba-p/2111253 <P>As Microsoft Defender for Endpoint evolves, we are continuously expanding <A href="#" target="_blank" rel="noopener">threat and vulnerability management</A> to cover additional devices, <A href="#" target="_blank" rel="noopener">OS platforms</A>, and channels to inform customers. 
Today, we’re excited to share the latest updates.</P> <P>&nbsp;</P> <P><STRONG>Threat and vulnerability management for macOS is now generally available</STRONG></P> <P>Vulnerability assessment for macOS devices is now <STRONG>generally available</STRONG> to all customers. This capability expansion enables organizations to discover, prioritize, and remediate both software and operating system vulnerabilities on devices running macOS.</P> <P>&nbsp;</P> <P>After <A href="#" target="_blank" rel="noopener">onboarding</A> your macOS devices to Microsoft Defender for Endpoint, you'll get the latest security recommendations, review recently discovered vulnerabilities in installed applications, and issue remediation tasks, just like you can with Windows devices.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture1.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/251404i4F85F57565978E60/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.png" alt="Picture1.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Support for Windows 8.1 devices in public preview</STRONG></P> <P>As we continue to enrich threat and vulnerability management with new features and capabilities, we are committed to helping all customers running a variety of platforms protect their organizations and resolve vulnerabilities.</P> <P>&nbsp;</P> <P>We’re excited to announce that we're extending vulnerability assessment and security configuration assessment capabilities to devices running the Windows 8.1 operating system. This has been an ask from some of our top customers and we’re happy to be able to deliver the capability. In public preview as of today, customers will see Windows 8.1 devices contribute to Microsoft Secure Score for Devices and be included in threat and vulnerability dashboards such as Security recommendations, Software inventory, Remediation, Weaknesses, and Event timeline. 
Windows 8.1 devices will be included in prioritized recommendations, and customers can kick off remediation actions just as they can with Windows 10 devices. You can see detailed information about threat and vulnerability management support for operating system versions and platforms in the <A href="#" target="_blank" rel="noopener">documentation</A>.</P> <P>&nbsp;</P> <P>To get started with Microsoft Defender for Endpoint public preview capabilities, we encourage customers to turn on <A href="#" target="_blank" rel="noopener">preview features</A> in Microsoft Defender Security Center.</P> <P>&nbsp;</P> <P><STRONG>Introducing email notifications for vulnerability events in public preview</STRONG></P> <P>Security admins need to stay up to date on the exposure level of their organization and be informed of any new threat that affects the security posture and compliance of their devices.</P> <P>&nbsp;</P> <P>Threat and vulnerability management continuously monitors your devices and provides real-time information on new threats affecting your organization. 
These vulnerability events, like new public exploits, are available today through the recently added&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/introducing-event-timeline-an-innovative-new-way-to-manage-your/ba-p/1505208" target="_self">Event timeline</A> feature.</P> <P>&nbsp;</P> <P>We’ve introduced the ability to set up email notification rules in threat and vulnerability management, so that all appropriate stakeholders will immediately be informed of these new vulnerability events by email.</P> <P>&nbsp;</P> <P>Follow these steps to create an email notification rule:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture2.png" style="width: 292px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/251409i387C0A0540BBD1F9/image-size/large?v=v2&amp;px=999" role="button" title="Picture2.png" alt="Picture2.png" /></span></P> <P>&nbsp;</P> <P>Set the vulnerability events that trigger notifications and specify device groups.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture3.png" style="width: 640px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/251410i93E38E88FA804DD4/image-size/large?v=v2&amp;px=999" role="button" title="Picture3.png" alt="Picture3.png" /></span></P> <P>&nbsp;</P> <P>Add specific recipients who’ll be informed immediately when vulnerability events occur so they can act accordingly.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture4.png" style="width: 604px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/251411i9B6C63E3B1783C12/image-size/large?v=v2&amp;px=999" role="button" title="Picture4.png" alt="Picture4.png" /></span></P> <P>&nbsp;</P> <P>Recipients who receive the email notification can view basic information about the vulnerability event. 
There will also be links to filtered views of the threat and vulnerability management&nbsp;<A href="#" target="_blank" rel="noopener">Security recommendations</A>&nbsp;and&nbsp;<A href="#" target="_blank" rel="noopener">Weaknesses</A>&nbsp;pages so they can further investigate. For example, they could get a list of all exposed devices or get additional details about the vulnerability.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture5.png" style="width: 485px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/251412i2F38A4A4A8C905F6/image-size/large?v=v2&amp;px=999" role="button" title="Picture5.png" alt="Picture5.png" /></span></P> <P>&nbsp;</P> <P>Threat and vulnerability management takes a disruptive, risk-driven approach to help organizations reduce and remediate software vulnerabilities and system misconfigurations. Threat and vulnerability management is one of many Microsoft Defender for Endpoint capabilities that empowers organizations to reduce their cybersecurity threat exposure and accelerate the maturity of their vulnerability management program.</P> <P>&nbsp;</P> <P>If you’re not yet taking advantage of Microsoft’s industry leading endpoint security solution, <A href="#" target="_blank" rel="noopener">sign up for a free Microsoft Defender for Endpoint trial</A> today.</P> Wed, 03 Feb 2021 02:49:35 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/extending-threat-and-vulnerability-management-to-more-devices/ba-p/2111253 Tomer_Reisner 2021-02-03T02:49:35Z Windows Virtual Desktop support is now generally available https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/windows-virtual-desktop-support-is-now-generally-available/ba-p/2103712 <P>Microsoft is committed to continually extending Microsoft Defender for Endpoint capabilities across all the endpoints you need to secure, and today we’re excited to announce that Defender for 
Endpoint for Windows Virtual Desktop is now generally available! In this post we’ll briefly go over what this means, and what the experience looks like in the Microsoft Defender Security Center.</P> <P><BR />Defender for Endpoint now supports Windows Virtual Desktop for Windows 10 Enterprise multi-session (listed here as “Microsoft Windows 10 Enterprise for Virtual Desktops”).</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JesseEsquivel_0-1611780972526.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250027iD473439C176EE083/image-size/large?v=v2&amp;px=999" role="button" title="JesseEsquivel_0-1611780972526.png" alt="JesseEsquivel_0-1611780972526.png" /></span></P> <P>&nbsp;</P> <P>Single-session scenarios on Windows 10 Enterprise are fully supported, and onboarding your Windows Virtual Desktop machines into Defender for Endpoint has not changed.</P> <P>&nbsp;</P> <P>Several new items have been added to the Microsoft Defender Security Center to support Windows Virtual Desktop; we’ll detail them in the following sections.</P> <P>&nbsp;</P> <P><U><STRONG>Device Inventory Page</STRONG></U></P> <P><BR />On the device inventory page, select “filters” to see a new “Windows 10 WVD” filter under OS Platform that you can use to view only Windows Virtual Desktop machines. 
Identify Windows Virtual Desktop machines by looking for “Windows 10 WVD” in the OS platform column of the table.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="WVD2.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250322i4F7DB450B944EAE0/image-size/large?v=v2&amp;px=999" role="button" title="WVD2.jpg" alt="WVD2.jpg" /></span></P> <P>&nbsp;</P> <P><U><STRONG>Device Page</STRONG></U></P> <P><BR />On the device page, in the left flyout, you’ll also see that Windows Virtual Desktop is reflected under the device details section. Under “OS” you’ll see “Windows 10 WVD x64”, indicating that it’s a Windows Virtual Desktop machine.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JesseEsquivel_0-1611852617708.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250324i00C0437534B87825/image-size/large?v=v2&amp;px=999" role="button" title="JesseEsquivel_0-1611852617708.png" alt="JesseEsquivel_0-1611852617708.png" /></span></P> <P>&nbsp;</P> <P>The device page will also show the number of logged-on users in the past 30 days on the overview tab.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JesseEsquivel_1-1611852755369.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250325i9AD13380EA1BCFC2/image-size/large?v=v2&amp;px=999" role="button" title="JesseEsquivel_1-1611852755369.png" alt="JesseEsquivel_1-1611852755369.png" /></span></P> <P>&nbsp;</P> <P>Selecting the “See all users” link will allow you to see the complete list of users. 
You’ll have a number of columns at your disposal including “Logon Type,” which for Windows Virtual Desktop will be “logon type 10” or “RemoteInteractive.”</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JesseEsquivel_5-1611781345312.png" style="width: 574px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250036iA9648E1C8AA43223/image-dimensions/574x498?v=v2" width="574" height="498" role="button" title="JesseEsquivel_5-1611781345312.png" alt="JesseEsquivel_5-1611781345312.png" /></span></P> <P>&nbsp;</P> <P>The changes thus far are there to help you identify Windows Virtual Desktop machines in the Microsoft Defender Security Center. The data that is collected, and the investigation experience that you are used to with all other supported endpoint types, remains mostly unchanged. You can expect the majority of the functionality and capabilities such as the device page, response actions, threat and vulnerability management, Microsoft Secure Score for Devices, software inventory, etc. to all still work in the same way they do for Windows 10 and other supported devices. However, there are some things to take note of in a few key areas of the security center which we’ll walk through below.</P> <P>&nbsp;</P> <P><U><STRONG>Machine Timeline</STRONG></U></P> <P><BR />The machine timeline will be populated with cyber telemetry from all active user sessions on the Windows Virtual Desktop machine. This allows analysts to see all events happening on the machine and also gives the option to investigate timeline events that are specific to a particular user session. 
As an example, I’ve flagged a couple of events in the machine timeline from five different users who are logged on concurrently to a Windows Virtual Desktop machine:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JesseEsquivel_6-1611854438829.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250334i04393544CA1BE093/image-size/large?v=v2&amp;px=999" role="button" title="JesseEsquivel_6-1611854438829.png" alt="JesseEsquivel_6-1611854438829.png" /></span></P> <P>&nbsp;</P> <P>If you want to see all activity related to a specific user, simply search for the username to display all associated cyber telemetry:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JesseEsquivel_4-1611854264795.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250331i96BAEB47C71621E6/image-size/large?v=v2&amp;px=999" role="button" title="JesseEsquivel_4-1611854264795.png" alt="JesseEsquivel_4-1611854264795.png" /></span></P> <P>&nbsp;</P> <P>All of the machine timeline capabilities such as search, filters, flagging, columns, time span, etc. still work the same way as they do with other devices.</P> <P>&nbsp;</P> <P><U><STRONG>Advanced Hunting</STRONG></U></P> <P><BR />All of the cyber telemetry data reported by Windows Virtual Desktop machines will be available in advanced hunting. 
For example, you may want to see process events or image loads related to a specific user session; this can be accomplished using columns that are already present in the advanced hunting schema:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JesseEsquivel_7-1611854682935.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250337iDD1E573FC16B735C/image-size/large?v=v2&amp;px=999" role="button" title="JesseEsquivel_7-1611854682935.png" alt="JesseEsquivel_7-1611854682935.png" /></span></P> <P>&nbsp;</P> <P>Perhaps you want to check browser network events by user on a Windows Virtual Desktop host for the last 24 hours:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JesseEsquivel_8-1611854745171.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250338i50C09408117C57AC/image-size/large?v=v2&amp;px=999" role="button" title="JesseEsquivel_8-1611854745171.png" alt="JesseEsquivel_8-1611854745171.png" /></span></P> <P>&nbsp;</P> <P>For the last example, you may want to check for currently logged-on users via the DeviceInfo table. As you can see here, at 1/13/2021 1:25:19 there are five users concurrently logged on to this specific Windows Virtual Desktop host:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JesseEsquivel_9-1611854812607.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250339iE48D1BA374ECB59F/image-size/large?v=v2&amp;px=999" role="button" title="JesseEsquivel_9-1611854812607.png" alt="JesseEsquivel_9-1611854812607.png" /></span></P> <P>&nbsp;</P> <P>These are just a few examples that target all or specific user sessions for data insights via advanced hunting. 
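</P> <P>As an added example (these are the editor's own queries, not the post's, whose queries survive here only as the screenshots above), the following advanced hunting queries cover the cases this section and the device page section describe: process creations and image loads for one user session, browser network events per user over the last 24 hours, the current logged-on user list from DeviceInfo, and the RemoteInteractive (logon type 10) logons that start each session. The device name "wvd-host-01" and the account name "jdoe" are placeholders, and the UserName/DomainName field names inside LoggedOnUsers are assumed; LogonId is the column that ties events to a single session.</P>

```kusto
// Added example queries (not the original post's). Each numbered section is
// a stand-alone query; advanced hunting runs one query per execution.
// Placeholders: "wvd-host-01" (device name) and "jdoe" (account name).

// --- 1. Process creations and image loads from one user's session ---------
// DeviceProcessEvents carries the session owner in AccountName/LogonId;
// DeviceImageLoadEvents only has the InitiatingProcess* equivalents.
let wvdHost = "wvd-host-01";
let suspectUser = "jdoe";
union
    (DeviceProcessEvents
     | where Timestamp > ago(24h) and DeviceName startswith wvdHost
     | where AccountName =~ suspectUser
     | project Timestamp, DeviceName, AccountName, LogonId, ActionType,
               Detail = strcat(FileName, " ", ProcessCommandLine)),
    (DeviceImageLoadEvents
     | where Timestamp > ago(24h) and DeviceName startswith wvdHost
     | where InitiatingProcessAccountName =~ suspectUser
     | project Timestamp, DeviceName, AccountName = InitiatingProcessAccountName,
               LogonId = InitiatingProcessLogonId, ActionType,
               Detail = strcat(InitiatingProcessFileName, " loaded ", FolderPath))
| order by Timestamp desc

// --- 2. Browser network events per user on the host, last 24 hours ---------
let wvdHost = "wvd-host-01";
let browsers = dynamic(["msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"]);
DeviceNetworkEvents
| where Timestamp > ago(24h) and DeviceName startswith wvdHost
| where InitiatingProcessFileName in~ (browsers)
| summarize Connections = count(), Destinations = make_set(RemoteUrl, 20)
    by InitiatingProcessAccountName, InitiatingProcessLogonId, InitiatingProcessFileName
| order by Connections desc

// --- 3. Who is logged on now, from the host's latest DeviceInfo report -----
// LoggedOnUsers is a JSON array; expanding it gives one row per session and
// array_length() gives the concurrent-user count the post's screenshot shows.
// The UserName/DomainName field names are assumed.
let wvdHost = "wvd-host-01";
DeviceInfo
| where DeviceName startswith wvdHost
| summarize arg_max(Timestamp, LoggedOnUsers, OSPlatform) by DeviceName
| extend Sessions = parse_json(LoggedOnUsers)
| extend ConcurrentUsers = array_length(Sessions)
| mv-expand Session = Sessions
| project Timestamp, DeviceName, OSPlatform, ConcurrentUsers,
          UserName = tostring(Session.UserName), Domain = tostring(Session.DomainName)

// --- 4. Session starts: RemoteInteractive (logon type 10) logons ------------
let wvdHost = "wvd-host-01";
DeviceLogonEvents
| where Timestamp > ago(24h) and DeviceName startswith wvdHost
| where ActionType == "LogonSuccess" and LogonType == "RemoteInteractive"
| project Timestamp, AccountDomain, AccountName, LogonId, RemoteIP, IsLocalAdmin
| order by Timestamp desc
```

<P>Paste each numbered section on its own, since advanced hunting executes a single query per run. Filtering on LogonId (InitiatingProcessLogonId on the image load and network tables) rather than only on the account name separates two concurrent sessions of the same user on the same multi-session host, which a plain account-name filter cannot do.</P> <P>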
Continue to reference the schema and use your imagination and creativity for unique data insights!</P> <P>&nbsp;</P> <P><U><STRONG>Incidents and Alerts</STRONG></U></P> <P><BR />This experience in the portal remains unchanged; here is an example alert that is triggered for a user on a Windows Virtual Desktop machine:</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JesseEsquivel_10-1611854938165.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/250340i7944CE447790D2E1/image-size/large?v=v2&amp;px=999" role="button" title="JesseEsquivel_10-1611854938165.png" alt="JesseEsquivel_10-1611854938165.png" /></span></P> <P>&nbsp;</P> <P>Note on licensing: When using Windows 10 Enterprise multi-session, depending on your requirements, you can choose to either have all users licensed through Microsoft Defender for Endpoint (per user), Windows Enterprise E5, Microsoft 365 Security, or Microsoft 365 E5, or have the VM licensed through Azure Defender.</P> <P><BR />We’re excited to share this milestone with everyone, and we hope this better enables organizations that are embracing user productivity virtualization to protect these unique Windows Virtual Desktop assets. 
Let us know what you think by leaving a comment below!</P> <P>&nbsp;</P> <P>If you’re not yet taking advantage of Microsoft’s industry leading security optics and detection capabilities for endpoints, <A href="#" target="_self">sign up for a free trial</A> of Microsoft Defender for Endpoint today.<BR /><BR />Jesse Esquivel, Program Manager<BR />Microsoft Defender for Endpoint</P> <P>&nbsp;</P> Mon, 22 Feb 2021 18:02:13 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/windows-virtual-desktop-support-is-now-generally-available/ba-p/2103712 JesseEsquivel 2021-02-22T18:02:13Z How to use tagging effectively (Part 3) - Scripting tags https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-3-scripting-tags/ba-p/1964073 <P>Welcome to the third and final blog post in our <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/Tagging%20effectively" target="_blank" rel="noopener">series on how to use tagging effectively in Microsoft Defender for Endpoint</A>. We hope you’ve enjoyed this series and look forward to your feedback on this topic and what you’d like to see in the future.</P> <P><BR /><FONT size="6">Tagging using the API</FONT><BR />The Microsoft Defender for Endpoint APIs let you script many tasks, both querying and changing elements within your Microsoft Defender for Endpoint instance.&nbsp; As part of this blog on tagging we wanted to cover how you can use scripting to apply tags to machines directly through the API.</P> <P><BR />Within Advanced Hunting you can create a custom detection that runs a query on a regular schedule to generate an alert.&nbsp; You can also enable response actions as a result of this detection to act on the machines contained in the results:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag2Picture1.png" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/239636iE450D12C628DBDD8/image-size/large?v=v2&amp;px=999" role="button" title="Tag2Picture1.png" alt="Tag2Picture1.png" /></span></P> <P>You will notice however that 
tagging the resulting devices is not one of the options available.&nbsp; Instead, you can take the advanced hunting query and use it as the input to a script that applies the tag through the API.</P> <P>&nbsp; &nbsp;</P> <H2>Setting up API access</H2> <P>Before you can use PowerShell to query the API you need to register an application in Azure Active Directory.</P> <P>&nbsp;</P> <P>In the Azure Active Directory section of <A href="#" target="_blank" rel="noopener">https://portal.azure.com</A>, open App registrations, click New registration and create a new app:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag2Picture2.png" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240234i3B1A2A1B2F770B1A/image-size/large?v=v2&amp;px=999" role="button" title="Tag2Picture2.png" alt="Tag2Picture2.png" /></span></P> <P>Once you have completed this part you will be presented with the following screen:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag2Picture3.png" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240236i2C4D2DC2FA8F33C6/image-size/large?v=v2&amp;px=999" role="button" title="Tag2Picture3.png" alt="Tag2Picture3.png" /></span></P> <P>Take a note of the Application (client) ID and the Directory (tenant) ID; you will need both for your script.&nbsp; Then click on “View API permissions”.&nbsp; This is where you define how the API can be accessed.</P> <OL> <LI>Select “Add a permission”</LI> <LI>Click “APIs my organization uses”</LI> <LI>Type “Windows” into the search box and then select the "WindowsDefenderATP" API</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag2Picture4.png" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240238i0818B9B530FB242D/image-size/large?v=v2&amp;px=999" role="button" 
title="Tag2Picture4.png" alt="Tag2Picture4.png" /></span></P> <P>When accessing the API, you can use either delegated (user) permissions or application permissions.&nbsp; With application permissions the script authenticates as the application itself using its client secret, so it does not matter which user runs it. Application permissions must be granted admin consent in the tenant before a token request will succeed.</P> <P>For what we are enabling here we need two specific permissions.&nbsp; We are running an Advanced Hunting query, so we need “AdvancedQuery.Read.All”, and we are applying a tag to the machine, so we also need “Machine.ReadWrite.All”.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag2Picture5.png" style="width: 364px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240239iF20B8FE6300DDE4D/image-size/large?v=v2&amp;px=999" role="button" title="Tag2Picture5.png" alt="Tag2Picture5.png" /></span></P> <P>If you are using this scripting method for other actions, e.g. 
isolating a machine, then you would need to grant the appropriate permissions for that action instead.</P> <P>The final stage of the application registration is to create the client secret that will be used for authenticating.</P> <P>In the app properties, click on “Certificates &amp; secrets” and create a new secret:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag2Picture6.png" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240240i48A8F3CD48939D8F/image-size/large?v=v2&amp;px=999" role="button" title="Tag2Picture6.png" alt="Tag2Picture6.png" /></span></P> <P>Take note of the client secret value as soon as it is created, as the portal shows it only once; you will need it alongside your Application ID and Directory ID for your script. Treat the secret as a credential: anyone holding it can run any advanced hunting query and tag any device in the tenant (or, with broader permissions, isolate it), so store it in a secure location such as a key vault rather than in the script file, and give it an expiry.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag2Picture7.png" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240275i70E0EF64685CCF61/image-size/large?v=v2&amp;px=999" role="button" title="Tag2Picture7.png" alt="Tag2Picture7.png" /></span></P> <P>Now that you have your application registered you can use PowerShell to query the API and then write a tag back to the devices in the results.</P> <P>&nbsp;</P> <H2>Using an Advanced Hunting query for your tagging criteria</H2> <P>Advanced Hunting in Microsoft Defender for Endpoint is a powerful query tool that lets you build complex queries over the telemetry gathered from managed endpoints.&nbsp; When writing these queries, you can enable them as a custom detection, meaning they run at a regular interval and can apply actions against any device in the results.&nbsp; However, only certain actions can be applied against these devices, and tagging isn’t one of them:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag2Picture8.png" style="width: 602px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/240276iDB44A5A46D808778/image-size/large?v=v2&amp;px=999" role="button" title="Tag2Picture8.png" alt="Tag2Picture8.png" /></span></P> <P>&nbsp;</P> <P>Therefore, if you want to tag a device based upon a query, you need to use the API.&nbsp; Say, for example, that you want to tag all devices on a certain subnet; the first step is to create the Advanced Hunting query:</P> <P>&nbsp;</P> <P><FONT color="#0000FF"><EM>DeviceNetworkInfo</EM></FONT></P> <P><FONT color="#0000FF"><EM>| mv-expand IP = parse_json(IPAddresses)</EM></FONT></P> <P><FONT color="#0000FF"><EM>| where tostring(IP.IPAddress) startswith "192.168.254." and tostring(IP.SubnetPrefix) == "24"</EM></FONT></P> <P><FONT color="#0000FF"><EM>| distinct DeviceId</EM></FONT></P> <P>&nbsp;</P> <P>You can use pretty much any Advanced Hunting query here, but it does need to return a DeviceId column for the next step to work. Note that the IP match is anchored to the start of the address (rather than a bare “contains”) so that an address such as 10.192.168.254 is not picked up, and that DeviceNetworkInfo holds a history of reports, so consider restricting the query by Timestamp if devices that have since moved off the subnet should not be tagged.</P> <P>Run the query first in the portal to verify it is finding the right devices, then copy it into a text file to use as input to your API script.</P> <P>The script below reads the query from that text file and then applies a tag of “DataCenter” to each DeviceId found by the query:</P> <P>&nbsp;</P> <P><FONT color="#0000FF"><STRONG><EM>#Script to take a file containing an Advanced Hunting query and then apply a tag to each DeviceId shown in the results</EM></STRONG></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;</EM></FONT></P> <P><FONT color="#0000FF"><EM>#Replace 'XXXXXXXXXXXXXXXXXXXX' with the IDs relevant to your tenant/application (quotes required)</EM></FONT></P> <P><FONT color="#0000FF"><EM>$tenantId = 'XXXXXXXXXXXXXXXXXXXX'</EM></FONT></P> <P><FONT color="#0000FF"><EM>$appId = 'XXXXXXXXXXXXXXXXXXXX'</EM></FONT></P> <P><FONT color="#0000FF"><EM>$appSecret = 'XXXXXXXXXXXXXXXXXXXX'</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;</EM></FONT></P> <P><FONT color="#0000FF"><EM>#Get an access token for the Microsoft Defender for Endpoint API with the client credentials flow</EM></FONT></P> <P><FONT color="#0000FF"><EM>$resourceAppIdUri = 'https://api.securitycenter.windows.com'</EM></FONT></P> <P><FONT color="#0000FF"><EM>$oAuthUri = "https://login.windows.net/$tenantId/oauth2/token"</EM></FONT></P> <P><FONT color="#0000FF"><EM>$body = [Ordered] @{</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp; resource = "$resourceAppIdUri"</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp; client_id = "$appId"</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp; client_secret = "$appSecret"</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp; grant_type = 'client_credentials'</EM></FONT></P> <P><FONT color="#0000FF"><EM>}</EM></FONT></P> <P><FONT color="#0000FF"><EM>$response = Invoke-RestMethod -Method Post -Uri $oAuthUri -Body $body -ErrorAction Stop</EM></FONT></P> <P><FONT color="#0000FF"><EM>$aadToken = $response.access_token</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;</EM></FONT></P> <P><FONT color="#0000FF"><EM>#Read the Advanced Hunting query from the text file and run it through the API</EM></FONT></P> <P><FONT color="#0000FF"><EM>$query = [IO.File]::ReadAllText("c:\temp\Query3.txt"); # Replace with the path to your file</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;</EM></FONT></P> <P><FONT color="#0000FF"><EM>$url = "https://api.securitycenter.windows.com/api/advancedqueries/run"</EM></FONT></P> <P><FONT color="#0000FF"><EM>$headers = @{</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp; 'Content-Type' = 'application/json'</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp; Accept = 'application/json'</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp; Authorization = "Bearer $aadToken"</EM></FONT></P> <P><FONT color="#0000FF"><EM>}</EM></FONT></P> <P><FONT color="#0000FF"><EM>$body2 = ConvertTo-Json -InputObject @{ 'Query' = $query }</EM></FONT></P> <P><FONT color="#0000FF"><EM>$webResponse = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body2 -ErrorAction Stop</EM></FONT></P> <P><FONT color="#0000FF"><EM>$response2 = $webResponse.Content | ConvertFrom-Json</EM></FONT></P> <P><FONT color="#0000FF"><EM>$results = $response2.Results</EM></FONT></P> <P><FONT color="#0000FF"><EM>$machines = $results.DeviceId</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;</EM></FONT></P> <P><FONT color="#0000FF"><EM>#Loop through the query results and apply the tag to each DeviceId (the same headers, including the token, are reused)</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;</EM></FONT></P> <P><FONT color="#0000FF"><EM>Foreach ($machine in $machines)</EM></FONT></P> <P><FONT color="#0000FF"><EM>{</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp; #Comment the sleep statement out if only planning to modify a small number of devices</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp; Start-Sleep -Seconds 3</EM></FONT></P> <P>&nbsp;</P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp; $url = "https://api.securitycenter.windows.com/api/machines/" + $machine + "/tags"</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp; $tag = @{</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 'Value' = 'DataCenter'</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 'Action' = 'Add'</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp; }</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp; #Post the tag action to the device's tags endpoint</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp; $body3 = ConvertTo-Json -InputObject $tag</EM></FONT></P> <P><FONT color="#0000FF"><EM>&nbsp;&nbsp;&nbsp; $webResponse = Invoke-WebRequest -Method Post -Uri $url -Headers $headers -Body $body3 -ErrorAction Stop</EM></FONT></P> <P><FONT color="#0000FF"><EM>}</EM></FONT></P> <P>&nbsp;</P> <P>We have used the “Add” action in this script, but you can just as easily remove tags through this method (assuming they weren’t set via the registry): simply replace ‘Add’ with ‘Remove’.</P> <P>The other thing to watch out for is API limits. Due to resource constraints, the API is limited to 100 calls per minute and 1500 calls per hour.&nbsp; To stay under this, the script pauses after each API call; the pause can be removed to speed things up if the number of machines you are modifying will not hit the limit. A call that does exceed the limit fails with HTTP 429, so a script that tags a large number of devices should also be prepared to back off and retry rather than stop part way through.</P> <P>&nbsp;</P> <P>This part of the blog has covered scripting against the API, but there is also a great article by <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/automated-machine-tagging-in-just-a-few-simple-steps/ba-p/309377" target="_blank" rel="noopener">Tomer Brand</A> on how to achieve this using Microsoft Flow (now Power Automate), and the same concepts can also be applied to Logic Apps.</P> <P>&nbsp;</P> <P>We hope you've gotten value from this blog series on how to use tags effectively in Microsoft Defender for Endpoint. 
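</P> <P>As an added example (not the blog post’s script, and not a Microsoft-provided module), here is the same tag-by-query flow as a set of reusable PowerShell functions that retry when the API answers with HTTP 429, and that take both the subnet query from this post and a DeviceInfo logged-on-users query of the kind shown in the Windows Virtual Desktop post above as input. The function and parameter names, reading the credentials from environment variables, the v2.0 token endpoint with the <EM>/.default</EM> scope, the one-day Timestamp filters and the “WVD-MultiSession” tag name are assumptions of this example; the API host, the two endpoints and the 100-per-minute / 1500-per-hour limits are the ones given in the post.</P>

```powershell
# Added example, not the blog post's script: the same tag-by-query flow as reusable
# functions, with retry on HTTP 429 throttling. Assumptions (not from the post):
# function/parameter names, credentials read from environment variables, the v2.0
# token endpoint with the /.default scope, and the 'WVD-MultiSession' tag name.

function Get-MdeToken {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $AppId,
        [Parameter(Mandatory)] [string] $AppSecret
    )
    # Client credentials flow: the token carries the application permissions
    # (AdvancedQuery.Read.All and Machine.ReadWrite.All) consented on the app registration.
    $body = @{
        client_id     = $AppId
        client_secret = $AppSecret
        scope         = 'https://api.securitycenter.windows.com/.default'
        grant_type    = 'client_credentials'
    }
    $uri = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body -ErrorAction Stop).access_token
}

function Invoke-MdeApi {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $Method,
        [Parameter(Mandatory)] [string] $Uri,
        [hashtable] $Body,
        [int] $MaxRetries = 5
    )
    $headers = @{ Authorization = "Bearer $Token"; Accept = 'application/json' }
    $json = if ($Body) { $Body | ConvertTo-Json -Compress } else { $null }
    for ($attempt = 0; $attempt -le $MaxRetries; $attempt++) {
        try {
            return Invoke-RestMethod -Method $Method -Uri $Uri -Headers $headers `
                -Body $json -ContentType 'application/json' -ErrorAction Stop
        }
        catch {
            # The API allows 100 calls per minute and 1500 per hour; beyond that it
            # answers HTTP 429. Back off exponentially on 429, rethrow anything else
            # (expired token, missing permission, bad query) so it is not hidden.
            $status = [int]$_.Exception.Response.StatusCode
            if ($status -ne 429 -or $attempt -eq $MaxRetries) { throw }
            Start-Sleep -Seconds ([math]::Pow(2, $attempt))
        }
    }
}

function Get-MdeDeviceIdsFromQuery {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [Parameter(Mandatory)] [string] $Query
    )
    $result = Invoke-MdeApi -Token $Token -Method Post `
        -Uri 'https://api.securitycenter.windows.com/api/advancedqueries/run' `
        -Body @{ Query = $Query }
    # The response carries Schema, Stats and Results; the query must project DeviceId.
    if ($result.Schema.Name -notcontains 'DeviceId') { throw 'The query must return a DeviceId column.' }
    @($result.Results | ForEach-Object { $_.DeviceId } | Select-Object -Unique)
}

function Set-MdeDeviceTag {
    param(
        [Parameter(Mandatory)] [string] $Token,
        [AllowEmptyCollection()] [string[]] $DeviceId = @(),
        [Parameter(Mandatory)] [string] $Tag,
        [ValidateSet('Add', 'Remove')] [string] $Action = 'Add',
        [int] $DelaySeconds = 1
    )
    foreach ($id in $DeviceId) {
        $uri = "https://api.securitycenter.windows.com/api/machines/$id/tags"
        $null = Invoke-MdeApi -Token $Token -Method Post -Uri $uri -Body @{ Value = $Tag; Action = $Action }
        Write-Host "$Action tag '$Tag' on device $id"
        Start-Sleep -Seconds $DelaySeconds   # pace the loop so a large result set stays under the limits
    }
}

# --- usage ---
$token = Get-MdeToken -TenantId $env:MDE_TENANT_ID -AppId $env:MDE_APP_ID -AppSecret $env:MDE_APP_SECRET

# Same criterion as the post: devices that reported an address in 192.168.254.0/24 in the last day.
$subnetQuery = @'
DeviceNetworkInfo
| where Timestamp > ago(1d)
| mv-expand IP = parse_json(IPAddresses)
| where tostring(IP.IPAddress) startswith "192.168.254." and tostring(IP.SubnetPrefix) == "24"
| distinct DeviceId
'@

# From the Windows Virtual Desktop post above: hosts whose latest DeviceInfo report lists
# more than one logged-on user, i.e. multi-session hosts with concurrent users.
$multiSessionQuery = @'
DeviceInfo
| where Timestamp > ago(1d)
| summarize arg_max(Timestamp, LoggedOnUsers) by DeviceId
| where array_length(parse_json(LoggedOnUsers)) > 1
| distinct DeviceId
'@

Set-MdeDeviceTag -Token $token -Tag 'DataCenter' -DeviceId (Get-MdeDeviceIdsFromQuery -Token $token -Query $subnetQuery)
Set-MdeDeviceTag -Token $token -Tag 'WVD-MultiSession' -DeviceId (Get-MdeDeviceIdsFromQuery -Token $token -Query $multiSessionQuery)
```

<P>Get-MdeDeviceIdsFromQuery refuses a query that does not project DeviceId, Set-MdeDeviceTag accepts an empty result set, and because Invoke-MdeApi retries only on 429, an expired token or a missing permission surfaces immediately as an error rather than as a silent run that tagged nothing. Pass <EM>-Action Remove</EM> to take a tag off the same set of devices.</P> <P>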
Make sure to check out <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058" target="_blank" rel="noopener">Part 1</A> and <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-2/ba-p/1962008" target="_blank" rel="noopener">Part 2</A> in the series. We welcome your feedback and questions and look forward to hearing from you.</P> <P>&nbsp;</P> <P>Steve Newby (@steve_newby) and Miriam Wiesner (@miriamxyra)</P> <P>Program Managers @ Microsoft Defender for Endpoint Product Group</P> <P>(Credit also to Thorsten Henking for some of the API scripting input)</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 18 Aug 2021 17:17:10 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-3-scripting-tags/ba-p/1964073 Steve Newby 2021-08-18T17:17:10Z Microsoft Defender for Endpoint: Automation defaults are changing https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-automation-defaults-are-changing/ba-p/2068744 <P>We are excited to announce that we are about to increase our customers’ protection by upgrading the default automation level of our Microsoft Defender for Endpoint customers who have opted into public previews from <STRONG>Semi -</STRONG> <STRONG>require approval for any remediation</STRONG> <SPAN>to <STRONG>Full – remediate threats automatically</STRONG>.</SPAN><SPAN style="font-family: inherit;">&nbsp;</SPAN></P> <P>&nbsp;</P> <P><STRONG>Auto investigation and remediation overview</STRONG></P> <P>When an alert is raised in Microsoft Defender for Endpoint, an automated investigation immediately starts running on the machine where the suspicious activity was detected. 
It begins with an analysis of the malicious entities that are part of the alert and continues with collection and examination of other entities associated with it. The automated investigation inspects files, processes, services, registry keys, and any area that may contain threat-related evidence.</P> <P>&nbsp;</P> <P>The result of an automated investigation started by an alert is a list of related entities found on a device and their verdicts (malicious, suspicious, or clean). For any malicious entity, the investigation creates a remediation action: an action that, when approved, removes or contains the malicious entity found in the investigation. These actions are defined, managed, and executed by Microsoft Defender for Endpoint without the security operations team having to remotely connect to the device.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="4.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/247093i1233DCD09AA94A86/image-size/large?v=v2&amp;px=999" role="button" title="4.jpg" alt="4.jpg" /></span></P> <P>&nbsp;</P> <P>Remediation actions are approved or declined according to the device automation level. When it is set to ‘Full’, the remediation action will be approved automatically, without further waiting. 
When it is set to ‘Semi’, the action will wait for manual approval, which may lead to losing valuable time in which the malware may cause damage and spread to other devices.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="3.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/247092i38C862D860C26A7D/image-size/large?v=v2&amp;px=999" role="button" title="3.jpg" alt="3.jpg" /></span></P> <P>&nbsp;</P> <P>Automated investigation and remediation supports queuing of remediation actions for devices that are not available, so that when they become available, the actions will be triggered immediately. All remediation actions, whether pending, running, or completed, can be viewed in the Action Center. If you’ve determined that a detected device or a file is not actually a threat, you can undo remediation actions that were taken for a specific device or across the entire organization.</P> <P>&nbsp;</P> <P><STRONG>Empowering defenders with automation by default</STRONG></P> <P>When our automated investigation and remediation capabilities were first introduced, the default automation level was set to <STRONG>semi - require approval for any remediation</STRONG>. Since then, we have increased our malware detection accuracy, added the option to undo remediation actions, and improved our automated investigation infrastructure. 
Throughout this time, we have seen thousands of cases where organizations with fully automated tenants have successfully contained and remediated threats, while other companies, left with the default ‘semi’ level, have remained at high risk because actions sat pending approval for a long time.</P> <P>&nbsp;</P> <P>Data collected and analysed over the past year shows that organizations that use full automation have had 40% more high-confidence malware samples removed than customers using lower levels of automation. Full automation also frees up our customers’ critical security resources so they can focus more on their strategic initiatives.</P> <P>&nbsp;</P> <P>In light of the significant benefits of automatic approval of remediation actions, and after changing the default automation level for new customers, starting February 16, 2021, tenants who have opted in for public previews in Microsoft Defender for Endpoint will be automatically upgraded to the new default automation level: <STRONG>Full – remediate threats automatically</STRONG>.</P> <P>&nbsp;</P> <P>The new default automation level can be kept (this is recommended) or changed according to your organizational needs. 
<STRONG><U>This change does not impact or override device group definitions that were previously set to control automation level.</U></STRONG></P> <P>&nbsp;</P> <P>To get started with Microsoft Defender for Endpoint public preview capabilities, we encourage customers to turn on&nbsp;<A href="#" target="_blank" rel="noopener">preview features</A>&nbsp;in Microsoft Defender Security Center.</P> <P>&nbsp;</P> <P>If you’re not yet taking advantage of Microsoft’s industry leading optics and detection capabilities, <A href="#" target="_blank" rel="noopener">sign up for a free trial</A> of Microsoft Defender for Endpoint today.</P> <P>&nbsp;</P> <P><STRONG>Additional resources: </STRONG></P> <P><A href="#" target="_blank" rel="noopener">Create and manage device groups</A></P> <P><A href="#" target="_blank" rel="noopener">Automation levels in automated investigation and remediation capabilities</A></P> <P><A href="#" target="_blank" rel="noopener">Review and approve remediation actions following an automated investigation</A></P> Wed, 09 Jun 2021 21:52:46 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-automation-defaults-are-changing/ba-p/2068744 israelcp 2021-06-09T21:52:46Z EDR for Linux is now generally available https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-generally-available/ba-p/2048539 <P>We are excited to announce that endpoint detection and response (EDR) capabilities in Microsoft Defender for Endpoint on Linux servers are now generally available.</P> <P>&nbsp;</P> <P>Over the course of the last year, Microsoft Defender for Endpoint was extended to support all major platforms (Windows, Linux, macOS, Android, and iOS). Today we are taking the next step by adding endpoint detection and response (EDR) for Linux. 
EDR is essential for navigating today’s Linux threat landscape.</P> <P>&nbsp;</P> <P>The full set of Microsoft Defender for Endpoint (Linux) preventive and detection and response capabilities is supported across the six most common Linux server distributions:</P> <UL> <LI>RHEL 7.2+</LI> <LI>CentOS Linux 7.2+</LI> <LI>Ubuntu 16 LTS, or higher LTS</LI> <LI>SLES 12+</LI> <LI>Debian 9+</LI> <LI>Oracle Linux 7.2</LI> </UL> <P>The Linux solution can be deployed and configured using Puppet, Ansible, or your existing Linux configuration management tool.</P> <P>&nbsp;</P> <P>Our customers have joined us on this evolution and given us feedback at every step of the way. For this, we are truly grateful and look forward to the continued partnership.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tomer_Hevlin_0-1610373070035.png" style="width: 200px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/245240i3890FAFD35F4296B/image-size/small?v=v2&amp;px=200" role="button" title="Tomer_Hevlin_0-1610373070035.png" alt="Tomer_Hevlin_0-1610373070035.png" /></span></P> <P><STRONG><EM>“The upcoming release is an amazing milestone providing us a 360 view on all our platforms for our threat hunting strategy”</EM></STRONG></P> <UL> <LI><EM>Guy Fridman, Head Of Security Operation And Response</EM></LI> </UL> <H2>&nbsp;</H2> <H2>Detections with context</H2> <P>&nbsp;</P> <P>About 6 months ago, we announced the availability of Microsoft Defender for Endpoint (Linux) with&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-atp-for-linux-is-now-generally-available/ba-p/1482344" target="_blank" rel="noopener">preventive antivirus capabilities</A>. 
Customers can better protect Linux servers, get these devices onboarded in the same portal as their Windows, macOS, and mobile devices, and expand the single pane of glass experience to include Linux-related alerts. With the newly enabled EDR support, security operations can view detections with even richer context. The device timeline example below demonstrates this enriched capability.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tomer_Hevlin_1-1610373070051.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/245241iE69FB6FEF13112F0/image-size/large?v=v2&amp;px=999" role="button" title="Tomer_Hevlin_1-1610373070051.png" alt="Tomer_Hevlin_1-1610373070051.png" /></span></P> <P>&nbsp;</P> <P>The&nbsp;<A href="#" target="_blank" rel="noopener">timeline tab</A> includes information about process creation, network connections, file creations and login events.</P> <P>&nbsp;</P> <P>In the Microsoft Defender for Endpoint (Linux)&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-available-in-public-preview/ba-p/1890536" target="_blank" rel="noopener">EDR public preview announcement</A>,&nbsp;we also discussed the post-breach detection capability with an example scenario that customers can use to experience the feature. 
The “Suspicious process launched from a world-writable directory” alert below is another post-breach detection example.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tomer_Hevlin_2-1610373070073.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/245242i7F166A3C10D0D10E/image-size/large?v=v2&amp;px=999" role="button" title="Tomer_Hevlin_2-1610373070073.png" alt="Tomer_Hevlin_2-1610373070073.png" /></span></P> <H2>&nbsp;</H2> <H2>Unified investigation experience</H2> <P>&nbsp;</P> <P>The timeline is just one piece of the investigation story. Microsoft Defender for Endpoint’s popular&nbsp;<A href="#" target="_blank" rel="noopener">advanced hunting</A>&nbsp;tool allows customers to perform free-form investigations using a powerful query engine and an ever-growing set of useful shared queries. Now, customers can use this capability to search for threats across Linux servers, exploring up to 30 days of raw data.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tomer_Hevlin_3-1610373070096.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/245245iE5426AC9252504EB/image-size/large?v=v2&amp;px=999" role="button" title="Tomer_Hevlin_3-1610373070096.png" alt="Tomer_Hevlin_3-1610373070096.png" /></span></P> <P>&nbsp;</P> <P>The well-designed architecture also seamlessly enables&nbsp;<A href="#" target="_blank" rel="noopener">custom detections</A>&nbsp;on top of the advanced hunting capabilities.</P> <P>&nbsp;</P> <P>The rest of the investigation experience, such as the hyperlinked exploration between the different monitored entities, is consistent with the familiar experience for Windows devices. The monitored entities (e.g. files, processes, network connections, alerts) are available for exploration on Linux devices. 
Here are a few examples:</P> <H3>&nbsp;</H3> <H3><STRONG>File page</STRONG></H3> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tomer_Hevlin_0-1610376305334.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/245253i11489275A326DCC1/image-size/large?v=v2&amp;px=999" role="button" title="Tomer_Hevlin_0-1610376305334.png" alt="Tomer_Hevlin_0-1610376305334.png" /></span></P> <H3><STRONG>IP Address Page</STRONG></H3> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tomer_Hevlin_1-1610376339154.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/245254i54FD7C27B1EB8DD7/image-size/large?v=v2&amp;px=999" role="button" title="Tomer_Hevlin_1-1610376339154.png" alt="Tomer_Hevlin_1-1610376339154.png" /></span></P> <P>&nbsp;</P> <H2>How to get started</H2> <P>&nbsp;</P> <P>Microsoft Defender for Endpoint (Linux) requires the Servers license. You can find this information in our&nbsp;<A href="#" target="_blank" rel="noopener">product terms</A>. Please reach out to your account team for more information and eligibility.</P> <P>&nbsp;</P> <P>To get started, visit our <A href="#" target="_blank" rel="noopener">documentation</A>. 
&nbsp;If you are already evaluating public preview of&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-available-in-public-preview/ba-p/1890536" target="_blank" rel="noopener">Microsoft Defender for Endpoint (Linux) EDR</A>, make sure you update the agent to a released version 101.18.53 or higher.</P> <P>&nbsp;</P> <P>If you are already running Microsoft Defender for Endpoint (Linux) preventive AV in production, your devices will seamlessly receive the new EDR capability as soon as you update the agent to version 101.18.53 or higher.</P> <P>&nbsp;</P> <P>If you’re not yet taking advantage of Microsoft’s industry leading security optics and detection capabilities for endpoints,&nbsp;<A href="#" target="_blank" rel="noopener">sign up for a free trial</A>&nbsp;of Microsoft Defender for Endpoint today.</P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint team</EM></P> <P>&nbsp;</P> Thu, 10 Jun 2021 18:08:09 GMT 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-generally-available/ba-p/2048539 Tomer_Hevlin 2021-06-10T18:08:09Z How to use tagging effectively (Part 2) https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-2/ba-p/1962008 <P data-unlink="true"><SPAN>In <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058" target="_blank" rel="noopener">Part 1</A></SPAN><SPAN>&nbsp;of this blog series, we learnt why tags are useful and how to maximise their potential for administration of Microsoft Defender for Endpoint. In the next two parts of this <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/Tagging%20effectively" target="_blank" rel="noopener">blog series</A>,&nbsp;</SPAN><SPAN>we wanted to cover some advanced scenarios for applying tags, starting with…</SPAN></P> <H2>&nbsp;</H2> <H2>Tagging your Microsoft Defender for Endpoint devices by OU path</H2> <P>Sometimes when working with Microsoft Defender for Endpoint you might want to mirror your Organizational Unit (OU) structure within Defender for Endpoint, so that you can build device groups from it and get better transparency for reporting.</P> <P>&nbsp;</P> <P>To realize this scenario with Group Policy, we will create one script file:</P> <UL> <LI>DefenderTagging.ps1</LI> </UL> <P>Create this script file and copy it to a location that you can access from a Domain Controller.</P> <H3>Contents of DefenderTagging.ps1</H3> <P>&nbsp;</P> <LI-CODE lang="powershell"># Read the computer's distinguished name as recorded by Group Policy processing
$DN = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine" -Name Distinguished-Name)."Distinguished-Name"
# Keep only the OU part of the DN; a device in a plain container (no OU=) gets no tag instead of a Substring error
$ouIndex = $DN.IndexOf('OU=')
if ($ouIndex -lt 0) { return }
$OU = $DN.Substring($ouIndex)
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging"
$name = "Group"
if (!(Test-Path $registryPath))
{
    New-Item -Path $registryPath -Force | Out-Null
}
Set-ItemProperty -Path $registryPath -Name $name -Value $OU</LI-CODE> <P>&nbsp;</P> <P><SPAN>Depending on how many OUs your environment contains, you might want to fine-tune the $OU selection done by this script: configuring too many distinct tags could impact performance when working in the Microsoft Defender Security Center.</SPAN></P> <H2>&nbsp;</H2> <H2>Getting our scripts to run: Execution Policy</H2> <P>The Execution Policy restricts the execution of PowerShell scripts on the system. On newer systems the default setting is “Restricted”. With this setting configured, the system does not run scripts at all, so it needs to be changed before we can run the tagging script.</P> <P>&nbsp;</P> <P>Execution Policy is not a real security feature, although some documentation states so. 
It is rather a feature that keeps you from running scripts unintentionally.</P> <P>&nbsp;</P> <P>To maintain protection from running scripts unintentionally, but still have the ability to run scripts, the setting “RemoteSigned” is a good approach:<BR />Only local scripts (scripts within the local domain and signed scripts) can be run, while unsigned scripts from the internet are blocked from running.</P> <P>&nbsp;</P> <P>You can either configure this option manually using the following PowerShell command:</P> <P>&nbsp;</P> <LI-CODE lang="powershell">Set-ExecutionPolicy RemoteSigned</LI-CODE> <P>&nbsp;</P> <P>Or, since configuring it manually can take quite some effort, you can also configure it via Group Policy.</P> <H2>&nbsp;</H2> <H2>Getting started with the Group Policy</H2> <P>Create a new Group Policy Object and link it to the root OU under which all your Defender-protected devices are located.</P> <P>&nbsp;</P> <P>Then navigate to <EM>Computer Configuration &gt; Administrative Templates &gt; Windows Components &gt; Windows PowerShell</EM>.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="miriamwiesner_0-1607335344610.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238218iC1E46EBFAC8149CA/image-size/medium?v=v2&amp;px=400" role="button" title="miriamwiesner_0-1607335344610.png" alt="miriamwiesner_0-1607335344610.png" /></span></P> <P>&nbsp;</P> <P>Configure the setting <EM>“Turn on Script Execution”</EM> and choose the option <EM>“Allow local scripts and remote signed scripts”</EM>, which configures the Execution Policy to <EM>“RemoteSigned”</EM>.</P> <P>&nbsp;</P> <P>This setting is the prerequisite for our PowerShell script to run on the systems on which you want to configure your custom tagging.</P> <P>&nbsp;</P> <P><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="miriamwiesner_1-1607335344617.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238219i165F30A654D9AA77/image-size/medium?v=v2&amp;px=400" role="button" title="miriamwiesner_1-1607335344617.png" alt="miriamwiesner_1-1607335344617.png" /></span></P> <H2>&nbsp;</H2> <H2>Configuring the script in your Group Policy</H2> <P>In the Group Policy Object, navigate to <EM>Computer Configuration &gt; Policies &gt; Windows Settings &gt; Scripts (Startup/Shutdown)</EM> and open the properties of “<EM>Startup”</EM>.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="miriamwiesner_2-1607335344623.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238217i6F6FC00D4C8E261E/image-size/medium?v=v2&amp;px=400" role="button" title="miriamwiesner_2-1607335344623.png" alt="miriamwiesner_2-1607335344623.png" /></span></P> <P>&nbsp;</P> <P>Once the properties window opens, navigate to the tab <EM>PowerShell Scripts,</EM> and click on “<EM>Add</EM>”. The “Edit Script” window will open. 
Click on “<EM>Browse…</EM>”, which opens a file browser window.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="miriamwiesner_3-1607335344626.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238222i1F0AD9341FDF63B2/image-size/medium?v=v2&amp;px=400" role="button" title="miriamwiesner_3-1607335344626.png" alt="miriamwiesner_3-1607335344626.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="miriamwiesner_4-1607335344627.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238220iC65F803CB18319C1/image-size/medium?v=v2&amp;px=400" role="button" title="miriamwiesner_4-1607335344627.png" alt="miriamwiesner_4-1607335344627.png" /></span></P> <P>&nbsp;</P> <P>By default, the location that opens is already the right location within your Group Policy Object folder.</P> <P>&nbsp;</P> <P>Now copy your DefenderTagging.ps1 script into this folder, select the script, and confirm with “Open”.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="miriamwiesner_5-1607335344629.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238221iE0CA259AE18FBE57/image-size/medium?v=v2&amp;px=400" role="button" title="miriamwiesner_5-1607335344629.png" alt="miriamwiesner_5-1607335344629.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="miriamwiesner_6-1607335344631.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238224iD29323BE5ACFF6C1/image-size/medium?v=v2&amp;px=400" role="button" title="miriamwiesner_6-1607335344631.png" alt="miriamwiesner_6-1607335344631.png" /></span></P> <P>&nbsp;</P> <P>Confirm with OK and apply the 
changes to your Group Policy Object. Your tagging Group Policy is now configured.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="miriamwiesner_7-1607335344633.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238225i6E83F0DA46FB6216/image-size/medium?v=v2&amp;px=400" role="button" title="miriamwiesner_7-1607335344633.png" alt="miriamwiesner_7-1607335344633.png" /></span></P> <H2>Verify that your tagging was successful</H2> <P>The next time your device applies the Group Policy, the settings will be configured, and you can also find your properly tagged machines in the Microsoft Defender Security Center.</P> <P>&nbsp;</P> <P><STRONG>Note:</STRONG><BR />If the Execution Policy needs to be configured first, you might only find the new tag after the GPO has been applied to your device a second time. If you want to apply both settings at the same time, you can create two Group Policies and let the one that sets the Execution Policy run before the GPO containing the startup script is executed.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="miriamwiesner_8-1607335344635.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238223i9DFE5C5BB82C78A5/image-size/medium?v=v2&amp;px=400" role="button" title="miriamwiesner_8-1607335344635.png" alt="miriamwiesner_8-1607335344635.png" /></span></P> <P>&nbsp;</P> <P>It can take up to one day for devices to sync before you find them in Defender for Endpoint.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="miriamwiesner_9-1607335344636.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238227i2942E3BCD9558040/image-size/medium?v=v2&amp;px=400" role="button" title="miriamwiesner_9-1607335344636.png" 
alt="miriamwiesner_9-1607335344636.png" /></span></P> <H2>Find your tagged device’s events via advanced hunting</H2> <P>To find your tagged device, you can use an advanced hunting query such as the one below. Simply replace "DC=xyra,DC=local" with the distinguished name of your Active Directory domain.</P> <P>&nbsp;</P> <LI-CODE>DeviceInfo | where RegistryDeviceTag contains "DC=xyra,DC=local"</LI-CODE> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="miriamwiesner_10-1607335344637.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238226iDB36D63EF41A5DF5/image-size/medium?v=v2&amp;px=400" role="button" title="miriamwiesner_10-1607335344637.png" alt="miriamwiesner_10-1607335344637.png" /></span></P> <P>&nbsp;</P> <P><SPAN>This concludes Part 2 of the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/Tagging%20effectively" target="_blank" rel="noopener">blog series</A> on how to use tagging effectively. 
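Before moving on, here is an added PowerShell check, written for this page and not part of the original post, that confirms on a device what the procedure above should have produced: the effective execution policy and the scope it came from (the GPO setting lands in the MachinePolicy scope), and the registry tag that DefenderTagging.ps1 writes, which is also the value the registry-tagging method in Part 1 sets. The registry path and value name are the ones used by the blog's script; the function names are my own, and it assumes an elevated prompt on the tagged device.

```powershell
# Added example, not part of the original post. Verifies on a device what the
# GPO-based tagging procedure should have produced. Run from an elevated
# PowerShell prompt on the tagged device. Function names are my own; the
# registry path and value name are the ones used by the blog's script.

$DeviceTaggingPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging'
$DeviceTaggingName = 'Group'

function Get-DefenderRegistryTag {
    # Returns the current registry tag, or $null when the key or value is absent.
    [CmdletBinding()]
    param()

    if (-not (Test-Path -Path $DeviceTaggingPath)) { return $null }
    $item = Get-ItemProperty -Path $DeviceTaggingPath -Name $DeviceTaggingName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [string]$item.$DeviceTaggingName
}

function Set-DefenderRegistryTag {
    # Writes the tag only when it differs from the stored value, so a startup
    # script that calls this on every boot does not rewrite the registry each time.
    # The sensor reads a single REG_SZ value, so only one tag can be set this way,
    # and a tag set here cannot be removed through the portal (see Part 1).
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateNotNullOrEmpty()]
        [string]$Tag
    )

    if ((Get-DefenderRegistryTag) -eq $Tag) { return $false }
    if ($PSCmdlet.ShouldProcess($DeviceTaggingPath, "Set $DeviceTaggingName to '$Tag'")) {
        if (-not (Test-Path -Path $DeviceTaggingPath)) {
            New-Item -Path $DeviceTaggingPath -Force | Out-Null
        }
        New-ItemProperty -Path $DeviceTaggingPath -Name $DeviceTaggingName `
            -Value $Tag -PropertyType String -Force | Out-Null
    }
    return $true
}

function Test-DefenderTaggingPrerequisites {
    # Reports whether the startup script is allowed to run, and what tag is set.
    # The GPO setting "Turn on Script Execution" is stored in the MachinePolicy
    # scope, which overrides every other scope. While that scope is still
    # Undefined the policy GPO has not been applied yet, which is the situation
    # the Note above describes (the tag appears only after a second refresh).
    [CmdletBinding()]
    param()

    $scopes    = Get-ExecutionPolicy -List
    $effective = [string](Get-ExecutionPolicy)
    $machine   = [string]($scopes | Where-Object { $_.Scope -eq 'MachinePolicy' }).ExecutionPolicy
    $tag       = Get-DefenderRegistryTag

    [pscustomobject]@{
        EffectivePolicy    = $effective
        MachinePolicyScope = $machine
        GpoPolicyApplied   = ($machine -ne 'Undefined')
        UnsignedScriptsRun = ($effective -in @('RemoteSigned', 'Unrestricted', 'Bypass'))
        RegistryTag        = $tag
        TagPresent         = (-not [string]::IsNullOrEmpty($tag))
        # The Part 2 script stores the computer's OU distinguished name as the tag.
        TagIsOuPath        = [bool]($tag -and $tag -match '(^|,)OU=')
    }
}

# Example use on the tagged device:
Test-DefenderTaggingPrerequisites | Format-List
```

If GpoPolicyApplied is false or UnsignedScriptsRun is false, the startup script was blocked and the tag will only appear after the execution policy GPO has taken effect and the device has refreshed Group Policy again.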
Please join us for Part 3 where Steve Newby will guide you through scripting against the Defender for Endpoint API to apply tags based upon advanced hunting queries.</SPAN></P> <P>&nbsp;</P> <DIV> <P>We welcome your feedback and questions on this or any of the other parts of this tagging blog and look forward to hearing from you.</P> <P>&nbsp;</P> <P>Miriam Wiesner (@miriamxyra) and Steve Newby (@steve_newby)</P> <P>Program Managers @ Microsoft Defender for Endpoint Product Group</P> </DIV> Mon, 11 Jan 2021 17:52:12 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-2/ba-p/1962008 miriamwiesner 2021-01-11T17:52:12Z How to use tagging effectively (Part 1) https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058 <H1>Why Use Tagging?</H1> <P data-unlink="true">One important feature which often isn’t utilised correctly is the use of tags within Microsoft Defender for Endpoint. 
&nbsp;This is a functionality that was introduced to allow you to apply a granular level of control over how you manage your devices.&nbsp; In this blog we wanted to cover not only the primary uses for the tagging functionality, but also to explain some tips and tricks around how to effectively use this within your organisation.&nbsp; We have split this into three parts to cover the basics but also some advanced scenarios for how to use tagging in your environment, so make sure to stay tuned to the blog for the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/Tagging%20effectively" target="_blank" rel="noopener">full series</A>.</P> <P>&nbsp;</P> <H2>Role Based Access Control - RBAC</H2> <P>The primary use for tagging is to allow you to create machine groups that can then be used for applying RBAC permissions.&nbsp; Really the purpose of this is to enable a level of control such that different users can log into the portal and see only the machines that they are responsible for.&nbsp; For example, in a large organisation spanning multiple geos, rather than each geo having their own instance of Microsoft Defender for Endpoint, you would have a single instance where access is controlled through the use of roles and machine groups.&nbsp; Having a single instance means that threat hunting and automation have full visibility of all devices across the entire organisation, which is critical when a threat is hitting multiple endpoints.</P> <P>&nbsp;</P> <P>The diagram below shows how you would break this down, and how you could further utilise this information to feed data into a SIEM where your SOC analysts can track threats across multiple areas of the infrastructure.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Picture1.png" style="width: 602px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/239629iD418FC99BC2508C0/image-size/large?v=v2&amp;px=999" role="button" title="Picture1.png" alt="Picture1.png" /></span></P> <P>&nbsp;</P> <P>Later in this blog we will talk about the different ways you can apply tags to managed devices, but in order to utilise these tags you first need to create a machine group in the Microsoft Defender Security Center portal and then apply specific security groups containing the user accounts for the devices you wish to manage. This is simple to do, and the setting up of these machine groups is something you would typically do early on in the setup of the tenant, before you actually start doing any onboarding. This means that each time a machine is onboarded it goes straight into the appropriate group and only the correct people have visibility straight away.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag1Picture2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/239785i6593D60FE248E7F6/image-size/large?v=v2&amp;px=999" role="button" title="Tag1Picture2.png" alt="Tag1Picture2.png" /></span></P> <H3>Filtering</H3> <P>One of the great benefits of tagging is using them in machine views to present different views of machine lists. &nbsp;Some examples of why you would use tags in filtering include:</P> <UL> <LI><STRONG>Lab Machines</STRONG> – There is really no reason to have a separate tenant just for testing when the endpoints that report into Microsoft Defender for Endpoint can exist anywhere without any ties to a specific Azure AD or domain. 
&nbsp;In this scenario, you might want to identify the specific lab machines with a tag:</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag1Picture3.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/239786i8BE0824C25C6CF0D/image-size/large?v=v2&amp;px=999" role="button" title="Tag1Picture3.png" alt="Tag1Picture3.png" /></span></P> <P>&nbsp;</P> <P>By using this tag to create a machine group you can then exclude these machines from your threat reports or from threat and vulnerability management.</P> <P>&nbsp;</P> <UL> <LI><STRONG>Decommissioned machines </STRONG>– Something we hear a lot from customers is that they have machines that they have decommissioned which they no longer want to see in their console; however, there is a very good reason why we don’t allow machines to be deleted. Just suppose a threat is detected in the environment that originated some time back on a machine that has since been decommissioned: if you had deleted it from the tenant, you would have no way of understanding the source and techniques used in the breach. 
To address this, a machine record will remain in the tenant until the data retention period of the tenant expires.</LI> </UL> <P><STRONG>&nbsp;</STRONG></P> <P>We do understand though that you may not want to see these machines in the device list or have them show in the threat reports or threat and vulnerability management, and so through the use of tags, and also machine groups, it is possible to effectively make these machines invisible.</P> <P>&nbsp;</P> <P>The first stage of this would be to apply a tag against the machines; in the example below we have two machines tagged as “Decommissioned”.&nbsp; Once you have set this tag you can then use the filters to exclude these tagged devices from the Device Inventory view:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag1Picture4.png" style="width: 601px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/239787iEFAECE5CEDD16D5E/image-size/large?v=v2&amp;px=999" role="button" title="Tag1Picture4.png" alt="Tag1Picture4.png" /></span></P> <P>&nbsp;</P> <P>Using this method is a quick and simple way to filter your device inventory, but you cannot use tag-based filtering in your reports or in threat and vulnerability management.&nbsp; For this, you need to use machine groups, so the next phase would be to create a machine group based on this tag, as described in the RBAC section above, at which point you can then exclude these groups from the threat and vulnerability management assessment:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag1Picture5.png" style="width: 601px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/239625iB38919952E0AAFFA/image-size/large?v=v2&amp;px=999" role="button" title="Tag1Picture5.png" alt="Tag1Picture5.png" /></span></P> <P><EM>It should be noted though that inactive machines are automatically excluded from threat and vulnerability management after 30 
days anyway.</EM></P> <P><EM>&nbsp;</EM></P> <P>The use of machine groups in this scenario does open up another option which would then give you the desired result of removing a machine from the tenant whilst still maintaining the record for historical threat analysis; effectively hiding it.</P> <P>&nbsp;</P> <P>To achieve this, create a user group with no members and then assign it to the Machine Group:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag1Picture6.png" style="width: 601px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/239789i3447189BED2D3A76/image-size/large?v=v2&amp;px=999" role="button" title="Tag1Picture6.png" alt="Tag1Picture6.png" /></span></P> <P>&nbsp;</P> <P>As there are no users assigned to this group, any user who logs into the portal (with the exception of Global Admin or Security Admin) will automatically have machines carrying the Decommissioned tag removed from all views, including threat and vulnerability management and reporting. 
Plus, simply adding the Decommissioned tag to a machine will effectively “delete” the machine from the portal.</P> <P><STRONG>&nbsp;</STRONG></P> <P>&nbsp;</P> <H2>Methods of Tag allocation</H2> <P>To utilise tags for RBAC and filtering you first need to make sure that the relevant machines have the tags applied, and there are a number of methods to achieve this.</P> <H3>Registry tagging</H3> <P>This is via direct editing of the registry.&nbsp; By setting the tag value in the DeviceTagging key (HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging) you are assigning a value to the machine that is picked up by Microsoft Defender for Endpoint telemetry.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag1Picture7.png" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/239790iE1E03A196F913AF6/image-size/large?v=v2&amp;px=999" role="button" title="Tag1Picture7.png" alt="Tag1Picture7.png" /></span></P> <P>&nbsp;</P> <P>There are a couple of points to be aware of when you are using the registry to tag a machine:</P> <OL> <LI>The tag is fixed and cannot be changed through the portal; it can only be changed by modifying the registry.</LI> <LI>Only one tag can be specified in the registry.</LI> </OL> <P>In the image above, you can see the relevant key as displayed in Regedit; however, if you are modifying the registry to assign tags to production machines it is unlikely that it is Regedit you will use to set this value.&nbsp; Instead, you are likely to use a script.&nbsp; When using a script, you can of course add variables to determine what the tag value should be, meaning you could have a single script for all tag values you want to create, or have multiple scripts that you then use another method with to define the logic.</P> <P>What we have seen with several large organisations is utilising the onboarding script and adding a “REG ADD” command to the 
script and then using different onboarding scripts for different groups of machines. The value that would need to be added is:</P> <P>&nbsp;</P> <LI-CODE lang="powershell">REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" /v Group /t REG_SZ /d TAGNAME /f</LI-CODE> <P>&nbsp;</P> <P>You could use this script and have it as part of a GPO where you target it against an OU, or use it in System Center Configuration Manager and target the script at different Collections.</P> <P>However, if you wanted to keep the tagging separate from the onboarding then you may instead want to utilise a PowerShell script, which again you could apply via System Center Configuration Manager or another management tool.</P> <P>To either have a specific script, or to add to another script, the lines you would need are:</P> <P>&nbsp;</P> <LI-CODE lang="powershell">New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection" -Name DeviceTagging -Force
New-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection\DeviceTagging" -Name "Group" -Value "TAGNAME" -PropertyType "String"</LI-CODE> <P>&nbsp;</P> <H3>Setting the tag via Intune</H3> <P>When using Intune, it is possible to utilise a custom policy to set the machine tag value in the registry via the WindowsAdvancedThreatProtection CSP (<A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/windows/client-management/mdm/windowsadvancedthreatprotection-csp</A>)</P> <P>This diagram shows the provider:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag1Picture8.png" style="width: 602px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/239791i4A7243F0AA41B0D0/image-size/large?v=v2&amp;px=999" role="button" title="Tag1Picture8.png" alt="Tag1Picture8.png" /></span></P> <P>When setting the values in Intune you configure a custom profile and 
then define the URI to set the device tag.</P> <P>These are the steps for configuring this:</P> <OL> <LI>Create Custom profile:</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag1Picture9.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/239792i0BB9DAA53F2229A5/image-size/large?v=v2&amp;px=999" role="button" title="Tag1Picture9.png" alt="Tag1Picture9.png" /></span></P> <P>&nbsp;</P> <OL start="2"> <LI>Give the profile a name and then add the URI value (./Device/Vendor/MSFT/WindowsAdvancedThreatProtection/DeviceTagging/Group), set a data type of “String” and then define the tag you want:</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag1Picture10.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/239794iFBEA4D08643C4F1E/image-size/large?v=v2&amp;px=999" role="button" title="Tag1Picture10.png" alt="Tag1Picture10.png" /></span></P> <P>&nbsp;</P> <OL start="3"> <LI>Now you assign the profile.&nbsp; By assigning it to a specific group in Azure AD it means that you can base your tagging, and therefore RBAC and filtering on existing device groups you may already have in Azure AD:</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag1Picture11.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/239795i8E1D53070D1604F3/image-size/large?v=v2&amp;px=999" role="button" title="Tag1Picture11.png" alt="Tag1Picture11.png" /></span></P> <P>&nbsp;</P> <OL start="4"> <LI>You can add Applicability Rules if you want, to target it at specific Windows versions/editions, but this shouldn’t really be necessary in the case of Machine Tagging. 
So then it is simply a case of reviewing the profile and applying it:</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag1Picture12.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/239796i8E288A2F0CB8DA8A/image-size/large?v=v2&amp;px=999" role="button" title="Tag1Picture12.png" alt="Tag1Picture12.png" /></span></P> <P>&nbsp;</P> <H3>Manual tagging</H3> <P>One of the easiest ways to tag a device is to simply add a tag value through the machine page in the portal. &nbsp;Through this method you can add multiple tags or remove existing tags (although not if they have been defined in the registry).</P> <P>Clicking onto the device page presents you with an option to “Manage Tags” where you can add and remove as required:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tag1Picture13.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/239797i08842D90A25308EF/image-size/large?v=v2&amp;px=999" role="button" title="Tag1Picture13.png" alt="Tag1Picture13.png" /></span></P> <P>&nbsp;</P> <H3>Tagging via API</H3> <P>While manual tagging is great and allows you to specify multiple tags against a device to assist with RBAC and filtering, what if you have hundreds or thousands of devices that you want to assign the same tag value to? In this scenario, you can use the API to mass-assign tags; we will be covering this advanced use case in Part 3 of our blog.</P> <H3>Setting the tag on macOS</H3> <P>Obviously, you may not just be managing Windows endpoints in your environment. Microsoft Defender for Endpoint also supports tagging macOS machines. To apply tags on this platform, you can utilise the manual method or the API method. 
However, if you want to automate this process, you can push out the settings as part of a Configuration Profile (a .plist file).</P> <P>When you are creating the .plist file, you would need to add the following entry in order to configure the tag:</P> <P>&nbsp;</P> <LI-CODE lang="xml">&lt;dict&gt;
    &lt;key&gt;tags&lt;/key&gt;
    &lt;array&gt;
        &lt;dict&gt;
            &lt;key&gt;key&lt;/key&gt;
            &lt;string&gt;GROUP&lt;/string&gt;
            &lt;key&gt;value&lt;/key&gt;
            &lt;string&gt;ExampleTag&lt;/string&gt;
        &lt;/dict&gt;
    &lt;/array&gt;
&lt;/dict&gt;</LI-CODE> <P>&nbsp;</P> <P>You can find details of how to do that here: <A href="#" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/mac-jamfpro-policies#step-3-configure-microsoft-defender-atp-settings</A></P> <P>&nbsp;</P> <P>This concludes Part 1 of our <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/bg-p/MicrosoftDefenderATPBlog/label-name/Tagging%20effectively" target="_blank" rel="noopener">blog series on how to use tagging effectively</A>. &nbsp;Please join us for Part 2 where Miriam Wiesner will guide you through applying tags based upon the Organisational Unit placement of the device within Active Directory.</P> <P>&nbsp;</P> <P>We welcome your feedback and questions on this or any of the other parts of this tagging blog and look forward to hearing from you.</P> <P>&nbsp;</P> <P>Steve Newby (@steve_newby) and Miriam Wiesner (@miriamxyra)</P> <P>Program Managers @ Microsoft Defender for Endpoint Product Group</P> <P>&nbsp;</P> Wed, 06 Jan 2021 00:58:55 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-to-use-tagging-effectively-part-1/ba-p/1964058 Steve Newby 2021-01-06T00:58:55Z Announcing EDR in block mode general availability https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-edr-in-block-mode-general-availability/ba-p/1972064 <P>We’re very excited to announce today that endpoint detection and response (EDR) in block mode is generally available.</P> <P>&nbsp;</P> <P>As we announced in our <A 
href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617" target="_blank" rel="noopener">public preview</A> blog, EDR in block mode is a feature in Microsoft Defender for Endpoint that turns EDR detections into blocking and containment of malicious behaviors. This capability uses Microsoft Defender for Endpoint’s industry-leading visibility and detection capabilities and Microsoft Defender Antivirus’s built-in blocking function to provide an additional layer of post-breach blocking of malicious behavior, malware, and other artifacts that your primary antivirus (AV) solution might miss.</P> <P>&nbsp;</P> <P>This feature has already helped a number of organizations stop a variety of threats where Microsoft was not their primary AV, and we’re thrilled to make it now generally available for all customers.</P> <P>&nbsp;</P> <P>Recently, EDR in block mode was responsible for helping to thwart the IcedID campaign. EDR in block mode kicked in and was able to protect the device from several malicious activities, including evasive attacker techniques like process hollowing and steganography that led to the deployment of the info-stealing IcedID malware. 
Read all about how this attack went down and was stopped “ice cold” in its tracks here: <A href="#" target="_blank" rel="noopener">EDR in block mode stops IcedID cold</A>.</P> <P>&nbsp;</P> <P>To learn more about this capability and learn how it also stopped a NanoCore RAT attack, watch the video below and check out our <A href="#" target="_blank" rel="noopener">documentation</A> for guidance on how to enable the feature.</P> <P>&nbsp;</P> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RE4HjW2" width="890" height="550" allowfullscreen="allowfullscreen" wmode="transparent" data-mce-fragment="1"></IFRAME></P> <P>&nbsp;</P> <P>We’re excited to bring this new functionality to our customers and look forward to hearing your feedback!</P> <P>&nbsp;</P> <P>If you’re not yet taking advantage of Microsoft’s industry leading optics and endpoint detection capabilities, <A href="#" target="_blank" rel="noopener">sign up for a free trial</A> of Microsoft Defender for Endpoint today.</P> Wed, 09 Dec 2020 17:03:32 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/announcing-edr-in-block-mode-general-availability/ba-p/1972064 Shweta Jha 2020-12-09T17:03:32Z Microsoft Defender for Endpoint on iOS is generally available https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-on-ios-is-generally-available/ba-p/1962420 <P>Today, we’re excited to announce that Microsoft has reached a new milestone in our cross-platform security commitment with the general availability of our iOS offering for Microsoft Defender for Endpoint, which adds to the already existing Defender offerings on macOS, Linux, and Android.</P> <P>This release delivers the rich set of capabilities we announced in <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-adds-depth-and-breadth-to-threat/ba-p/1695824" target="_blank" rel="noopener">public preview</A>, 
including anti-phishing, blocking unsafe connections, and custom Indicators. In addition, it offers a unified security experience through the Microsoft Defender Security Center, where security teams can get a centralized view of alerts, incidents, and gain additional context to remediate threats across all endpoints.</P> <P>&nbsp;</P> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RE4G1oj" width="890" height="550" allowfullscreen="allowfullscreen" wmode="transparent"></IFRAME></P> <P>&nbsp;</P> <P>The threats on mobile are unique, with phishing being the biggest and fastest growing threat. More than 85% of these attacks take place outside of email through phishing websites, messaging apps, games, and other apps. Phishing is where we believe we bring the strength of the Microsoft security platform to bear. The scale of our service gives us extensive visibility into the billions of phishing attacks and social engineering techniques our customers face and enables us to detect and prevent these attacks on mobile.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="iOSscreens.png" style="width: 703px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238344iB5010B287A70B89C/image-size/large?v=v2&amp;px=999" role="button" title="iOSscreens.png" alt="iOSscreens.png" /></span></P> <P>&nbsp; &nbsp; &nbsp; &nbsp; &nbsp;&nbsp;</P> <P>Since our public preview announcement, we have also updated how users can get the Microsoft Defender for Endpoint app on their iOS devices. 
Now, eligible users can download Microsoft Defender for Endpoint from <A href="#" target="_blank" rel="noopener">App Store.</A></P> <P>&nbsp;</P> <P>For more information, including system requirements, prerequisites, deployment, and configuration instructions visit our <A href="#" target="_blank" rel="noopener">documentation</A>.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>In the iOS app, to share feedback, you can use the “send feedback” option:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="iOS3s.png" style="width: 320px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/238345iC491D6C351204BF5/image-size/large?v=v2&amp;px=999" role="button" title="iOS3s.png" alt="iOS3s.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Increasing coverage for</STRONG> <STRONG>Android to include fully managed devices</STRONG></P> <P>We are also excited to share the general availability for Microsoft Defender for Endpoint (Android) support for Android Enterprise fully managed devices. This adds to the already existing support for installation on enrolled devices for the legacy Device Administrator and Android Enterprise Work Profile modes.</P> <P>&nbsp;</P> <P>Android Enterprise fully managed devices are corporate-owned devices associated with a single user and used exclusively for work and not personal use. 
Admins can manage the entire device and enforce policy controls on work profiles, such as:</P> <UL> <LI>Allowing app installation only from managed Google Play</LI> <LI>Blocking uninstallation of managed apps</LI> <LI>Preventing users from factory resetting devices</LI> </UL> <P>With this change, Android Enterprise fully managed devices will get the full capabilities of our offering on Android including phishing and web protection, malware scanning, and additional breach prevention through integration with Microsoft Endpoint Manager and Conditional Access.</P> <P>For more details, please refer to the documentation <A href="#" target="_blank" rel="noopener">here.</A></P> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG>Simplifying onboarding for Android users</STRONG></P> <P><STRONG>&nbsp;</STRONG></P> <P>As a part of our commitment to continuously improve the experience for end users, we are now also simplifying end user onboarding. Until now, end users needed to grant VPN permissions to allow the Android and iOS apps to provide anti-phishing protection. With this update, admins will be able to set up the configuration and push the VPN device profile to their users' devices, so that VPN-related permissions will not have to be granted by end users, thus simplifying their experience.</P> <P>&nbsp;</P> <P>For more details, please refer to the documentation <A href="#" target="_blank" rel="noopener">here.</A></P> <P>&nbsp;</P> <P>We’re excited to be bringing these additional capabilities into mobile threat defense and look forward to hearing about your experiences and your feedback. 
If you’re not yet taking advantage of Microsoft’s industry leading optics and endpoint detection capabilities, <A href="#" target="_blank" rel="noopener">sign up for a free trial</A> of Microsoft Defender for Endpoint today.</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 09 Dec 2020 01:03:35 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-on-ios-is-generally-available/ba-p/1962420 Kanishka_Srivastava 2020-12-09T01:03:35Z EDR for Linux is now available in public preview https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-available-in-public-preview/ba-p/1890536 <P><EM><STRONG>Update: EDR for Linux is now <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-generally-available/ba-p/2048539" target="_blank" rel="noopener">generally available</A> as of January 11, 2021.&nbsp;</STRONG></EM></P> <P>&nbsp;</P> <P>Today, we are excited to announce the public preview of endpoint detection and response (EDR) capabilities in <A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint</A> on Linux servers.</P> <P>&nbsp;</P> <P>With the new Linux EDR capabilities, Defender for Endpoint customers will have the ability to detect advanced attacks that involve Linux servers, utilize rich experiences, and quickly remediate threats. 
This builds on the existing <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-atp-for-linux-is-now-generally-available/ba-p/1482344" target="_blank" rel="noopener">preventative antivirus capabilities</A>&nbsp;and centralized reporting available via the Microsoft Defender Security Center.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tomer_Hevlin_0-1605530979880.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/233752i287FFFF78FF767C6/image-size/large?v=v2&amp;px=999" role="button" title="Tomer_Hevlin_0-1605530979880.png" alt="Tomer_Hevlin_0-1605530979880.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H3><STRONG>Linux EDR preview scope</STRONG></H3> <P>&nbsp;</P> <P>Microsoft Defender for Endpoint on Linux supports recent versions of the six most common Linux server distributions:</P> <UL> <LI>RHEL 7.2+</LI> <LI>CentOS Linux 7.2+</LI> <LI>Ubuntu 16 LTS, or higher LTS</LI> <LI>SLES 12+</LI> <LI>Debian 9+</LI> <LI>Oracle Linux 7.2</LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P>With Defender for Endpoint EDR capabilities for Linux, your security team can immediately start benefiting from:</P> <P>&nbsp;</P> <OL> <LI><U>Rich investigation experience</U>&nbsp;– including machine timeline, process creation, file creation, network connections, login events and, of course, the popular advanced hunting.</LI> <LI><U>Optimized performance</U>&nbsp;– enhanced CPU utilization in compilation procedures and large software deployments.</LI> <LI><U>In-context AV detections&nbsp;</U>– just like with Windows, get insight into where a threat came from and how the malicious process or activity was created.</LI> </OL> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tomer_Hevlin_1-1605530979900.png" style="width: 999px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/233753i10B71DABEA4265D7/image-size/large?v=v2&amp;px=999" role="button" title="Tomer_Hevlin_1-1605530979900.png" alt="Tomer_Hevlin_1-1605530979900.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H3><STRONG>Getting started with Linux EDR preview</STRONG></H3> <P>&nbsp;</P> <P>To get started with Microsoft Defender for Endpoint public preview capabilities, we encourage customers to turn on <A href="#" target="_blank" rel="noopener">preview features</A> in Microsoft Defender Security Center.</P> <P>&nbsp;</P> <P>If you’re already running Microsoft Defender for Endpoint on Linux, we recommend that you configure some of your Linux servers to Preview mode, by applying the following command on the device:</P> <P>&nbsp;</P> <P><FONT color="#808080"><EM>$ sudo mdatp edr early-preview enable</EM></FONT></P> <P>&nbsp;</P> <P>Please make sure you are running version 101.12.99 or higher. The version can be found in the output of “<EM><FONT color="#808080">mdatp health</FONT></EM>”.</P> <P>&nbsp;</P> <P>If you are new to Microsoft Defender for Endpoint on Linux, learn how to get started by visiting our&nbsp;<A href="#" target="_blank" rel="noopener">documentation</A> and then enable the preview mode as explained above.</P> <P><STRONG>&nbsp;</STRONG></P> <H3><STRONG>Experience Linux EDR with simulated attack</STRONG></H3> <P>To test out the functionalities of EDR for Linux, follow the steps below to simulate a detection on your Linux server and investigate the case. Please share your feedback with us!</P> <OL> <LI>Verify that the onboarded Linux server appears in Microsoft Defender Security Center. 
If this is the first onboarding of the machine, it can take up to 20 minutes until it appears.&nbsp;</LI> <LI>Download and extract the script file from <A href="#" target="_self">aka.ms/LinuxDIY</A> to an onboarded Linux server and run the following command: <EM>“./mde_linux_edr_diy.sh”</EM></LI> <LI>After a few minutes, an alert should be raised in Microsoft Defender Security Center.</LI> <LI>Look at the alert details, machine timeline, and perform your typical investigation steps.</LI> </OL> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tomer_Hevlin_2-1605530979907.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/233751i420115009BDDA544/image-size/large?v=v2&amp;px=999" role="button" title="Tomer_Hevlin_2-1605530979907.png" alt="Tomer_Hevlin_2-1605530979907.png" /></span></P> <P>&nbsp;</P> <P>&nbsp;</P> <H3><STRONG>Help us innovate Microsoft Defender for Endpoint on Linux</STRONG></H3> <P>We are very excited to share today’s Linux EDR preview news with you and your feedback is highly valuable to us! Join us on the journey to enhance Microsoft Defender for Endpoint on Linux. 
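A preflight check for the version requirement in the steps above, added here as an example and not taken from the post: it reads the app_version field from mdatp health-style output and compares it numerically against 101.12.99 before the early-preview command is run on a server. The "key : value" layout of mdatp health and the sample output below are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: gate the EDR early-preview
# switch on the agent version the post requires (101.12.99 or higher).
# Assumes `mdatp health` prints "key : value" lines with an app_version
# field; the sample below is constructed, not real output.

MIN_VERSION="101.12.99"

# Constructed sample of mdatp health-style output. Only app_version is
# used; the other fields are illustrative.
SAMPLE_HEALTH='healthy                     : true
app_version                 : "101.12.99"
org_id                      : "EXAMPLE-ORG-ID"'

# Print the app_version value from mdatp health-style output read on stdin,
# with surrounding quotes stripped (prints nothing if the field is absent).
mdatp_app_version() {
    sed -n 's/^app_version[[:space:]]*:[[:space:]]*"\{0,1\}\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Drop leading zeros so a component such as "09" compares as the integer 9
# (POSIX sh arithmetic would otherwise treat a leading 0 as octal).
strip_zeros() {
    v="$1"
    v="${v#"${v%%[!0]*}"}"
    printf '%s\n' "${v:-0}"
}

# Return 0 when dotted version $1 is greater than or equal to $2, comparing
# component by component numerically (so 101.9.0 < 101.12.99, and a
# missing trailing component counts as 0).
version_ge() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai="$(strip_zeros "${a%%.*}")"
        bi="$(strip_zeros "${b%%.*}")"
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
        if [ "$ai" -gt "$bi" ]; then
            return 0
        fi
        if [ "$ai" -lt "$bi" ]; then
            return 1
        fi
    done
    return 0
}

# Read mdatp health-style output on stdin and decide whether the server
# may be switched to EDR early preview.
# Exit status: 0 = ready, 1 = agent too old, 2 = version not found.
edr_preview_preflight() {
    version="$(mdatp_app_version)"
    if [ -z "$version" ]; then
        echo "preflight: app_version not found in mdatp health output" >&2
        return 2
    fi
    if version_ge "$version" "$MIN_VERSION"; then
        echo "preflight: mdatp $version meets minimum $MIN_VERSION; safe to run: sudo mdatp edr early-preview enable"
        return 0
    fi
    echo "preflight: mdatp $version is below $MIN_VERSION; update the agent before enabling early preview" >&2
    return 1
}

# On a live server you would run:  mdatp health | edr_preview_preflight
# Stand-alone demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_HEALTH" | edr_preview_preflight
```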
Try the new Linux EDR capabilities and submit feedback by joining the discussion below or by clicking the ‘send a smile/frown’ icon in the top right corner of the security center.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Tomer_Hevlin_3-1605530979911.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/233754i287FFC9B8E8FB07A/image-size/large?v=v2&amp;px=999" role="button" title="Tomer_Hevlin_3-1605530979911.png" alt="Tomer_Hevlin_3-1605530979911.png" /></span></P> <P>&nbsp;</P> <P><STRONG>&nbsp;</STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>If you’re not yet taking advantage of Microsoft’s industry leading optics and detection capabilities,&nbsp;<STRONG><A href="#" target="_blank" rel="noopener">sign up for a free trial</A>&nbsp;</STRONG>of Microsoft Defender for Endpoint today.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Tomer Hevlin</P> <P><EM>Microsoft Defender for Endpoint Team</EM></P> Fri, 04 Jun 2021 22:53:25 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/edr-for-linux-is-now-available-in-public-preview/ba-p/1890536 Tomer_Hevlin 2021-06-04T22:53:25Z Join us for the Microsoft Defender for Endpoint AMA cross platform edition! https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/join-us-for-the-microsoft-defender-for-endpoint-ama-cross/ba-p/1869662 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="X-PLAT_ama_v3.png" style="width: 597px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/232464i983079216BB1D115/image-size/large?v=v2&amp;px=999" role="button" title="X-PLAT_ama_v3.png" alt="X-PLAT_ama_v3.png" /></span></P> <P>&nbsp;</P> <P>We’re excited to invite you to the first Microsoft Defender for Endpoint Ask Me Anything (AMA) on the Microsoft TechCommunity! 
The product team has missed meeting customers at security and tech conferences and expo halls throughout the year, so we’d like to engage with you virtually. Our goal is to do these at least on a quarterly basis and have them focused on specific topics related to Microsoft Defender for Endpoint.</P> <P>&nbsp;</P> <P>Our first AMA will be on November 17, from 8:00-9:00am PT and it will be focused on Microsoft Defender for Endpoint capabilities for macOS, Linux, Android, and iOS. Bring all your burning questions! Our product team will be there to answer them. :smiling_face_with_smiling_eyes:</P> <P>&nbsp;</P> <P><STRONG>Details:</STRONG></P> <P>Microsoft Defender for Endpoint AMA - cross platform edition</P> <P>Date: Tuesday, November 17, 2020</P> <P>Time: 8-9am PT</P> <P>Place: <A href="#" target="_blank" rel="noopener">https://aka.ms/ama/DefenderforEndpoint</A> &nbsp;</P> <P>&nbsp;</P> <P>Save the .ics file to ensure you have this on your calendar!</P> Tue, 10 Nov 2020 17:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/join-us-for-the-microsoft-defender-for-endpoint-ama-cross/ba-p/1869662 Kasia Kaplinska 2020-11-10T17:00:00Z Introducing a new threat and vulnerability management report https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/introducing-a-new-threat-and-vulnerability-management-report/ba-p/1827448 <P>We are excited to announce a new built-in report for Microsoft Defender for Endpoint’s threat and vulnerability management capability, the <STRONG>vulnerable</STRONG> <STRONG>devices</STRONG> <STRONG>report</STRONG>!</P> <P>&nbsp;</P> <P>Have you ever wondered which devices have the most critical vulnerabilities? Or which devices have the oldest or most exploitable vulnerabilities? 
Our new report is now in public preview to give you those answers, and much more!</P> <P>&nbsp;</P> <P>The&nbsp;<A href="#" target="_blank" rel="noopener">Vulnerable devices report&nbsp;</A>provides extensive insights into your organization’s vulnerable devices with summaries of the current status and customizable trends over time.&nbsp;</P> <P>&nbsp;</P> <P>Report insights include:</P> <UL> <LI>Device vulnerability severity levels (e.g. all the devices with critical vulnerabilities)</LI> <LI>Device exploit availability (e.g. all the devices with vulnerabilities that have verified exploits)</LI> <LI>Device vulnerability age (e.g. devices with vulnerabilities that were published over 90 days ago)</LI> <LI>Vulnerable devices by operating system</LI> <LI>Vulnerable devices by Windows 10 version</LI> </UL> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="vulrep1.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/229809i06F5A6AAFE281626/image-size/large?v=v2&amp;px=999" role="button" title="vulrep1.png" alt="vulrep1.png" /></span></P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="vulrep2.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/229811iE288E296A7131682/image-size/large?v=v2&amp;px=999" role="button" title="vulrep2.png" alt="vulrep2.png" /></span></P> <P>&nbsp;</P> <P>Let’s take some examples:</P> <UL> <LI>If there are a lot of devices with old vulnerabilities, you might want to learn about the MTTR (mean time to remediate) process in your organization.</LI> <LI>If you see multiple devices with <STRONG>Critical</STRONG> or <STRONG>High</STRONG>&nbsp;vulnerabilities, you might want to prioritize those devices first.</LI> </UL> <P>Is there an insight you want to explore further? 
Select the bar chart to drill down and view a list of relevant devices.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="vulrep3.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/229812iD0DE0D9DDF8E6DCD/image-size/large?v=v2&amp;px=999" role="button" title="vulrep3.png" alt="vulrep3.png" /></span></P> <P>&nbsp;<span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="vulrep4.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/229814i3CF899AC9A10B820/image-size/large?v=v2&amp;px=999" role="button" title="vulrep4.png" alt="vulrep4.png" /></span></P> <P>&nbsp;</P> <P>You can also use the graphs and granular filtering capabilities to easily learn about your security posture and the vulnerable devices in the organization.</P> <P>&nbsp;</P> <P>Are you ready? If you’ve enabled public preview features, you can <A href="#" target="_blank" rel="noopener">check out the new report</A> today! If not, we encourage you to turn on <A href="#" target="_blank" rel="noopener">preview features</A> in Microsoft Defender Security Center to get access to the newest capabilities.</P> <P><BR />If you’re not yet taking advantage of Microsoft’s industry-leading security optics and detection capabilities for endpoints, <SPAN><A href="#" target="_blank" rel="noopener">sign up for a free trial</A></SPAN> of Microsoft Defender for Endpoint today.</P> <P>&nbsp;</P> <P>We welcome your feedback. 
If you have any comments or questions, let us know!</P> <P>&nbsp;</P> Wed, 28 Oct 2020 17:30:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/introducing-a-new-threat-and-vulnerability-management-report/ba-p/1827448 Shir_Feldman 2020-10-28T17:30:00Z Protecting organizations from the latest evolution of mobile ransomware https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/protecting-organizations-from-the-latest-evolution-of-mobile/ba-p/1765886 <P>Microsoft researchers found a sophisticated Android malware that uses novel techniques to display its ransom note. The new malware, the latest variant of a ransomware family that’s been in the wild for a while but has been evolving non-stop, exemplifies the rapid evolution of mobile threats that we have also observed on other platforms. Read our technical analysis here: <A href="#" target="_blank" rel="noopener"><STRONG>Sophisticated new Android malware marks the latest evolution of mobile ransomware</STRONG></A>.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig1b-ransom-note.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/225504i1EEE93C51BB6B4C8/image-size/medium?v=v2&amp;px=400" role="button" title="Fig1b-ransom-note.png" alt="Fig1b-ransom-note.png" /></span></P> <P>&nbsp;</P> <P>Microsoft Defender for Endpoint on Android detects this ransomware (AndroidOS/MalLocker.B) as well as other malicious apps and files using cloud-based protection powered by deep learning and heuristics, in addition to content-based detection. Microsoft Defender for Endpoint on Android, now generally available, extends Microsoft’s industry-leading endpoint protection to Android. 
Learn more about our <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-adds-depth-and-breadth-to-threat/ba-p/1695824" target="_blank" rel="noopener">mobile threat defense capabilities</A> in <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/announcing-microsoft-defender-atp-for-android/ba-p/1480787" target="_blank" rel="noopener">Microsoft Defender for Endpoint</A><SPAN> on Android</SPAN>.</P> <P>&nbsp;</P> <P>Threat data from endpoints is combined with signals from email and data, identities, and apps in <A href="#" target="_blank" rel="noopener">Microsoft 365 Defender</A>, which orchestrates detection, prevention, investigation, and response across domains, providing coordinated defense. Microsoft Defender for Endpoint on Android further enriches organizations’ visibility into malicious activity, empowering them to comprehensively prevent, detect, and respond to attack sprawl and cross-domain incidents.</P> Fri, 09 Oct 2020 19:35:19 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/protecting-organizations-from-the-latest-evolution-of-mobile/ba-p/1765886 Eric Avena 2020-10-09T19:35:19Z 451 Research publishes a report about Microsoft Defender for Endpoint https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/451-research-publishes-a-report-about-microsoft-defender-for/ba-p/1710647 <P>As much of the business world works from home, we’re relying even more heavily on our mobile devices to stay productive as we multitask our way through this pandemic. That reliance means it’s even more important than ever that these endpoints are secure. Microsoft has been making significant investments in detection and response. 
Our integrated approach, investments in cross platform support, prioritization of threats, and auto investigation and response are just some of the ways Microsoft Defender for Endpoint takes next-gen endpoint security to a new level.</P> <P>&nbsp;</P> <P>These investments are making an impact. In a report <A href="#" target="_blank" rel="noopener">titled</A> “Microsoft expands capabilities and platforms for Microsoft Defender ATP” published by 451 Research, Microsoft is considered an endpoint security platform by security buyers, according to their Voice of the Enterprise: Information Security, Workloads and Key Project 2020 research.</P> <P>&nbsp;</P> <P>Over the last few years, security leaders have aimed to streamline their security operations by reducing the number of security tools in their environment, and prioritizing solutions that solve more challenges and fit better into their comprehensive security posture, to get closer to a model of Zero Trust. Our broad set of endpoint security capabilities and our deep integration into the Windows operating system and with other security solutions help to address these initiatives to simplify and modernize their infrastructure, while giving valuable time back to their SOC.</P> <P>&nbsp;</P> <P>Microsoft Defender for Endpoint offers the following capabilities:</P> <UL> <LI>Agentless approach on Windows 10 and Windows Server – maintains a light footprint on the endpoint.</LI> <LI>Threat and vulnerability management – our risk-based approach to vulnerability management which now includes ServiceNow integration support.</LI> <LI>Attack surface reduction – includes better support for managing firewall rules and certifications and offers visibility and control into web threats.</LI> <LI>Next generation endpoint protection – leverages deep and broad security intelligence across Microsoft with machine learning models and built in OS security features.</LI> <LI>Endpoint detection and response – expanded capabilities to MacOS, 
alignment with the MITRE ATT&amp;CK framework, integration of live response, and new capabilities in behavioral blocking.</LI> <LI>Auto investigation and remediation – includes integration with Microsoft Defender for Office 365 and Microsoft Defender for Identity, enables the organization to respond quickly at scale, and assists analysts during their investigations.</LI> <LI>Simplified licensing approach so customers understand exactly what they’re getting and how it fits into their existing infrastructure.</LI> </UL> <P>&nbsp;</P> <P>&nbsp;</P> <P><A href="#" target="_blank" rel="noopener">Download the report</A>&nbsp;to get more in-depth details of their assessment.</P> <P>&nbsp;</P> <P>For more information about our industry leading endpoint security solution or to sign up for a trial, visit our <A href="#" target="_blank" rel="noopener">Microsoft Defender for Endpoint page</A>.</P> <P>&nbsp;</P> <P>We are so grateful to our customers who have been on this journey with us and have helped us build an amazing product – thank you!</P> <P>&nbsp;</P> Mon, 28 Sep 2020 16:00:00 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/451-research-publishes-a-report-about-microsoft-defender-for/ba-p/1710647 Kasia Kaplinska 2020-09-28T16:00:00Z SHA-2 signing enforcement on Windows 7 and Windows Server 2008 R2 is almost here! 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/sha-2-signing-enforcement-on-windows-7-and-windows-server-2008/ba-p/1704800 <P>The deadline is fast approaching -- we mentioned in a <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/sha-2-signing-enforcement-on-windows-7-and-windows-server-2008/ba-p/1519584" target="_self">previous blog</A> that any customers running Microsoft Defender for Endpoint on Windows 7 or Windows Server 2008 R2 must take the following actions or their agents will stop sending data:</P> <P>&nbsp;Before&nbsp;<STRONG>November&nbsp;2, 2020</STRONG>, do the following:&nbsp;</P> <OL> <LI>Install the SHA-2 signing Windows updates as described in&nbsp;<A href="#" target="_blank">2019 SHA-2 Code Signing Support requirement for Windows and WSUS</A></LI> <LI>Update to the latest version of the Log Analytics Windows agent (<A href="#" target="_blank">Windows 64-bit agent</A>&nbsp;or&nbsp;<A href="#" target="_blank">Windows 32-bit agent</A>)</LI> </OL> <P>You can find the relevant devices in your environment using an advanced hunting query. 
You can use the following query, which is available on GitHub: <A href="#" target="_blank">https://github.com/anthonws/MTPAHQueries/blob/master/Log_Analytics_Agent_SHA2_Support.txt</A></P> <P>&nbsp;</P> <P>Learn more about SHA-2 signing enforcement in the&nbsp;<A href="#" target="_blank">documentation</A>.</P> <P>&nbsp;</P> <P>For any other questions, please feel free to reach out to Microsoft Defender for Endpoint Support.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>Thank you,&nbsp;</P> <P>The Microsoft Defender for Endpoint team&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 23 Sep 2020 19:51:09 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/sha-2-signing-enforcement-on-windows-7-and-windows-server-2008/ba-p/1704800 Tomer_Hevlin 2020-09-23T19:51:09Z Microsoft Defender for Endpoint adds depth and breadth to threat defense across platforms https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-adds-depth-and-breadth-to-threat/ba-p/1695824 <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MTD_Blog_banner.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/220811i61A618C7306899E9/image-size/large?v=v2&amp;px=999" role="button" title="MTD_Blog_banner.png" alt="MTD_Blog_banner.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Update: Microsoft Defender for Endpoint mobile threat defense capabilities for iOS are in public preview as of October 1, 2020. </STRONG></P> <P>&nbsp;</P> <P>We are excited to share with you the next steps in our journey to deliver industry leading endpoint security capabilities across all platforms. Rob Lefferts, Corporate Vice President, Microsoft 365 Security and Compliance, <A href="#" target="_blank" rel="noopener">shared</A> our commitment to build solutions that enable a single view of your entire estate. 
With Microsoft Defender for Endpoint, that is exactly what we set out to do when we announced just a year ago that we are extending endpoint security beyond Windows to Mac, Linux, Android, and iOS. With Microsoft Defender for Endpoint, now available on all the major platforms, security teams benefit from having a single, unified view of alerts, events, and threat insights, giving them visibility across all endpoints their employees are using to get their jobs done. These capabilities come at a critical time, when many workers are accessing corporate data outside of the office and on their personal devices, making it more difficult for security teams to have the visibility they need.</P> <P>&nbsp;</P> <P>Our customers have joined us on this evolution and given us feedback at every step of the way. For this, we are truly grateful and look forward to the continued partnership.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="prudential2.jpg" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/221121i0112C436F0930ECA/image-size/medium?v=v2&amp;px=400" role="button" title="prudential2.jpg" alt="prudential2.jpg" /></span></P> <P><STRONG><EM>“Microsoft Defender for Endpoint has met our specific security needs as it relates to cross platform feature parity and Microsoft has provided us the support required to meet our rigorous objectives.”</EM></STRONG></P> <P><EM>- Steve Turner, Director, Security Architecture </EM></P> <P><STRONG><EM>&nbsp;</EM></STRONG></P> <P><STRONG>&nbsp;</STRONG></P> <P><STRONG>Delivering on mobile threat defense</STRONG></P> <P>As of today, Microsoft Defender for Endpoint on Android is generally available, delivering the rich set of capabilities we announced in <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/announcing-microsoft-defender-atp-for-android/ba-p/1480787" target="_blank" rel="noopener">public preview</A>, which 
include phishing and web protection, malware scanning, and additional breach prevention through integration with Microsoft Endpoint Manager and Conditional Access. These capabilities offer protection against some of the most sophisticated malware threats we’ve seen on the platform.</P> <P>&nbsp;</P> <P><IFRAME src="https://www.microsoft.com/en-us/videoplayer/embed/RE4G1oj" width="890" height="550" allowfullscreen="allowfullscreen" wmode="transparent"></IFRAME></P> <P data-unlink="true">&nbsp;</P> <P data-unlink="true">Since our public preview announcement, we have also updated how users can get the Microsoft Defender for Endpoint app on their Android devices. Now, eligible users can download Microsoft Defender for Endpoint from <A href="#" target="_self">Google Play</A>.&nbsp;</P> <P>&nbsp;</P> <P>For additional information on how to get started, check out the <A href="#" target="_blank" rel="noopener">documentation</A>.</P> <P>&nbsp;</P> <P>The threat landscape on mobile is truly unique. The biggest threat on mobile devices is phishing attacks, where the majority of these happen outside of the bounds of email, in places like messaging apps, SMS, phishing websites, and other apps. What makes these threats even more challenging is the nature of user interaction with mobile devices. Smaller screens coupled with touch input and gestures create the ideal situation for a user to accidentally touch, scroll, or click on something that might be malicious. It’s much harder to see if there’s an overlay on the screen, or the full URL of a potential phishing site. Users can’t check if links are malicious, like they easily can on a desktop. The inherent characteristics of mobile devices are what make it much easier for anyone to fall victim to a phishing attack.</P> <P>&nbsp;</P> <P>Phishing is where we believe we bring the strength of the Microsoft security platform to bear. 
The scale of our service gives us extensive visibility into the billions of phishing attacks and social engineering techniques our customers face and enables us to detect and prevent these attacks on mobile.</P> <P>&nbsp;</P> <P><STRONG><EM>Mobile threat defense for iOS</EM></STRONG></P> <P>Given the considerable challenges of phishing on mobile, we have invested in extending phishing and web protection to iOS as well. We’re excited to share that in the coming weeks, Microsoft Defender for Endpoint will be arriving in public preview for iOS.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MSDE_iOS2.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/220686iDE4580CB8F3317D6/image-size/large?v=v2&amp;px=999" role="button" title="MSDE_iOS2.jpg" alt="MSDE_iOS2.jpg" /></span></P> <P>&nbsp;</P> <P>For devices running iOS 11.0 and higher, Microsoft Defender for Endpoint offers:</P> <UL> <LI><STRONG><EM>Anti-phishing:</EM></STRONG> Access to unsafe websites from SMS/text, WhatsApp, email, browsers, and other apps is instantly blocked. To do this, we leverage the Microsoft Defender SmartScreen service to help determine whether a URL is potentially malicious. If access to a malicious site is blocked, the device user gets a notification about this with the options to allow the connection, report it safe, or dismiss the notification. Security teams are notified about attempts to access malicious sites via an alert in the Microsoft Defender Security Center.</LI> <LI><STRONG><EM>Blocking unsafe connections: </EM></STRONG>The same Microsoft Defender SmartScreen technology is used to also block unsafe network connections that apps automatically might make on the user’s behalf without them knowing. Just as in the phishing example, the user is immediately informed that this activity is blocked and is given the same choices to allow it, report it as unsafe, or dismiss the notification. 
When these connections are attempted on a user’s device, security teams are notified of this via an alert in the Microsoft Defender Security Center.&nbsp;</LI> <LI><STRONG><EM>Custom indicators:</EM></STRONG> Security teams can create custom indicators, giving them more fine-grained control over allowing and blocking URLs and domains users connect to from their iOS devices. This can be done in the Microsoft Defender Security Center and is an extension of our custom indicators capability already available for Windows.</LI> </UL> <P>&nbsp;</P> <P>Security teams will get the same unified SecOps experience in Microsoft Defender Security Center as they get with all the other platforms – offering them a true single pane of glass view of alerts and threats across endpoints, no matter what the OS.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MDSC_iOS Phish_blog.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/220703i8912821EF98654BD/image-size/large?v=v2&amp;px=999" role="button" title="MDSC_iOS Phish_blog.jpg" alt="MDSC_iOS Phish_blog.jpg" /></span></P> <P>&nbsp;</P> <P>For more information, including system requirements, prerequisites, deployment, and configuration instructions visit our <A href="#" target="_blank" rel="noopener">documentation</A>.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>In both apps, on Android and iOS, to share feedback, you can use the “send feedback” option:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="MTD_Feedback_Updated.png" style="width: 400px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/220705i874ADD72DA5C4B23/image-size/medium?v=v2&amp;px=400" role="button" title="MTD_Feedback_Updated.png" alt="MTD_Feedback_Updated.png" /></span></P> <P>Admins and security teams can also share feedback through the Microsoft Defender Security Center.</P> <P>&nbsp;&nbsp;&nbsp;</P> 
<P><STRONG>Advancing our solution for Mac</STRONG></P> <P>Extending our endpoint security capabilities to macOS was the first step in our journey. Today, we are thrilled to announce our next milestone! <A href="#" target="_blank" rel="noopener">Threat and vulnerability management</A> for macOS will go into public preview this week, expanding your visibility into vulnerabilities across your environment and providing a more comprehensive view of organizational risks. Effectively identifying, assessing, and remediating endpoint weaknesses is critical in running a healthy security program and reducing organizational risk. Threat and vulnerability management serves as a solution for reducing organizational exposure, hardening endpoint surface area, and increasing organizational resilience. Threat and vulnerability management for macOS will continuously detect vulnerabilities on your macOS devices and will help you prioritize remediation by focusing on risk, which reflects Microsoft's threat intelligence, and accounts for severity, criticality, and business value of an asset in addition to being threat aware.</P> <P>&nbsp;</P> <P>In the Microsoft Defender Security Center, customers will be able to see macOS included in the software inventory and security recommendations. Just like with other software, security teams will get information about macOS specific Common Vulnerabilities and Exposures (CVEs) along with their level of severity and how many devices are exposed in their environment.</P> <P>&nbsp;</P> <P>Once vulnerabilities have been discovered and prioritized based on risk, security teams can either remediate them or create an exception to indicate that remediation is planned, or remediation through a third-party control is being employed. If they choose to remediate, threat and vulnerability management enables simple and effective collaboration with IT. 
Security teams can open a remediation ticket directly in Microsoft Intune for Azure Active Directory joined devices and set a priority and due date for the action. As the IT team works to remediate the vulnerability, the security team can monitor real-time progress within the Remediation dashboard, which gives visibility into all remediation activities in progress. Using data filters, teams can analyze remediations by activity, the related component, priority level, status, etc. These views can be exported for reporting.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TVMforMac_blog.jpg" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/220711iBD28C19C345737FA/image-size/large?v=v2&amp;px=999" role="button" title="TVMforMac_blog.jpg" alt="TVMforMac_blog.jpg" /></span></P> <P>&nbsp;</P> <P>We’re excited for you to see what’s next on macOS and look forward to delivering improvements to the experience, such as our recent move to <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/microsoft-defender-atp-for-mac-is-moving-to-system-extensions/ba-p/1608736" target="_blank" rel="noopener">system extensions</A> in preparation for macOS 11 Big Sur, as well as a <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/deploy-microsoft-defender-atp-for-mac-in-just-a-few-clicks/ba-p/1341619" target="_blank" rel="noopener">simplified deployment and configuration</A> experience through Microsoft Endpoint Manager.</P> <P>&nbsp;</P> <P>We've recorded a few sessions for you to learn more about our cross-platform expansion and threat and vulnerability management. 
Get the latest updates, see some demos, and get a preview of our roadmaps in these sessions:</P> <UL> <LI>For additional details and demos on our cross-platform capabilities, watch our recorded session:&nbsp;<A href="#" target="_blank" rel="noopener">How Microsoft Defender for Endpoint protects your non-Windows endpoints</A>.</LI> <LI>For a deeper dive into the latest on threat and vulnerability management, watch our recorded session:&nbsp;<A href="#" target="_blank" rel="noopener">Modernize risk management with the latest threat and vulnerability management capabilities</A>.</LI> </UL> <P>&nbsp;</P> <P>To get started with Microsoft Defender for Endpoint public preview capabilities, we encourage customers to turn on <A href="#" target="_blank" rel="noopener">preview features</A> in Microsoft Defender Security Center.</P> <P>&nbsp;</P> <P><STRONG>Licensing requirements</STRONG></P> <P>With the extension of endpoint security capabilities across these various platforms, we wanted to give you an update on how Microsoft Defender for Endpoint is licensed.</P> <P>&nbsp;</P> <P>Eligible Licensed Users may use Microsoft Defender for Endpoint on up to five concurrent devices. 
Microsoft Defender for Endpoint is also available for purchase from a Cloud Solution Provider (CSP).</P> <P>&nbsp;</P> <UL> <LI>Customers can obtain Microsoft Defender for Endpoint on Mac through a standalone Microsoft Defender for Endpoint license, as part of Microsoft 365 A5/E5, or Microsoft 365 Security.</LI> <LI>Recently announced capabilities of Microsoft Defender for Endpoint on Android and iOS are included in the above-mentioned offers as part of the five qualified devices for eligible licensed users.&nbsp;</LI> <LI>Microsoft Defender for Endpoint on Linux is available through the Microsoft Defender for Endpoint (Server) SKU, which is available for both commercial and education customers.</LI> </UL> <P>&nbsp;</P> <P>Please contact your account team or CSP for pricing and additional eligibility requirements.</P> <P>&nbsp;</P> <P>If you’re not yet taking advantage of Microsoft’s industry-leading security optics and detection capabilities for endpoints, <A href="#" target="_blank" rel="noopener">sign up for a free trial</A> of Microsoft Defender for Endpoint today.</P> <P>&nbsp;</P> <P><EM>Microsoft Defender for Endpoint team</EM></P> Wed, 09 Jun 2021 21:57:38 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-for-endpoint-adds-depth-and-breadth-to-threat/ba-p/1695824 Helen_Allas 2021-06-09T21:57:38Z Microsoft Defender ATP Ninja Training: September 2020 update https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-atp-ninja-training-september-2020-update/ba-p/1676604 <P>We are constantly keeping the&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Defender ATP Ninja training</A>&nbsp;up to date to include the latest content. 
If you want to refresh your knowledge and get updated, here is what has been added since the <A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/microsoft-defender-atp-ninja-training-august-2020-update/ba-p/1585091" target="_blank" rel="noopener">August update</A>:&nbsp;</P> <P>&nbsp;</P> <P>Legend:</P> <TABLE border="1"> <TBODY> <TR> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span> Product videos</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span> Webcast recordings</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TechCommunity.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205059iE2A42D8A7F13D7BC/image-dimensions/17x19?v=v2" width="17" height="19" role="button" title="TechCommunity.png" alt="TechCommunity.png" /></span> Tech Community</P> </TD> </TR> <TR> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span> Docs on Microsoft</P> </TD> <TD width="209.333px" height="28px"> <P><span 
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;Blogs on Microsoft</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GitHub.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205065i083675CF15D6F1EF/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="GitHub.png" alt="GitHub.png" /></span>&nbsp;GitHub</P> </TD> </TR> <TR> <TD width="209.333px" height="28px"> <P>⤴ External</P> </TD> <TD width="209.333px" height="28px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="InteractiveGuides.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205067iF93A500E533F67FB/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="InteractiveGuides.png" alt="InteractiveGuides.png" /></span>&nbsp;Interactive guides</P> </TD> <TD width="209.333px" height="28px">&nbsp;</TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <TABLE width="100%"> <TBODY> <TR> <TD width="50%"> <P><EM><STRONG>Module (ordered by roles SecOps &amp; SecAdmin)</STRONG></EM></P> </TD> <TD width="50%"> <P><STRONG><EM>What's new</EM></STRONG></P> </TD> </TR> <TR> <TD width="50%"> <P>SecOps Intermediate:</P> <P>Module 3. 
Next generation protection</P> </TD> <TD width="50%"> <UL> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617" target="_blank" rel="noopener"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;Introducing EDR in block mode: Stopping attacks in their tracks</A>&nbsp;</LI> </UL> </TD> </TR> <TR> <TD width="50%">SecOps Intermediate: <P>Module 6. Threat analytics</P> <P>&nbsp;</P> </TD> <TD width="50%"> <UL> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617" target="_blank" rel="noopener"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span></A><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/a-new-look-for-threat-analytics/ba-p/1608945" target="_blank" rel="noopener">&nbsp;New look! Quickly read through the information you need</A>&nbsp;</LI> </UL> </TD> </TR> <TR> <TD width="50%"> <P>SecAdmin Fundamentals:</P> <P>Module 2. 
Onboarding</P> <P>&nbsp;</P> </TD> <TD width="50%"> <UL> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617" target="_blank" rel="noopener"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span></A><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/microsoft-defender-atp-for-mac-is-moving-to-system-extensions/ba-p/1608736" target="_blank" rel="noopener">&nbsp;Microsoft Defender ATP for Mac is moving to system extensions</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span>&nbsp;Get started with Microsoft Defender ATP: from zero to hero<SPAN>&nbsp;(</SPAN><A href="#" target="_blank" rel="noopener noreferrer">MP4</A><SPAN>,&nbsp;</SPAN><A href="#" target="_blank" rel="nofollow noopener noreferrer">YouTube</A><SPAN>)</SPAN></LI> </UL> </TD> </TR> <TR> <TD width="50%"> <P>SecAdmin Fundamentals:</P> <P>Module 6. 
SIEM Integration</P> <P>&nbsp;</P> </TD> <TD width="50%"> <UL> <LI><A href="#" target="_blank" rel="noopener"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;Connect to Azure Sentinel</A>&nbsp;</LI> <LI><A href="https://gorovian.000webhostapp.com/?exam=t5/azure-sentinel/what-s-new-azure-sentinel-and-microsoft-defender-atp-improved/ba-p/1562339" target="_blank" rel="noopener"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;Azure Sentinel and Microsoft Defender ATP improved alert integration</A></LI> </UL> </TD> </TR> <TR> <TD width="50%"> <P>Learn about our partner integrations</P> </TD> <TD width="50%"> <UL> <LI><A href="#" target="_blank" rel="noopener"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span></A>&nbsp;<A href="#" target="_blank" rel="noopener">List of our partner integrations</A></LI> </UL> </TD> </TR> </TBODY> </TABLE> Mon, 01 Feb 2021 16:42:03 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-atp-ninja-training-september-2020-update/ba-p/1676604 Heike Ritter 2021-02-01T16:42:03Z Microsoft Defender ATP for Mac is moving to system extensions 
https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-atp-for-mac-is-moving-to-system-extensions/ba-p/1608736 <P>As part of our commitment to provide the best-in-market endpoint protection to our customers, we strive to ensure that Microsoft Defender ATP for Mac evolves in lockstep with the macOS platform. We are also committed to minimizing security-agent-related friction as organizations migrate to the next major macOS version. Apple is shifting away from kernel extensions, starting with macOS 11 Big Sur. In alignment with Apple’s strategy, public preview is now open for a Microsoft Defender ATP for Mac implementation that leverages the new system extensions instead of kernel extensions.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-left" image-alt="Catalina_system_ext_screen.PNG" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/215913iC393C5BBA7894A4F/image-size/large?v=v2&amp;px=999" role="button" title="Catalina_system_ext_screen.PNG" alt="Catalina_system_ext_screen.PNG" /></span></P> <P>&nbsp;</P> <P><STRONG>How will the system extensions-based update be delivered?</STRONG></P> <P>&nbsp;</P> <P>The system extensions-based version of Microsoft Defender ATP for Mac will be delivered to all macOS devices via the existing Microsoft AutoUpdate (MAU) channel.</P> <P>&nbsp;</P> <P>Refer to our <A href="#" target="_blank" rel="noopener">system extensions-based update documentation</A>&nbsp;for additional update-related details and for how to determine whether a device is running the new version based on system extensions.</P> <P>&nbsp;</P> <P>After successfully deploying and activating the update, the on-device experience will remain unchanged.</P> <P>&nbsp;</P> <P><STRONG>What devices are eligible for the system extensions-based update?</STRONG></P> <P>&nbsp;</P> <P>To experience the new system extensions-based 
implementation during public preview, you’ll need to have preview features turned on in the Microsoft Defender Security Center. If you have not yet opted into previews, we encourage you to&nbsp;<A href="#" target="_blank" rel="noopener">turn on preview features</A>&nbsp;in the Microsoft Defender Security Center today.</P> <P>&nbsp;</P> <P>Prior to the general availability of macOS 11 Big Sur, the new system extensions-based code path can be activated on devices running macOS Catalina version 10.15.4 or later and registered for the InsiderFast MAU update channel.</P> <P>Once macOS 11 Big Sur is generally available, the new system extensions-based implementation will be activated on all devices running macOS 11.</P> <P>&nbsp;</P> <P><STRONG>How to prepare for activation of the system extensions-based update</STRONG></P> <P>&nbsp;</P> <P>To ensure that the Microsoft Defender ATP for Mac system extensions-based update is delivered and applied seamlessly from an end-user experience perspective, a <A href="#" target="_blank" rel="noopener">new remote configuration</A> must be deployed to all eligible macOS devices before the new code path is activated. If the configuration is not deployed prior to the activation of the new Microsoft Defender ATP for Mac agent implementation, end users will be presented with a series of system dialogs asking them to grant the agent all necessary permissions associated with the new system extensions. Refer to our <A href="#" target="_blank" rel="noopener">system extensions-based update documentation</A>&nbsp;to learn in detail what to expect if the new remote configuration is not applied.</P> <P>&nbsp;</P> <P><STRONG>Benefits of taking action ahead of broader update applicability</STRONG></P> <P>&nbsp;</P> <P>The new Microsoft Defender ATP for Mac system extensions-based implementation is currently only applicable to devices running macOS version 10.15.4 or later and in the InsiderFast MAU ring. 
However, deploying the configuration proactively across the entire macOS fleet ensures that all Mac devices are prepared for macOS 11 Big Sur on its release day. It also ensures that Microsoft Defender ATP for Mac continues protecting all macOS devices immediately after the upgrade to Big Sur. The new remote configuration is supplemental to any prior Microsoft Defender ATP for Mac configuration and will have no adverse effect on devices that still run the kernel extension-based version.</P> <P>&nbsp;</P> <P>We invite you to monitor the <A href="#" target="_blank" rel="noopener">What's new in Microsoft Defender ATP for Mac page</A> for upcoming announcements (including general availability of the system extensions-based update).&nbsp;</P> <P>&nbsp;</P> <P>We welcome your feedback and look forward to hearing from you!</P> <P>You can submit feedback by opening Microsoft Defender ATP for Mac on your device and navigating to&nbsp;<EM>Help &gt; Send feedback.</EM>&nbsp;Another option is to submit feedback via&nbsp;the Microsoft Defender Security Center.</P> <P>&nbsp;</P> <P>If you’re not yet taking advantage of Microsoft’s industry-leading optics and detection capabilities,&nbsp;<A href="#" target="_blank" rel="noopener">sign up for a free trial</A>&nbsp;of Microsoft Defender ATP today.&nbsp;</P> <P>&nbsp;</P> <P><EM>Helen Allas</EM></P> <P><EM>Microsoft Defender ATP team</EM></P> Fri, 06 Nov 2020 00:14:53 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-atp-for-mac-is-moving-to-system-extensions/ba-p/1608736 Helen_Allas 2020-11-06T00:14:53Z How behavioral blocking &amp; containment stops post-exploitation tools like BloodHound, Kerberoasting https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-behavioral-blocking-amp-containment-stops-post-exploitation/ba-p/1619501 <P><A href="#" target="_blank" rel="noopener">Behavioral blocking and containment capabilities</A> in 
Microsoft Defender Advanced Threat Protection (ATP) use protection engines that specialize in detecting and stopping threats by analyzing behavior. One of these engines leverages insights from <A href="#" target="_blank" rel="noopener">Antimalware Scan Interface (AMSI)</A>, which has visibility into script content and behavior, and pairs of machine learning models on the client and in the cloud working together to detect and stop malicious scripts post-execution.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="AMSI-ML-tech-comm.png" style="width: 700px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/215263i939317AFBCE6B23B/image-size/large?v=v2&amp;px=999" role="button" title="AMSI-ML-tech-comm.png" alt="AMSI-ML-tech-comm.png" /></span></P> <P>&nbsp;</P> <P>These pairs of AMSI-powered machine learning classifiers, one pair for each scripting engine, allow Microsoft Defender ATP to detect malicious behavior and stop post-exploitation techniques and other script-based attacks, such as BloodHound and Kerberoasting attacks.</P> <P>&nbsp;</P> <P>To learn more, read our latest blog post: <A href="#" target="_blank" rel="noopener"><STRONG>Stopping Active Directory attacks and other post-exploitation behavior with AMSI and machine learning</STRONG></A>.</P> Fri, 28 Aug 2020 16:36:13 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/how-behavioral-blocking-amp-containment-stops-post-exploitation/ba-p/1619501 Eric Avena 2020-08-28T16:36:13Z A new look for threat analytics https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/a-new-look-for-threat-analytics/ba-p/1608945 <P><STRONG>Update Sep 14, 2020:</STRONG><SPAN>&nbsp;The new design for threat analytics is now available to all Microsoft Defender ATP customers.
&nbsp;</SPAN></P> <P>&nbsp;</P> <P>With threat analytics, you get a quick overview of the most relevant threats and how they impact your organization. For each threat we cover, you can conveniently read through detailed analyst reports and review relevant vulnerability patches and configuration recommendations. To make your threat analytics experience even better, we’ve delivered some exciting look-and-feel enhancements that you can now access in public preview in the Microsoft Defender Security Center.</P> <P>&nbsp;</P> <P>With the new design, you can easily locate and read through the information you need in three separate tabs: <EM>Overview</EM>, <EM>Analyst report, </EM>and <EM>Mitigations</EM>.</P> <P>&nbsp;</P> <P>The <STRONG>Overview</STRONG> tab provides a quick preview of the detailed report as well as enhanced charts that highlight threat impact and organizational exposure through misconfigured and unpatched devices.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="overview.png" style="width: 866px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/214496i9C699FEF29F317AA/image-size/large?v=v2&amp;px=999" role="button" title="overview.png" alt="overview.png" /></span></P> <P>&nbsp;</P> <P>Go to the <STRONG>Analyst</STRONG> <STRONG>report</STRONG> tab to read through the detailed expert write-up.
In this new tab, you’re not limited to a constrained view and can fully appreciate the coverage of threat behaviors, exhaustive lists of recommendations, and powerful hunting guidance.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="report.png" style="width: 868px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/214499iC651951A1BD01C1A/image-size/large?v=v2&amp;px=999" role="button" title="report.png" alt="report.png" /></span></P> <P>&nbsp;</P> <P>To get a detailed picture of your defenses and exposures, go to the <STRONG>Mitigations</STRONG> tab where we’ve provided the full list of tracked mitigations and the status of your devices.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="mitigations.png" style="width: 868px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/214501i1AE0E79CB28AE3A0/image-size/large?v=v2&amp;px=999" role="button" title="mitigations.png" alt="mitigations.png" /></span></P> <P>&nbsp;</P> <P><STRONG>Check it out now</STRONG></P> <P>&nbsp;</P> <P>These enhancements are now available to customers who have public preview features turned on. If you haven’t opted in yet, start getting the latest enhancements across all the capabilities by <A href="#" target="_blank" rel="noopener">turning on preview features</A>.</P> <P>&nbsp;</P> <P>To learn more about threat analytics in Microsoft Defender ATP, please read our <A href="#" target="_blank" rel="noopener">documentation</A>.</P> <P>If you’re not yet taking advantage of Microsoft’s industry leading security optics and detection capabilities for endpoints, <A href="#" target="_blank" rel="noopener">sign up for a free trial</A> of Microsoft Defender ATP today.</P> <P>&nbsp;</P> <P>Your feedback counts! 
Let us know what you think in the comments section below.</P> Thu, 15 Oct 2020 16:46:46 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/a-new-look-for-threat-analytics/ba-p/1608945 Dana_Bargury 2020-10-15T16:46:46Z Introducing EDR in block mode: Stopping attacks in their tracks https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617 <P><STRONG>Endpoint detection and response (EDR) in block mode</STRONG> is a new capability in Microsoft Defender Advanced Threat Protection (<A href="#" target="_blank" rel="noopener">Microsoft Defender ATP</A>) that turns EDR detections into blocking and containment of malicious behaviors. This capability uses Microsoft Defender ATP’s industry-leading visibility and detection capability to provide an additional layer of post-breach blocking of malicious behavior, malware, and other artifacts that your primary antivirus solution might miss.</P> <P>&nbsp;</P> <P>Through built-in machine learning models in Microsoft Defender ATP, EDR in block mode extends <A href="#" target="_blank" rel="noopener">behavioral blocking and containment</A>, which uses machine learning-driven protection engines that specialize in detecting threats by analyzing behavior. The ability of this feature to detect and stop threats in real time, even after they have started running, empowers organizations to thwart cyberattacks, maintain security posture, and reduce the manual steps and time to respond to threats.</P> <P>&nbsp;</P> <P>When EDR in block mode detects malicious behaviors or artifacts, it stops related running processes, blocking the attack from progressing. 
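</P> <P>Beyond the alert itself, the same process tree can be hunted across the fleet. The following advanced hunting (KQL) query is an added example and is not code from the original post or from Microsoft: it assumes the standard <EM>DeviceProcessEvents</EM> and <EM>DeviceNetworkEvents</EM> schema and looks for a PowerShell process launched by an Office application that made an outbound connection within five minutes, the macro-to-PowerShell-to-download sequence seen in the NanoCore case described below. The application list, the lookback and the time window are assumptions to tune for your environment.</P>

```kusto
// Added hunting example (not from the original post): an Office application spawns
// PowerShell, and that PowerShell process then connects outbound shortly afterwards.
// Table and column names are the standard advanced hunting schema; the lookback,
// application list and correlation window below are assumptions to tune.
let lookback = 7d;
let officeApps = dynamic(["excel.exe", "winword.exe", "powerpnt.exe"]);
let shells = dynamic(["powershell.exe", "pwsh.exe"]);
// Step 1: PowerShell processes whose parent is an Office application.
let officeSpawnedShells =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName in~ (officeApps)
    | where FileName in~ (shells)
    | project ProcStart = Timestamp, DeviceId, DeviceName, ReportId,
              ParentApp = InitiatingProcessFileName,
              ProcessId, ProcessCommandLine;
// Step 2: successful outbound connections made by PowerShell.
let shellConnections =
    DeviceNetworkEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName in~ (shells)
    | where ActionType == "ConnectionSuccess"
    | project ConnTime = Timestamp, DeviceId, InitiatingProcessId,
              RemoteUrl, RemoteIP, RemotePort;
// Step 3: correlate on device and process id, keeping only connections made within
// five minutes of the shell starting. ProcessId values are reused over time, so the
// window, not the id alone, ties the connection to the right process instance.
officeSpawnedShells
| join kind=inner shellConnections on DeviceId, $left.ProcessId == $right.InitiatingProcessId
| where ConnTime between (ProcStart .. (ProcStart + 5m))
| project ProcStart, DeviceName, ParentApp, ProcessCommandLine,
          ConnTime, RemoteUrl, RemoteIP, RemotePort, ReportId
| order by ProcStart desc
```

<P>Each row carries the <EM>DeviceId</EM> and <EM>ReportId</EM> needed to pivot into the device timeline, whether or not EDR in block mode already stopped the process.</P> <P>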
These blocks are reported in Microsoft Defender Security Center, where security teams can see details of the threat and remediation status, and use Microsoft Defender ATP’s rich set of capabilities to further investigate and hunt for similar threats as necessary.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="alert.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/213105iAEC61541F35C10C2/image-size/large?v=v2&amp;px=999" role="button" title="alert.png" alt="alert.png" /></span></P> <P class="lia-align-center"><EM>Figure 1. Sample Microsoft Defender ATP alert on threat caught by EDR in block mode</EM></P> <P>&nbsp;</P> <P>EDR in block mode was developed in close collaboration with customers, and is in <A href="#" target="_blank" rel="noopener">public preview</A> starting today. We thank our customers for the partnership and for the invaluable feedback during the limited preview, during which the feature blocked multiple real-world attacks. In this blog, we’ll share details about one of these attacks.</P> <P>&nbsp;</P> <H2>EDR block mode in action</H2> <P>&nbsp;</P> <P>In April of this year, EDR in block mode protected and blocked a NanoCore RAT attack that aimed to steal credentials, spy using a device’s camera, and pilfer other information. The attack started with a spear-phishing email carrying a malicious Excel attachment.
The Excel file contained a malicious macro that, when enabled, ran PowerShell code that in turn downloaded and ran a file from <EM>hxxp://office-services-labs[.]com/Scan.exe</EM>.</P> <P>&nbsp;</P> <P class="lia-align-center"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig2-malicious-Excel-file.png" style="width: 700px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/213118i04E452B73A086189/image-size/large?v=v2&amp;px=999" role="button" title="Fig2-malicious-Excel-file.png" alt="Fig2-malicious-Excel-file.png" /></span></P> <P class="lia-align-center"><EM>Figure 2. Malicious Excel file used in NanoCore campaign</EM></P> <P class="lia-align-center">&nbsp;</P> <P>The organization’s non-Microsoft antivirus solution didn’t detect the Excel file or its behavior, but Microsoft Defender ATP did. EDR in block mode kicked in, stopping the download behavior and blocking the PowerShell code and Excel file. This was reported in the Microsoft Defender Security Center, alerting the security team about the blocked behavior. While the threat was automatically remediated, the alert empowers the security team to perform additional investigation and hunting for similar threats.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-center" image-alt="Fig3-Microsoft-Defender-ATP-alert-Nano-Core.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/213117iC620AC63CAD232FB/image-size/large?v=v2&amp;px=999" role="button" title="Fig3-Microsoft-Defender-ATP-alert-Nano-Core.png" alt="Fig3-Microsoft-Defender-ATP-alert-Nano-Core.png" /></span></P> <P class="lia-align-center">&nbsp;<EM style="font-family: inherit;">Figure 3.
EDR in block mode alert in Microsoft Defender Security Center</EM></P> <P class="lia-align-center">&nbsp;</P> <P>Had the attack been allowed to continue, the downloaded file <EM>Scan.exe</EM> would have run the following PowerShell commands, which would have downloaded the payload, a NanoCore variant, from <EM>hxxp://paste[.]ee/r/Pym5k</EM>:</P> <P>&nbsp;</P> <P class="lia-align-center"><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Fig4-PowerShell.png" style="width: 935px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/213119i70F938370F90F22D/image-size/large?v=v2&amp;px=999" role="button" title="Fig4-PowerShell.png" alt="Fig4-PowerShell.png" /></span></P> <P class="lia-align-center"><EM>Figure 4. Malicious PowerShell commands used by NanoCore campaign</EM></P> <P class="lia-align-center">&nbsp;</P> <P>NanoCore is a family of remote access trojans (RATs) that gather information about the affected device and operating system. It is designed to steal credentials, spy through cameras, and carry out other malicious activities. With EDR in block mode, Microsoft Defender ATP protected against the damaging impact of a successful NanoCore infection.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="kill chain.png" style="width: 975px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/213110i80BFDBF872F0820B/image-size/large?v=v2&amp;px=999" role="button" title="kill chain.png" alt="kill chain.png" /></span></P> <P class="lia-align-center"><EM>Figure 5. NanoCore RAT attack chain</EM></P> <P class="lia-align-center">&nbsp;</P> <H2>Turning on EDR in block mode</H2> <P>&nbsp;</P> <P>EDR in block mode is in public preview starting today, so if you have <A href="#" target="_blank" rel="noopener">preview features turned on</A> in Microsoft Defender Security Center, you can try it now. Once you’ve opted in, turning on EDR in block mode is simple.
Go to Settings &gt; Advanced features. Switch the toggle for “Enable EDR in block mode” to On.</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="setting.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/213111iC0938E8533DA6415/image-size/large?v=v2&amp;px=999" role="button" title="setting.png" alt="setting.png" /></span></P> <P class="lia-align-center"><EM>Figure 6. Microsoft Defender Security Center Advanced features settings</EM></P> <P class="lia-align-center">&nbsp;</P> <P>Security teams are also informed about this feature via the security recommendation titled “Enable EDR in block mode” in threat and vulnerability management.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TVM.png" style="width: 999px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/213112i6943024445437B23/image-size/large?v=v2&amp;px=999" role="button" title="TVM.png" alt="TVM.png" /></span></P> <P class="lia-align-center"><EM>Figure 7. EDR in block mode in security recommendations</EM></P> <P class="lia-align-center">&nbsp;</P> <P>To learn more about the behavioral blocking and containment capabilities in Microsoft Defender ATP, watch this <A href="#" target="_blank" rel="noopener">SANS Webcast</A>, refer to our <A href="#" target="_blank" rel="noopener">documentation</A><SPAN>,</SPAN> and read this <A href="#" target="_blank" rel="noopener">blog</A>.</P> <P>&nbsp;</P> <P>If you’re not yet taking advantage of Microsoft’s industry-leading security optics and detection capabilities for endpoints, <A href="#" target="_blank" rel="noopener">sign up for a free trial</A> of Microsoft Defender ATP today.</P> <P>&nbsp;</P> <P>We welcome your feedback.
If you have any comments or questions, let us know.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P><STRONG><EM>Jeong Mun and Shweta Jha </EM></STRONG></P> <P><EM>Microsoft Defender ATP team</EM></P> <P class="lia-align-center">&nbsp;</P> Tue, 18 Aug 2020 17:43:08 GMT https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617 Shweta Jha 2020-08-18T17:43:08Z Microsoft Defender ATP Ninja Training: August 2020 update https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-for-endpoint/microsoft-defender-atp-ninja-training-august-2020-update/ba-p/1585091 <P>We are constantly keeping the&nbsp;<A href="#" target="_blank" rel="noopener">Microsoft Defender ATP Ninja training</A>&nbsp;up-to-date to include the latest content. If you want to refresh your knowledge and get updated, here is what has been added since it was published in July:&nbsp;</P> <P>&nbsp;</P> <P>Legend:</P> <TABLE border="1"> <TBODY> <TR> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span> Product videos</P> </TD> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span> Webcast recordings</P> </TD> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="TechCommunity.png" style="width: 17px;"><img 
src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205059iE2A42D8A7F13D7BC/image-dimensions/17x19?v=v2" width="17" height="19" role="button" title="TechCommunity.png" alt="TechCommunity.png" /></span> Tech Community</P> </TD> </TR> <TR> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span> Docs on Microsoft</P> </TD> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;Blogs on Microsoft</P> </TD> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="GitHub.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205065i083675CF15D6F1EF/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="GitHub.png" alt="GitHub.png" /></span>&nbsp;GitHub</P> </TD> </TR> <TR> <TD width="208.889px" height="27px"> <P>⤴ External</P> </TD> <TD width="208.889px" height="27px"> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="InteractiveGuides.png" style="width: 18px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205067iF93A500E533F67FB/image-dimensions/18x18?v=v2" width="18" height="18" role="button" title="InteractiveGuides.png" alt="InteractiveGuides.png" /></span>&nbsp;Interactive guides</P> </TD> <TD width="208.889px" height="27px">&nbsp;</TD> </TR> </TBODY> 
</TABLE> <P>&nbsp;</P> <TABLE width="100%"> <TBODY> <TR> <TD width="50%" height="28px" style="width: 30%;"> <P><STRONG><EM>Module (ordered by roles SecOps &amp; SecAdmin)</EM></STRONG></P> </TD> <TD width="50%" height="28px"> <P><STRONG><EM>What's new</EM></STRONG></P> </TD> </TR> <TR> <TD width="50%" height="81px"> <P><FONT size="3">SecOps Fundamentals: <BR /><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/become-a-microsoft-defender-atp-ninja/ba-p/1515647#_Toc45281204" target="_blank" rel="noopener">Module 4. Attack surface reduction</A></FONT></P> <P>&nbsp;</P> </TD> <TD width="50%" height="81px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Track and regulate access to websites with web content filtering</A></LI> </UL> </TD> </TR> <TR> <TD width="50%">SecOps Intermediate: <BR /><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/become-a-microsoft-defender-atp-ninja/ba-p/1515647#_Toc45281214" target="_blank" rel="noopener">Module 2. 
Threat and vulnerability management</A> </TD> <TD width="50%"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/announcing-high-value-asset-tagging-in-microsoft-defender-atp/ba-p/1521459" target="_blank" rel="noopener">Tag your high value assets for better prioritization</A></LI> </UL> </TD> </TR> <TR> <TD width="50%"> <P>SecOps Expert: <BR /><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/become-a-microsoft-defender-atp-ninja/ba-p/1515647#_Toc45281226" target="_blank" rel="noopener">Module 4. Advanced hunting</A></P> </TD> <TD width="50%"> <P>&nbsp;</P> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span>&nbsp;Webinar series, episode 1: KQL fundamentals (<A href="#" target="_blank" rel="noopener">MP4</A>, <A href="#" target="_blank" rel="noopener">YouTube</A>)</LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span>&nbsp;Webinar series, episode 2: Joins (<A href="#" target="_blank" rel="noopener">MP4</A>, <A href="#" target="_blank" rel="noopener">YouTube</A>)</LI> <LI><span
class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span>&nbsp;Webinar series, episode 3: Summarizing, pivoting, and visualizing data (<A href="#" target="_blank" rel="noopener">MP4</A>, <A href="#" target="_blank" rel="noopener">YouTube</A>)</LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="webcast.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205058iFD24F42AC1504A48/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="webcast.png" alt="webcast.png" /></span>&nbsp;Webinar series, episode 4: Let’s hunt!&nbsp;Applying KQL to incident tracking (<A href="#" target="_blank" rel="noopener">MP4</A>, <A href="#" target="_blank" rel="noopener">YouTube</A>)</LI> </UL> </TD> </TR> <TR> <TD width="50%" height="120px"> <P>SecAdmin Fundamentals: <BR /><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/become-a-microsoft-defender-atp-ninja/ba-p/1515647#_Toc45281233" target="_blank" rel="noopener">Module 3.
Grant and control access</A></P> </TD> <TD width="50%" height="120px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="vid.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205057i34B332A44C6F17B2/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="vid.png" alt="vid.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Multi-tenant access for Managed Security Service Providers</A>&nbsp;</LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;Step-by-step:&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/multi-tenant-access-for-managed-security-service-providers/ba-p/1533440" target="_blank" rel="noopener">Multi-tenant access for Managed Security Service Providers</A>&nbsp;</LI> </UL> </TD> </TR> <TR> <TD width="50%" height="120px">SecAdmin Intermediate: <BR /><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/become-a-microsoft-defender-atp-ninja/ba-p/1515647#_Toc45281238" target="_blank" rel="noopener">Module 1.
Threat and vulnerability management</A></TD> <TD width="50%" height="120px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/introducing-event-timeline-an-innovative-new-way-to-manage-your/ba-p/1505208" target="_blank" rel="noopener">Manage your security exposure with the event timeline</A></LI> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/announcing-high-value-asset-tagging-in-microsoft-defender-atp/ba-p/1521459" target="_blank" rel="noopener">Tag your high value assets for better prioritization</A>&nbsp;</LI> </UL> </TD> </TR> <TR> <TD width="50%" height="66px"> <P>SecAdmin Intermediate: <BR /><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/become-a-microsoft-defender-atp-ninja/ba-p/1515647#_Toc45281239" target="_blank" rel="noopener">Module 2. 
Attack surface reduction</A></P> </TD> <TD width="50%" height="66px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="docs.png" style="width: 17px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205061iC265623042FF4E62/image-dimensions/17x18?v=v2" width="17" height="18" role="button" title="docs.png" alt="docs.png" /></span>&nbsp;<A href="#" target="_blank" rel="noopener">Track and regulate access to websites with web content filtering</A></LI> </UL> </TD> </TR> <TR> <TD width="50%" height="54px"> <P>SecAdmin Expert: <BR /><A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-defender-atp/become-a-microsoft-defender-atp-ninja/ba-p/1515647#_Toc45281247" target="_blank" rel="noopener">Module 2. Advanced hunting</A></P> </TD> <TD width="50%" height="54px"> <UL> <LI><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="blogs.png" style="width: 19px;"><img src="https://techcommunity.microsoft.com/t5/image/serverpage/image-id/205062i0E592B86DF2C2CCF/image-dimensions/19x19?v=v2" width="19" height="19" role="button" title="blogs.png" alt="blogs.png" /></span>&nbsp;<A href="https://gorovian.000webhostapp.com/?exam=t5/microsoft-threat-protection/on-demand-webcast-series-tracking-the-adversary/ba-p/1579366" target="_blank" rel="noopener">Webcast series "Tracking the adversary"</A></LI> </UL> </TD> </TR> </TBODY> </TABLE> <P>&nbsp;</P> <DIV class="ms-editor-squiggler" style="display: block;">