Endpoint on Adrenaline Two
Introduction
Enable Real-time Protection in Defender Antivirus
Enable Cloud-Delivered Protection
Summary: Cloud-Delivered Protection enables features such as ASR rules, cloud sample submission and tamper protection enforcement, and as such is critical to the deployment of Defender for Endpoint.
Scope: Windows 7 and Up, Windows Server 2012 R2 and Up
Intune: Navigate to Endpoint Manager admin centre > Device Configuration > Profiles > Select a profile type or create a new one > Properties > Configuration settings: Edit > Microsoft Defender Antivirus. Configure "Cloud Delivered Protection" to "Enable" and "Prompt users before sample submission" to "Send all data automatically".
Endpoint Manager: Navigate to Endpoint Manager Security centre > Endpoint Security > Antivirus > select or create a Defender for Antivirus policy > Properties > Configuration Settings > Edit. Configure "Turn on cloud-delivered protection" to "Yes", "Cloud-delivered protection level" to "High" and "Defender Cloud Extended Timeout in Seconds" to "50".
Group Policy: Open Group Policy Management Console > Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > MAPS. Configure "Join Microsoft MAPS" to "Advanced MAPS" and "Send file samples when further analysis is required" to "Enabled" and "Send all samples".
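The Intune, Endpoint Manager and Group Policy steps above all land on the same Microsoft Defender Antivirus preferences. The PowerShell below is an added example (not part of the original deck) that sets the same values locally with the Defender module's Set-MpPreference and then verifies the resulting state, which is useful in a lab ring or for confirming what a policy actually delivered. The numeric enumeration values in the verification function are what Get-MpPreference reports for these settings; everything else is standard Defender cmdlet usage.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original deck). Mirrors the cloud-delivered protection
# settings described above on a single device with Set-MpPreference, then verifies
# the resulting state. Where Intune/GPO manages these settings, policy overrides local
# changes; with tamper protection on, some of them cannot be changed locally at all.

# Desired state, matching the portal/GPO values in the text:
#   Join Microsoft MAPS               -> Advanced MAPS
#   Send file samples                 -> Send all samples
#   Cloud-delivered protection level  -> High
#   Cloud extended timeout            -> 50 seconds
#   Real-time protection              -> on
$desired = @{
    MAPSReporting             = 'Advanced'
    SubmitSamplesConsent      = 'SendAllSamples'
    CloudBlockLevel           = 'High'
    CloudExtendedTimeout      = 50
    DisableRealtimeMonitoring = $false
}

function Set-CloudProtectionBaseline {
    # Apply all settings in one call; Set-MpPreference fails loudly on an invalid value.
    Set-MpPreference @desired -ErrorAction Stop
}

function Test-CloudProtectionBaseline {
    # Get-MpPreference reports the enumerations numerically:
    #   MAPSReporting        0 Disabled, 1 Basic, 2 Advanced
    #   SubmitSamplesConsent 0 AlwaysPrompt, 1 SendSafeSamples, 2 NeverSend, 3 SendAllSamples
    #   CloudBlockLevel      0 Default, 1 Moderate, 2 High, 4 HighPlus, 6 ZeroTolerance
    $expected = @{
        MAPSReporting             = 2
        SubmitSamplesConsent      = 3
        CloudBlockLevel           = 2
        CloudExtendedTimeout      = 50
        DisableRealtimeMonitoring = $false
    }
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus

    # Collect every setting that drifted from the expected value.
    $drift = @(foreach ($k in $expected.Keys) {
        if ($pref.$k -ne $expected[$k]) {
            [pscustomobject]@{ Setting = $k; Expected = $expected[$k]; Actual = $pref.$k }
        }
    })
    if (-not $status.RealTimeProtectionEnabled) {
        $drift += [pscustomobject]@{ Setting = 'RealTimeProtectionEnabled'; Expected = $true; Actual = $false }
    }
    if (-not $status.IsTamperProtected) {
        Write-Warning 'Tamper protection is off: a local administrator or malware can revert these settings.'
    }

    if ($drift.Count -gt 0) {
        $drift | Format-Table -AutoSize
        return $false
    }
    Write-Host 'Cloud-delivered protection baseline verified.'
    return $true
}

Set-CloudProtectionBaseline
Test-CloudProtectionBaseline
```

Run the verification function on its own against managed devices to detect drift; a device where Test-CloudProtectionBaseline returns $false after policy has had time to apply is usually either out of scope of the profile or has a conflicting setting from another source.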
Intune: Navigate to Endpoint Manager admin centre > Device Configuration > Profiles > Select or Create an Endpoint Protection profile > Windows Defender Exploit Guard > Attack Surface Reduction. Configure all available ASR rules to "Audit Mode".
Group Policy: Group Policy Management Console > Computer configuration > Administrative templates > Windows components > Microsoft Defender Antivirus > Microsoft Defender Exploit Guard > Attack surface reduction > Configure Attack surface reduction rules.
Enter the below GUIDs and values:
Once the rules above are implemented, you can review the results of the ASR rules in audit mode by going to security.microsoft.com and clicking Reports > Attack surface reduction rules. It can take 4+ hours before results start to appear. Once you have reviewed the results, you can go back to the policy at endpoint.microsoft.com and add any exceptions you require.
Once you have implemented and reviewed the ASR rules, you can begin setting them to 'Block' mode. It is highly recommended that you use several testing rings before deploying ASR rules in 'Block' mode. Use the diagram below to identify the rules most likely to generate issues.
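The audit, review, exclude and block sequence described above can be rehearsed on a single device before touching the tenant-wide policy. The PowerShell below is an added example (not part of the original deck): it stages rules in audit mode with Add-MpPreference, summarises the audit-mode events (event ID 1122 in the Defender operational log) by rule and process so the noisiest pairs stand out, and shows the exclusion and block steps. The rule GUIDs are placeholders because the deck's GUID table is not reproduced on this page; the EventData field names used when parsing the 1122 events are an assumption to confirm against one of your own events.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original deck). Stages ASR rules in audit mode on one
# device, summarises what they would have blocked from the Defender operational log,
# and only then moves them to block, mirroring the audit -> review -> block sequence
# above. Replace the placeholders with real rule GUIDs from the deck's table.
$ruleIds = @(
    '<ASR-RULE-GUID-1>'   # placeholder
    '<ASR-RULE-GUID-2>'   # placeholder
)

function Set-AsrRuleMode {
    param(
        [Parameter(Mandatory)][string[]]$Ids,
        [Parameter(Mandatory)][ValidateSet('Disabled', 'AuditMode', 'Warn', 'Enabled')][string]$Mode
    )
    # Add-MpPreference takes parallel arrays: one action per rule GUID. An existing
    # entry for the same GUID is updated rather than duplicated, so this is safe to re-run.
    Add-MpPreference -AttackSurfaceReductionRules_Ids $Ids `
                     -AttackSurfaceReductionRules_Actions (@($Mode) * $Ids.Count) -ErrorAction Stop
}

function Get-AsrAuditSummary {
    param([int]$Hours = 24)
    # Event 1122 = an ASR rule in audit mode matched (1121 is the block-mode equivalent).
    # EventData field names below are assumed from these events' schema; confirm against
    # one of your own 1122 events before relying on the summary.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 1122
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            RuleId  = $data['ID']
            Process = $data['Process Name']
            Path    = $data['Path']
            User    = $data['User']
        }
    }
    # Rule/process pairs with the highest counts are the ones most likely to break
    # something in block mode and the first candidates for an exclusion or a later ring.
    $rows | Group-Object RuleId, Process | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'RuleId_Process'; e = { $_.Name } }
}

# Step 1: audit mode for the pilot ring.
Set-AsrRuleMode -Ids $ruleIds -Mode AuditMode

# Step 2 (after the audit period): what would have been blocked?
Get-AsrAuditSummary -Hours 24 | Format-Table -AutoSize

# Step 3: exclude a known-good file or folder identified in step 2 (placeholder path),
# then move the rules to block for this ring. Left commented so the script does not
# flip to block before the review has actually happened.
# Add-MpPreference -AttackSurfaceReductionOnlyExclusions 'C:\Path\To\Reviewed\App.exe'
# Set-AsrRuleMode -Ids $ruleIds -Mode Enabled
```

Keep the audit window at least as long as the portal report's own delay (the text notes 4+ hours) and, ideally, through a full business cycle of the pilot ring, since rules that only fire against monthly or quarterly processes will not show up in a short sample.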
Summary: Automated investigations use inspection algorithms to further evaluate detected suspicious activity and then perform remediation actions without the need for a human analyst. Automated investigations can span multiple assets and are a valuable feature.
Action: Navigate to Microsoft 365 Defender > Settings > Endpoints > Advanced Features. Enable "Automated Investigations".
Enable Live Response
Summary: Live response enables analysts to perform deeper investigations during incident triage. Often analysts use live response to gather 'point in time' information about artefacts related to an alert. Live response is limited to the following actions:
- Run basic and advanced commands to do investigative work on a device.
- Download files such as malware samples and outcomes of PowerShell scripts.
- Download files in the background.
- Upload a PowerShell script or executable to the library and run it on a device from a tenant level.
- Take or undo remediation actions.
Action: Navigate to Microsoft 365 Defender > Settings > Endpoints > Advanced Features. Enable "Live Response" and "Live Response for Servers".
Disable Automatically Resolve Alerts
Action: Navigate to Microsoft 365 Defender > Settings > Endpoints > Advanced Features. Disable "Automatically Resolve Alerts".