Configure for Alerts & Detections

 



Configure Advanced Features

The Advanced features area in the General Settings area provides many an on/off switch for features within the product. The following are the settings that are alert focused: 

Feature

Description

Live Response

Live Response

Live Response unsigned script execution

Enables using unsigned scripts in Live Response.

Custom network indicators

Configures devices to allow or block connections to IP addresses, domains, or URLs in your custom indicator lists.

Share endpoint alerts with Microsoft Compliance Center

Forwards endpoint security alerts and their triage status to the Microsoft Compliance Center, allowing you to enhance insider risk management policies with alerts and remediate internal risks before they cause harm. Forwarded data is processed and stored in the same location as your Office 365 data.    


Configure Alert Notifications

This feature enables you to identify a group of the individuals who will immediately be informed and can act on the alerts based on their severity. The email notifications can be configured by only those users who have 'Manage security settings' permissions while easily setting the alert severity levels that triggers the notifications and also add or remove recipients of the email notification. 

If you are using Role-based Access Control (RBAC), the recipients will only receive the notifications based on the device groups that were configured in the notification rule and the users assigned to the Global administrator role only can manage the notification rules that were configured for all the device groups.

The email notification includes basic information about the alert and a link to the portal where you can do the further investigation. 

Manage Alert Suppression

There might be the scenarios where you need to suppress alerts from appearing in the portal you can easily do this by creating the suppression rules for the specific alerts known to be innocuous, like known tools or processes in your organization. 

View existing rules

You can readily view a list of all the suppression rules and manage them in one place while also turning an alert suppression rule on or off by completing these actions:
  1. In the navigation pane, select Settings > Alert suppression. The list of suppression rules that the users in your organization have created is displayed.
  2. Select a rule by selecting a check-box beside the rule name.
  3. Select Turn rule on, Edit rule, or Delete rule. When making changes to a rule, you can choose to release alerts that it has already suppressed, regardless of whether or not these alerts match the new criteria.  

Manage Indicators

Indicator of Compromise (IoCs) matching is an essential feature in every endpoint protection solution which gives SecOps the ability to set a list of detection indicators and for blocking (prevention and response). You can create the indicators that defines the detection, prevention, and exclusion of entities. 

Currently, supported sources are cloud detection engine of Defender for Endpoint, the automated investigation and remediation engine, and the endpoint prevention engine (Microsoft Defender AV).

Cloud Detection Engine

The Defender for Endpoint's cloud detection engine regularly scans the collected data and tries to match the indicators you set and whenever there is a match, action will be taken according to the IoC settings you specified.

Endpoint Prevention Engine

The same list of indicators is honored by the prevention agent i.e. if the Microsoft Defender AV is the primary AV configured, the matched indicators will be treated according to the settings. 

Automated Investigation & Remediation Engine

It behaves the same i.e. if an indicator is set to "Allow", automated investigation and remediation will ignore a "bad" verdict for it, but if it is set to "Block", then it will treat it as "bad". 

The current supported actions are- Allow, Alert only, and Alert and block whereas you can easily create an indicator for files, IP addresses, URLs/domains, and certificates. There is a limit of 15,000 indicators per tenant.

To manage indicators:

  • In the navigation pane, select Settings > Indicators.
  • Select the tab of the entity type you'd like to manage.
  • Update the indicator details and select Save or select the Delete button if you'd like to remove the entity from the list.  

Manage Custom Detection

Custom detection rules built from advanced hunting queries allows you to proactively monitor various events and system states, including the suspected breach activity and misconfigured devices.

View existing rules

To view all the existing custom detection rules, you can navigate to Settings > Custom detections. The lists all the rules with the following run information:

  • Last run- When a rule was last run to check for query matches and generate alerts.
  • Last run status- Whether a rule ran successfully.
  • Next run- The next scheduled run.
  • Status- Whether a rule has been turned on or off.  






Comments

Popular posts from this blog

Deployment (Part 3)

Deployment (Part 1)

Project Resourcing (Part 2)