Perform Device Investigations (part 1)
To read part 2 please click here
The Device Inventory List
The device inventory page shows a list of the devices in your network where alerts were generated. By default, the queue displays the devices with alerts seen in the last 30 days and the device page can also be accessed from the various investigation pages like Incidents and Alerts. At a glance, you will see the information such as domain, risk level, OS platform, and the other details for easy identification of the devices mostly at risk.
Risk Level
The risk level reflects the overall risk assessment of the device based on a combination of the factors, including the types and severity of the active alerts on the device and by resolving the active alerts, approving remediation activities, and suppressing the subsequent alerts can lower the risk level.
Exposure Level
The exposure level reflects the current exposure of the device based on the cumulative impact of its pending security recommendations and if the exposure level says, "No data available", there are a few reasons why this may be the case:
- The device stopped reporting for more than 30 days- in that case, it is considered inactive, an the exposure isn't computed
- The device OS is not supported- see minimum requirements for the Microsoft Defender for Endpoint
- The device has a stale agent (very unlikely)
Health State
The following device health states:
- Active- devices that are actively reporting sensor data to the service
- Inactive- devices that have stopped sending signals for more than seven days
- Misconfigured- devices that impaired communications with service or are unable to send sensor data. These devices can be further classified to no sensor data and impaired communications.
Antivirus Status
The antivirus status for Windows 10 devices only:
- Disabled- Virus and threat protection is turned off
- Not reporting- Virus and threat protection not reporting
- Not updated- Virus and threat protection is not up to date
Investigate the device
You should investigate the details of an alert raised on a specific device to identify the other behaviors or events that might be related to the alert or the potential scope of the breach. Affected devices are identified in the following cases:
- Devices list
- Alerts queue
- Security operations dashboard
- Any individual alert
- Any individual file details view
- Any IP address or domain details view
Whenever you investigate a specific device. you will see:
- Device details
- Response actions
- Tabs (overview, alerts, timeline, security recommendations, software inventory, discovered vulnerabilities, missing KBs)
- Cards (active alerts, logged on users, security assessment)
To read part 2 please click here
Comments
Post a Comment