Microsoft Defender for Endpoint provides you with near-r eal- time detection and response capabilities. This allows you to take actions quickly if a threat is encountered. If a threat is detected, then an alert will be created. Microsoft Defender for Endpoint collects process information, network activity, user login activity, Registry and filesystem changes, and more, which is kept for six months.
To view threats, you can use the Security Operations dashboard. Here you will see an overview of threats that have been detected and when response actions are required. The dashboard shows you an overview of the following, as you can see in Figure 15.10:
■ Active alerts
■ Devices at risk
■ Sensor health
■ Service health
■ Daily devices reporting
■ Active automated investigations
■ Automated investigations statistics
■ Users at risk
■ Suspicious activities
FIGURE 15.10 Security Operations dashboard
From the dashboard, you can quickly explore and investigate alerts and devices to see if there are any threats or suspicious activity. The dashboard also has tiles that you can click that will provide more information on your overall health state.
If you click Active Alerts, you can view the overall number of active alerts for the past 30 days. Alerts are grouped into New and In Progress, as shown in Figure 15.11.
FIGURE 15.11 Active Alerts
You can click the number inside each alert ring to see that category’s queue (New or In Progress). Each will be sorted by their alert severity levels. The Alerts queue will show you a list of alerts that have been flagged from devices on your network. By default, the queue displays any alerts that were seen in the last 30 days, with the most recent alert being at the top of the list. Each row will include an alert severity category and a brief description. If you click an alert, you will see a detailed view. From the Alerts Queue page, you can customize the alerts view to suit your needs. On the top navigation, you can:
■ Add or remove columns
■ Apply filters
■ Display the alerts for a particular duration (1 Day, 3 Days, 1 Week, 30 Days, and 6 Months)
■ Export the alerts list to Microsoft Excel
■ Manage alerts
You will also notice that the Alerts Queue page displays the severity levels by color, as shown in Figure 15.12:
■ High (Red): These alerts indicate a high risk because of the severity of damage they can inflict on devices.
■ Medium (Orange): These alerts indicate endpoint detection and response behaviors that might be a part of an advanced persistent threat (APT) such as Registry changes or the execution of a suspicious file.
■ Low (Yellow): These alerts may be associated with malware attacks, such as logs being cleared. These threats do not indicate that there was an attack, but it’s best to investigate.
■ Informational (Gray): These alerts may not be considered harmful but could indicate a security issue.
Also on the Security Operations dashboard, if you look at the Devices At Risk tile, this will show you a list of devices that have the most active alerts. For each device, the total number of alerts is shown in a circle next to the device name and then further categorized by severity level. To view more details about a device, just click the name of the device. When you select a device to investigate, you will see a device summary page, as shown in Figure 15.13. On the summary page you will see the following:
Device Details This provides information such as the domain, OS, and health state of the device.
Response Actions These are tasks you can perform for the given device.
Tabs (Overview, Alerts, Timeline, Security Recommendations, Software Inventory, Discovered Vulnerabilities, Missing KBs) These tabs provide security and threat prevention information.
Cards (Active Alerts, Logged On Users, Security Assessment, Device Health
Status) Cards display an overview of alerts related to the device and their risk level.
FIGURE 15.13 Device Summary
On the Device Summary page, there are also a number of response actions that you can take, as shown in Figure 15.14. These actions include:
■ Manage Tags
■ Initiate Automated Investigation
■ Initiate Live Response Session
■ Collect Investigation Package
■ Run Antivirus Scan
■ Remove App Restrictions
■ Isolate Device
■ Consult A Threat Expert
■ Action Center
FIGURE 15.14 Response actions
On the Security Operations dashboard, if you look at the Devices With Sensor Issues tile, this will give you information on a device’s ability to provide sensor data to the Microsoft Defender for Endpoint service. It shows how many devices require attention and helps you identify devices that may have problems, as shown in Figure 15.15.
FIGURE 15.15 Devices With Sensor Issues tile
Here you will see two different status indicators:
■ Misconfigured: This is the number of devices that may have configuration errors that need to be corrected.
■ Inactive: This is the number of devices that have stopped reporting to the Microsoft Defender for Endpoint service for more than seven days within the past month.
The Service Health tile shows whether the service is active or if there are issues, as shown in Figure 15.16.
FIGURE 15.16 Service Health tile
If you click this tile, it will open the Service Health page, which shows the health state of each cloud service in a table format, as shown in Figure 15.17.
The default view is the All Services tab, which shows all services, their current health state, and any active incidents or advisories. An icon and status in the Health column indicate the state of each service.
On the Security Operations dashboard, if you look at the Daily Devices Reporting tile (as shown in Figure 15.18), it will show you a bar graph that shows the number of devices that are reporting within the last 30 days. You can hover over an individual bar on the graph to see the exact number of devices reporting that day.
FIGURE 15.18 Daily Devices Reporting tile
If you look at the Active Automated Investigations tile (shown in Figure 15.19), it will show you the number of automated investigations from the last 30 days. The number of investigations are categorized into Pending Action, Waiting For Device, and Running.
FIGURE 15.19 Active Automated Investigations tile
The Automated Investigations Statistics tile (shown in Figure 15.20) shows statistics pertaining to automated investigations within the past seven days.
FIGURE 15.20 Automated Investigations Statistics tile
This tile shows you:
■ The number of completed investigations
■ The number of successfully remediated investigations
■ The average pending time it takes for an investigation to be initiated
■ The average time it takes to remediate an alert
■ The number of alerts investigated
■ The number of hours of automation saved from a typical manual investigation
You can click Automated Investigations, Remediated Investigations, and Alerts Investigated to navigate to the Investigations page.
On the Security Operations dashboard, if you look at the Users At Risk tile (shown in Figure 15.21), it will show you a list of user accounts that have the most active alerts and the number of alerts seen on high, medium, or low alerts.
FIGURE 15.21 Users at Risk tile
By selecting a user account, you can see more details about that user, as shown in Figure 15.22:
■ User account details, Microsoft Defender for Identity alerts, and logged- on devices, role, logon type, and other details
■ Overview of the incidents and the user’s devices
■ Alerts related to this user
■ Observed in organization (devices logged on to)