Microsoft Defender for Endpoint
1. Introduction
Microsoft Defender for Endpoint (MDE), the new name for Microsoft Defender Advanced Threat Protection (MDATP), is a cloud-based service that provides prevention, detection, and investigation capabilities we use to respond to advanced threats within our organization. MDE can serve as the primary anti-virus and EDR tool for the organization.
Access it through https://securitycenter.windows.com/dashboard (use an incognito/private browser window).
2. Alerts
2.1. Coverage
All Windows systems (servers and workstations) are connected to Microsoft Defender for Endpoint.
2.1.1. Coverage report/process (under construction)
To be completed after the move to the Log Analytics Workspace.
3. Incident sync between portals and sentinel
Incidents created in the portals are kept in sync with each other and are sent to Sentinel through the Microsoft Defender connector; this is enabled with the button below.
3.2. Azure Sentinel incidents
Incidents are visible under the SecurityAlert table in Sentinel.
3.3.1. Queries
Defender hunting (advanced hunting, AlertInfo table):
AlertInfo
| where DetectionSource contains "smartscreen"
Sentinel (SecurityAlert table; the same alerts as delivered by the Defender connector):
SecurityAlert
| where AlertType == "WindowsDefenderSmartScreen"
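The two one-line queries above only list alerts. As an added example (not from the original page), the first query below extends the Defender hunting side with the URL or file each SmartScreen alert was raised for, by joining AlertInfo to AlertEvidence; the second is the Sentinel side of the same question and counts the SmartScreen alerts the connector delivered per day and host, which is a quick way to confirm the incident sync is actually working. The 7-day window and the EntityType filter are assumptions; the column names are the documented ones for the AlertInfo, AlertEvidence and SecurityAlert tables. Run the first query in the Defender portal and the second in the Sentinel Logs blade.

```kusto
// --- Defender advanced hunting (run in the Defender portal) ---
// Added example: SmartScreen alerts with the evidence (URL or file) behind each one.
// AlertInfo holds one row per alert; AlertEvidence holds the entities attached to it.
AlertInfo
| where Timestamp > ago(7d)                       // assumed window, adjust as needed
| where DetectionSource contains "smartscreen"   // same filter as the page's query
| join kind=inner (
    AlertEvidence
    | where EntityType in ("Url", "File")          // assumed: only URL/file evidence is of interest here
    | project AlertId, EntityType, RemoteUrl, FileName, SHA256, DeviceName
  ) on AlertId
| project Timestamp, AlertId, Title, Severity, DeviceName, EntityType, RemoteUrl, FileName, SHA256
| order by Timestamp desc

// --- Sentinel (run in the Sentinel Logs blade) ---
// Added example: daily count of SmartScreen alerts received from the Defender
// connector, per host. An empty result over a window where Defender shows
// alerts points at a sync/connector problem rather than at a quiet environment.
SecurityAlert
| where TimeGenerated > ago(7d)                   // same assumed window as above
| where AlertType == "WindowsDefenderSmartScreen" // same filter as the page's query
| summarize Alerts = count(), Hosts = dcount(CompromisedEntity)
    by bin(TimeGenerated, 1d), ProviderName
| order by TimeGenerated desc
```

Comparing the Alerts column of the second query with the row count of the first over the same window gives a simple coverage check for the sync described in section 3.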