Comprehensive Configuration
    • 18 Jun 2024

    This article extends the configuration options suggested in Configuration Essentials. It is adapted from a presentation; the slides contain additional details and images.

    Microsoft Defender for Endpoint offers a variety of options that let you fine-tune its performance. Red Canary's configuration suggestions can be applied to Defender for Endpoint through whichever management solution fits your architecture, for example Endpoint Manager (Intune) or Group Policy. You only need to apply these configurations in your primary configuration management solution.


    Configure network protection capabilities

    Defender for Endpoint enables the automated banning of domains and IP addresses using its network protection capabilities in block mode. You can take advantage of this functionality by adding them as automated actions to a playbook in Red Canary. For more information, see the Red Canary help article Automate Actions: Ban Domain / Ban IP.

    Enable block mode

    Defender for Endpoint can block potentially threatening activity automatically, improving the resilience of endpoints even when Microsoft Defender Antivirus isn't the only antivirus solution.

    Note: Block mode is only compatible with certain versions of Defender for Endpoint. For more information, see What is EDR in block mode?

    1. Log in to https://security.microsoft.com/.

    2. Click Settings > Endpoints, and then select Advanced Features.

    3. Turn on Enable EDR in block mode.

    4. Click Save preferences.

    Measure and tune your antivirus’s performance

    Defender for Endpoint has native performance analysis tools, which allow you to measure the performance impact of configuration changes:

    • New-MpPerformanceRecording, which creates a performance recording of antivirus activity on the host.

    • Get-MpPerformanceReport, which analyzes and displays the performance report.

    For more information about using these tools, see Performance analyzer for Microsoft Defender Antivirus.

    Tip: Policy settings have the greatest impact on antivirus performance. For a full list of policy settings, see Settings for Microsoft Defender Antivirus policy in Microsoft Intune for Windows devices.
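The two cmdlets above are most useful when a recording is taken before and after a policy change and both reports are kept with the exclusion list that was in force. The script below is an added example, not Red Canary's or Microsoft's code; it assumes an elevated PowerShell session on a Windows host where the performance analyzer cmdlets are available, and that New-MpPerformanceRecording accepts the -Seconds and Get-MpPerformanceReport the -MinDuration parameters as described in Microsoft's performance analyzer documentation (assumption). The output directory is a constructed placeholder.

```powershell
# Added example: capture a Defender AV performance baseline, let the operator apply a
# policy change, capture again, and store each report beside the exclusions in force.
param(
    [string]$OutDir  = (Join-Path $env:TEMP 'mp-perf'),   # constructed path, adjust as needed
    [int]   $Seconds = 120                                 # length of each recording window
)
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

function Invoke-DefenderPerfCapture {
    param([Parameter(Mandatory)][string]$Label)
    $etl = Join-Path $OutDir "$Label.etl"
    $txt = Join-Path $OutDir "$Label.report.txt"

    # Snapshot the exclusions in force so the report can be tied to a known policy state.
    $pref = Get-MpPreference
    [pscustomobject]@{
        Label      = $Label
        Paths      = $pref.ExclusionPath
        Processes  = $pref.ExclusionProcess
        Extensions = $pref.ExclusionExtension
    } | ConvertTo-Json -Depth 3 | Set-Content (Join-Path $OutDir "$Label.exclusions.json")

    # Record AV activity for the chosen window; run a representative workload
    # (build, logon, backup job) during the window so the sample is meaningful.
    New-MpPerformanceRecording -RecordTo $etl -Seconds $Seconds   # -Seconds: assumed parameter

    # Summarise the recording: slowest scans and costliest files, extensions and processes.
    # -MinDuration (assumed) drops scans under 100 ms so only real hotspots are listed.
    Get-MpPerformanceReport -Path $etl -TopScans 20 -TopFiles 10 `
        -TopExtensions 10 -TopProcesses 10 -MinDuration 100ms |
        Out-String -Width 200 | Set-Content $txt
    Write-Host "Saved $txt"
    return $txt
}

$before = Invoke-DefenderPerfCapture -Label 'before'
Read-Host 'Apply the policy change, wait for it to sync to this host, then press Enter'
$after  = Invoke-DefenderPerfCapture -Label 'after'

# Side-by-side view for the change record; the .etl files keep the full detail.
Get-Content $before, $after
```

Keep the before/after pairs with the change ticket so a later regression can be traced to the exclusion or scan setting that introduced it.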

    Enable automated investigations

    Defender for Endpoint has automated investigation features, which mimic the actions of security analysts. You can enable automated investigations in 365 Defender.

    1. Log in to https://security.microsoft.com/.

    2. Click Settings > Endpoints, and then select Advanced Features.

    3. Turn on Enable EDR in block mode.

    4. Click Save preferences.

    5. Turn on Automated Investigation.

    6. Turn on Automatically resolve alerts.

    7. Click Save preferences.

    If you need to exclude certain machines from automated investigation, you can configure a device group. For more information, see Create and manage device groups.

    Enable live response

    Live response allows you to access hosts using a remote shell. You can use this feature to execute scripts, perform investigations, and remediate threats.

    Note: Live response is only available on certain operating systems. For more information, see Investigate entities on devices using live response.

    1. Log in to https://security.microsoft.com/.

    2. Click Settings > Endpoints, and then select Advanced Features.

    3. Turn on Live Response. Optionally, turn on Live Response for Servers and Live Response unsigned script execution.

    4. Click Save preferences.

    Tip: There are two permission levels for live response actions: basic and advanced. Basic actions are read-only and don't impact your host system. Advanced actions can take action directly on the host. To learn more about configuring permissions, see Create and manage roles for role-based access control.

    Enable Microsoft 365 Defender integrations

    Defender for Endpoint integrates with several 365 Defender products: Defender for Identity, Office 365 Threat Intelligence, Defender for Cloud Apps, and Intune.

    1. Log in to https://security.microsoft.com/.

    2. Click Settings > Endpoints, and then select Advanced Features.

    3. Turn on any or all of the following integrations:

      • Microsoft Defender for Identity integration

      • Office 365 Threat Intelligence connection

      • Microsoft Defender for Cloud Apps

      • Microsoft Intune connection

    4. Click Save preferences.

    Configure advanced policy tuning options

    You can modify the Next Generation Protection (NGAV) policy settings directly. This allows you to optimize Microsoft Defender Antivirus performance across your environment. Policy options include cloud protection, restricted folders, scanning options, and more.

    1. Log in to https://endpoint.microsoft.com/.

    2. Click Endpoint security > Antivirus, then click Create Policy.

    3. Under Platform, select the appropriate operating system.

    4. Under Profile, select Microsoft Defender Antivirus.

    5. Click Create, enter a name and description, then click Next.

    6. Modify the following settings to your liking:

      • Cloud protection

      • Microsoft Defender Antivirus Exclusions

      • Real-time protection

      • Remediation

      • Scan

      • Updates

      • User experience

    7. Click Next three times, and then click Create.
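Once the Intune antivirus policy is created, it is worth confirming on a sample endpoint that the settings (cloud protection, real-time protection, and so on) actually arrived, and whether Defender AV is running as primary, passive, or in EDR block mode as configured in the Enable block mode section above. The script below is an added example, not Red Canary's or Microsoft's code; it assumes an elevated PowerShell session on a Windows host with the Defender module, and the expected values are this example's own choices rather than Red Canary's recommendation for any particular tenant.

```powershell
# Added example: compare the live Defender preferences on this endpoint against the
# values an NGAV policy was expected to set, and flag any drift.
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

# Each check: display name, observed value, expected value.
# MAPSReporting 2 = Advanced, CloudBlockLevel 2 = High, EnableNetworkProtection 1 = Block,
# PUAProtection 1 = Enabled. These expected values are the example's assumptions.
$checks = @(
    @{ Name = 'Cloud protection (MAPSReporting)'; Actual = $pref.MAPSReporting;             Expected = 2 }
    @{ Name = 'Cloud block level';                Actual = $pref.CloudBlockLevel;           Expected = 2 }
    @{ Name = 'Real-time monitoring disabled';    Actual = $pref.DisableRealtimeMonitoring; Expected = $false }
    @{ Name = 'Behavior monitoring disabled';     Actual = $pref.DisableBehaviorMonitoring; Expected = $false }
    @{ Name = 'Network protection';               Actual = $pref.EnableNetworkProtection;   Expected = 1 }
    @{ Name = 'PUA protection';                   Actual = $pref.PUAProtection;             Expected = 1 }
    @{ Name = 'Tamper protection';                Actual = $status.IsTamperProtected;       Expected = $true }
    @{ Name = 'Real-time protection running';     Actual = $status.RealTimeProtectionEnabled; Expected = $true }
)

# Compare as strings so enum/byte values and booleans are handled uniformly.
$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Setting  = $c.Name
        Actual   = $c.Actual
        Expected = $c.Expected
        Status   = if ("$($c.Actual)" -eq "$($c.Expected)") { 'OK' } else { 'DRIFT' }
    }
}
$results | Format-Table -AutoSize

# AMRunningMode reports whether Defender AV is primary ('Normal'), passive, or in
# 'EDR Block Mode'; it is shown rather than asserted because the right value depends
# on whether another antivirus product is installed on the host.
"AMRunningMode: $($status.AMRunningMode)"
"Signatures last updated: $($status.AntivirusSignatureLastUpdated)"

# Non-zero exit lets a management tool treat drift as a failed compliance check.
if ($results.Status -contains 'DRIFT') { exit 1 } else { exit 0 }
```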

    Configure threat and vulnerability management

    Defender for Endpoint's threat and vulnerability management (TVM) feature allows you to assess risk dynamically and gives you visibility into existing vulnerabilities in your environment. This feature is enabled by default, but Red Canary recommends that you walk through the TVM dashboard and take advantage of Microsoft's guidance.

    1. Log in to https://security.microsoft.com/.

    2. Click Vulnerability management.

    3. Follow the recommendations of the following pages:

      • Dashboard

      • Recommendations

      • Remediation

    For more information about threat and vulnerability management, see Threat and vulnerability management walk-through.
