Comprehensive Configuration

Defender for Endpoint enables the automated banning of domains and IP addresses using its network protection capabilities in block mode. You can take advantage of this functionality by adding them as automate actions to a playbook in Red Canary. For more information, see the Red Canary help article Automate Actions: Ban Domain / Ban IP. 

Defender for Endpoint can block potentially threatening activity automatically, improving the resilience of endpoints even when Microsoft Defender Antivirus isn't the only antivirus solution.

Note: Block mode is only compatible with certain versions of Defender for Endpoint. For more information, see What is EDR in block mode?

1. Log in to https://security.microsoft.com/.

2. Click Settings, Endpoints, and then select Advanced Features.

3. Turn on Enable EDR in block mode.

4. Click Save preferences.

Defender for Endpoint has native performance analysis tools, which allows you to measure the performance impacts of configuration changes:

• New-MpPerformanceRecording, which creates a performance recording of an event on the host.

• Get-MpPerformanceReport, which analyzes and displays the performance report.

For more information about using these tools, see Performance analyzer for Microsoft Defender Antivirus.

Tip: Policy settings have the greatest impact on antivirus performance. For a full list of policy settings, see Settings for Microsoft Defender Antivirus policy in Microsoft Intune for Windows devices.

Defender for Endpoint has automated investigation features, which mimic the actions of security analysts. You can enable automated investigations in 365 Defender.

1. Log in to https://security.microsoft.com/.

2. Click Settings, Endpoints, and then select Advanced Features.

3. Turn on Enable EDR in block mode.

4. Click Save preferences.

5. Turn on Automated Investigation.

6. Turn on Automatically resolve alerts.

7. Click Save preferences.

If you need to exclude certain machines from automated investigation, you can configure a device group. For more information, see Create and manage device groups.

Live response allows you to access hosts using a remote shell. You can use this feature to execute scripts, perform investigations, and remediate threats.

Note: Live response is only available on certain operating systems. For more information, see Investigate entities on devices using live response.

1. Log in to https://security.microsoft.com/.

2. Click Settings, Endpoints, and then select Advanced Features.

3. Turn on Live Response. Optionally, turn on Live Response for Servers and Live Response unsigned script execution.

4. Click Save preferences.

Tip: There are two permissions levels for live response actions: basic and advanced. Basic actions are read only, and don't impact your host system. Advanced actions can take action directly on the host. To learn more about configuring permissions, see Create and manage roles for role-based access control.

Defender for Endpoint integrates with several 365 Defender products: Defender for Identity, Office 365 Threat Intelligence, Defender for Cloud Apps, and Intune.

1. Log in to https://security.microsoft.com/.

2. Click Settings, Endpoints, and then select Advanced Features.

3. Turn on any or all of the following integrations:

   • Microsoft Defender for Identity integration

   • Office 365 Threat Intelligence connection

   • Microsoft Defender for Cloud Apps

   • Microsoft Intune connection

4. Click Save preferences.

You can modify the Next Generation Protection (NGAV) policy settings directly. This allows you to optimize Microsoft Defender Antivirus performance across your environment. Policy options include cloud protection, restricted folders, scanning options, and more.

1. Log in to https://endpoint.microsoft.com/.

2. Click Endpoint security, Antivirus, then click Create Policy.

3. Under Platform, select the appropriate operating system.

4. Under Profile, select Microsoft Defender Antivirus.

5. Click Create, enter a name and description, then click Next.

6. Modify the following settings to your liking:

   • Cloud protection

   • Microsoft Defender Antivirus Exclusions

   • Real-time protection

   • Remediation

   • Scan

   • Updates

   • User experience

7. Click Next three times, and then click Create.

Defender for Endpoint's threat and vulnerability management (TVM) feature allows you to dynamically assess risk, and to create an awareness of existing vulnerabilities in your environment. This feature is enabled by default, but Red Canary recommends that you walk through the TVM dashboard and take advantage of Microsoft's guidance.

1. Log in to https://security.microsoft.com/.

2. Click Vulnerability management.

3. Follow the recommendations of the following pages:

   • Dashboard

   • Recommendations

   • Remediation

For more information about threat and vulnerability management, see Threat and vulnerability management walk-through.