Advanced Configuration
- Updated on 18 Jun 2024
- 2 Minutes to read
This article extends the configuration options suggested in Configuration Essentials and Comprehensive Configuration. It is an adaptation of a presentation; the original slides contain additional details and images.
Microsoft Defender for Endpoint offers a variety of options that let you fine-tune how it behaves and performs. You can apply Red Canary's configuration suggestions to Defender for Endpoint through whichever management solution fits your architecture, such as Microsoft Endpoint Manager (Intune) or Group Policy. Apply each setting in only one place, your primary configuration management solution; the same setting pushed from two sources produces conflicting policy and makes the effective state hard to audit.
Create custom detections
Defender for Endpoint allows users to define custom detection rules using Kusto queries. These rules are written exactly like advanced hunting queries, but they run on a schedule you choose when saving the rule (from once per hour to once every twenty-four hours, plus a near-real-time option for queries that qualify) rather than on demand. The query must return the Timestamp, ReportId and DeviceId columns (or equivalent entity identifiers) so that each alert can be tied back to the originating event. Additionally, custom detections let you specify the metadata attached to every alert the rule generates: the alert title, severity, category, MITRE ATT&CK techniques, the impacted entities, and any automatic response actions such as isolating the device or collecting an investigation package.
To learn how to create custom detection rules, see Create and manage custom detections rules.
Note: Only users with Security Administrator or Security Operator permissions can create custom detection rules.
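The following is an added example of a query body shaped for use as a custom detection rule; it is not code from this article or from Red Canary. It flags certutil.exe being used to download or decode content, a common living-off-the-land technique. The column names are those of the advanced hunting DeviceProcessEvents schema; the one-day bound and the excluded process name CertMgmtAgent.exe are assumptions chosen for illustration, not anything this article or Microsoft prescribes.

```kql
// Added example (not from the article): custom detection query body.
// Pattern: certutil.exe invoked with download / decode / encode switches.
// A custom detection must return Timestamp, ReportId and DeviceId so the
// portal can map each alert row back to the event that produced it.
DeviceProcessEvents
| where Timestamp > ago(1d)          // assumed bound; the rule's own lookback applies on top
| where FileName =~ "certutil.exe"
| where ProcessCommandLine has_any ("urlcache", "verifyctl", "decode", "encode")
// Hypothetical in-house certificate tool that legitimately drives certutil;
// replace with the parent processes that are benign in your environment.
| where InitiatingProcessFileName !~ "CertMgmtAgent.exe"
| project Timestamp, DeviceId, DeviceName, ReportId,
          AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine
```

Run the query in advanced hunting first to confirm it returns only the rows you intend, then use Create detection rule to save it; at that point you supply the alert title, severity, category, MITRE technique and any response actions described above. Keep the tuning filters in the query itself rather than suppressing alerts afterwards, so the rule's logic remains reviewable in one place.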
Implement attack surface reduction rules
Attack surface reduction rules reduce risk by blocking specific behaviors that attacks depend on, such as Office applications spawning child processes or credential theft from LSASS. However, because some rules also prohibit behaviors of legitimate applications, it's important to assess the impact on your environment before deciding which rules to enforce. Defender for Endpoint's audit mode records the events a rule would have blocked without actually blocking them, so you can review the affected processes and devices first and then switch individual rules to Block mode once you have excluded or accepted the legitimate hits.
Log in to https://endpoint.microsoft.com/.
Click Endpoint security, and then select Attack surface reduction.
Click Create Policy.
Under Platform, select Windows 10 and later.
Under Profile, select Attack surface reduction rules.
Click Create, enter a name and description, then click Next.
Under Attack Surface Reduction Rules, set all rules to Audit mode.
Step through the rest of the setup wizard, and assign the appropriate device scope.
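Once devices have run in audit mode for a while, the audit events are what tell you which rules are safe to enforce. The following advanced hunting query is an added example, not code from this article or from Red Canary, that summarizes those events per rule and per initiating process. It relies on the advanced hunting DeviceEvents schema, where ASR hits carry an ActionType of the form Asr<RuleName>Audited in audit mode (and Asr<RuleName>Blocked once enforced); the fourteen-day review window is an assumption.

```kql
// Added example (not from the article): impact review of ASR rules in audit mode.
// Each row is one (rule, parent process, target file) combination with how
// widespread it is, so you can separate legitimate software from attack tooling.
DeviceEvents
| where Timestamp > ago(14d)                                   // assumed review window
| where ActionType startswith "Asr" and ActionType endswith "Audited"
| summarize Hits      = count(),
            Devices   = dcount(DeviceId),
            Users     = dcount(AccountName),
            FirstSeen = min(Timestamp),
            LastSeen  = max(Timestamp),
            SampleCommandLine = take_any(InitiatingProcessCommandLine)
    by ActionType, InitiatingProcessFileName, FileName
| order by Hits desc
```

Read the result per ActionType: a combination that appears on many devices under a known business application is a candidate for an ASR exclusion, or for leaving that one rule in audit a while longer; a rule whose only hits are things you would want blocked anyway can be moved to Block in the same Intune profile without touching the others.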
Configure a security baseline
Defender for Endpoint has its own unique security baseline that can be enabled via configuration management, or from endpoint management policies. The baseline contains settings for many components, including the following:
Attack surface reduction
BitLocker
Device Guard
Device installation
DMA Guard
Firewall
Microsoft Defender
SmartScreen
Security baselines are one of the strongest ways to enforce policy across an organization, because a single profile pins dozens of settings to a known-good state.
Caution: Security baselines edit multiple security policies at once, and can impact performance, application compatibility and accessibility. Review every category before deployment, pilot the baseline on a small device group, and only then widen the assignment.
Log in to https://endpoint.microsoft.com/.
Click Endpoint security, and then select Security baselines.
Click Create profile.
Enter a name and description, and then click Next.
Carefully review the configuration settings for all categories.
Assign the policy to the correct scope, group, or users.
Click Create.