MS-102 Implement Threat Intelligence in Microsoft Defender Flashcards
(31 cards)
To get to the Alerts Queue in Defender
In the navigation pane, you must select the Incidents & alerts group to expand it, and then select Alerts.
The manage alert pane allows you to
view or specify:
The alert status (New, Resolved, In progress).
The user account which Microsoft Defender XDR assigned to the alert.
The alert’s classification:
Not set. This option is the default setting.
True positive. Use this classification for alerts that accurately indicate a real threat. Specifying the threat type helps your security team see threat patterns and act to defend your organization from them.
Informational, expected activity. Use the options in this category to classify alerts generated by, for example, security tests, red team activity, and expected unusual behavior from trusted apps and users.
False positive. Use this classification for the type of alerts related to nonmalicious activity. Classifying alerts as false positive helps Microsoft Defender XDR improve its detection quality.
(AIR)
Automated investigation and response
to select an item in the Action center
Go to the Microsoft Defender portal and sign in.
In the navigation pane, select Actions & submissions, and then select Action center.
On the Action center pane, the Pending tab is displayed by default. Select either the Pending or History tab and then select an item. The system displays a detail pane for the selected item.
Which of the following items triggers the start of an automated investigation?
An incident, in turn, can start an automated investigation. The automated investigation results in a verdict for each piece of evidence.
How many days of raw data can you explore up to in an advanced threat hunting query?
30 days of raw data.
To access Threat Analytics
Threat Intelligence –> Threat Analytics
Microsoft Defender for Cloud Apps (formerly Microsoft Cloud App Security)
identifies and combats cyberthreats across all your Microsoft and third-party cloud services.
Cloud Discovery
uses an organization’s traffic logs to dynamically discover and analyze the cloud apps that it’s using.
Cloud app catalog
growing catalog of over 25,000 cloud apps. Microsoft ranked and scored the apps based on industry standards.
App connectors
facilitate the integration between the Cloud App Security service and cloud applications.
Policy control
detect risky behavior, violations, or suspicious data points and activities in an organization’s cloud environment.
Access the Defender for Cloud Apps portal
in the Microsoft Defender portal, the Cloud Apps section in the left-hand navigation pane provides links to the Microsoft Defender for Cloud Apps features. Select Settings to navigate to the Settings page.
On the Settings page, select Cloud Apps to navigate to the Settings page for Cloud Apps.
Create a new file policy
On the Microsoft Defender for Cloud Apps portal, select Control in the navigation pane, and then select Policies.
On the Policies page, the All policies tab is displayed by default. Select the Information protection tab.
In the Information protection tab, select +Create policy on the menu bar. In the drop-down menu that appears, select File policy.
Monitor alerts
In the Microsoft Defender portal, in the left-hand navigation pane, select Incidents & alerts to expand the group, and then select Alerts.
On the Alerts page, select Add filter on the menu bar.
Microsoft Defender for Endpoint
enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.
Use: Endpoint behavioral sensors, Cloud security analytics, Threat intelligence
Attack surface reduction.
attack surface reduction capabilities can resist attacks and exploitation. The capabilities also include network protection and web protection. These features regulate access to malicious IP addresses, domains, and URLs.
Microsoft Defender for Endpoint Plan 1
Next-generation protection
Attack surface reduction
Manual response actions
Centralized management
Security reports
APIs
Microsoft Defender for Endpoint Plan 2
Microsoft Defender for Endpoint Plan 1, plus:
Device discovery
Vulnerability management
Threat Analytics
Automated investigation and response
Advanced hunting
Endpoint detection and response
Microsoft Threat Experts
Which Microsoft Defender for Endpoint capability provides the frontline of defense in the stack?
The attack surface reduction set of capabilities provides the frontline of defense in the stack.
Microsoft Defender for Endpoint works for which operating systems:
Android
iOS/iPadOS
Windows 10/11
Enable Microsoft Defender for Endpoint in Intune
In the Microsoft Intune admin center, select Endpoint security in the navigation pane.
On the Endpoint security | Overview page, under the Setup section in the middle pane, select Microsoft Defender for Endpoint.
On the Endpoint security | Microsoft Defender for Endpoint page, scroll down to the Shared settings section and select Open the Microsoft Defender Security Center. This step opens the Microsoft Defender portal.
In the Microsoft Defender portal, in the left-hand navigation pane, select Settings, then Endpoints, and then Advanced features.
Set the toggle switch for the Microsoft Intune connection setting to On.
Create the device configuration profile to onboard Windows devices
In the Microsoft Intune admin center, select Endpoint security in the left-hand navigation pane.
In the Endpoint security | Overview page, under the Manage section in the middle pane, select Endpoint detection and response.
In the Endpoint security | Endpoint detection and response page, select +Create Policy on the menu bar.
In the Create a profile pane that appears, select Windows 10 and Later in the Platform field.
In the Profile field, select Endpoint detection and response.
Select Create. Doing so initiates the Create profile wizard.
In the Create profile wizard, on the Basics tab, enter a Name and Description (optional) for the profile, and then select Next.
Configuring Microsoft Defender for Endpoint as part of a compliance policy:
In the Microsoft Intune admin center, select Devices in the left-hand navigation pane.
On the Devices | Overview page, under the Policy section in the middle pane, select Compliance policies.
On the Compliance policies | Policies page, select +Create profile on the menu bar.
In the Create a policy pane that appears, select in the Platform field and then select one of the platforms from the drop-down menu that appears. Select Create. Doing so initiates the [selected platform] compliance policy wizard.
In the [selected platform] compliance policy wizard, on the Basics tab, enter a policy Name and Description (optional). Select Next.