
 Important

The improved Microsoft 365 Defender portal is now available. This new experience brings Defender for Endpoint, Defender for Office 365, Microsoft 365 Defender, and more into the Microsoft 365 Defender portal. Learn what’s new.

Applies to:

  • Microsoft 365 Defender
  • Microsoft Defender for Endpoint

Advanced hunting relies on data coming from various sources, including your devices, your Office 365 workspaces, Azure AD, and Microsoft Defender for Identity. To get the most comprehensive data possible, ensure that you have the correct settings in the corresponding data sources.

Advanced security auditing on Windows devices

Turn on these advanced auditing settings to ensure you get data about activities on your devices, including local account management, local security group management, and service creation.

ADVANCED SECURITY AUDITING ON WINDOWS DEVICES

Account management
  Description: Events captured as various ActionType values indicating local account creation, deletion, and other account-related activities
  Schema table: DeviceEvents
  How to configure:
    – Deploy an advanced security audit policy: Audit User Account Management
    – Learn about advanced security audit policies

Security group management
  Description: Events captured as various ActionType values indicating local security group creation and other local group management activities
  Schema table: DeviceEvents
  How to configure:
    – Deploy an advanced security audit policy: Audit Security Group Management
    – Learn about advanced security audit policies

Service installation
  Description: Events captured with the ActionType value ServiceInstalled, indicating that a service has been created
  Schema table: DeviceEvents
  How to configure:
    – Deploy an advanced security audit policy: Audit Security System Extension
    – Learn about advanced security audit policies
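
To confirm that these audit subcategories are actually producing data, the following advanced hunting (KQL) query is an added example and is not part of the original article. ServiceInstalled is named above; the other ActionType values (UserAccountCreated, SecurityGroupCreated, and so on) are assumed from the DeviceEvents schema rather than taken from this page, and Timestamp, DeviceId and ActionType are the standard DeviceEvents columns.

```kql
// Added example, not from the original article: coverage check for the
// audit settings described above. Expected ActionType values are assumed
// from the DeviceEvents schema (only ServiceInstalled appears on the page).
let lookback = 7d;
// Expected ActionType values, grouped by the audit subcategory that emits them
let expected = datatable(AuditSubcategory: string, ActionType: string) [
    "Audit User Account Management",  "UserAccountCreated",
    "Audit User Account Management",  "UserAccountDeleted",
    "Audit User Account Management",  "UserAccountModified",
    "Audit Security Group Management", "SecurityGroupCreated",
    "Audit Security Group Management", "SecurityGroupDeleted",
    "Audit Security Group Management", "UserAccountAddedToLocalGroup",
    "Audit Security Group Management", "UserAccountRemovedFromLocalGroup",
    "Audit Security System Extension", "ServiceInstalled"
];
// What actually arrived in DeviceEvents during the lookback window
let observed = DeviceEvents
    | where Timestamp > ago(lookback)
    | where ActionType in (expected | project ActionType)
    | summarize EventCount = count(), ReportingDevices = dcount(DeviceId) by ActionType;
// Left-outer join so that an ActionType with no events still shows as a row
// with EventCount 0. A single quiet device is normal, but an ActionType with
// zero events tenant-wide over a week is a strong sign that the matching
// audit subcategory was never deployed to the devices.
expected
| join kind=leftouter observed on ActionType
| project AuditSubcategory, ActionType,
          EventCount = coalesce(EventCount, 0),
          ReportingDevices = coalesce(ReportingDevices, 0)
| order by AuditSubcategory asc, ActionType asc
```

Run it in the advanced hunting page of the Microsoft 365 Defender portal; rows with EventCount 0 point at the audit policy to revisit.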

Microsoft Defender for Identity sensor on the domain controller

If you’re running Active Directory on premises, you need to install the Microsoft Defender for Identity sensor on the domain controller to get data for Microsoft Defender for Identity. When installed and properly configured, this data also feeds into advanced hunting through Microsoft Defender for Identity and provides a more holistic picture of identity information and events in your network. This data also enhances the ability of Microsoft Defender for Identity to generate relevant alerts that are also covered by advanced hunting.

MICROSOFT DEFENDER FOR IDENTITY SENSOR ON THE DOMAIN CONTROLLER

Domain controller
  Description: Data from on-premises Active Directory sent to Microsoft Defender for Identity, enriching identity-related information, such as account details, logon activity, and Active Directory queries
  Schema table: Multiple tables, including IdentityInfo, IdentityLogonEvents, and IdentityQueryEvents
  How to configure:
    – Install the Microsoft Defender for Identity sensor
    – Turn on relevant Windows Events

 Note

Some tables in this article might not be available in Microsoft Defender for Endpoint. Turn on Microsoft 365 Defender to hunt for threats using more data sources. You can move your advanced hunting workflows from Microsoft Defender for Endpoint to Microsoft 365 Defender by following the steps in Migrate advanced hunting queries from Microsoft Defender for Endpoint.

Source: Official Microsoft Brand
Edited by: BEST Antivirus KBS Team
