MDATP – EDR in block mode [Public Preview]


Presentation

When EDR in block mode is enabled, Microsoft Defender ATP leverages behavioral blocking and containment capabilities by blocking malicious artifacts or behaviors that are observed through post-breach protection.

EDR in block mode works behind the scenes to remediate malicious artifacts that are detected post-breach.

When EDR in block mode detects malicious behaviors or artifacts, it stops related running processes, blocking the attack from progressing. These blocks are reported in Microsoft Defender Security Center, where security teams can see details of the threat and remediation status, and use Microsoft Defender ATP’s rich set of capabilities to further investigate and hunt for similar threats as necessary.

[Image: alert.png]

Prerequisites

Permissions: Global Administrator or Security Administrator role assigned in Azure Active Directory. See Basic permissions.

Operating system: One of the following versions:
– Windows 10 (all releases)
– Windows Server 2016 or later

Windows E5 enrollment: Windows E5 is included in the following subscriptions:
– Microsoft 365 E5
– Microsoft 365 E3 together with the Identity & Threat Protection offering
See Components and features and capabilities for each plan.

Cloud-delivered protection: Make sure Microsoft Defender Antivirus is configured such that cloud-delivered protection is enabled. See Enable cloud-delivered protection.

Microsoft Defender Antivirus antimalware client: Make sure your client is up to date. Using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMProductVersion line, you should see 4.18.2001.10 or above.

Microsoft Defender Antivirus engine: Make sure your engine is up to date. Using PowerShell, run the Get-MpComputerStatus cmdlet as an administrator. In the AMEngineVersion line, you should see 1.1.16700.2 or above.

To get the best protection, make sure to apply security baselines in Intune.
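As an added readiness check that is not part of the original post, the following PowerShell function runs the Get-MpComputerStatus check described above, compares the reported versions against the minimums listed on this page, and also reads the cloud-delivered protection setting from Get-MpPreference (its MAPSReporting property). The function name and the shape of its output are my own.

```powershell
# Added readiness check for the prerequisites above (not from the original
# post). Run from an elevated PowerShell prompt on the endpoint. The minimum
# versions are the ones stated on this page; Get-MpComputerStatus and
# Get-MpPreference are the Defender module's own cmdlets.
function Test-EdrBlockModeReadiness {
    [CmdletBinding()]
    param(
        [version]$MinProductVersion = '4.18.2001.10',
        [version]$MinEngineVersion  = '1.1.16700.2'
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # [version] compares component by component; a plain string comparison
    # would wrongly rank '4.18.2001.9' above '4.18.2001.10'.
    $productOk = [version]$status.AMProductVersion -ge $MinProductVersion
    $engineOk  = [version]$status.AMEngineVersion  -ge $MinEngineVersion

    # MAPSReporting: 0 = Disabled, 1 = Basic, 2 = Advanced.
    # Cloud-delivered protection counts as enabled when it is not 0.
    $cloudOk = $pref.MAPSReporting -ne 0

    [pscustomobject]@{
        AMProductVersion  = $status.AMProductVersion
        ProductVersionOk  = $productOk
        AMEngineVersion   = $status.AMEngineVersion
        EngineVersionOk   = $engineOk
        CloudProtection   = $pref.MAPSReporting
        CloudProtectionOk = $cloudOk
        AntivirusEnabled  = $status.AntivirusEnabled
        Ready             = $productOk -and $engineOk -and $cloudOk
    }
}

Test-EdrBlockModeReadiness | Format-List
```

If any of the Ok fields is False, update the platform or engine (or enable cloud-delivered protection) before turning the feature on in the Security Center.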

Integration

  1. Go to the Microsoft Defender Security Center (https://securitycenter.windows.com) and sign in.
  2. Choose Settings > Advanced features.
  3. Turn on EDR in block mode.

EDR in block mode can be turned on only in the Microsoft Defender Security Center. You cannot use registry keys, Intune, or group policies to enable or disable EDR in block mode.

Source

https://techcommunity.microsoft.com/t5/microsoft-defender-atp/introducing-edr-in-block-mode-stopping-attacks-in-their-tracks/ba-p/1596617
