5.0 Defender for Endpoint(MDE): Walk through the Portal

In previous posts, we onboarded 1 unmanaged and 1 managed device to the Microsoft Defender for Endpoint (MDE). Let's have a look at the MDE portal (security.microsoft.com) and see what it looks like from where to start with.

Now, security.microsoft.com is the new home for Defender for Endpoint (MDE) portal. Microsoft has combined multiple security portals as a central hub for all security products and services.  Few sections are dedicated to specific products and few are common for all the products like Incidents & Alerts are for all the products. Assets and Endpoints are dedicated to Defender for Endpoint.  We only focus on the Assets, and Vulnerability management section of the portal and will discuss more in another post.

Assets

This section gives us information about the device starting from how many devices on onboarded with their details. We can dig deep to get more information about it.

Go to the security.microsoft.com->Assets-Devices. The image shows various information like device name, domain or workgroup, risk level, exposure level, etc.

We would like to talk more about Risk level and Exposure level. This two are very confusing if we are new to the MDDE. At least it was confusing for me :) These two are very important.

Risk level

It shows if the device is under attack. It shows an active attack and needs to take the action immediately. There is three severity of the risk high, medium, and low.  Action can be manual or we can automate it like linking to compliance policy and when the device is at a high-risk level then make the device noncompliance. When the device is non-compliant then we can create a conditional policy(CA) like blocking the device to access the company data. Will discuss this in detail in another post.

Microsoft's official definition 'The risk level reflects the overall risk assessment of the device based on combination of factors, including the types and severity of active alerts on the device. Resolving active alerts, approving remediation activities, and suppressing subsequent alerts can lower the risk level.'

Risk level can be integrated with compliance and conditional access policy and can achieve greater things. We have described the integration 7.0 Defender for Endpoint(MDE): Integrate with Compliance & Conditional Access Policy.

Exposure level

It shows the vulnerability in terms of configuration, software update, and firmware. This score is calculated based on

Microsoft's official definiiton 'This reflects the current exposure of this device based on the cumulative impact of its pending security recommendations.'

Vulnerability Management

Defender for Endpoint has threat and vulnerability (TVM) features that help the company to identify and remediate the vulnerability. It continuously scans the endpoint and does an assessment.

Naviagte to Endpoints->Vulnerability management->Reccomendation. We can see the list of vulnerability recommendations.

Conclusion

Coming soon...

Hope this was helpful, contact me on Twitter @sakaldeep for any queries.