Microsoft Defender for Endpoint – MD ATP Daily Operation – Part 1

Hi IT Pros,

I have combined the information for Security Team who monitors, responds and manages the ATP Portal on a daily basis.

Please check it out and give your feedback.

For Alert Notification and Live Response with remediation and remote powershell to target device, please view the “Microsoft Defender for Endpoint – MD ATP Daily Operation – Part 2”



The Alert response could be done as follows:

Change Status of Alert (by your IT Security Team Member)

Alert Status

AlertActionManage AlertStatus


In Progress


Alert Classification

AlertActionManage alertClassification






Defender ATP lets you create suppression rules for specific alerts that are known to be innocuous such as known tools or processes in your organization.

  • Suppression rules can be created from an existing alert. They can be disabled and reenabled if needed.
  • The rule will not affect existing alerts already in the queue, prior to the rule creation.
  • The rule will only be applied on alerts that satisfy the conditions set after the rule is created.

You can choose to suppress alerts on this machine or suppress alert in entire organization

Suppression Rule

  • Create an alert suppression condition based on :

o    File SHA1, File name – wildcard supported,

o    Folder path – wildcard supported,

o    IP address,

o    URL – wildcard supported,

o    Command line – wildcard supported

  • Select the Trigerring IOC (Indicator of Compromise)
  • Specify the action and scope on the alert





Detection Rule

(Customized Detection Rule by running Query)

Action applied to threat detection once it is discovered

  • Within the query of advanced hunting,
  • select Create detection rule 
  • specify Detection name, Frequency — interval for running the query 1-24hrs,
  • Alert title — title displayed with alerts triggered by the rule,
  •  Severity level,
  • Category,Description,
  • Recommended actions —enter your comment on  additional actions that responders might take in response to an alert.
  • Save




Create indicators for files

You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file (.exe and .dll file), you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.

Indicator of compromise (IoCs)

Indicator of compromise (IoCs) is used for detection and for blocking a threat.

You could create IoC based on file hash, External IP address, URL

There are two ways you can create indicators for files:

  • By creating an indicator through the settings page
  • By creating a contextual indicator using the add indicator button from the file details page


  • The Defender client version must be 4.18.1901.x or later.
  • Windows 10, version 1703 or later.


  • The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action
  • Trusted signed files will be treated differently. Microsoft Defender ATP is optimized to handle malicious files. Trying to block trusted signed files, in some cases, may have performance implications.

Create an indicator for files from the settings page

  1. In the navigation pane, select Settings > Indicators.
  2. Select the File hash tab.
  3. Select Add indicator.
  4. Specify the following details:
    • Indicator – Specify the entity details and define the expiration of the indicator.
    • Action – Specify the action to be taken and provide a description.
    • Scope – Define the scope of the machine group.
  5. Review the details in the Summary tab, then click Save.


Create a contextual indicator from the file details page

One of the options when taking response actions on a file is adding an indicator for the file.



Create indicators for IPs and URLs/domains (preview)

Microsoft Defender ATP can block what Microsoft deems as malicious IPs/URLs, through Windows Defender SmartScreen for Microsoft browsers, and through Protection for non-Microsoft browsers or calls made outside of a browser. You can now allow or block IPs, URLs, or domains through the settings page or by machine groups.


  • URL/IP allow and block relies on the Microsoft Defender ATP component Protection to be enabled in block mode. For more information on Protection and configuration instructions, see Protect your network.
  • The client version must be 4.18.1906.x or later.
  • Supported on machines on Windows 10, version 1709 or later.
  • Ensure that Custom network indicators is enabled in Microsoft Defender  > Settings > Advanced features. For more information, see Advanced features.


Only external IPs can be added to the indicator list.

For web protection scenarios, we recommend using the built-in capabilities in Microsoft Edge. Microsoft Edge leverages Network Protection to inspect network traffic and allows blocks for , HTTP, and HTTPS ().

For all other processes, web protection scenarios leverage Network Protection for inspection and enforcement:

  • Full URL path blocks can be applied on the domain level and all unencrypted URLs
  • There may be up to 2 hours latency (usually less) between the time the action is taken, and the URL and IP being blocked.
  • There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.

Create an indicator for IPs, URLs, or domains from the settings page

  1. In the navigation pane, select Settings > Indicators.
  2. Select the IP addresses or URLs/Domains tab.
  3. Select Add indicator.
  4. Specify the following details:
    • Indicator – Specify the entity details and define the expiration of the indicator.
    • Action – Specify the action to be taken and provide a description.
    • Scope – Define the scope of the machine group.
  5. Review the details in the Summary tab, then click Save.

Import from a CSV list to create multiple IoCs

You can also choose to upload a CSV file that defines the attributes of indicators, the action to be taken, and other details.

Download the sample CSV to know the supported column attributes.

  1. In the navigation pane, select Settings > Indicators.
  2. Select the tab of the entity type you'd like to import indicators for.
  3. Select Import > Choose file.
  4. Select Import. Do this for all the files you'd like to import.
  5. Select Done.
  • Make sure the setting for Custom Network Indicator setting was turned on if we have  IoC items configured by IP addresses, Url, Domain Name.

Threat & Vulnerability Management dashboard

You can use the Threat & Vulnerability Management capability in Microsoft Defender Security Center to:

  • View exposure and configuration scores side-by-side with top security recommendations, software vulnerability, remediation activities, and exposed machines
  • Correlate EDR insights with endpoint vulnerabilities and process them
  • Select remediation options, triage and track the remediation tasks
  • Select exception options and track active exceptions

Exposure score

See the current state of your organization's device exposure to threats and vulnerabilities.

Several factors affect your organization's exposure score: weaknesses discovered in your

devices, likelihood of your devices to be breached, value of the devices to your

organization, and relevant alerts discovered with your devices. The goal is to lower

the exposure score of your organization to be more secure. To reduce the score,

you need to remediate the related security configuration issues listed in the

security recommendations.

Configuration score

See the security posture of the operating system, applications, network, accounts and

security controls of your organization. The goal is to remediate the related security

configuration issues to increase your configuration score. Selecting the bars will take

you to the Security recommendation page.


The Weaknesses page lists down the vulnerabilities found in the infected software running

in your organization by listing the Common Vulnerabilities and Exposures (CVE) ID, the severity,

Common Vulnerability Scoring System (CVSS) rating, prevalence in your organization,

corresponding breach, and threat insights.

Indicator of compromise (IoCs)

Indicator of compromise (IoCs) matching is an essential feature in every endpoint protection solution. This capability gives SecOps the ability to set a list of indicators for detection and for blocking (prevention and response).

Create indicators that define the detection, prevention, and exclusion of entities. You can define the action to be taken as well as the duration for when to apply the action as well as the scope of the machine group to apply it to.

Group Machines based on OS, Name Prefix, …

  • Settings
  • PermissionsDevice Groups
  • Add New Device Group
  • ….    


  • User Access
  • Assign User Group to Role
  • Apply change                                                                                                                                                                                                                                                                                                            tantran55_7-1596459568638.png

    Adding Custom Role for ATP Service:

You could add multiple different custom roles based on different permission sets:

  • View Data
  • Active Remediation Action
  • Alert investigation
  • Live response.

To Add a Role:

  • Settings
  • PermissionsRoles
  • Add item, …


  • Optional, Click on User Access and assign the Azure Security Group who control the related Machine Group.
  • Save

ATP related documents are located at :


I hope the information is useful to your daily operation of ATP.

On “ATP Daily Operation – Part 2” of this blogpost series, we will explore the Live Response feature with remote client's powershell session and other ATP features.



This article was originally published by Microsoft's Azure Blog. You can find the original article here.