Microsoft Defender Security Center

Over the past few years, Microsoft has implemented better security features across all of its cloud offerings. Microsoft Defender capabilities are now very sophisticated and offer deep inspection not only of cloud services but also of on-premises Windows 10 devices. The “Microsoft Defender Security Center” is your central entry point for identifying potential breach activity, your overall security score, and threat analytics. If you have the required license, you can access the dashboard from here:

Once authenticated, the primary Security operations dashboard loads and displays the following:

  • Active Alerts
  • Active automated investigations
  • Automated investigations statistics
  • Machines at risk
  • Users at risk
  • Machines with sensor issues
  • Service health
  • Detection sources
  • Daily machines reporting

Each report allows you to click into further details. For example, clicking on the “Suspicious process injection observed” alert takes you to all the features needed to investigate further.

Clicking through, you are first presented with the basic details of the overall issue and the recommended actions. The actions dropdown allows you to drill deeper and see, for example, the “Timeline” of events.

For example, looking deeper into this injection, we can see that an “Anomalous memory allocation” was identified within “PowerShell.”

Clicking further into the backdoor reveals the command line used, as well as the process name, execution time, and process ID.

Going back to the specific injection, we can use the “Alert process tree” to see the identified anomalous process.
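The “Alert process tree” view reconstructs a parent/child chain from flat process-creation telemetry that carries the fields the alert already showed (process name, command line, execution time, process ID). The following is an added example, not code from the article or from Microsoft, that rebuilds such a tree from constructed sample records so the lineage of an alerted process can be read off the same way the console presents it. All process names, PIDs, timestamps and command lines below are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple

# One process-creation record, mirroring the fields listed in the alert view.
@dataclass
class ProcessEvent:
    pid: int
    ppid: int
    name: str
    command_line: str
    created: datetime

# Constructed sample telemetry (not data from the article): an Office document
# that spawns PowerShell, which in turn launches a child process.
SAMPLE_EVENTS: List[ProcessEvent] = [
    ProcessEvent(612, 400, "explorer.exe", "explorer.exe", datetime(2020, 1, 10, 9, 0, 0)),
    ProcessEvent(2248, 612, "winword.exe", "winword.exe /n invoice.docx", datetime(2020, 1, 10, 9, 2, 10)),
    ProcessEvent(3120, 2248, "powershell.exe", "powershell.exe -NoProfile -Command <REDACTED_PLACEHOLDER>",
                 datetime(2020, 1, 10, 9, 2, 35)),
    ProcessEvent(3380, 3120, "notepad.exe", "notepad.exe", datetime(2020, 1, 10, 9, 3, 0)),
]


def build_children(events: List[ProcessEvent]) -> Tuple[Dict[int, ProcessEvent], Dict[int, List[int]]]:
    """Index events by PID and collect each PID's children, ordered by creation time."""
    by_pid = {e.pid: e for e in events}
    children: Dict[int, List[int]] = {e.pid: [] for e in events}
    for e in events:
        if e.ppid in children:          # parent present in telemetry
            children[e.ppid].append(e.pid)
    for kids in children.values():
        kids.sort(key=lambda p: by_pid[p].created)
    return by_pid, children


def roots(events: List[ProcessEvent]) -> List[int]:
    """PIDs whose parent was never observed (the top of each visible tree)."""
    by_pid, _ = build_children(events)
    return [e.pid for e in events if e.ppid not in by_pid]


def lineage(events: List[ProcessEvent], pid: int) -> List[str]:
    """Process names from the visible root down to `pid`; empty if pid is unknown."""
    by_pid, _ = build_children(events)
    chain, seen = [], set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:   # guard against PID reuse cycles
        seen.add(cur.pid)
        chain.append(cur.name)
        cur = by_pid.get(cur.ppid)
    return list(reversed(chain))


def render_tree(events: List[ProcessEvent], root_pid: int, alert_pid: int = None) -> List[str]:
    """Indented text rendering of the subtree under root_pid, marking the alerted process."""
    by_pid, children = build_children(events)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        e = by_pid[pid]
        marker = "  <-- alert" if pid == alert_pid else ""
        lines.append(f"{'  ' * depth}{e.name} (pid {e.pid}, {e.created:%H:%M:%S}) {e.command_line}{marker}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root_pid, 0)
    return lines


if __name__ == "__main__":
    for root in roots(SAMPLE_EVENTS):
        print("\n".join(render_tree(SAMPLE_EVENTS, root, alert_pid=3120)))
    print("lineage:", " > ".join(lineage(SAMPLE_EVENTS, 3120)))
```

Running the script prints the tree rooted at `explorer.exe` with `powershell.exe` marked as the alerted process, and the lineage `explorer.exe > winword.exe > powershell.exe`, which is the reading an analyst takes from the console's process tree before deciding whether the PowerShell instance is expected for that user and machine.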

To get a better view of attacks like this, we can expand the menu item “Automated investigations” and click the first submenu item.

Clicking into any of the same observed injections displays the “Investigation graph,” which identifies any Alerts, Machines, Key findings, Entities, and Logs, and offers specific Actions.

If we now click on the “Threats found” icon, the “Key findings” are listed.

If we now click on a row, we can then complete the “Approve or Reject” action.

As you can see, the tooling is excellent at traversing an observed anomaly or malicious attack. If we expand the “Threat & Vulnerability Management” menu and click “Dashboard,” we get a breakdown of our security posture based on a detailed analysis of the tenant.

You can also see in the bottom table a list of software that needs patching, is out of date, or is vulnerable.

Clicking on the “Windows 10” row displays further details. If you then click “Open software page,” and then click “Update Windows 10,” you are presented with a list of the “Exposed machines” and the “CVEs” that are addressed by the various patches.
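The “Exposed machines” and “CVEs” views join a software inventory against the versions in which each CVE was fixed. The following is an added example, not code from the article or Microsoft's own logic, of a simplified model of that join over a constructed inventory: a machine is exposed to a CVE when the installed version of the affected software is below the fixed-in version. Machine names, software names, version strings and the CVE identifiers are placeholders constructed for illustration.

```python
from typing import Dict, List, Tuple

# Constructed inventory (not data from the article): machine -> {software: installed version}.
INVENTORY: Dict[str, Dict[str, str]] = {
    "WKS-001": {"Windows 10": "10.0.18362.900", "Example Reader": "3.2"},
    "WKS-002": {"Windows 10": "10.0.18362.1016"},
    "WKS-003": {"Example Reader": "3.3.0"},
}

# Constructed fix data: (software, fixed-in version, CVE id). CVE ids are placeholders.
FIXES: List[Tuple[str, str, str]] = [
    ("Windows 10", "10.0.18362.1016", "CVE-PLACEHOLDER-A"),
    ("Example Reader", "3.3.0", "CVE-PLACEHOLDER-B"),
]


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version string into an integer tuple."""
    return tuple(int(part) for part in v.split("."))


def version_lt(a: str, b: str) -> bool:
    """True if version a is older than b; shorter tuples are zero-padded so 3.2 == 3.2.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def exposed_machines(inventory: Dict[str, Dict[str, str]],
                     fixes: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """CVE id -> sorted machines whose installed version predates the fix."""
    result: Dict[str, List[str]] = {}
    for software, fixed_in, cve in fixes:
        result[cve] = sorted(
            machine for machine, installed in inventory.items()
            if software in installed and version_lt(installed[software], fixed_in)
        )
    return result


def software_needing_patch(inventory: Dict[str, Dict[str, str]],
                           fixes: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Machine -> sorted software with at least one unapplied fix (the 'bottom table' view)."""
    needs: Dict[str, set] = {}
    for software, fixed_in, _cve in fixes:
        for machine, installed in inventory.items():
            if software in installed and version_lt(installed[software], fixed_in):
                needs.setdefault(machine, set()).add(software)
    return {machine: sorted(sw) for machine, sw in sorted(needs.items())}


if __name__ == "__main__":
    for cve, machines in exposed_machines(INVENTORY, FIXES).items():
        print(f"{cve}: {len(machines)} exposed machine(s) {machines}")
    for machine, software in software_needing_patch(INVENTORY, FIXES).items():
        print(f"{machine} needs patching: {software}")
```

In this model WKS-002 is already at the fixed build and WKS-003 runs the fixed reader version, so only WKS-001 appears under either CVE and in the patch list. The real service tracks far more (servicing branches, superseded updates, compensating controls), so treat this as a reading aid for the dashboard rather than a replacement for it.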

The last thing that is extremely helpful is the “Security recommendations” view. It provides a simple list of activities which, when completed, will increase your overall security.

All in all, “Windows Defender ATP” and the other components of the “Microsoft Defender Security Center” are advanced enough to protect all areas of your cloud-connected infrastructure.

Liam Cleary

Liam began his career as a trainer of all things computer-related. He quickly realized that programming, breaking, and hacking was a lot more fun. He spent the next few years working within core infrastructure and security services until he found SharePoint. He is the founder and owner of SharePlicity, a consulting company that focuses on all areas of technology. His role within SharePlicity is to help organizations implement technology that will enhance internal and external collaboration, document and records management, automate business processes, and of course security controls and protection. Liam also serves as the Principal Technology Advisor at Rencore, where he is helping to develop offerings that help organizations further understand and mitigate security and compliance risks within SharePoint and Office 365 customizations. His core focus is to identify, control, and protect, whether they are full-fledged customizations or out-of-the-box Office 365 functionality. He is also a thirteen-time Microsoft MVP focusing on architecture but also crosses the boundary into development. He is also a Microsoft Certified Trainer (MCT). His specialty over the past few years has been security in SharePoint and its surrounding platforms. He can often be found at user groups or conferences speaking, offering advice, spending time in the community, teaching his kids how to code, Raspberry Pi programming, hacking the planet, or building Lego robots.