Microsoft Defender for Endpoint Internals 0x02 — Audit Settings and Telemetry



In the previous article of this series, I compared Microsoft Defender for Endpoint (MDE) with Sysmon and highlighted some of the differences and attention points in terms of sampling. This time, I want to focus on configuration and its implications for telemetry.

As we also established in the previous article of this series, the two primary ways MDE collects telemetry are a) kernel callbacks via a driver and b) Event Tracing for Windows (ETW).

On the surface, an MDE deployment looks fairly simple, and in most cases it will be. However, there are some additional configuration settings that are not all that well documented and that will limit the breadth of the telemetry you receive, and therefore of the detections you can build on it.

TL;DR: Check the audit policy settings for all of the OUs and system groups that contain hosts where you have MDE deployed. You might have unintentional blind spots and may not be getting the full benefit of your EDR.

Cross-posted from medium.com; please read the full article here:

https://medium.com/falconforce/microsoft-defender-for-endpoint-internals-0x02-audit-settings-and-telemetry-1d0af3ebfb27