guglspark.blogg.se

Defender 21305 sentinel pro

The name changes and new products were mentioned in Microsoft's sprawling "Book of News" publication in various sections, part of this week's Microsoft Ignite online event announcements. Plus, Microsoft announced some new security products this week. Please follow me here, on LinkedIn, and on for: Follow Daniel Chronlund Cloud Tech Blog on WordPress. It's been a year since the last Microsoft Defender product name changes, so brace yourself for more. I hope that the Attack Surface Reduction Dashboard can help you understand the ASR rules and their events in your tenant, and prevent bad configuration, security incidents, and ease deployment. Just do the same procedure in Azure AD workbooks instead: Summary Note that you can do this without Microsoft Sentinel as long as you are exporting your Azure AD audit logs to an Azure Log Analytics workspace. Also set the Title to Attack Surface Reduction Dashboard. Easy! Finally, to permanently save the workbook in Sentinel, click on the save icon at the top and select the same Azure resource group as your Sentinel workspace (or else it won’t show up in Sentinel). The new workbook will now appear and you can start to use it. Replace the JSON content and click on Apply. This will allow you to replace the entire JSON content with the one from my GitHub repo. Click on Edit and the Advanced Editor button.


Add a new workbook. A new workbook will appear based on the default template. Go to your Microsoft Sentinel workspace and click on Workbooks.


Install the Attack Surface Reduction Dashboard in Microsoft Sentinel

First, download (or copy) the latest version (it’s a JSON file) of Attack Surface Reduction Dashboard from my GitHub. This is incredibly powerful when investigating ASR incidents, or when building exclusion policies during ASR deployment.


Finally, at the bottom, you will get a detailed event log where you can dive into specifics about ASR events, like which application triggered it, and what it tried to do. You will then see pie charts of the number of ASR events by Rule, Device or User.


This is great for understanding when problems arise, key indications in a security incident investigation, etc. The first graph is a timeline of all ASR events in the current time frame. The filters you set will affect all graphs in the dashboard. After that you can, if you want to, filter on specific rules, devices or users. First you need to decide if you are interested in rules running in audit mode or block mode. There are some filters you can apply in the dashboard.


The rules reference is followed by some instructions on how to use the dashboard. There are currently (as of 15/6-22) 16 different ASR rules in Windows.

What You Can See In The Dashboard

Before showing you the data in your tenant, the dashboard will give you an overview of all available ASR rules in Windows, with descriptions and docs links. The dashboard can filter on rules in Audit mode and Block mode. This dashboard helps you implement the ASR rules of Windows/Defender, and to monitor them over time.


Today I’m happy to announce my new Attack Surface Reduction Dashboard. This is a sister project to my DCToolbox repo. Before we start, my Microsoft Sentinel contributions have a new home on GitHub! I will gather all my Sentinel resources in one central repo called DCSecurityOperations.









