Microsoft Defender for Endpoint Security Operations Guide

Applies to:

This article gives an overview of the requirements and tasks for successfully operating Microsoft Defender for Endpoint in your organization. These tasks help your security operations center (SOC) effectively detect and respond to security threats detected by Microsoft Defender for Endpoint.

This article also describes daily, weekly, monthly, and ad-hoc tasks your security team can perform for your organization.

Note

These are recommended steps; check them against your own policies and environment to make sure they are fit for purpose.

Prerequisites:

Microsoft Defender for Endpoint should be set up to support your regular security operations process. Although not covered in this document, the following articles provide configuration and setup information:

Daily activities

General

  • Review actions

    In the action center, review the actions that have been taken in your environment, both automated and manual. This information helps you validate that automated investigation and response (AIR) is performing as expected and identify any manual actions that need to be reviewed. See Visit the Action center to see remediation actions.

Security operations team

Security administration team

  • Review health reports

    Review health reports to identify any device health trends that need to be addressed. The device health reports cover Microsoft Defender for Endpoint AV signature, platform health, and EDR health. See Device health reports in Microsoft Defender for Endpoint.

  • Check Endpoint detection and response (EDR) sensor health

    EDR health means that the sensor maintains its connection to the EDR service, so that Defender for Endpoint receives the signals it needs to raise alerts and identify vulnerabilities.

    Review unhealthy devices. See Device health, Sensor health & OS report.

  • Check Microsoft Defender Antivirus health

    Viewing the status of Microsoft Defender Antivirus updates is critical for the best performance of Defender for Endpoint in your environment and up-to-date detections. The device health page shows current status for platform, intelligence, and engine version. See the Device health, Microsoft Defender Antivirus health report.
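The device health reports above are the authoritative, fleet-wide view. When you need to confirm the same three things (sensor connectivity, Microsoft Defender Antivirus state, and platform/engine/signature versions) on a single device, for example while triaging an unhealthy device from the report, a local check is useful. The following script is an added example, not code from this article or from Microsoft. It uses the `Get-MpComputerStatus` cmdlet, the `Sense` service, and the `OnboardingState` value documented for onboarding verification; the seven-day signature-age threshold is an assumed value that you should align with your own policy.

```powershell
# Added example (not part of the Microsoft Learn article): local daily health check for
# Microsoft Defender Antivirus and the Defender for Endpoint (EDR) sensor on one Windows device.
# Run in an elevated PowerShell session on the device being checked.

$maxSignatureAgeDays = 7   # assumed threshold; tune to your own update policy

# Antivirus platform, engine, signature, and protection state
$status = Get-MpComputerStatus

# EDR sensor service ("Sense") and the onboarding marker written during onboarding
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
$onboarding = Get-ItemProperty `
    -Path 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status' `
    -Name OnboardingState -ErrorAction SilentlyContinue

# Collect human-readable findings; an empty list means the device looks healthy
$findings = @()
if (-not $status.AMServiceEnabled)          { $findings += 'Antimalware service is not enabled' }
if (-not $status.AntivirusEnabled)          { $findings += 'Antivirus is disabled' }
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection is off' }
if ($status.AntivirusSignatureAge -gt $maxSignatureAgeDays) {
    $findings += "Security intelligence is $($status.AntivirusSignatureAge) days old"
}
if ($null -eq $sense -or $sense.Status -ne 'Running') {
    $findings += 'EDR sensor service (Sense) is not running'
}
if ($null -eq $onboarding -or $onboarding.OnboardingState -ne 1) {
    $findings += 'Device does not report as onboarded to Defender for Endpoint'
}

# One summary object per device; pipe to Export-Csv when collecting from many devices
[pscustomobject]@{
    ComputerName     = $env:COMPUTERNAME
    PlatformVersion  = $status.AMProductVersion
    EngineVersion    = $status.AMEngineVersion
    SignatureVersion = $status.AntivirusSignatureVersion
    SignatureAgeDays = $status.AntivirusSignatureAge
    RunningMode      = $status.AMRunningMode        # Normal, Passive Mode, EDR Block Mode, ...
    SenseStatus      = if ($sense) { $sense.Status } else { 'NotInstalled' }
    Healthy          = ($findings.Count -eq 0)
    Findings         = ($findings -join '; ')
}
```

Treat a non-empty `Findings` field as a reason to open the device's page in the portal rather than as a final verdict: a device can report locally as healthy while the portal still shows it as unhealthy if the sensor is running but cannot reach the service.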

Weekly activities

General

  • Message Center

    Microsoft Defender XDR uses the Microsoft 365 Message center to notify you of upcoming changes, such as new and changed features, planned maintenance, or other important announcements.

    Review the Message center messages to understand any upcoming changes that impact your environment.

    You can access this in the Microsoft 365 admin center under the Health tab. See How to check Microsoft 365 service health.

Security operations team

Security administration team

  • Review threat and vulnerability management (TVM) status

    Review TVM to identify any new vulnerabilities and recommendations that require action. See Vulnerability management dashboard.

  • Review attack surface reduction reporting

    Review ASR reports to identify any files that affect your environment. See Attack surface reduction rules report.

  • Review web protection events

    Review the web defense report to identify any IP addresses or URLs that are blocked. See Web protection.

Monthly activities

General

Review the following articles to understand recently released updates:

Security administration team

Periodically

These tasks are seen as maintenance for your security posture and are critical for your ongoing protection. But as they may take time and effort, it's recommended that you set a standard schedule that you can maintain to perform these tasks.

  • Review exclusions

    Review exclusions that have been set in your environment to confirm you haven't created a protection gap by excluding things that are no longer required to be excluded.

  • Review Defender policy configurations

    Periodically review your Defender configuration settings to confirm that they're set as required.

  • Review automation levels

    Review automation levels in automated investigation and remediation capabilities. See Automation levels in automated investigation and remediation.

  • Review custom detections

    Periodically review whether the custom detections that have been created are still valid and effective. See Review custom detection.

  • Review alerts suppression

    Periodically review any alert suppression rules that have been created to confirm they're still required and valid. See Review alerts suppression.
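A periodic exclusions review is easier when the currently effective exclusions are exported in a form that can be compared between review cycles and against the change records that justified them. The following script is an added example, not code from this article or from Microsoft. It reads the local antivirus exclusions with `Get-MpPreference`, flags entries that commonly indicate a protection gap, and writes the result to a CSV. The output path and the list of patterns treated as overly broad are assumptions; adjust them to your environment. This complements, but does not replace, the review of policy-defined exclusions in the portal or in your management tool.

```powershell
# Added example (not part of the Microsoft Learn article): export the effective local
# Microsoft Defender Antivirus exclusions and flag entries worth a second look.
# Run in an elevated PowerShell session on the device being reviewed.

$outputCsv = "$env:TEMP\defender-exclusions-$env:COMPUTERNAME.csv"   # assumed output path

# Exclusions that remove coverage for an entire class of content rather than one artifact.
# These lists are assumptions for this example, not a Microsoft-published set.
$broadExtensions = @('exe','dll','ps1','vbs','js','bat','cmd','scr','com')
$broadProcesses  = @('powershell.exe','cmd.exe','wscript.exe','cscript.exe','rundll32.exe','mshta.exe')

function Test-BroadExclusion {
    param([string]$Type, [string]$Value)
    switch ($Type) {
        'ExclusionPath' {
            # A drive root, a bare drive letter, or a wildcard-only path excludes far more than intended
            return ($Value -match '^[A-Za-z]:\\?$' -or $Value -match '^\\\\\?\\?[A-Za-z]:\\\*' -or $Value -eq '*')
        }
        'ExclusionExtension' {
            return ($broadExtensions -contains $Value.TrimStart('.').ToLower())
        }
        'ExclusionProcess' {
            # A process exclusion exempts every file that process opens, so interpreters are high impact
            return ($broadProcesses -contains ([System.IO.Path]::GetFileName($Value)).ToLower())
        }
        default { return $false }
    }
}

$pref = Get-MpPreference
$types = 'ExclusionPath', 'ExclusionExtension', 'ExclusionProcess', 'ExclusionIpAddress'

# One row per exclusion entry, so the CSV can be diffed against the previous review cycle
$rows = foreach ($type in $types) {
    foreach ($value in @($pref.$type)) {
        if (-not [string]::IsNullOrWhiteSpace($value)) {
            [pscustomobject]@{
                Device     = $env:COMPUTERNAME
                Type       = $type
                Value      = $value
                Broad      = Test-BroadExclusion -Type $type -Value $value
                ReviewedOn = (Get-Date).ToString('yyyy-MM-dd')
            }
        }
    }
}

$rows | Export-Csv -Path $outputCsv -NoTypeInformation
"Exported $(@($rows).Count) exclusions to $outputCsv; $(@($rows | Where-Object Broad).Count) flagged as broad"
```

Rows flagged as `Broad` are the ones to confirm first against the original justification; if the application that required the exclusion is gone, the exclusion should go with it.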

Troubleshooting

The following articles provide guidance to troubleshoot and fix errors that you may experience when setting up your Microsoft Defender for Endpoint service.

Tip

Do you want to learn more? Engage with the Microsoft Security community in our Tech Community: Microsoft Defender for Endpoint Tech Community.