Defender Deception Capability Questions

Alyse Hart 90 Reputation points
2025-04-22T13:41:50.7866667+00:00

Hello,

I've read the documentation on the Deception Capability in Defender and I had some additional questions:

  1. Will there be additional documentation for the product once it becomes GA?
  2. If you turn off the default rule, will the decoys and lures remain on the already deployed devices?
    1. Is there a special action/process that needs to be completed after the rule is turned off?
  3. If it is desired to disable the default rule and the decoys and lures are deployed to a large number of clients, is it better to turn off the rule? Or remove the lures and decoys from the rule first, then disable the rule?
  4. Will the (default) rule continue to push decoys and lures to all Windows clients as a user environment grows and new devices are added?
    1. Is there a limit to the device count for the default rule?

Thank you

Microsoft Security Microsoft Defender Microsoft Defender for Cloud Apps

Accepted answer
  1. Catherine Kyalo 1,930 Reputation points Microsoft Employee
    2025-04-23T14:05:24.2766667+00:00

    Hi Alyse Hart,

    I acknowledge some of the questions here in regards to the documentation. I will escalate this to request that further details are provided.

    That being said, additional information regarding deception in Endpoint is provided in this video https://youtu.be/k2QxyVH--vU by Microsoft's Heike and Dean, an MDE product manager.

    To address points 2 & 3: at the 14.30 mark of the video, Dean clarifies that these lures or decoys are not actually created; instead, the deception technology mimics what that would look like.

    Based on my research, I haven't encountered any documentation on a limit to the device count for the default rule. I will follow up with PG to clarify this.

    If you find the answer above helpful, please Accept the answer to help anyone in the community who might have a similar question to quickly find the solution.

