This article gives an overview of the requirements and tasks for successfully operating Microsoft Defender for Endpoint in your organization. These tasks help your security operations center (SOC) effectively detect and respond to Microsoft Defender for Endpoint detected security threats.
This article also describes daily, weekly, monthly, and ad-hoc tasks your security team can perform for your organization.
Note
These are recommended steps; check them against your own policies and environment to make sure they are fit for purpose.
Prerequisites:
Microsoft Defender for Endpoint should be set up to support your regular security operations process. Although setup isn't covered in this document, the following articles provide configuration and setup information:
Configure Microsoft Defender Security Center time zone settings
Set up Microsoft Defender XDR incident notifications
Configure email notifications so that you're notified of Microsoft Defender XDR incidents that match the criteria you define. See Incident notifications by email.
Review the Microsoft Defender for Endpoint device discovery configuration to ensure it's configured as required. See Device discovery overview.
Daily activities
General
Review actions
In the action center, review the actions that have been taken in your environment, both automated and manual. This information helps you validate that automated investigation and response (AIR) is performing as expected and identify any manual actions that need to be reviewed. See Visit the Action center to see remediation actions.
Security operations team
Monitor the Microsoft Defender XDR Incidents queue
When Microsoft Defender for Endpoint identifies Indicators of compromise (IOCs) or Indicators of attack (IOAs) and generates an alert, the alert is included in an incident and displayed in the Incidents queue in the Microsoft Defender portal (https://security.microsoft.com).
Manage false positive and false negative detections
Review the incident queue, identify false positive and false negative detections, and submit them for review. Doing so helps you manage alerts in your environment effectively and improves the quality of the alerts you receive. See Address false positives/negatives in Microsoft Defender for Endpoint.
Review threat analytics high-impact threats
Review threat analytics to identify any campaigns that are impacting your environment.
The "High-impact threats" table lists the threats that have had the highest impact on the organization. This section ranks threats by the number of devices that have active alerts. See Track and respond to emerging threats through threat analytics.
Security administration team
Review health reports
Review health reports to identify any device health trends that need to be addressed. The device health reports cover Microsoft Defender for Endpoint AV signature, platform health, and EDR health. See Device health reports in Microsoft Defender for Endpoint.
Check Endpoint detection and response (EDR) sensor health
EDR health means that the sensor maintains its connection to the EDR service, so that Defender for Endpoint receives the signals it needs to raise alerts and identify vulnerabilities.
Keeping Microsoft Defender Antivirus up to date is critical for Defender for Endpoint to perform well and detect current threats, so check the update status regularly. The device health page shows the current platform, security intelligence, and engine versions. See the Device health, Microsoft Defender Antivirus health report.
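The device health report gives the fleet-wide view; the following added example (not Microsoft's code) collects the same platform, engine and signature versions plus EDR sensor state on a single endpoint, which is useful when triaging one device that the report flags. The one-day signature-age threshold is an assumption to align with your own policy; run it elevated on an onboarded Windows device.

```powershell
# Added example: local Defender AV / EDR sensor health triage for one endpoint.
# Threshold MaxSignatureAgeDays is an assumption; adjust to your policy.

function Get-DefenderHealthFindings {
    [CmdletBinding()]
    param(
        [int]$MaxSignatureAgeDays = 1   # assumption: signatures older than a day are stale
    )

    $findings = [System.Collections.Generic.List[string]]::new()

    # Microsoft Defender Antivirus status: platform, engine and signature versions.
    $status = Get-MpComputerStatus

    if (-not $status.AMServiceEnabled)          { $findings.Add('Antimalware service is not enabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("AV signatures are $($status.AntivirusSignatureAge) day(s) old (version $($status.AntivirusSignatureVersion))")
    }
    if ($status.AMRunningMode -ne 'Normal') {
        # e.g. 'Passive Mode' or 'EDR Block Mode' when another AV product is primary
        $findings.Add("Defender AV running mode is '$($status.AMRunningMode)'")
    }

    # EDR sensor: the 'Sense' service keeps the connection to the EDR service alive.
    $sense = Get-Service -Name Sense -ErrorAction SilentlyContinue
    if ($null -eq $sense) {
        $findings.Add('Sense service not found: device is probably not onboarded')
    } elseif ($sense.Status -ne 'Running') {
        $findings.Add("Sense service is $($sense.Status)")
    }

    # Onboarding state written by the onboarding package (1 = onboarded).
    $statusKey  = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $onboarding = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
    if ($onboarding -ne 1) { $findings.Add("OnboardingState is '$onboarding' (expected 1)") }

    [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        PlatformVersion  = $status.AMProductVersion
        EngineVersion    = $status.AMEngineVersion
        SignatureVersion = $status.AntivirusSignatureVersion
        SignatureUpdated = $status.AntivirusSignatureLastUpdated
        Healthy          = ($findings.Count -eq 0)
        Findings         = $findings.ToArray()
    }
}

Get-DefenderHealthFindings | Format-List
```

Any non-empty Findings entry corresponds to a condition that the device health report would surface as unhealthy, so the two views should agree for the same device.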
Weekly activities
General
Message Center
Microsoft Defender XDR uses the Microsoft 365 Message center to notify you of upcoming changes, such as new and changed features, planned maintenance, or other important announcements.
Review the Message center messages to understand any upcoming changes that impact your environment.
These tasks are maintenance for your security posture and are critical for your ongoing protection. Because they take time and effort, it's recommended that you set a standard schedule that you can maintain for performing them.
Review exclusions
Review exclusions that have been set in your environment to confirm you haven't created a protection gap by excluding things that are no longer required to be excluded.
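To support that review on an individual endpoint, the following added example (not Microsoft's code) lists the local Defender Antivirus path, extension and process exclusions and flags the patterns that most often create protection gaps. The broad-root, extension and process lists are assumptions to tune for your environment; run it elevated.

```powershell
# Added example: flag local Defender AV exclusions that commonly create protection gaps.
# The $broadRoots, $riskyExt and $riskyProc lists are assumptions; tune them to your estate.

function Get-RiskyDefenderExclusions {
    [CmdletBinding()]
    param()

    $pref = Get-MpPreference

    # Assumption: an exclusion at or above these roots covers far more than one app needs.
    $broadRoots = @('C:\', $env:SystemRoot, $env:ProgramData, 'C:\Users', $env:TEMP)
    # Assumption: excluding these types or interpreter processes leaves code unscanned.
    $riskyExt  = @('exe','dll','ps1','bat','cmd','vbs','js','hta','msi')
    $riskyProc = @('powershell.exe','pwsh.exe','cmd.exe','wscript.exe','cscript.exe',
                   'mshta.exe','rundll32.exe','regsvr32.exe')

    $rows = [System.Collections.Generic.List[object]]::new()
    function Add-Row($Type, $Value, $Reason) {
        $rows.Add([pscustomobject]@{ Type = $Type; Value = $Value; Reason = $Reason })
    }

    $paths = @($pref.ExclusionPath      | Where-Object { $_ })
    $exts  = @($pref.ExclusionExtension | Where-Object { $_ })
    $procs = @($pref.ExclusionProcess   | Where-Object { $_ })

    foreach ($path in $paths) {
        $norm = $path.TrimEnd('\')
        if ($path -match '[\*\?]') { Add-Row 'Path' $path 'wildcard path' }
        elseif ($broadRoots | Where-Object { $_ -and $norm -ieq $_.TrimEnd('\') }) {
            Add-Row 'Path' $path 'broad root path'
        }
        elseif ($path -match '\\(Temp|Downloads)(\\|$)') { Add-Row 'Path' $path 'user-writable folder' }
    }
    foreach ($ext in $exts) {
        if ($riskyExt -contains $ext.TrimStart('.').ToLower()) { Add-Row 'Extension' $ext 'executable or script type' }
    }
    foreach ($proc in $procs) {
        $leaf = [IO.Path]::GetFileName($proc).ToLower()
        if ($riskyProc -contains $leaf) { Add-Row 'Process' $proc 'script interpreter or system binary' }
    }

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        PathCount      = $paths.Count
        ExtensionCount = $exts.Count
        ProcessCount   = $procs.Count
        RiskyFindings  = $rows.ToArray()
    }
}

$report = Get-RiskyDefenderExclusions
$report | Select-Object Computer, PathCount, ExtensionCount, ProcessCount | Format-List
$report.RiskyFindings | Format-Table -AutoSize
```

Each flagged row is a candidate for removal or narrowing; exclusions that are still required should be recorded with the reason they exist so the next review can confirm them quickly.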
Review Defender policy configurations
Periodically review your Defender configuration settings to confirm that they're set as required.
Review custom detections
Periodically review whether the custom detections that have been created are still valid and effective. See Review custom detection.
Review alerts suppression
Periodically review any alert suppression rules that have been created to confirm they're still required and valid. See Review alerts suppression.
Troubleshooting
The following articles provide guidance to troubleshoot and fix errors that you may experience when setting up your Microsoft Defender for Endpoint service.