Wazuh SIEM Integrations (III) — Microsoft Defender for Endpoint

SOCFortress
2 min read · Aug 20, 2022


Introduction

Microsoft Defender for Endpoint is an enterprise endpoint security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

Defender for Endpoint can provide:

  • Next-Generation Protection: Designed to catch all types of emerging threats.
  • Microsoft Defender Antivirus: Cloud-delivered protection for near-instant detection and blocking of new and emerging threats, plus always-on scanning that uses advanced file and process behavior monitoring and other heuristics (also known as “real-time protection”).
  • Real-time endpoint detection and response insights correlated with endpoint vulnerabilities.
  • Threat and Vulnerability Management: Discovers vulnerabilities and misconfigurations in real time.
  • Always remediate PUA: Potentially unwanted applications (PUA) are a category of software that can cause your machine to run slowly, display unexpected ads, or, at worst, install other software that might be unexpected or unwanted.
  • Tamper protection: During some kinds of cyber-attacks, bad actors try to disable security features, such as anti-virus protection, on your machines; tamper protection helps prevent those changes.
  • Web content filtering: Block access to websites containing unwanted content and track web activity across all domains.

Microsoft DFE — Wazuh SIEM Integration

(All details can be found in the SOCFortress GitHub repo.)

Alerts, events, telemetry and other info:

  • Alerts
  • Indicators
  • Machines
  • Domain
  • Recommendations
  • Exposure Score by Group
  • Software
  • Machine Vulnerabilities
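As an added example (it is not the code from the SOCFortress repository), the block below shows the shape such an integration takes on the collection side: alert objects pulled from the Defender for Endpoint Alerts API are flattened into one-JSON-object-per-line records that Wazuh's logcollector can read with `<log_format>json</log_format>`, while alerts already forwarded on an earlier poll and alerts below a chosen severity are dropped. The field names used (`id`, `title`, `severity`, `status`, `category`, `threatFamilyName`, `computerDnsName`, `machineId`, `alertCreationTime`) are those of the public Alerts API; the alert values, hostnames and the `integration: ms-dfe` marker key are constructed for the example.

```python
"""Added example, not SOCFortress's integration code: turn Microsoft Defender
for Endpoint (MS-DFE) alert objects into one-JSON-object-per-line records that
Wazuh's logcollector can ingest with <log_format>json</log_format>, dropping
alerts already forwarded and those below a chosen severity.

Field names follow the public Defender for Endpoint Alerts API; the alert
values below are constructed for the example.
"""
import json

# Constructed sample, shaped like the "value" array of an Alerts API response.
SAMPLE_ALERTS = [
    {"id": "da637", "title": "Suspicious PowerShell command line", "severity": "High",
     "status": "New", "category": "Execution", "threatFamilyName": None,
     "computerDnsName": "ws01.example.local", "machineId": "m-0001",
     "alertCreationTime": "2022-08-20T10:15:00Z"},
    {"id": "da638", "title": "Potentially unwanted application", "severity": "Informational",
     "status": "Resolved", "category": "UnwantedSoftware", "threatFamilyName": "PUA:Win32/Example",
     "computerDnsName": "ws02.example.local", "machineId": "m-0002",
     "alertCreationTime": "2022-08-20T10:20:00Z"},
    {"id": "da639", "title": "Malware detected", "severity": "Medium",
     "status": "InProgress", "category": "Malware", "threatFamilyName": "Trojan:Win32/Example",
     "computerDnsName": "ws03.example.local", "machineId": "m-0003",
     "alertCreationTime": "2022-08-20T10:25:00Z"},
    # Same alert returned again on a later poll: it must not be forwarded twice.
    {"id": "da637", "title": "Suspicious PowerShell command line", "severity": "High",
     "status": "InProgress", "category": "Execution", "threatFamilyName": None,
     "computerDnsName": "ws01.example.local", "machineId": "m-0001",
     "alertCreationTime": "2022-08-20T10:15:00Z"},
]

# Severity ranking for the minimum-severity filter; unknown values rank lowest.
SEVERITY_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def normalize_alert(alert):
    """Flatten one MS-DFE alert into a record with stable, SIEM-friendly keys.
    The "integration" key is an assumed marker so Wazuh rules can match these events."""
    return {
        "integration": "ms-dfe",
        "data_type": "alert",
        "alert_id": alert["id"],
        "title": alert.get("title"),
        "severity": alert.get("severity") or "Informational",
        "status": alert.get("status"),
        "category": alert.get("category"),
        "threat_family": alert.get("threatFamilyName") or "unknown",
        "host": alert.get("computerDnsName"),
        "machine_id": alert.get("machineId"),
        "created": alert.get("alertCreationTime"),
    }


def select_new_alerts(alerts, seen_ids, min_severity="Low"):
    """Return normalized records for alerts not yet forwarded and at or above
    min_severity. seen_ids is updated in place so the caller can persist it
    as a checkpoint between polls."""
    threshold = SEVERITY_ORDER[min_severity]
    records = []
    for alert in alerts:
        if alert["id"] in seen_ids:
            continue
        if SEVERITY_ORDER.get(alert.get("severity"), 0) < threshold:
            continue
        seen_ids.add(alert["id"])
        records.append(normalize_alert(alert))
    return records


def to_wazuh_lines(records):
    """Serialize records as compact single-line JSON, one object per line."""
    return [json.dumps(r, separators=(",", ":"), sort_keys=True) for r in records]


def append_to_log(records, path):
    """Append the lines to the file a Wazuh <localfile> entry would monitor."""
    with open(path, "a", encoding="utf-8") as fh:
        for line in to_wazuh_lines(records):
            fh.write(line + "\n")


if __name__ == "__main__":
    seen = set()
    for line in to_wazuh_lines(select_new_alerts(SAMPLE_ALERTS, seen)):
        print(line)
```

Run as-is it prints the two records that survive the duplicate and severity filters. In a real deployment the file written by `append_to_log` is pointed at by a `<localfile>` entry with `<log_format>json</log_format>` in the agent's `ossec.conf`, after which the JSON decoder exposes every key (for example `integration`, `severity`, `threat_family`) to custom rules; persisting `seen_ids` between polls is what keeps the same Defender alert from raising a second Wazuh alert every time the API returns it.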

MS-DFE events and visualizations in SOCFortress Platform

  • Alerts — Summary
  • Alerts by threat family and name
  • System (OS) and software vulnerabilities

Need Help?

The functionality discussed in this post, and much more, is available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Platform Demo: https://www.socfortress.co/demo_access.html


SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).