Defender for Endpoint
Level-500 reference for architecture, onboarding, ASR, EDR, device control, advanced hunting, APIs, and Intune control for Microsoft Defender for Endpoint.
Windows, Server, macOS, Linux, iOS, and Android share the same cloud console, but not the same sensor depth or remediation capability.
ASR, next-gen AV, network protection, web protection, and controlled folder access form the preventive layer.
EDR, advanced hunting, device timeline, AIR, and live response cover investigation and containment.
Device groups, RBAC, TVM, APIs, and Intune security baselines define the operating model at scale.
Defender for Endpoint is not an isolated AV product. The highest maturity comes from coupling it with Intune, Entra Conditional Access, Defender XDR, and a well-segmented device group strategy.
Architecture and core components
| Component | Role | Deep detail |
|---|---|---|
| Sensor | Generates process, network, file, registry, and user telemetry | Windows provides the deepest telemetry; macOS and Linux are converging but still differ in available actions and tamper controls. |
| Microsoft Defender portal | Central console for alerts, device inventory, and hunting | The portal unifies endpoint, identity, Office 365, and cloud apps in the XDR model. |
| EDR pipeline | Correlated alerts, incident formation, and the device timeline | High-quality detection comes from EDR correlation and context enrichment, not only from AV hits. |
| TVM | Exposure and vulnerability management | TVM prioritizes not only CVEs but also security recommendations and exposure scores per device. |
| Security settings management | MDE manages Defender policies even without full Intune | Useful for servers or niche environments where only AV/ASR control is needed. |
| API layer | Automation and integrations | Alerts, indicators, machine actions, advanced queries, and TVM can be integrated into SOAR or CMDB through APIs. |
Onboarding all platforms
| Platform | Typical method | Key consideration |
|---|---|---|
| Windows 10/11 | Intune, GPO, Configuration Manager, Autopilot, script | Prefer deploying together with Defender Antivirus in active mode, tamper protection, and attack surface reduction. |
| Windows Server 2012 R2/2016 | Unified agent / scripted onboarding | Down-level servers need the modern unified solution and extra proxy and live response validation. |
| Windows Server 2019/2022/2025 | Server onboarding package, Arc, Intune, security settings management | Server hardening and exclusions must be aligned per workload with SQL, Exchange, or third-party AV. |
| macOS | Intune, Jamf Pro, local deployment package | System extensions, full disk access, and network filters are mandatory for full protection. |
| Linux | Repository package, Ansible, Puppet, shell script | Validate supported distributions and kernel versions first; document proxy and eBPF/auditd dependencies. |
| iOS | Intune app protection or device enrollment | iOS focuses more on web protection, anti-phishing, and device risk for Conditional Access. |
| Android | Android Enterprise with Intune, app protection for BYOD | Supports corporate-owned, work profile, and BYOD scenarios with differentiated privacy settings. |
| Deployment path | When appropriate | Note |
|---|---|---|
| Intune endpoint security | Standard for modern device management | Combines onboarding, antivirus, ASR, firewall, device control, and compliance in one MDM model. |
| Configuration Manager | Co-managed or traditional Windows fleets | Useful for large Windows estates, but define a long-term migration path to Intune. |
| Group Policy | Fast activation of AV/ASR in AD-centric environments | Good for baseline controls, weaker for mixed platforms, reporting, and cloud-only clients. |
| Scripted onboarding | VDI, special devices, change windows | Handle signatures and secrets correctly; rollback and health checks are mandatory. |
| Jamf / Linux config management | Non-Windows ecosystems | macOS and Linux need their own operational runbooks for updates, troubleshooting, and policy drift. |
Attack Surface Reduction (ASR)
Microsoft Learn currently documents 19 production ASR rules. The following table captures the full current set including GUIDs. For rollout maturity, enable audit mode on pilot devices first, then move each rule category step by step into warn or block.
| Rule | GUID | Purpose | Recommended starting mode |
|---|---|---|---|
| Block abuse of exploited vulnerable signed drivers (Device) | 56a863a9-875e-4185-98a7-b882c64b5ce5 | Prevent kernel and driver abuse | Block |
| Block credential stealing from the Windows local security authority subsystem | 9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2 | Block LSASS access by credential dumping tools | Block |
| Block persistence through WMI event subscription | e6db77e5-3df2-4cf1-b95a-636979351e5b | Prevent WMI-based persistence | Audit → Block |
| Block Adobe Reader from creating child processes | 7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c | Stop exploit chains through Reader | Audit → Block |
| Block all Office applications from creating child processes | d4f940ab-401b-4efc-aadc-ad5f3c50688a | Prevent macro and LOLBin launches from Office | Block |
| Block executable content from email client and webmail | be9ba2d9-53ea-4cdc-84e5-9b1eeee46550 | Block direct launching of risky attachments | Block |
| Block executable files from running unless they meet a prevalence, age, or trusted list criterion | 01443614-cd74-433a-b99e-2ecdc07bfc25 | Reduce unknown or rare executable payloads | Audit → Warn/Block |
| Block execution of potentially obfuscated scripts | 5beb7efe-fd9a-4556-801d-275e5ffc04cc | Detect obfuscated PowerShell/JScript attacks | Block |
| Block JavaScript or VBScript from launching downloaded executable content | d3e037e1-3eb8-44c8-a917-57927947596d | Stop script-based dropper chains | Block |
| Block Office applications from creating executable content | 3b576869-a4ec-4529-8536-b80a7769e899 | Macros must not create PE files | Block |
| Block Office applications from injecting code into other processes | 75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84 | Block process injection from the Office context | Block |
| Block Office communication application from creating child processes | 26190899-1602-49e8-8b27-eb1d0a1ce869 | Limit Teams/Outlook child process abuse | Audit → Block |
| Block process creations originating from PSExec and WMI commands | d1e49aac-8f56-4280-b9ba-993a6d77406c | Prevent lateral movement via PSExec/WMI | Audit → Block |
| Block rebooting machine in Safe Mode | 33ddedf1-c6e0-47cb-833e-de6133960387 | Stop ransomware Safe Mode bypass | Block |
| Block untrusted and unsigned processes that run from USB | b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4 | Contain USB-based malware and portable tools | Audit → Block |
| Block use of copied or impersonated system tools | c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb | Detect copied LOLBins such as a renamed cmd.exe | Audit → Block |
| Block Webshell creation for Servers | a8f5898e-1dc8-49a9-9878-85004b8a61e6 | Suppress server-side webshell artifacts | Audit → Block |
| Block Win32 API calls from Office macros | 92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b | Macros must not abuse low-level API calls | Block |
| Use advanced protection against ransomware | c1db55ab-c21a-4637-bb3f-a12568109d35 | Use cloud-delivered heuristics for ransomware behavior | Block |
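The rollout the table describes, as an added example that is not code from the page or from Microsoft: it applies each rule's recommended starting mode locally with Set-MpPreference, then reads the effective state back and flags drift. It assumes an elevated PowerShell session on a Windows device with Defender Antivirus in active mode and no Intune/GPO-managed ASR policy (a managed policy overrides the local preference), which matches the scripted-onboarding pilot case above.

```powershell
# Added example (not from the page or from Microsoft). Applies the starting modes from
# the ASR table via Set-MpPreference and verifies the effective configuration.
# Assumes: elevated session, Defender AV active, no MDM/GPO ASR policy on this device.

# Rules the table starts in Block mode.
$blockRules = @(
    '56a863a9-875e-4185-98a7-b882c64b5ce5', # Vulnerable signed drivers
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2', # LSASS credential stealing
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a', # Office child processes
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550', # Executable content from email/webmail
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc', # Obfuscated scripts
    'd3e037e1-3eb8-44c8-a917-57927947596d', # JS/VBS launching downloaded content
    '3b576869-a4ec-4529-8536-b80a7769e899', # Office creating executable content
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84', # Office code injection
    '33ddedf1-c6e0-47cb-833e-de6133960387', # Safe Mode reboot
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b', # Win32 API calls from macros
    'c1db55ab-c21a-4637-bb3f-a12568109d35'  # Advanced ransomware protection
)

# Rules the table starts in Audit mode before moving to Warn/Block.
$auditRules = @(
    'e6db77e5-3df2-4cf1-b95a-636979351e5b', # WMI event subscription persistence
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c', # Adobe Reader child processes
    '01443614-cd74-433a-b99e-2ecdc07bfc25', # Prevalence/age/trusted-list criterion
    '26190899-1602-49e8-8b27-eb1d0a1ce869', # Office communication app child processes
    'd1e49aac-8f56-4280-b9ba-993a6d77406c', # PSExec/WMI process creation
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4', # Untrusted/unsigned processes from USB
    'c0033c00-d16d-4114-a5a0-dc9b3a7d2ceb', # Copied/impersonated system tools
    'a8f5898e-1dc8-49a9-9878-85004b8a61e6'  # Webshell creation on servers
)

# Desired state keyed by GUID, using the action codes Get-MpPreference reports:
# 0 = Disabled, 1 = Block, 2 = AuditMode, 6 = Warn. Hashtable keys are case-insensitive,
# so GUIDs reported in upper case still match.
$desired = @{}
$blockRules | ForEach-Object { $desired[$_] = 1 }
$auditRules | ForEach-Object { $desired[$_] = 2 }

# Set-MpPreference replaces the locally configured rule set (Add-MpPreference would
# merge into it). Ids and Actions are positional pairs, so build them in the same order.
$ids     = @($blockRules + $auditRules)
$actions = @(($blockRules | ForEach-Object { 'Enabled' }) + ($auditRules | ForEach-Object { 'AuditMode' }))
Set-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions

# Read back what the engine actually holds and compare it against the desired state.
$pref      = Get-MpPreference
$effective = @{}
for ($i = 0; $i -lt $pref.AttackSurfaceReductionRules_Ids.Count; $i++) {
    $effective[$pref.AttackSurfaceReductionRules_Ids[$i]] = [int]$pref.AttackSurfaceReductionRules_Actions[$i]
}

$names = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }
$drift = foreach ($guid in $desired.Keys) {
    $have = -1
    if ($effective.ContainsKey($guid)) { $have = $effective[$guid] }
    $actual = 'NotConfigured'
    if ($have -ge 0) { $actual = $names[$have] }
    [pscustomobject]@{
        Rule     = $guid
        Expected = $names[$desired[$guid]]
        Actual   = $actual
        Drift    = ($have -ne $desired[$guid])
    }
}
# Drifted rules (for example still Disabled because a managed policy wins) sort to the top.
$drift | Sort-Object Drift -Descending | Format-Table -AutoSize
```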
Controlled Folder Access, exploit, network, and web protection
| Control | Focus | Operational note |
|---|---|---|
| Controlled Folder Access | Protect sensitive folders from ransomware | Enable audit mode first, allow line-of-business apps, and protect only clearly defined storage locations. |
| Exploit protection | Memory, DEP, ASLR, and app-specific mitigations | Version it through an XML baseline and document application exceptions deliberately. |
| Network protection | Blocks known malicious or low-reputation destinations | Works especially well together with SmartScreen, web content filtering, and indicators. |
| Web protection | Phishing, malware, and custom URL/IP control | On mobile platforms, web protection is often the most important MDE control point. |
| Tamper protection | Protects Defender settings from tampering | Should be enabled almost everywhere; exceptions only for clearly justified operational scenarios. |
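The "audit first, XML baseline, defined locations" guidance from the table above, as an added example (not the page's or Microsoft's code): it puts Controlled Folder Access into audit mode with one protected folder and one allowed line-of-business app, exports the exploit protection state as a versionable XML baseline, enables network protection, and then summarizes what audit mode would have blocked. The folder, app and baseline paths are placeholders, and it assumes an elevated session on a Windows device with Defender Antivirus active.

```powershell
# Added example (not from the page or from Microsoft). Placeholder values:
$baselineXml = 'C:\Baseline\exploit-protection.xml'   # where the XML baseline is written (assumption)
$lobApp      = 'C:\Program Files\Contoso\Erp.exe'      # line-of-business app to allow (assumption)
$finance     = 'D:\Finance'                            # protected location (assumption)

# 1. Controlled Folder Access: audit mode first, scoped to a defined location, LOB app allowed.
#    Valid modes include Disabled, Enabled, AuditMode, BlockDiskModificationOnly, AuditDiskModificationOnly.
Set-MpPreference -EnableControlledFolderAccess AuditMode
Add-MpPreference -ControlledFolderAccessProtectedFolders $finance
Add-MpPreference -ControlledFolderAccessAllowedApplications $lobApp

# 2. Network protection in block mode (use AuditMode on a pilot ring).
Set-MpPreference -EnableNetworkProtection Enabled

# 3. Exploit protection: export the current mitigations so the baseline can be versioned
#    and re-applied elsewhere with Set-ProcessMitigation -PolicyFilePath $baselineXml.
New-Item -ItemType Directory -Path (Split-Path $baselineXml) -Force | Out-Null
Get-ProcessMitigation -RegistryConfigFilePath $baselineXml

# 4. Review what audit mode would have blocked in the last 7 days before moving to block.
#    Defender operational log event IDs: 1122 = ASR audited, 1124 = CFA audited,
#    1125 = network protection audited.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1122, 1124, 1125
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue

# ASR audit events carry the rule GUID in the message; CFA and NP events do not, so the
# GUID regex is used only to split ASR events per rule. The first message line is kept as a sample.
$guidPattern = '[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'
$rows = foreach ($e in $events) {
    $kind = 'Unknown'
    switch ($e.Id) {
        1122 { $kind = 'ASR audit' }
        1124 { $kind = 'CFA audit' }
        1125 { $kind = 'NP audit' }
    }
    $rule = [regex]::Match($e.Message, $guidPattern).Value
    [pscustomobject]@{
        Kind   = $kind
        Rule   = $rule
        Sample = ($e.Message -split "`n")[0]
    }
}

# Count per control/rule: high counts for one rule or one app are the allow-list and
# exception candidates to settle before switching that control to block.
$rows |
    Group-Object Kind, Rule |
    ForEach-Object {
        [pscustomobject]@{
            Count  = $_.Count
            Kind   = $_.Group[0].Kind
            Rule   = $_.Group[0].Rule
            Sample = $_.Group[0].Sample
        }
    } |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```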
EDR, alerts, timeline, AIR, and remediation
| Feature | Analyst value | Special note |
|---|---|---|
| Device timeline | Chronological view of processes, logons, registry, and network | The timeline is often faster than advanced hunting for initial hypothesis testing. |
| Alerts | Curated detections with evidence and MITRE mapping | High-fidelity alerts often come from XDR correlation, not only from single events. |
| AIR | Automates investigation and remediation | AIR should be paired with clear approval and rollback processes per device group. |
| Machine actions | Isolate, AV scan, restrict app execution, collect package | These actions are powerful and must be secured with RBAC, PIM, and break-glass processes. |
| Remediation center | Tracking of quarantine, delete, and restore actions | Important for audit, reversibility, and lessons learned after false positives. |
Device control, USB, printer, and Bluetooth
| Control | Typical policy | Example |
|---|---|---|
| USB mass storage | Block, audit, read-only, or allow via groups | Allow encrypted media for designated IT admins and block anonymous storage devices. |
| Printer | Restrict printing to approved devices | Useful for exfiltration protection in finance, legal, or regulated workstations. |
| Bluetooth | Limit pairing or file transfer | Especially relevant for kiosks, shared devices, and highly regulated segments. |
| Removable media allow list | Allow devices by hardware ID or certificate | Reduces exception handling without weakening a general USB block. |
Web content filtering categories
| Category | Typical objective | Comment |
|---|---|---|
| Adult content | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Gambling | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Hate and intolerance | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Legal drugs | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Illegal drugs | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Violence | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Weapons | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Streaming media | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Peer-to-peer | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Dynamic DNS | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Newly registered domains | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Parked domains | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Malware | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Phishing | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Command and control | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Cryptomining | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Anonymizers | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Remote access | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Social networking | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Personal email | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Search engines | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Productivity | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| News and media | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
| Web ads and trackers | Acceptable use, risk, or compliance control | Align with device groups and reporting; blocking without communication creates helpdesk spikes. |
Indicators for URL, IP, domain, file, and certificate
| Type | Actions | Typical use |
|---|---|---|
| URL | Allow, warn, block | Control known phishing landing pages, or approved business URLs that need exceptions. |
| Domain | Allow or block | Suitable for C2 domains, typosquatting, or compromised SaaS endpoints. |
| IP address | Allow or block | For sinkholes, botnet destinations, or temporary containment targets. |
| File hash | Allow, block and remediate, alert and block | Useful for malware reuse, false-positive exceptions, or internal toolchains. |
| Certificate | Allow or block | Blocks signed but abused publishers, or allows known internal signing chains. |
Live Response: Befehlsreferenz Live Response: command reference
| Befehl Command | DE Kurzbeschreibung DE summary | EN Summary EN summary | Level Level |
|---|---|---|---|
| cd cd | Arbeitsverzeichnis wechseln Arbeitsverzeichnis wechseln | Change current working directory Change current working directory | Basic Basic |
| cls cls | Konsole leeren Konsole leeren | Clear the console Clear the console | Basic Basic |
| connect connect | Sitzung zum Gerät initiieren Sitzung zum Gerät initiieren | Initiate a session to the device Initiate a session to the device | Basic Basic |
| connections connections | Aktive Verbindungen anzeigen Aktive Verbindungen anzeigen | Show active connections Show active connections | Basic Basic |
| dir dir | Dateien und Unterordner auflisten Dateien und Unterordner auflisten | List files and subfolders List files and subfolders | Basic Basic |
| drivers drivers | Installierte Treiber anzeigen Installierte Treiber anzeigen | Show installed drivers Show installed drivers | Basic Basic |
| fg <job> fg <job> | Hintergrundjob in den Vordergrund holen Hintergrundjob in den Vordergrund holen | Bring a background job to the foreground Bring a background job to the foreground | Basic Basic |
| fileinfo fileinfo | Dateiinformationen lesen Dateiinformationen lesen | Read file information Read file information | Basic Basic |
| findfile | Find files by name | Pair with `fileinfo` on each hit for hashes and timestamps before deciding on `getfile`. | Basic |
| getfile | Download a file | Retrieves the file from the device for download; for large or locked files start it in the background with a trailing `&` and track it with `jobs`. | Basic |
| help | Get help for commands | `help <command>` lists that command's parameters. | Basic |
| jobs | Inspect running jobs | Lists background jobs; `fg <job_id>` brings one back to the foreground. | Basic |
| persistence | Show known persistence methods | Autoruns-style overview; a starting point, not a complete persistence inventory. | Basic |
| processes | Show running processes | Read the parent/child relationships here before deciding what to `remediate`. | Basic |
| registry | Read registry values | Read-only; removing a malicious value is a `remediate` action. | Basic |
| scheduledtasks | Show scheduled tasks | Check the action's executable and its signer, not only the task name. | Basic |
| services | Show services | Unsigned service binaries and odd image paths are the usual finds. | Basic |
| startupfolders | Review startup folders | Covers the per-user and all-users startup folders. | Basic |
| status | Check command or job status | Poll long-running `collect` or `getfile` jobs here. | Basic |
| trace | Enable debug logging | Turn on when a command hangs or fails to get more detail in the session output. | Basic |
| analyze | Evaluate a file or process with analysis engines | Returns a verdict; it does not contain or remediate anything by itself. | Advanced |
| collect | Collect a forensic package | Same investigation package as the portal action (autoruns, processes, network connections, prefetch, event logs and more); run it in the background on busy hosts. | Advanced |
| isolate | Isolate the device from the network | Isolation keeps the Defender channel open, so the live response session survives it. | Advanced |
| release | Release network isolation | Record the justification; releasing a contained host is a decision the incident record must show. | Advanced |
| run | Run a PowerShell/Bash script from the library | Scripts must be uploaded to the library first; unsigned scripts require the "Live Response unsigned script execution" advanced feature, otherwise sign them. | Advanced |
| library | Manage files in the live response library | `library put <file>` uploads, `library list` shows what is staged. | Advanced |
| putfile | Copy a file from the library to the device | Use it to stage tooling or a clean replacement file; remove what you staged when done. | Advanced |
| remediate | Remediate a file, process, service, registry item, or scheduled task | Quarantines, kills, or removes the item; document what you removed and keep `undo` in mind. | Advanced |
| scan | Launch a quick antivirus scan | Quick scan only; a full scan is a portal action or a Machine Actions API call. | Advanced |
| undo | Undo a remediation action | Reverts an earlier `remediate`, for example by restoring a quarantined file. | Advanced |
Typical session commands:

```text
connections -output json
processes -name powershell.exe
fileinfo C:\Users\Public\invoice.hta
getfile C:\ProgramData\suspicious.dll
```
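The `run` command is where a live response session scales beyond single commands. The script below is an added example of a triage script for the library; it is not part of this page's original content and not a Microsoft-supplied script. It assumes the session runs as SYSTEM (which live response does) and that the `Days` threshold of 7 is a reasonable default; both the threshold and the function names are this example's own choices. It walks Run/RunOnce keys of every loaded hive, non-Microsoft scheduled tasks and service binaries, checks the Authenticode signer of each image and flags images written recently, then emits one JSON document that a SOAR step can parse.

```powershell
# Get-PersistenceTriage.ps1: added example for the live response library, not part of this page's
# original content or of the product. Upload it with "library put Get-PersistenceTriage.ps1" and start it
# with "run Get-PersistenceTriage.ps1"; it prints one JSON document so a SOAR step can parse the result.
$Days = 7                                 # images written in the last N days are reported as "Recent" (assumed value)
$ErrorActionPreference = 'SilentlyContinue'
$since = (Get-Date).AddDays(-$Days)

# Signer of an image file, or the reason it could not be verified
function Get-SignerInfo {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return 'missing' }
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -eq 'Valid') { return $sig.SignerCertificate.Subject }
    return "unsigned/$($sig.Status)"
}

# First token of a command line, quoted or not. Unquoted paths with spaces end up as "missing" above,
# which is itself worth a look because legitimate installers quote them.
function Get-ImagePath {
    param([string]$CommandLine)
    if (-not $CommandLine) { return $null }
    if ($CommandLine -match '^"([^"]+)"') { return [Environment]::ExpandEnvironmentVariables($Matches[1]) }
    return [Environment]::ExpandEnvironmentVariables(($CommandLine -split ' ')[0])
}

$findings = [System.Collections.Generic.List[object]]::new()

# 1. Run/RunOnce keys, machine-wide and for every loaded user hive (the session runs as SYSTEM)
$runKeys = 'Software\Microsoft\Windows\CurrentVersion\Run', 'Software\Microsoft\Windows\CurrentVersion\RunOnce'
$hives = @('HKLM:') + @(Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object { "Registry::$($_.Name)" })
foreach ($hive in $hives) {
    foreach ($key in $runKeys) {
        $item = Get-Item -LiteralPath "$hive\$key"
        if (-not $item) { continue }
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            $findings.Add([pscustomobject]@{
                Type = 'RunKey'; Location = "$hive\$key\$name"; Command = $cmd
                Signer = Get-SignerInfo (Get-ImagePath $cmd)
            })
        }
    }
}

# 2. Scheduled tasks outside the \Microsoft\ folder, one finding per executable action
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    foreach ($action in $_.Actions) {
        if (-not $action.Execute) { continue }        # COM-handler actions have no Execute
        $findings.Add([pscustomobject]@{
            Type = 'ScheduledTask'; Location = "$($_.TaskPath)$($_.TaskName)"
            Command = "$($action.Execute) $($action.Arguments)".Trim()
            Signer = Get-SignerInfo (Get-ImagePath $action.Execute)
        })
    }
}

# 3. Services whose binary is not validly signed
foreach ($svc in Get-CimInstance Win32_Service) {
    $signer = Get-SignerInfo (Get-ImagePath $svc.PathName)
    if ($signer -eq 'missing' -or $signer -like 'unsigned/*') {
        $findings.Add([pscustomobject]@{
            Type = 'Service'; Location = $svc.Name; Command = $svc.PathName; Signer = $signer
        })
    }
}

# A fresh image behind a persistence entry is the first thing to look at
foreach ($f in $findings) {
    $img = Get-ImagePath $f.Command
    $recent = [bool]($img -and (Test-Path -LiteralPath $img) -and ((Get-Item -LiteralPath $img).LastWriteTime -gt $since))
    $f | Add-Member -NotePropertyName Recent -NotePropertyValue $recent
}

[pscustomobject]@{
    Host      = $env:COMPUTERNAME
    Collected = (Get-Date).ToString('o')
    Recent    = @($findings | Where-Object Recent)
    All       = $findings
} | ConvertTo-Json -Depth 4
```

Stage it with `library put`, run it, and pull the JSON out of the session output. The script deliberately reports unsigned and missing images rather than deciding for you: a missing image behind a Run key is as interesting as an unsigned one, and `remediate` is a separate, logged decision.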
Threat analytics, device discovery, TVM, device groups, and RBAC
| Area | Value | Watch out for |
|---|---|---|
| Threat analytics | Curated situational awareness for active campaigns and your exposure to them | Only effective when recommendations are translated into patching, hardening, and detection work. |
| Device discovery | Discovers unmanaged or little-known devices on the network | Use discovery results to bring shadow assets into TVM and segmentation scope. |
| TVM | Exposure score, Secure Score for Devices, recommendations | Prioritize by exploitable CVEs plus business criticality, not by CVSS alone. |
| Device groups | Segment visibility and actions | Device groups are simultaneously the scope for RBAC, the automation level, and often for policy exception workflows. |
| RBAC | Least privilege for SOC and operations | Combine RBAC with Entra PIM and break-glass accounts for machine actions. |
API surfaces
| API | What to retrieve or control | Typical use case |
|---|---|---|
| Alerts API | Alerts, evidence, and status updates | SOAR, ticketing, and synchronization in SIEM-of-SIEM scenarios. |
| Advanced hunting API | KQL queries across device, email, identity, and cloud tables | Scheduled reporting, custom detections, or case enrichment from third-party portals; budget for the per-tenant quota (calls per minute and per hour, result caps, 30-day lookback). |
| Indicators API | URL, IP, domain, file, and certificate IOCs | Automatic import from TIPs or blocklists into the endpoint layer. |
| Machine Actions API | Isolate, collect investigation package, run AV scan, restrict app execution, tag devices | Automatic containment after high-risk incidents or from SOAR playbooks. |
| TVM API | Vulnerabilities, recommendations, exposure | CMDB reconciliation, patch prioritization, and executive reporting. |
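The hunting and Machine Actions APIs are usually combined in exactly the way the table describes: hunt, check scope, contain. The playbook below is an added example of that loop, written for this page and not taken from it or from Microsoft. It assumes an app registration with the AdvancedQuery.Read.All, Machine.Read.All and Machine.Isolate application permissions, a device group called `Workstations-HighRisk` as the containment scope, and a threshold of three LSASS credential-theft blocks per hour; those names, the threshold and the function names are this example's own assumptions. The guard rails are the point: the device group check keeps the playbook inside its RBAC scope, and the machine-action lookup stops it from stacking a second isolate on a device that is already contained.

```powershell
# Added example, not from this page or from Microsoft: a hunt-then-isolate playbook over the MDE APIs.
# Assumes an app registration holding the AdvancedQuery.Read.All, Machine.Read.All and Machine.Isolate
# application permissions; the device group name and the function names are this example's own.
param(
    [Parameter(Mandatory)] [string]$TenantId,
    [Parameter(Mandatory)] [string]$ClientId,
    [Parameter(Mandatory)] [string]$ClientSecret,
    [string[]]$AllowedDeviceGroups = @('Workstations-HighRisk'),   # device groups this playbook may isolate
    [switch]$DryRun
)
$ErrorActionPreference = 'Stop'
$ApiBase = 'https://api.securitycenter.microsoft.com/api'

function Get-MdeToken {
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = 'https://api.securitycenter.microsoft.com/.default'
        grant_type    = 'client_credentials'
    }
    (Invoke-RestMethod -Method Post -Uri "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token" -Body $body).access_token
}

function Invoke-MdeApi {
    param([string]$Method, [string]$Path, [object]$Body)
    $request = @{
        Method      = $Method
        Uri         = "$ApiBase/$Path"
        Headers     = @{ Authorization = "Bearer $script:Token" }
        ContentType = 'application/json'
    }
    if ($null -ne $Body) { $request.Body = $Body | ConvertTo-Json -Depth 5 }
    Invoke-RestMethod @request
}

$script:Token = Get-MdeToken

# 1. Hunt: devices with repeated LSASS credential-theft blocks in the last hour
$query = @'
DeviceEvents
| where Timestamp > ago(1h)
| where ActionType == "AsrLsassCredentialTheftBlocked"
| summarize Blocks = count(), LastSeen = max(Timestamp) by DeviceId, DeviceName
| where Blocks >= 3
'@
$hits = @((Invoke-MdeApi -Method Post -Path 'advancedqueries/run' -Body @{ Query = $query }).Results)

foreach ($hit in $hits) {
    # 2. Guard rails: only devices in an allowed device group, and never a second isolate on top of a live one
    $machine = Invoke-MdeApi -Method Get -Path "machines/$($hit.DeviceId)"
    if ($machine.rbacGroupName -notin $AllowedDeviceGroups) {
        Write-Warning "$($hit.DeviceName): device group '$($machine.rbacGroupName)' is out of scope, skipping"
        continue
    }
    $filter = "machineId eq '$($hit.DeviceId)' and (type eq 'Isolate' or type eq 'Unisolate')"
    $last = @((Invoke-MdeApi -Method Get -Path "machineactions?`$filter=$([uri]::EscapeDataString($filter))").value) |
        Sort-Object creationDateTimeUtc -Descending | Select-Object -First 1
    if ($last -and $last.type -eq 'Isolate' -and $last.status -in 'Pending', 'InProgress', 'Succeeded') {
        Write-Host "$($hit.DeviceName): isolation already in place ($($last.status)), skipping"
        continue
    }

    # 3. Contain: full isolation keeps the Defender channel open, so live response still works afterwards
    $comment = "Playbook: $($hit.Blocks) LSASS credential theft blocks, last at $($hit.LastSeen)"
    if ($DryRun) { Write-Host "[dry-run] would isolate $($hit.DeviceName): $comment"; continue }
    $action = Invoke-MdeApi -Method Post -Path "machines/$($hit.DeviceId)/isolate" -Body @{ Comment = $comment; IsolationType = 'Full' }

    # 4. Machine actions are asynchronous: poll until the action leaves Pending/InProgress
    do {
        Start-Sleep -Seconds 10
        $action = Invoke-MdeApi -Method Get -Path "machineactions/$($action.id)"
    } while ($action.status -in 'Pending', 'InProgress')
    Write-Host "$($hit.DeviceName): isolate -> $($action.status) (machine action $($action.id))"
}
```

Run it with `-DryRun` first and read the skip messages: they tell you whether the device group scope matches what the SOC expects before any host is cut off. The comment you pass lands on the machine action, so write it for the analyst who will see it in the Action center an hour later.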
Advanced hunting: sample queries
All queries below are starting points; tune thresholds and exclusions per device group before promoting any of them to a custom detection.
PowerShell download cradle
```kql
DeviceProcessEvents
| where FileName in~ ("powershell.exe", "pwsh.exe")
// base64-encoded (-enc) command lines are not covered here; decode those in a separate query
| where ProcessCommandLine has_any ("Invoke-WebRequest", "DownloadString", "DownloadFile", "Net.WebClient", "iwr", "irm", "Start-BitsTransfer")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, ProcessCommandLine
```
LSASS access
```kql
DeviceEvents
// ASR rule telemetry (audit or block) plus raw process-open calls against lsass.exe
| where ActionType in ("AsrLsassCredentialTheftAudited", "AsrLsassCredentialTheftBlocked")
    or (ActionType == "OpenProcessApiCall" and FileName =~ "lsass.exe")
| where InitiatingProcessSignerType !~ "Microsoft"   // trims Microsoft-signed tooling; review this exclusion for your estate
| project Timestamp, DeviceName, ActionType, InitiatingProcessAccountName, InitiatingProcessFileName, InitiatingProcessCommandLine
```
Ransomware note creation
```kql
DeviceFileEvents
| where ActionType == "FileCreated"
| where FileName matches regex @"(?i)(readme|recover|decrypt|how_to).*\.(txt|html?|hta)$"
// the signal is one process dropping the same note into many folders, so count distinct folders per process
| summarize Notes = count(), Folders = dcount(FolderPath) by DeviceName, InitiatingProcessFileName, InitiatingProcessAccountName, bin(Timestamp, 10m)
| where Notes > 5 and Folders > 3
```
Unsigned processes from temp
```kql
DeviceProcessEvents
// verbatim strings (@"...") because backslashes are escape characters in regular KQL string literals
| where FolderPath has_any (@"\Temp\", @"\AppData\Local\Temp\")
// DeviceFileCertificateInfo only has rows for files with certificate data; a missing row after the leftouter join means no signature seen
| join kind=leftouter (DeviceFileCertificateInfo | summarize arg_max(Timestamp, IsSigned, Signer) by SHA1) on SHA1
| where isnull(IsSigned) or IsSigned == false
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, SHA1, Signer, InitiatingProcessFileName
```
Office spawning LOLBins
```kql
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
```
PsExec/WMI lateral movement
```kql
DeviceProcessEvents
// On the target the parent is PSEXESVC.exe (PsExec) or WmiPrvSE.exe (remote WMI); on the source the child is psexec.exe or a remote wmic call.
// WmiPrvSE.exe as a parent is also normal for management agents, so exclude those by command line or device group.
| where InitiatingProcessFileName in~ ("psexesvc.exe", "wmiprvse.exe")
    or FileName in~ ("psexec.exe", "psexec64.exe")
    or (FileName =~ "wmic.exe" and ProcessCommandLine has "/node:")
| project Timestamp, DeviceName, AccountName, InitiatingProcessFileName, FileName, ProcessCommandLine
```
New local admins
```kql
DeviceEvents
| where ActionType in ("UserAccountCreated", "UserAccountAddedToLocalGroup")
// group membership changes carry the group in AdditionalFields; S-1-5-32-544 is BUILTIN\Administrators
| where ActionType == "UserAccountCreated" or AdditionalFields has_any ("Administrators", "S-1-5-32-544")
| project Timestamp, DeviceName, ActionType, AccountName, InitiatingProcessAccountName, InitiatingProcessCommandLine, AdditionalFields
```
USB file copy burst
```kql
// File events carry drive-letter paths, so resolve the letters of mounted USB drives first instead of matching device paths
let usb = DeviceEvents
| where ActionType == "UsbDriveMounted"
| extend DriveLetter = tostring(parse_json(AdditionalFields).DriveLetter)
| distinct DeviceId, DriveLetter;
DeviceFileEvents
| where InitiatingProcessAccountName !startswith "NT AUTHORITY"
| join kind=inner usb on DeviceId
| where FolderPath startswith DriveLetter
| summarize Files = count() by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 15m)
| where Files > 100
```
Suspicious browser credential access
```kql
DeviceProcessEvents
// Chromium stores (Login Data, Cookies, Web Data) and Firefox stores (logins.json, key4.db); esentutl.exe is a common way to copy locked files
| where ProcessCommandLine has_any ("Login Data", "Cookies", "Web Data", "logins.json", "key4.db")
| where FileName in~ ("cmd.exe", "powershell.exe", "pwsh.exe", "python.exe", "7z.exe", "esentutl.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessFileName
```
Internet-exposed vulnerable devices
```kql
DeviceTvmSoftwareVulnerabilities
| where VulnerabilitySeverityLevel in ("Critical", "High")
// restrict to devices MDE currently sees as internet-facing and to CVEs with a known exploit
| where DeviceId in ((DeviceInfo | where Timestamp > ago(7d) and IsInternetFacing == true | distinct DeviceId))
| where CveId in ((DeviceTvmSoftwareVulnerabilitiesKB | where IsExploitAvailable == true | distinct CveId))
| summarize Vulns = dcount(CveId) by DeviceId, DeviceName
| top 50 by Vulns desc
```
Sensor health gaps
```kql
DeviceInfo
| where Timestamp > ago(7d)
| summarize arg_max(Timestamp, *) by DeviceId   // latest state per device, not every historical row
| where OnboardingStatus != "Onboarded" or SensorHealthState != "Active"
| project Timestamp, DeviceName, OnboardingStatus, SensorHealthState, OSPlatform, DeviceType
```
Intune configuration and PowerShell
Local cmdlets are for labs, one-off incident hardening, and verification; on managed devices the MDM or Group Policy value takes precedence, so production changes go through Intune.
```powershell
# Set ASR rules locally. Action codes: 0 = Disabled, 1 = Block, 2 = Audit, 6 = Warn
$ids = @(
    "d4f940ab-401b-4efc-aadc-ad5f3c50688a",   # Block all Office applications from creating child processes
    "92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b",   # Block Win32 API calls from Office macros
    "d1e49aac-8f56-4280-b9ba-993a6d77406c"    # Block process creations originating from PsExec and WMI commands (not for Configuration Manager clients)
)
$actions = @(1, 1, 1)
Add-MpPreference -AttackSurfaceReductionRules_Ids $ids -AttackSurfaceReductionRules_Actions $actions
Set-MpPreference -EnableControlledFolderAccess Enabled
Set-MpPreference -EnableNetworkProtection Enabled
```
Simplified sketch of the corresponding Intune settings catalog policy; the real Graph payload (`deviceManagement/configurationPolicies`) wraps each setting in a `settingInstance` with typed values.
```json
{
  "platforms": "windows10",
  "technologies": "mdm,microsoftSense",
  "settings": [
    {"settingDefinitionId": "device_vendor_msft_policy_config_defender_attacksurfacereductionrules", "value": "Configured"},
    {"settingDefinitionId": "device_vendor_msft_policy_config_defender_networkprotection", "value": "block"},
    {"settingDefinitionId": "device_vendor_msft_policy_config_defender_tamperprotection", "value": "enabled"}
  ]
}
```
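Setting rules is the easy half; knowing which devices actually run them in block mode is what the Intune profile and the local cmdlets together have to answer. The function below is an added example, not from this page or from Microsoft: it folds the two parallel arrays `Get-MpPreference` returns into a lookup, compares them with a required baseline, and optionally pushes the missing or downgraded rules with `Add-MpPreference`. The rule GUIDs are Microsoft's published ASR rule IDs; which rules belong in the baseline, the audit-first choice for the obfuscated-scripts rule, and the function name are this example's own assumptions. The constructed `$sample` object lets it run without Defender present.

```powershell
# Added example (not from this page): audit local ASR state against a required baseline and optionally remediate.
# Rule GUIDs are Microsoft's published ASR rule IDs; the baseline selection and function name are this example's own.
$ActionName = @{ 0 = 'Disabled'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

$AsrBaseline = @{
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 1   # Block all Office applications from creating child processes
    '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b' = 1   # Block Win32 API calls from Office macros
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 1   # Block process creations from PsExec and WMI commands
    '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2' = 1   # Block credential stealing from LSASS
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 1   # Block abuse of exploited vulnerable signed drivers
    'be9ba2d9-53ea-4cdc-84e5-9b1eeee46550' = 1   # Block executable content from email client and webmail
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 2   # Block execution of potentially obfuscated scripts (audit first; noisy)
}

function Test-AsrBaseline {
    param(
        [Parameter(Mandatory)] [hashtable]$Baseline,
        [object]$Preference = (Get-MpPreference),   # pass a constructed object to run without Defender
        [switch]$Remediate
    )
    # Get-MpPreference exposes ASR state as two parallel arrays; fold them into a lookup keyed by lower-case GUID
    $ids     = @($Preference.AttackSurfaceReductionRules_Ids)
    $actions = @($Preference.AttackSurfaceReductionRules_Actions)
    $state = @{}
    for ($i = 0; $i -lt $ids.Count; $i++) { $state[([string]$ids[$i]).ToLower()] = [int]$actions[$i] }

    $drift = foreach ($rule in $Baseline.Keys) {
        $key = $rule.ToLower()
        $actual = if ($state.ContainsKey($key)) { $state[$key] } else { $null }
        [pscustomobject]@{
            RuleId    = $rule
            Expected  = $ActionName[[int]$Baseline[$rule]]
            Actual    = if ($null -eq $actual) { 'NotConfigured' } else { $ActionName[$actual] }
            Compliant = ($actual -eq [int]$Baseline[$rule])
        }
    }
    $drift | Sort-Object Compliant, RuleId

    if ($Remediate) {
        $fix = @($drift | Where-Object { -not $_.Compliant })
        if ($fix.Count -gt 0) {
            # Add-MpPreference updates the listed rules in place; rules not listed keep their current action
            Add-MpPreference -AttackSurfaceReductionRules_Ids @($fix.RuleId) `
                             -AttackSurfaceReductionRules_Actions @($fix | ForEach-Object { [int]$Baseline[$_.RuleId] })
        }
    }
}

# Constructed preference object: one rule in block, the LSASS rule downgraded to audit, everything else missing
$sample = [pscustomobject]@{
    AttackSurfaceReductionRules_Ids     = @('D4F940AB-401B-4EFC-AADC-AD5F3C50688A', '9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2')
    AttackSurfaceReductionRules_Actions = @(1, 2)
}
Test-AsrBaseline -Baseline $AsrBaseline -Preference $sample | Format-Table

# On a real device (elevated): Test-AsrBaseline -Baseline $AsrBaseline -Remediate
```

Use `-Remediate` only on devices that do not receive an ASR policy from Intune or Group Policy; where they do, the policy value takes precedence and the local change will not stick, and the right fix is the profile, not the host. Run the audit without `-Remediate` across a device group before a rollout to see which rules are still in audit mode, and compare the result with the ASR rules report in the portal.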