Continuing the Microsoft Defender ATP blog series, this post covers more technical concepts, how they are implemented, and some basic configuration. So let's start.
Some technical concepts we need for WDATP configuration and administration:
- Onboarding: the process of registering a server or Windows workstation in the Windows Defender ATP service.
- Sensor: the Microsoft Defender ATP sensor is built into Windows and runs in system context under the LocalSystem account. It uses Microsoft Windows HTTP Services (WinHTTP) to report sensor data to, and communicate with, the Microsoft Defender ATP cloud service. WinHTTP has its own machine-wide proxy configuration and does not use a user's WinINet (Internet Explorer) proxy settings, which matters when the sensor must go through a proxy.
- Exposure score: this score reflects how vulnerable an organization is to cyber-attacks. A low score is desired, because it means that machines are less exposed to exploitation.
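To see these concepts on a real host, the following added example (not code from the original post) inspects the sensor service, its account, the onboarding state and the WinHTTP proxy it will use. It assumes the service is named `Sense` and that the onboarding state is stored under `HKLM\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status`, as Microsoft documented at the time; run it in an elevated PowerShell session.

```powershell
# Added example, not from the original post. Run elevated on a Windows 10 / Server host.
# Assumptions: the sensor service is 'Sense' (display name "Windows Defender Advanced
# Threat Protection Service") and OnboardingState lives under the Status key below.

$svc = Get-CimInstance Win32_Service -Filter "Name='Sense'"
if (-not $svc) {
    Write-Warning "Sense service not found: this host does not have the Defender ATP sensor."
    return
}

# The sensor runs in system context, so StartName is expected to be 'LocalSystem'.
[pscustomobject]@{
    Service   = $svc.Name
    State     = $svc.State
    StartMode = $svc.StartMode
    Account   = $svc.StartName
} | Format-List

# OnboardingState 1 = registered with the cloud service; 0 = offboarded; missing = never onboarded.
$statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
$state = (Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue).OnboardingState
switch ($state) {
    1       { 'Onboarded to Defender ATP' }
    0       { 'Not onboarded (offboarded)' }
    default { 'No onboarding status recorded: the onboarding package has not been run' }
}

# The sensor talks to the cloud through WinHTTP, which ignores per-user (WinINet) proxy
# settings. Show the machine-wide WinHTTP proxy the sensor will actually use.
netsh winhttp show proxy
```

If the account shown is anything other than `LocalSystem`, or the service is stopped and not set to Automatic start, the sensor will not report and the device will never appear in the portal.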
How to set it up:
As we know, Microsoft Defender Advanced Threat Protection requires one of the following Microsoft Volume Licensing offers:
- Windows 10 Enterprise E5
- Windows 10 Education E5
- Microsoft 365 E5 (M365 E5) which includes Windows 10 Enterprise E5
- Microsoft 365 A5 (M365 A5)
The first configuration step is therefore to validate the license. Log in to the Azure portal (https://portal.azure.com), go to Azure Active Directory > Licenses > All products, and check that one of the licenses listed above is present.
Another way to validate the license is to open the Microsoft 365 admin center (https://admin.microsoft.com) and go to Billing > Licenses. This page lists all provisioned licenses and their current status.
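Checking the tenant from PowerShell instead of clicking through the portals is often quicker and is scriptable. The following is an added example, not code from the original post: it uses the AzureAD module (`Install-Module AzureAD`) and assumes that the service plan representing Defender ATP inside these SKUs is named `WINDEFATP`; the user principal name is a placeholder.

```powershell
# Added example, not from the original post. Requires the AzureAD module and an account
# that can read subscriptions (Global Reader is enough).
# Assumption: the Defender ATP service plan is named 'WINDEFATP' in the SKU's ServicePlans.

Connect-AzureAD | Out-Null

$planName = 'WINDEFATP'

# Every subscribed SKU that carries the Defender ATP service plan (E5 / A5 offers).
$defenderSkus = Get-AzureADSubscribedSku | Where-Object {
    $_.ServicePlans.ServicePlanName -contains $planName
}

if (-not $defenderSkus) {
    Write-Warning "No subscribed SKU includes the $planName service plan; Defender ATP is not licensed."
} else {
    $defenderSkus | ForEach-Object {
        $plan = $_.ServicePlans | Where-Object ServicePlanName -eq $planName
        [pscustomobject]@{
            Sku        = $_.SkuPartNumber
            Total      = $_.PrepaidUnits.Enabled
            Assigned   = $_.ConsumedUnits
            Available  = $_.PrepaidUnits.Enabled - $_.ConsumedUnits
            PlanStatus = $plan.ProvisioningStatus   # 'Success' once the plan is provisioned
        }
    } | Format-Table -AutoSize
}

# Whether a specific user actually has the plan assigned (placeholder UPN).
$upn = 'admin@contoso.onmicrosoft.com'
(Get-AzureADUserLicenseDetail -ObjectId $upn).ServicePlans |
    Where-Object ServicePlanName -eq $planName |
    Select-Object ServicePlanName, ProvisioningStatus
```

A SKU that exists but shows `Available = 0`, or a plan whose `ProvisioningStatus` is not `Success`, explains the most common "license validation failed" result in the portal wizard described later.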
The second step is to configure our security perimeter (proxy or firewall) so the sensor can reach the cloud service.
The sensor connects outbound over ports 80 and 443, so the following URLs must be allowed through by hostname (not by IP address, since the addresses behind these names change) and must not be blocked:

| Service location | Microsoft.com DNS record |
|---|---|
| Common URLs for all locations | crl.microsoft.com |
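Because the sensor uses WinHTTP, a proxy that only exists in the user's browser settings is invisible to it. The following added example (not code from the original post) shows the two documented ways of pointing the sensor at a proxy, then tests that the listed endpoint answers on 80 and 443. The proxy address is a placeholder, and only `crl.microsoft.com` is tested because it is the only hostname the post lists; the `$endpoints` array is where the rest of Microsoft's list would go.

```powershell
# Added example, not from the original post. Run elevated.
# Assumptions: proxy.corp.example:8080 is a placeholder; TelemetryProxyServer and
# DisableEnterpriseAuthProxy under the DataCollection policy key are the documented
# values for giving the sensor its own static proxy.

$proxy = 'proxy.corp.example:8080'   # placeholder

# Option A: machine-wide WinHTTP proxy (affects every WinHTTP client, not only the sensor).
netsh winhttp set proxy proxy-server="$proxy" bypass-list="<local>"

# Option B: static proxy for the sensor alone, via the telemetry policy values.
$dc = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DataCollection'
New-Item -Path $dc -Force | Out-Null
Set-ItemProperty -Path $dc -Name TelemetryProxyServer -Value $proxy -Type String
# Stop the sensor from trying an authenticated (user-context) proxy instead.
Set-ItemProperty -Path $dc -Name DisableEnterpriseAuthProxy -Value 1 -Type DWord

# Connectivity check. Only the hostname the post lists; extend with Microsoft's full list.
$endpoints = @('crl.microsoft.com')

$results = foreach ($fqdn in $endpoints) {
    foreach ($port in 80, 443) {
        # Direct TCP reachability (the firewall case; Test-NetConnection does not use a proxy).
        $tcp = Test-NetConnection -ComputerName $fqdn -Port $port -WarningAction SilentlyContinue

        # Reachability through the proxy (the proxy case). An HTTP error such as 404 still
        # proves the path is open; only a connection-level failure has no Response object.
        $scheme = if ($port -eq 443) { 'https' } else { 'http' }
        try {
            Invoke-WebRequest -Uri "${scheme}://$fqdn/" -Proxy "http://$proxy" `
                -UseBasicParsing -TimeoutSec 10 | Out-Null
            $viaProxy = $true
        } catch {
            $viaProxy = [bool]$_.Exception.Response
        }

        [pscustomobject]@{
            Host      = $fqdn
            Port      = $port
            DirectTcp = $tcp.TcpTestSucceeded
            ViaProxy  = $viaProxy
        }
    }
}

$results | Format-Table -AutoSize
if ($results.DirectTcp -contains $false -and $results.ViaProxy -contains $false) {
    Write-Warning 'At least one endpoint/port is unreachable both directly and via the proxy; fix this before onboarding.'
}
```

Pick one of the two options: a machine-wide `netsh winhttp` proxy is simplest when every WinHTTP client should use the same egress, while `TelemetryProxyServer` keeps the sensor's path independent of other system components.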
Once the steps above are complete, we proceed to configure the Windows Defender Advanced Threat Protection service itself, for which we log in to the Security Center portal at https://securitycenter.windows.com.
On first login, a setup wizard guides us through the initial configuration of the WDATP cloud service instance.
- The portal first validates that we are authorized to use the product. This step configures our permissions and is only required if we are not already authorized to access the product.
- After authorization, the welcome screen provides some details about the configuration wizard.
- The third screen will allow us to configure service preferences.
We must configure four parameters in this step:
- Data Storage Location
We may choose to store our information in the Microsoft Azure datacenters in the United States, European Union, or the United Kingdom. Once configured, we cannot change the location where our data is stored.
- Data Retention Policy
By default, Microsoft Defender will store the data for a period of six months, however, we can configure this parameter for a shorter time. We will not be able to change the time once configured.
- Organization Size
We need to indicate the estimated numbers of employees in the company. This parameter is not related to licenses but optimizes the services according to the size of the organization.
- Preview Features
This setting defines if we will have access to upcoming features. Once configured, we cannot change the selection. It is recommended to enable this feature.
After configuring these 4 parameters, we receive a warning notifying that we cannot change some preferences as mentioned above.
- Click Continue to proceed.
An instance is then created in Microsoft Security Center. This takes about five minutes; after that we are ready to onboard machines to the service.
Stay tuned for the next blog post of the series!