Advanced endpoint detection and response agents play a critical role in an organization's threat detection and response strategy. The AlienApp for Microsoft Defender ATP enhances the threat detection and response capabilities of USM Anywhere by collecting and analyzing log data from Defender's API, and it also provides orchestration actions to streamline incident response activities.
The app includes the following capabilities:
Log Collection
- Customize log collection via the Microsoft API
- Correlation rules from AT&T Alien Labs automatically detect security incidents
Dashboard
A special MS Defender dashboard is automatically available within USM Anywhere when data is being collected from MS Defender ATP and includes the following data elements:
- Events trend
- Action type
- Security score
- Top 10 machines at risk
- Top 10 users at risk
- Top quarantined files
- Top quarantined machines
- Top suspicious URLs
- Top suspicious IPs
Orchestration Actions
The AlienApp for MS Defender ATP provides a set of orchestration actions that enable customers to quickly act on the endpoint. These actions can be taken manually by the SOC operator in response to a USM Anywhere alarm or event, or they can be configured to run automatically with no user involvement. Actions include:
- Isolate a machine from the network with the self-quarantine feature
- Quarantine/block a file: prevent the endpoint from accessing or executing a local file
- Collect investigation package for an in-depth evaluation of an endpoint
- Set IOCs: files, hosts, and domains that should be blocked
- Get file statistics
- Get domain statistics