{"id":34826,"date":"2020-05-06T19:00:12","date_gmt":"2020-05-06T19:00:12","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=91054"},"modified":"2020-05-06T19:00:12","modified_gmt":"2020-05-06T19:00:12","slug":"how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/","title":{"rendered":"How to gain 24\/7 detection and response coverage with Microsoft Defender ATP"},"content":{"rendered":"<p><em>This blog post is part of the Microsoft Intelligence Security Association <a href=\"https:\/\/nam06.safelinks.protection.outlook.com\/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwww.microsoft.com-252Fsecurity-252Fblog-252Fmicrosoft-2Dintelligent-2Dsecurity-2Dassociation-2Dmisa-252F-26data-3D02-257C01-257Cv-2Dtovand-2540microsoft.com-257C022976ef8c3d41e628f008d7dfbf8d1f-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C0-257C637223886108623883-26sdata-3D50Jv5Xemwt-252BmaaLyuiRk6AhWsfOLa76j12gndU1QF0Q-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU%26r%3DHwtlcRNqZEEybdajLD5PYOo9HZfKQ61t9IQ-h2Qso5w%26m%3DOx8ZvzBeASwIpzxF7rrxhWIykyA-Yva7C4jiNGSwQeo%26s%3DMKuChJ59b2nwHIrZoMNSuihFad_8UI8IbzwDEjz7xPo%26e%3D&amp;data=02%7C01%7Cv-dabada%40microsoft.com%7Ca8aaaf4dd20644e0909e08d7e6d80c35%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637231687901319973&amp;sdata=x5H8qdKdVHmXywIjbrxV7uE45MJ5u6nkg%2BDei8CaRB0%3D&amp;reserved=0\" target=\"_blank\" rel=\"noopener noreferrer\">guest blog series<\/a>. 
To learn more about MISA, go <a href=\"https:\/\/nam06.safelinks.protection.outlook.com\/?url=https%3A%2F%2Furldefense.proofpoint.com%2Fv2%2Furl%3Fu%3Dhttps-3A__nam06.safelinks.protection.outlook.com_-3Furl-3Dhttps-253A-252F-252Fwww.microsoft.com-252Fen-2Dus-252Fsecurity-252Fbusiness-252Fintelligent-2Dsecurity-2Dassociation-26data-3D02-257C01-257Cv-2Dtovand-2540microsoft.com-257C022976ef8c3d41e628f008d7dfbf8d1f-257C72f988bf86f141af91ab2d7cd011db47-257C1-257C0-257C637223886108633884-26sdata-3DmQbpsSMQ08CH9KLvmAoNKhE0vKpZvvWqRy0PE-252Bb5KgY-253D-26reserved-3D0%26d%3DDwMGaQ%26c%3DeIGjsITfXP_y-DLLX0uEHXJvU8nOHrUK8IrwNKOtkVU%26r%3DHwtlcRNqZEEybdajLD5PYOo9HZfKQ61t9IQ-h2Qso5w%26m%3DOx8ZvzBeASwIpzxF7rrxhWIykyA-Yva7C4jiNGSwQeo%26s%3DGqmdq3_rfxTcmMSET3aBocHdFuQTPage9MPVudIrsDk%26e%3D&amp;data=02%7C01%7Cv-dabada%40microsoft.com%7Ca8aaaf4dd20644e0909e08d7e6d80c35%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637231687901329970&amp;sdata=l0M1YkrV5avlos4v9P9r9HPu6lwrD8z4OC2GdS%2Bi0Dw%3D&amp;reserved=0\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\n<p>Whether you\u2019re a security team of one or a dozen, detecting and stopping threats around the clock is a challenge. Security incidents don\u2019t happen exclusively during business hours: attackers often wait until the late hours of the night to breach an environment.<\/p>\n<p>At <a href=\"https:\/\/redcanary.com\" target=\"_blank\" rel=\"noopener noreferrer\">Red Canary<\/a>, we work with security teams of all shapes and sizes to improve detection and response capabilities. Our Security Operations Team investigates threats in customer environments 24\/7\/365, removes false positives, and delivers confirmed threats with context. We\u2019ve seen teams run into a wide range of issues when trying to establish after-hours coverage on their own, including:<\/p>\n<ul>\n<li>For global enterprises, around-the-clock monitoring can significantly increase the pressure on a U.S.\u2013based security team. 
If you have personnel around the world, a security team in a single time zone isn\u2019t sufficient to cover the times that computing assets are used in those environments.<\/li>\n<li>In smaller companies that don\u2019t have global operations, the security team is more likely to be understaffed and unable to handle 24\/7 security monitoring without stressful on-call schedules.<\/li>\n<li>For the security teams of one, being \u201cout of office\u201d is a foreign concept. You\u2019re always on. And you need to set up some way to monitor the enterprise while you\u2019re away.<\/li>\n<\/ul>\n<p>Microsoft Defender Advanced Threat Protection (ATP) is an industry leading endpoint security solution that\u2019s built into Windows with extended capabilities to Mac and Linux servers. Red Canary unlocks the telemetry delivered from <a href=\"https:\/\/redcanary.com\/solutions\/mdr-for-microsoft-threat-protection-demo\/\" target=\"_blank\" rel=\"noopener noreferrer\">Microsoft Defender ATP<\/a> and investigates every alert, enabling you to immediately increase your detection coverage and waste no time with false positives.<\/p>\n<p>Here\u2019s how those who haven\u2019t started with Red Canary yet can answer the question, \u201cHow can I support my 24\/7 security needs with Microsoft Defender ATP?\u201d<\/p>\n<p>No matter how big your security team is, the most important first step is notifying the right people based on an on-call schedule. In this post, we\u2019ll describe two different ways of getting Microsoft Defender ATP alerts to your team 24\u00d77 and how Red Canary has implemented this for our customers.<\/p>\n<h3>Basic 24\/7 via email<\/h3>\n<p>Microsoft Defender Security Center allows you to send all Microsoft Defender ATP alerts to an email address. 
You can set up email alerts under Settings \u2192 Alert notifications.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-91056\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA1-1024x377.png\" alt=\"MISA1\" width=\"1024\" height=\"377\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA1-1024x377.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA1-300x111.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA1-768x283.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA1.png 1430w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/p>\n<p><em>Email notification settings in Microsoft Defender Security Center.<\/em><\/p>\n<p>These emails will be sent to your team and should be monitored for high severity situations after-hours.<\/p>\n<p>If sent to a ticketing system, these emails can trigger tickets or after-hours pages to be created for your security team. 
We recommend limiting the alerts to medium and high severity so that you won\u2019t be bothered by informational or low alerts.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-91057\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA2-1024x569.png\" alt=\"MISA2\" width=\"1024\" height=\"569\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA2-1024x569.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA2-300x167.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA2-768x426.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA2.png 1266w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/p>\n<p><em>Setting up alert emails in Microsoft Defender ATP to be sent to a ticketing system.<\/em><\/p>\n<p>Now any future alerts will create a new ticket in your ticketing system where you can assign security team members to on-call rotations and notify on-call personnel of new alerts (if supported). Once the notification is received by on-call personnel, they would then log into Microsoft Defender\u2019s Security Center for further investigation and triage.<\/p>\n<h3>Enhanced 24\/7 via APIs<\/h3>\n<p>What if you want to ingest alerts to a system that doesn\u2019t use email? You can do this by using the Microsoft Defender ATP APIs. First, you\u2019ll need to have an authentication token. 
You can get the token like we do here:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-91058\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA3-1024x907.png\" alt=\"MISA3\" width=\"1024\" height=\"907\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA3-1024x907.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA3-300x266.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA3-768x680.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA3.png 1314w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/p>\n<p><em>API call to retrieve authentication token.<\/em><\/p>\n<p>Once you\u2019ve stored the authentication token you can use it to poll the Microsoft Defender ATP API and retrieve alerts from Microsoft Defender ATP. Here\u2019s an example of the code to pull new alerts.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-91059\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA4-1024x420.png\" alt=\"MISA4\" width=\"1024\" height=\"420\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA4-1024x420.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA4-300x123.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA4-768x315.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA4-1536x629.png 1536w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA4.png 1718w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/p>\n<p><em>API call to retrieve alerts from Microsoft Defender ATP.<\/em><\/p>\n<p>The API only returns a subset of the data associated with each alert. 
Here\u2019s an example of what you might receive.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-91060\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA5-1024x878.png\" alt=\"MISA5\" width=\"1024\" height=\"878\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA5-1024x878.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA5-300x257.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA5-768x659.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA5.png 1266w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/p>\n<p><em>Example of a Microsoft Defender ATP alert returned from the API.<\/em><\/p>\n<p>You can then take this data and ingest it into any of your internal tools. You can learn more about how to access Microsoft Defender ATP APIs in the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/apis-intro\" target=\"_blank\" rel=\"noopener noreferrer\">documentation<\/a>. Please note, the limited information included in an alert email or API response is not enough to triage the behavior. You will still need to log into the Microsoft Defender Security Center to find out what happened and take appropriate action.<\/p>\n<h3>24\/7 with Red Canary<\/h3>\n<p>By enabling Red Canary, you supercharge your Microsoft Defender ATP deployment by adding a proven 24\u00d77 security operations team who are masters at finding and stopping threats, and an automation platform to quickly remediate and get back to business.<\/p>\n<p>Red Canary continuously ingests all of the raw telemetry generated from your instance of Microsoft Defender ATP as the foundation for our service. We also ingest and monitor Microsoft Defender ATP alerts. 
We then apply <a href=\"https:\/\/redcanary.com\/blog\/breathing-life-detection-capability\/\" target=\"_blank\" rel=\"noopener noreferrer\">thousands of our own proprietary analytics<\/a> to identify potential threats that are sent 24\/7 to a Red Canary detection engineer for review.<\/p>\n<p>Here\u2019s an overview of the process (to go behind the scenes of these operations check out our <a href=\"https:\/\/redcanary.com\/blog\/detection-engineering\/\" target=\"_blank\" rel=\"noopener noreferrer\">detection engineering blog series<\/a>):<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-91061\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA6.png\" alt=\"MISA6\" width=\"960\" height=\"540\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA6.png 960w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA6-300x169.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA6-768x432.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA6-687x385.png 687w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA6-767x431.png 767w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA6-539x303.png 539w\" sizes=\"auto, (max-width: 960px) 100vw, 960px\"><\/p>\n<p><em>Managed detection and response with Red Canary.<\/em><\/p>\n<p>Red Canary is monitoring your Microsoft Defender ATP telemetry and alerts. If anything is a confirmed threat, our team creates a <em>detection<\/em> and sends it to you using a built-in automation framework that supports email, SMS, phone, Microsoft Teams\/Slack, and more. 
Below is an example of what one of those detections might look like.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-91062\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA7-1024x830.png\" alt=\"MISA7\" width=\"1024\" height=\"830\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA7-1024x830.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA7-300x243.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA7-768x622.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA7.png 1129w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/p>\n<p><em>Red Canary confirms threats and prioritizes them so you know what to focus on.<\/em><\/p>\n<p>At the top of the detection timeline you\u2019ll receive a short description of what happened. The threat has already been examined by a team of detection engineers from Red Canary\u2019s <a href=\"https:\/\/redcanary.com\/products\/investigate\/\" target=\"_blank\" rel=\"noopener noreferrer\">Cyber Incident Response Team<\/a> <a href=\"https:\/\/redcanary.com\/products\/investigate\/\">(CIRT)<\/a>, so you don\u2019t have to worry about triage or investigation. 
As you scroll down, you can quickly see the results of the investigation that Red Canary\u2019s senior detection engineers have done on your behalf, including detailed notes that provide context to what\u2019s happening in your environment:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-91063\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA8-1024x629.png\" alt=\"MISA8\" width=\"1024\" height=\"629\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA8-1024x629.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA8-300x184.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA8-768x472.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA8-1536x944.png 1536w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA8-392x240.png 392w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA8.png 1886w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/p>\n<p><em>Notes from Red Canary senior detection engineers (in light blue) provide valuable context.<\/em><\/p>\n<p>You\u2019re only notified of true threats and not false positives. This means you can focus on responding rather than digging through data to figure out what happened.<\/p>\n<p>What if you don\u2019t want to be woken up, you\u2019re truly unavailable,&nbsp;or you just want bad stuff immediately dealt with? Use Red Canary\u2019s automation to handle remediation on the fly. 
You and your team can create playbooks in your Red Canary portal to respond to threats immediately, even if you\u2019re unavailable.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-91064\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA9-1024x325.png\" alt=\"MISA9\" width=\"1024\" height=\"325\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA9-1024x325.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA9-300x95.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA9-768x244.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA9.png 1437w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/p>\n<p><em>Red Canary automation playbook.<\/em><\/p>\n<p>This playbook allows you to isolate the endpoint (using the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/threat-protection\/microsoft-defender-atp\/machineaction\" target=\"_blank\" rel=\"noopener noreferrer\">Machine Action resource type<\/a> in the Microsoft Defender ATP APIs) if Red Canary identifies suspicious activity. You also have the option to set up Automate playbooks that depend on an hourly schedule. 
For example, you may want to approve endpoint isolation during normal work hours, but use automatic isolation overnight:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-91065\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA10-1024x941.png\" alt=\"MISA10\" width=\"1024\" height=\"941\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA10-1024x941.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA10-300x276.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA10-768x706.png 768w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2020\/05\/MISA10.png 1096w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\"><\/p>\n<p><em>Red Canary Automate playbook to automatically remediate a detection.<\/em><\/p>\n<p><strong>Getting started with Red Canary<\/strong><\/p>\n<p>Whether you\u2019ve been using Microsoft Defender ATP since its preview releases or you\u2019re just getting started, Red Canary is the fastest way to accelerate your security operations program. Immediate onboarding, increased detection coverage, and a 24\/7 CIRT team are all at your fingertips.<\/p>\n<p>Terence Jackson, CISO at Thycotic and Microsoft Defender ATP user, describes what it\u2019s like working with Red Canary:<\/p>\n<blockquote>\n<p><em>\u201cI have a small team that has to protect a pretty large footprint. I know the importance of detecting, preventing, and stopping problems at the entry point, which is typically the endpoint. We have our corporate users but then we also have SaaS customers we have to protect. 
Currently my team tackles both, so for me it\u2019s simply having a trusted partner that can take the day-to-day hunting\/triage\/elimination of false positives and only provide actionable alerts\/intel, which frees my team up to do other critical stuff.\u201d<\/em><\/p>\n<\/blockquote>\n<p>Red Canary is the fastest way to enhance your detection coverage from Microsoft Defender ATP so you know exactly when and where to respond.<\/p>\n<p><a href=\"https:\/\/redcanary.com\/microsoft-mtp\/\" target=\"_blank\" rel=\"noopener noreferrer\">Contact us<\/a> to see a demo and learn more.<\/p>\n<p>READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2020\/05\/06\/gain-24x7-detection-response-coverage-microsoft-defender-atp\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Security incidents don\u2019t happen exclusively during business hours: attackers often wait until the late hours of the night to breach an environment.<br \/>\nThe post How to gain 24\/7 detection and response coverage with Microsoft Defender ATP appeared first on Microsoft Security. 
READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":34827,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[347,5345,7220,6717,7582,8630,1064,6681],"class_list":["post-34826","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-cybersecurity","tag-incident-response","tag-microsoft-defender-advanced-threat-protection","tag-microsoft-defender-atp","tag-microsoft-intelligent-security-association-misa","tag-misa","tag-security-intelligence","tag-security-strategies"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>How to gain 24\/7 detection and response coverage with Microsoft Defender ATP 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"How to gain 24\/7 detection and response coverage with Microsoft Defender ATP 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2020-05-06T19:00:12+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/05\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp.png\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"377\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"How to gain 24\\\/7 detection and response coverage with Microsoft Defender ATP\",\"datePublished\":\"2020-05-06T19:00:12+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\\\/\"},\"wordCount\":1395,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/05\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp.png\",\"keywords\":[\"Cybersecurity\",\"incident response\",\"Microsoft Defender Advanced Threat Protection\",\"Microsoft Defender ATP\",\"Microsoft Intelligent Security Association (MISA)\",\"MISA\",\"Security Intelligence\",\"Security strategies\"],\"articleSection\":[\"Microsoft 
Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\\\/\",\"name\":\"How to gain 24\\\/7 detection and response coverage with Microsoft Defender ATP 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/05\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp.png\",\"datePublished\":\"2020-05-06T19:00:12+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/05\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2020\\\/05\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp.png\",\"width\":1024,\"height\":377},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/cybersecurity\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"How to gain 24\\\/7 detection and response coverage with Microsoft Defender ATP\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat 
Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH 
Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"How to gain 24\/7 detection and response coverage with Microsoft Defender ATP 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/","og_locale":"en_US","og_type":"article","og_title":"How to gain 24\/7 detection and response coverage with Microsoft Defender ATP 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2020-05-06T19:00:12+00:00","og_image":[{"width":1024,"height":377,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/05\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp.png","type":"image\/png"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"How to gain 24\/7 detection and response coverage with Microsoft Defender ATP","datePublished":"2020-05-06T19:00:12+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/"},"wordCount":1395,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/05\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp.png","keywords":["Cybersecurity","incident response","Microsoft Defender Advanced Threat Protection","Microsoft Defender ATP","Microsoft Intelligent Security 
Association (MISA)","MISA","Security Intelligence","Security strategies"],"articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/","url":"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/","name":"How to gain 24\/7 detection and response coverage with Microsoft Defender ATP 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/05\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp.png","datePublished":"2020-05-06T19:00:12+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/05\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2020\/05\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp.png","width":1024,"height":377},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/how-to-gain-24-7-detection-and-response-coverage-with-microsoft-defender-atp\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity","item":"https:\/\/www.threatshub.org\/blog\/tag\/cybersecurity\/"},{"@type":"ListItem","position":3,"name":"How to gain 24\/7 detection and response coverage with Microsoft Defender ATP"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations 
Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH 
Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/34826","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=34826"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/34826\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/34827"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=34826"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=34826"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=34826"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}