Defender for Endpoint Integration

Does anyone have any experience using the Microsoft Defender ATP event source (now Defender for Endpoint)?

We’re planning to set up an Exploit Guard policy, i.e. ASR rules, Controlled Folder Access and Network Protection. Do rules that are configured in audit mode still generate alerts in Defender, and subsequently in Rapid7 through this event source? If we want the actual events of audits/blocks being triggered, those need to be pulled from the client machines themselves, but do the alerts that are subsequently generated come through this event source?
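As an added illustration (not part of the original post or of the Rapid7 event source), the script below shows the client-side half the question refers to: putting one ASR rule into audit mode and then reading the Exploit Guard audit/block events from the machine's own Defender operational log. The rule GUID default is the documented ID for "Block all Office applications from creating child processes"; the event ID mapping follows Microsoft's Exploit Guard event documentation. Everything else (parameter names, the window of hours) is an assumption of this example.

```powershell
# Added example, not from the thread: configure one ASR rule in audit mode and
# pull the resulting Exploit Guard events from the local client.
# Assumes Windows 10/11 or Windows Server with Microsoft Defender Antivirus and
# its PowerShell module (Get-/Set-/Add-MpPreference); run from an elevated prompt.

param(
    # ASR rule to put in audit mode; default is the documented ID for
    # "Block all Office applications from creating child processes".
    [string]$RuleId = 'D4F940AB-401B-4EFC-AADC-AD5F3C50688A',
    # How far back to read events (assumed window for this example).
    [int]$Hours = 24
)

# 1. Put the rule in audit mode. Add-MpPreference appends to the existing list;
#    Set-MpPreference would replace the whole list, which is easy to do by accident.
Add-MpPreference -AttackSurfaceReductionRules_Ids $RuleId `
                 -AttackSurfaceReductionRules_Actions AuditMode

# 2. Confirm the configured state. Action values: 0 = Disabled, 1 = Block,
#    2 = Audit, 6 = Warn.
$prefs = Get-MpPreference
$idx   = [array]::IndexOf($prefs.AttackSurfaceReductionRules_Ids, $RuleId)
if ($idx -ge 0) {
    "Rule $RuleId action = $($prefs.AttackSurfaceReductionRules_Actions[$idx])"
} else {
    "Rule $RuleId is not present in the configured ASR list"
}

# 3. Read the audit/block events from the client. These local events are what
#    has to be collected from the endpoint itself; only portal-level alerts
#    travel through the Defender for Endpoint event source.
$eventMap = @{
    1121 = 'ASR block'
    1122 = 'ASR audit'
    1123 = 'Controlled Folder Access block'
    1124 = 'Controlled Folder Access audit'
    1125 = 'Network Protection audit'
    1126 = 'Network Protection block'
}
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = [int[]]$eventMap.Keys
    StartTime = (Get-Date).AddHours(-$Hours)
}
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Kind    = $eventMap[$_.Id]
            # First line of the message carries the rule ID / path summary.
            Message = ($_.Message -split "`n")[0]
        }
    } |
    Format-Table -AutoSize
```

Running this on a test client after exercising the rule shows 1122 (audit) entries locally even though nothing appears as an alert in the portal, which is exactly the distinction the question is about: audit-mode events live in the endpoint's event log unless something forwards them, while the event source only carries what Defender for Endpoint raises as alerts.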

No, I don’t believe they would fire any out-of-the-box detections; we only trigger Defender for Endpoint default rules, not custom ones. If you wanted to have custom rules fire, I would suggest ensuring the Send Unparsed Data box is checked, finding the events in Unparsed, and building Custom Detection Rules for those.

David

What David mentions is what we have done and it works as designed.