Security Monitoring Wisdom: Realtime alerts only make sense if you also plan to react in realtime (e.g. fw block, disconnect systems). Otherwise the cost is too high. Better to schedule a query that runs every 5 mins on the log data of the last 5 mins.
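As an added illustration of the scheduled-query pattern described in that tweet (example code written for this page, not from the thread's author or any product): a detector that is invoked every 5 minutes and queries the last 5 minutes of log data. It extends the window by a small overlap so events that arrived late are still seen, and de-duplicates alerts so the overlap does not fire the same finding twice. The log lines, the brute-force rule, the threshold and the run times are all constructed assumptions.

```python
"""Scheduled (near-real-time) detection over a sliding log window.

Pattern: run a query every N minutes over the last N minutes of logs,
with a small overlap for ingestion delay and de-duplication of alerts.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log (syslog-style sshd lines); not real data.
SAMPLE_LOG = """\
2024-01-01T10:00:05Z sshd: Failed password for root from 203.0.113.7
2024-01-01T10:00:09Z sshd: Failed password for admin from 203.0.113.7
2024-01-01T10:01:30Z sshd: Failed password for root from 203.0.113.7
2024-01-01T10:02:10Z sshd: Accepted password for alice from 198.51.100.3
2024-01-01T10:03:44Z sshd: Failed password for root from 203.0.113.7
2024-01-01T10:03:59Z sshd: Failed password for root from 203.0.113.7
2024-01-01T10:04:20Z sshd: Failed password for bob from 198.51.100.9
2024-01-01T10:06:01Z sshd: Failed password for root from 203.0.113.7
"""

# Assumed time of the first scheduled run (constructed for the demo).
FIRST_RUN = datetime(2024, 1, 1, 10, 5, tzinfo=timezone.utc)


def parse_log(text):
    """Parse lines into (timestamp, message) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        try:
            ts_str, msg = line.split(" ", 1)
            ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        except ValueError:
            continue
        events.append((ts, msg))
    return events


def query_window(events, now, window, overlap):
    """Return events in [now - window - overlap, now).

    The overlap tolerates late-arriving events that a strict 5-minute
    window would miss on one run and never revisit.
    """
    start = now - window - overlap
    return [(ts, msg) for ts, msg in events if start <= ts < now]


def detect_bruteforce(window_events, threshold):
    """Rule: at least `threshold` failed logins from one source in the window.

    Returns {source_ip: sorted timestamps} for sources over the threshold.
    """
    failures = defaultdict(list)
    for ts, msg in window_events:
        if "Failed password" in msg:
            src = msg.rsplit(" from ", 1)[1]
            failures[src].append(ts)
    return {src: sorted(t) for src, t in failures.items() if len(t) >= threshold}


class ScheduledDetector:
    """Runs the rule every `interval`; suppresses alerts whose evidence
    (source + newest contributing event) was already reported."""

    def __init__(self, interval=timedelta(minutes=5),
                 overlap=timedelta(minutes=1), threshold=3):
        self.interval, self.overlap, self.threshold = interval, overlap, threshold
        self.seen = set()  # (source_ip, latest_failure_ts) already alerted

    def run(self, events, now):
        """One scheduled execution at time `now`; returns new alerts only."""
        hits = detect_bruteforce(
            query_window(events, now, self.interval, self.overlap), self.threshold)
        alerts = []
        for src, stamps in hits.items():
            key = (src, stamps[-1])
            if key in self.seen:
                continue  # same evidence already raised by an overlapping run
            self.seen.add(key)
            alerts.append({"source": src, "failures": len(stamps),
                           "last_seen": stamps[-1].isoformat(),
                           "run_at": now.isoformat()})
        return alerts


def demo():
    """Two scheduled runs, 5 minutes apart, over the constructed log."""
    events = parse_log(SAMPLE_LOG)
    det = ScheduledDetector()
    return [det.run(events, FIRST_RUN), det.run(events, FIRST_RUN + det.interval)]


if __name__ == "__main__":
    for i, alerts in enumerate(demo(), 1):
        print(f"run {i}: {alerts}")
```

The first run (10:05) sees five failures from one source and raises one alert; the second run (10:10) overlaps the first by a minute, so the 10:04:20 event is examined again, but nothing crosses the threshold and nothing is re-reported. The choice of overlap should match the observed ingestion delay of the log pipeline, and the `seen` set needs persistence between invocations in a real scheduler.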
Replying to @cyb3rops
Yeah, I'm trying to get @WindowsATP to do that :-) They said "soon".
Replying to @ssimonsen0202 @cyb3rops
With @WindowsATP you get both real-time detection with a sliding window that runs back hours, not 5 min... and you also get non-real-time detections running in parallel with a sliding window of months. What's the part you are still missing?
The custom detection running more than once every 24h: are you saying this can be done now already? I asked about it on the AMA, then you said it was being worked on.
Replying to @ssimonsen0202 @cyb3rops
This only applies for complex advanced hunting queries you create. If you have IoCs of any sort, it's better to enter them through the dedicated page. Faster AH detections are coming :) https://techcommunity.microsoft.com/t5/Microsoft-Defender-ATP/Microsoft-Defender-ATP-unified-indicators-of-compromise-IoCs/ba-p/656415
Using the IoC page puts them in the real-time detection path...