Endpoint Monitoring
Design decisions associated with monitoring of endpoint management activities for system(s) built using ASD's Blueprint for Secure Cloud.
Endpoint management is performed predominantly by Microsoft Intune with additional security layers provided by Microsoft Defender for Endpoint. Microsoft Defender for Endpoint is part of the Microsoft 365 Defender stack.
Integration with Azure Sentinel Security Information and Event Management (SIEM) is managed via the Sentinel Microsoft 365 Defender Data Connector. This connector writes Defender for Endpoint information to the following Sentinel Log Analytics tables:
| Sentinel table name | Event type |
|---|---|
| Alerts | |
| SecurityAlert | Information on security alerts |
| SecurityIncident | Information on security incidents |
| Defender for Endpoint specific | |
| DeviceInfo | Machine information, including OS information |
| DeviceNetworkInfo | Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains |
| DeviceProcessEvents | Process creation and related events |
| DeviceNetworkEvents | Network connection and related events |
| DeviceFileEvents | File creation, modification, and other file system events |
| DeviceRegistryEvents | Creation and modification of registry entries |
| DeviceLogonEvents | Sign-ins and other authentication events on devices |
| DeviceImageLoadEvents | Dynamic Link Library (DLL) loading events |
| DeviceEvents | Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection |
| DeviceFileCertificateInfo | Certificate information of signed files obtained from certificate verification events on endpoints |
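A connector that is enabled but silently not writing to one of these tables leaves a blind spot that detections depending on that table will never reveal. The KQL query below is an added example, not part of the Blueprint or of the Microsoft 365 Defender connector itself: run in the Sentinel Logs view of the target workspace, it checks every table listed above and reports which are populated, which have gone stale, and which have received nothing at all in the lookback window. The `lookback` and `staleAfter` values are assumptions chosen for illustration; the table names are the ones from the table above.

```kusto
// Added example (not from the Blueprint): verify that the Microsoft 365 Defender
// data connector is populating each Sentinel table listed above.
// Assumptions: run against the workspace the connector targets; 7d lookback and
// a 24h "stale" threshold are chosen values, adjust to the environment.
let lookback = 7d;
let staleAfter = 24h;
// The set of tables the connector is expected to feed (from the table above).
let expected = datatable(TableName: string) [
    "SecurityAlert", "SecurityIncident",
    "DeviceInfo", "DeviceNetworkInfo", "DeviceProcessEvents", "DeviceNetworkEvents",
    "DeviceFileEvents", "DeviceRegistryEvents", "DeviceLogonEvents",
    "DeviceImageLoadEvents", "DeviceEvents", "DeviceFileCertificateInfo"
];
// isfuzzy=true keeps the query running even if a table has never been created
// in the workspace; withsource tags each row with the table it came from.
let observed = union isfuzzy=true withsource=TableName
    SecurityAlert, SecurityIncident,
    DeviceInfo, DeviceNetworkInfo, DeviceProcessEvents, DeviceNetworkEvents,
    DeviceFileEvents, DeviceRegistryEvents, DeviceLogonEvents,
    DeviceImageLoadEvents, DeviceEvents, DeviceFileCertificateInfo
| where TimeGenerated > ago(lookback)
| summarize Rows = count(), LastIngested = max(TimeGenerated) by TableName;
// Left outer join so tables with zero rows still appear, flagged as MISSING.
expected
| join kind=leftouter observed on TableName
| extend Status = case(
    isnull(LastIngested), "MISSING",
    LastIngested < ago(staleAfter), "STALE",
    "OK")
| project TableName, Status, Rows = coalesce(Rows, long(0)), LastIngested
| order by Status asc, TableName asc
```

Tables reported as `MISSING` or `STALE` are the ones to investigate first: a `MISSING` DeviceProcessEvents or DeviceNetworkEvents usually means the connector's event forwarding for that table is not enabled, while a `STALE` table with earlier rows points at a licensing, onboarding, or ingestion change since the last data arrived. The query is intended as a scheduled health check rather than a one-off, so that a loss of endpoint telemetry is noticed before an incident rather than during one.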