ASD's Blueprint for Secure Cloud

Endpoint Monitoring

Design decisions associated with monitoring of endpoint management activities for system(s) built using ASD's Blueprint for Secure Cloud.

Endpoint management is performed predominantly by Microsoft Intune with additional security layers provided by Microsoft Defender for Endpoint. Microsoft Defender for Endpoint is part of the Microsoft 365 Defender stack.

Integration with Azure Sentinel Security Information and Event Management (SIEM) is managed via the Sentinel Microsoft 365 Defender Data Connector. This connector writes Defender for Endpoint information to the following Sentinel Log Analytics tables:

Sentinel table name        Events type
-------------------------  -----------
Alerts
SecurityAlert              Information on Security Alerts
SecurityIncident           Information on Security Incidents
Defender for Endpoint Specific
DeviceInfo                 Machine information, including OS information
DeviceNetworkInfo          Network properties of devices, including physical adapters, IP and MAC addresses, as well as connected networks and domains
DeviceProcessEvents        Process creation and related events
DeviceNetworkEvents        Network connection and related events
DeviceFileEvents           File creation, modification, and other file system events
DeviceRegistryEvents       Creation and modification of registry entries
DeviceLogonEvents          Sign-ins and other authentication events on devices
DeviceImageLoadEvents      Dynamic Link Library (DLL) loading events
DeviceEvents               Multiple event types, including events triggered by security controls such as Windows Defender Antivirus and exploit protection
DeviceFileCertificateInfo  Certificate information of signed files obtained from certificate verification events on endpoints
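The following is an added example, not part of the Blueprint, showing how the DeviceLogonEvents table written by the connector can be used for detection in Sentinel. The query looks for a burst of failed sign-ins to a device from one remote address followed by a successful sign-in for the same account from that address. Column names (Timestamp, DeviceName, AccountName, RemoteIP, ActionType, LogonType) are assumed to follow the standard Defender for Endpoint advanced hunting schema; the lookback window and the failure threshold of 10 are constructed values to be tuned for the environment.

```kusto
// Added example (not Blueprint code): password-spray / brute-force style pattern
// over DeviceLogonEvents as populated by the Microsoft 365 Defender connector.
// Column names assume the standard Defender for Endpoint schema.
let lookback = 1d;            // constructed: how far back to search
let failureThreshold = 10;    // constructed: minimum failed attempts before a success
let failed = DeviceLogonEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "LogonFailed"
    // remote logon types are the ones a network-borne attempt would produce
    | where LogonType in ("Network", "RemoteInteractive")
    | summarize FailedCount = count(),
                FirstFailure = min(Timestamp),
                LastFailure = max(Timestamp)
        by DeviceName, AccountName, RemoteIP
    | where FailedCount >= failureThreshold;
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonSuccess"
// same device, account and source address that produced the failures
| join kind=inner failed on DeviceName, AccountName, RemoteIP
// only keep successes that occurred after the run of failures
| where Timestamp > LastFailure
| project SuccessTime = Timestamp, DeviceName, AccountName, RemoteIP,
          FailedCount, FirstFailure, LastFailure
| order by SuccessTime desc
```

The same query can be saved as a scheduled analytics rule in Sentinel so that matches become SecurityIncident rows alongside the alerts the connector already ingests. Because the failure count is aggregated before the join, the threshold is applied per device, account and source address rather than across the whole tenant.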

Do you have a suggestion on how the above page could be improved? Get in touch! ASD's Blueprint for Secure Cloud is an open source project, and we would love to get your input. Submit an issue on our GitHub, or send us an email at blueprint@asd.gov.au

Acknowledgement of Country
We acknowledge the Traditional Owners and Custodians of Country throughout Australia and their continuing connections to land, sea and communities. We pay our respects to them, their cultures and their Elders; past, present and emerging. We also recognise Australia's First Peoples' enduring contribution to Australia's national security.

Authorised by the Australian Government, Canberra