Microsoft is announcing new Endpoint reporting capabilities within the Microsoft 365 Defender portal that bring together Device Control reports and Windows Firewall reports so admins can see what is happening in their environment in just a few clicks.
According to Microsoft, the reports are designed to give insight into device behavior and activity while allowing admins to take full advantage of the integrated experiences within the Microsoft 365 Defender portal, including device timeline and advanced hunting.
Found in the Reports page in the Endpoints node, the Device Control report, now generally available, displays the activity and usage of external devices. Admins can view events that relate to external media usage on endpoints, including the number of audit events that occur when external media is connected and the number of policy events that occur when a device control policy is triggered.
Audit events are generated when a USB drive is mounted or unmounted, when plug and play or Bluetooth media is connected, or when a Removable Storage Access Control policy is triggered.
According to Microsoft, this gives security administrators the tools to track their organization’s device control security through reports, which can be found in the Microsoft 365 Security Center. Reports show the number of audit events generated by media type over the last 180 days.
Admins can access more granular details to see more media usage on the device control report page, and they can see real-time activity for the media across the organization. Admins can also see the security of the device, including the risk level and exposure level.
Also now generally available is the Firewall report, which shows admins the activity and behavior of devices configured with Windows host firewall via the Microsoft 365 Defender portal. This enables admins to view Windows 10, Windows 11, Windows Server 2019 and Windows Server 2022 firewall reporting from a central location.
Microsoft notes that admins must enable audit events for Windows Defender Firewall with Advanced Security using Group Policy Object Editor, Local Security Policy or the auditpol.exe commands.
Firewall reports include a summary of inbound, outbound and application activity and allow admins to drill into the activity of a device via the Device Timeline tab that offers a list of events associated with that device.
The reports also support drilling from the card directly into Advanced Hunting, which will provide admins with a report of all related Firewall events from the last 30 days.
For more information, read Microsoft’s Tech Community blog on the announcement.