Nirav Kumar: Customized Detections and Response Can Be a Challenge

Microsoft Defender for Endpoint is an endpoint detection and response tool that captures endpoint telemetry and sends it to the cloud for detection and response. It has good behavioral analytics and automatic detections that enable it to identify fileless malware quickly. Also, because it is cloud based, you do not have to manage any special hardware to take advantage of central monitoring and control. The tool’s built-in vulnerability management is another valuable feature that can help you reduce spending on vulnerability scanning tools and services. The Tools AIR (auto-investigation and response) is a great feature not common to AV products.
The biggest challenge with Microsoft Defender for Endpoint is creating customized detections. The tool comes with detections that cover 95 percent of your issues, but there is always going to be that 5 percent that needs to go through the organization’s security operations center (SOC). For that 5 percent, you must create custom detections and rules, and that’s not always so easy.
For example, say that you have a legitimate file that creates a registry key, but nothing in your environment uses that registry key, so it could be exploited.