MDR for Windows Defender Admin Functions

Description

 
Adding / Promoting users

Analyst-level users have sufficient access to the general functions of the Portal, so most users do not need the Admin role. Keeping Admin to a minimum protects the integrity of the provisioning, configuration, and security settings of the DattoEDR Portal.

  • Do not remove or modify MSS Engineers user levels or accounts.
  • Click on your username on the Datto Dashboard and click on Admin

image-20240517-153319.png

  • This will default you to the Users page, where you click Add User.
  • Enter the email address of the user you want to add and select the Role to assign.
    • Admin grants access to all functions in the portal. Restrict this role to as few users as possible.
    • Analyst grants access to one-time functions in the portal (i.e., response, scan, search, etc.). This role does not allow Policy management or Device management access.
    • External Analyst grants read-only access to external entities and can be restricted to viewing a single Organization.

  • If a user already has an account in the portal, the email address will display in red and you will not be able to enter it.
  • If you already have a Datto Partner Portal account, use the same email address so the two accounts are tied together for single sign-on.

 

Creating an Infocyte access account with an existing Datto Partner Portal account

Your Datto Partner Portal account and your DattoEDR account have to be merged manually. If you already have a Datto account, use the same email address for both.

  • Log out of any current Datto account
  • Click on Register link in your User Account set up email
  • Log back into your Datto Partner Portal with your current credentials
  • In the same browser, enter your DattoEDR URL <assignedname.infocyte.com> in the address bar and press Enter.
  • This should bring you to your EDR Dashboard
  • From this point on, when you log into your Datto Partner Portal, you will have an additional option to select for login

image-20240517-163543.png

Logging in with KaseyaOne

Once authenticated into the portal, you can add KaseyaOne as an additional sign-in option.

  • In the Datto Dashboard, click your username, then select Admin.
  • Select Settings from the left menu.
  • Select the KaseyaOne tab.
  • Select Unified Login ONLY.

Important

  • Do not enable Require login with KaseyaOne. Enabling it can lock your SOC/support team out of the instance and its devices for support and engagement. Use Unified Login only.

Creating an API Key

API keys are used to access portal data through Loopback, PowerShell, and various other 3rd-party tools. Treat a token like a password: it authenticates to the API without an interactive login, so keep it in a secrets store rather than in scripts, tickets, or chat.

  • Do not remove Tokens generated by MSS Engineers.
  • Click on your username on the DattoEDR Dashboard and click on Admin

image-20240517-153319.png

  • This will default you to the Users & Tokens page, where you click the API Tokens tab.

image-20240517-153343.png

  • Click Create new Token, enter a descriptive name for the token, and click Create.

image-20240517-153134.png

  • You MUST copy this token now; once the pop-up closes, it cannot be recovered. If a token is lost or exposed, remove it and create a new one.
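As an added example (not Datto/Infocyte code from this page): the PowerShell below stores the token copied from the Create new Token pop-up once, DPAPI-protected under your Windows user and machine, and reads it back for API calls, so the token never sits in clear text in a script. The instance hostname form is taken from this page; the Authorization: Bearer header scheme and the /api/hosts path are assumptions, so take the real endpoint and authentication details from your instance's API documentation.

```powershell
# Added example (not Datto/Infocyte code): keep a DattoEDR API token out of scripts.
# ASSUMPTIONS (not from the page): the 'Authorization: Bearer' header scheme and the
# '/api/hosts' path are placeholders; use the values from your instance's API docs.

$Instance  = 'assignedname.infocyte.com'                       # your DattoEDR URL
$TokenFile = Join-Path $env:LOCALAPPDATA 'DattoEDR\api-token.xml'

function Save-EdrToken {
    # Prompt once; the token is only shown at creation and cannot be recovered later.
    $secure = Read-Host -Prompt 'Paste the new API token' -AsSecureString
    $cred   = New-Object System.Management.Automation.PSCredential ('datto-edr-token', $secure)
    New-Item -ItemType Directory -Force -Path (Split-Path $TokenFile) | Out-Null
    # On Windows, Export-Clixml encrypts the SecureString with DPAPI, bound to this
    # user and machine; the file is useless if copied elsewhere.
    $cred | Export-Clixml -Path $TokenFile
}

function Get-EdrToken {
    if (-not (Test-Path $TokenFile)) { throw 'No stored token; run Save-EdrToken first.' }
    (Import-Clixml -Path $TokenFile).GetNetworkCredential().Password
}

function Invoke-EdrApi {
    param(
        [Parameter(Mandatory)] [string] $Path,   # ASSUMED path form, e.g. 'hosts'
        [string] $Method = 'GET'
    )
    $headers = @{ Authorization = "Bearer $(Get-EdrToken)" }   # ASSUMED scheme
    try {
        Invoke-RestMethod -Method $Method -Uri "https://$Instance/api/$Path" -Headers $headers
    } catch {
        # A 401/403 here usually means the token was removed on the API Tokens tab
        # or the account that created it lost its role; create a new token instead
        # of hard-coding an old one somewhere.
        throw "EDR API call to '$Path' failed: $($_.Exception.Message)"
    }
}

# Usage:
# Save-EdrToken              # run once, right after 'Create new Token'
# Invoke-EdrApi -Path 'hosts'
```

Because the file is DPAPI-bound, a scheduled task or RMM script must run as the same Windows account that ran Save-EdrToken; that is the point, since a copied file does not leak the token.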
 
Activating / Creating Policies

Activating Policies

  • Before a policy can be assigned to any Organization or Location, it must be activated on the Policies page of your Portal Dashboard.
  • Activate each policy by clicking the radio button next to the policy you wish to use in the Portal.

Default Policies

  • Policies set as Default are automatically inherited by all enabled Organizations and Locations.
  • Custom named policies can be set as Default policies.
  • You cannot have more than one Default policy of each type.
  • Policies can be overridden in Organizations and Locations with named policies.
  • If no policies are set as Default, policies have to be applied manually to each Organization/Location.
  • To set or disable a Default policy, click the three-dot menu next to the policy you are modifying and select your option from the drop-down menu.

image-20240517-165508.png

  • You cannot delete a Policy if it is in effect for any Location.

Creating Custom Policies

  • Custom policies must be based on Windows Defender, Datto AV, or Ransomware Detection rules.
  • We do not support Automated Response policies and do not recommend enabling them, even with only the recommended responses turned on.
  • On the Policies page, click Create Policy.
  • In the Type drop-down field, select the kind of policy you are creating (for example, Ransomware Detection).
  • Enter a unique identifier for this policy in the Name field.
  • Enter a short summary of the policy's purpose in the Description field.

image-20240228-193305.png

  • Click Create to save your changes.

 

Creating an EDR Real Time Monitor Policy

For the best protection and coverage, we recommend enabling this policy on all endpoints.

  • Real-time Protection Monitoring should be enabled.
  • If you use an RMM tool, we recommend one of the following to reduce the likelihood of application conflicts that could impact endpoint performance:
    • Under Real-time Options, add your RMM tool's installation path to the exclusions list (recommended for all RMM tools).
    • Under Real-time Options, clear the Memory checkbox to disable memory scanning in the EDR policy (recommended only if memory read/write protection is already enabled in your AV policy).
  • Tamper Protection is not applicable in our use case; do not enable it.
  • Scheduled scans, at minimum weekly, are highly encouraged. They collect Applications, Artifacts, Autostarts, Drivers, Memory, Modules, and Network connections in addition to the regularly uploaded Accounts and Processes, which gives us a fuller baseline of a healthy environment if we need to investigate an incident or process further.
    • Select your desired day, time, and frequency for the scans.
    • Do not select any Extension options to add to the scans. These are for our internal use and may cause device interruptions or unwanted actions on the endpoints.

 

Creating a Custom Ransomware Policy

  • Once you create your new policy, the next screen opens; this is where you make your modifications.

image-20240517-170128.png

  • The recommended settings are shown above. We generally do not recommend Shut Down Host in the event of ransomware, as that can result in loss of data and logs.
  • Once you are satisfied with your settings, save the policy and activate it by clicking the radio button next to it.
  • Please see here for important information about the Ransomware Detection and Rollback features.

  

Creating a Custom Defender Policy

This Policy is ONLY to be applied to devices with FREE DEFENDER.  DO NOT apply this policy to devices with Premium Defender!

Windows Defender Policy provides an additional layer to help guard against malware, spyware, and malicious browser activity.

  • Name your custom policy and enter its description.

image-20240517-175610.png
image-20240517-180813.png

  • Select your configuration for each subset.
  • Enter any scanning exclusions.
  • Your endpoint must be running Windows antivirus version 1.381.2164.0 or higher to use the Use advanced Office/Adobe Reader protection toggle in the Attack Surface Reduction section of the policy. If the endpoint is not running this version or above, you must disable the toggle.
  • Save and activate your policy.
 
Windows Defender Policy Definitions

Interface

  • Disable User Interface - Limits the user's ability to view Defender UI, notifications, or change any scanning behavior
  • Use a proxy server - Enables proxy configuration for partners who run updates via a proxy

Protection

  • Cloud-based protection - Leverage Microsoft Defender's cloud platform to evaluate file samples and block content determined to be a threat by the Defender community
  • Behavior-based protection - Monitor for threats that are detected through machine learning
  • Keep Defender service alive in all circumstances - Enable the Defender service's keepalive functions
  • Monitor file and program activity - Monitor new files and file-related activity
  • Network inspection and protocol recognition - Monitors outbound HTTP(S) traffic and blocks connections to sites such as Command & Control (C&C) servers, phishing pages, and other malicious targets
  • Scan scripts used in Microsoft browsers - Scan for malicious scripts from web pages when using Microsoft browsers
  • Block risky DNS request - Attempts to identify and block connections to URLs known to be risky or host malware
  • Detection based on heuristics - Inspects code for suspicious elements
  • Microsoft Outlook protection - Scan Microsoft Outlook for suspicious emails and attachments

Scanning exclusions

  • Excludes specific processes, files, folders, and extensions from scanning. (ie quarantine folders, security products, etc.)

Defender Attack Surface Reduction

  • Use advanced ransomware protection - Use your Windows-embedded client and cloud heuristics to determine if a file resembles ransomware; can run in conjunction with The Ransomware Detection Policy
  • Block abuse of exploited / vulnerable signed drivers - Prevent applications from writing a vulnerable signed driver to disk
  • Block untrusted unsigned process running from USB - Block untrusted processes from executing that are on a USB drive
  • Block advanced malware attack techniques - Block potentially obfuscated scripts, possible persistence through WMI event subscriptions, and process creations originating from PsExec and WMI
  • Use advanced Office / Adobe Reader protection - Monitor and block Microsoft Office and Adobe applications that inject code into other processes, create child processes, or make Win32 API calls (your endpoint must be running Windows antivirus version 1.381.2164.0 or higher to use this function; otherwise disable it)
  • Protection Level - Sets whether the Attack Surface Reduction rules above run in Audit mode (detections are logged only) or Block mode (detections are blocked)

Attack Surface Reduction Exclusions

  • Process exclusions - Exclude specific processes from analysis in the Attack surface reduction exclusions ruleset (ie security software, backup solutions, etc.)
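As an added example (not Datto/Infocyte code from this page): the PowerShell below, run in an elevated session on a Windows endpoint after the Custom Defender Policy has been applied, reads back what Microsoft Defender Antivirus is actually enforcing: the signature-version prerequisite for the Office / Adobe Reader toggle, the real-time, behavior, network-inspection, script and email scanning states, each Attack Surface Reduction rule's mode (Off, Block, Audit, Warn), and the exclusions that were pushed. The mapping from this page's toggle names to Defender cmdlet properties and Microsoft ASR rule IDs is an assumption inferred from the toggle descriptions; the page does not list rule IDs, so treat a mismatch as something to check against the policy, not as proof of a fault.

```powershell
# Added example (not Datto/Infocyte code): read back on the endpoint what the Custom
# Defender Policy produced in Microsoft Defender Antivirus. Run elevated.
# ASSUMPTION: the toggle -> cmdlet property / ASR rule ID mapping below is inferred
# from the toggle descriptions on this page; the page does not list rule IDs itself.

$MinSignature = [version]'1.381.2164.0'   # prerequisite for 'Use advanced Office / Adobe Reader protection'

# Assumed mapping: Microsoft ASR rule ID -> rule name, grouped by the portal toggle
$AsrRules = [ordered]@{
    # Use advanced ransomware protection
    'c1db55ab-c21a-4637-bb3f-a12568109d35' = 'Use advanced protection against ransomware'
    # Block abuse of exploited / vulnerable signed drivers
    '56a863a9-875e-4185-98a7-b882c64b5ce5' = 'Block abuse of exploited vulnerable signed drivers'
    # Block untrusted unsigned process running from USB
    'b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4' = 'Block untrusted and unsigned processes that run from USB'
    # Block advanced malware attack techniques
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'e6db77e5-3df2-4cf1-b95a-636979351e5b' = 'Block persistence through WMI event subscription'
    'd1e49aac-8f56-4280-b9ba-993a6d77406c' = 'Block process creations originating from PSExec and WMI commands'
    # Use advanced Office / Adobe Reader protection
    '75668c1f-73b5-4cf0-bb93-3ecf5cb7cc84' = 'Block Office applications from injecting code into other processes'
    'd4f940ab-401b-4efc-aadc-ad5f3c50688a' = 'Block all Office applications from creating child processes'
    '92e97fa1-5d80-4a06-b9f6-a6ed0b0d5b3c' = 'Block Win32 API calls from Office macros'
    '7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c' = 'Block Adobe Reader from creating child processes'
}
# Get-MpPreference action codes for ASR rules
$ActionName = @{ 0 = 'Off'; 1 = 'Block'; 2 = 'Audit'; 6 = 'Warn' }

function Test-DefenderPolicyState {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $rows   = [System.Collections.Generic.List[object]]::new()
    $add = { param($Check, $Value, $OK) $rows.Add([pscustomobject]@{ Check = $Check; Value = $Value; OK = [bool]$OK }) }

    # 1. Version prerequisite for the Office / Adobe Reader toggle
    $sig = [version]$status.AntivirusSignatureVersion
    & $add 'Antivirus signature version (>= 1.381.2164.0)' $sig ($sig -ge $MinSignature)

    # 2. Protection section (assumed property mapping)
    & $add 'Monitor file and program activity (real-time)' $status.RealTimeProtectionEnabled   $status.RealTimeProtectionEnabled
    & $add 'Behavior-based protection'                     $status.BehaviorMonitorEnabled      $status.BehaviorMonitorEnabled
    & $add 'Network inspection (NIS)'                      $status.NISEnabled                  $status.NISEnabled
    & $add 'Cloud-based protection (MAPS)'                 $pref.MAPSReporting                 ($pref.MAPSReporting -ne 0)
    & $add 'Scan scripts'                                  (-not $pref.DisableScriptScanning)  (-not $pref.DisableScriptScanning)
    & $add 'Outlook protection (email scanning)'           (-not $pref.DisableEmailScanning)   (-not $pref.DisableEmailScanning)

    # 3. Attack Surface Reduction: each rule's mode should match the policy's Protection Level
    $ids  = [string[]]@($pref.AttackSurfaceReductionRules_Ids     | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    $acts = [int[]]   @($pref.AttackSurfaceReductionRules_Actions | Where-Object { $null -ne $_ })
    foreach ($id in $AsrRules.Keys) {
        $i   = [array]::IndexOf($ids, $id)
        $act = if ($i -ge 0 -and $i -lt $acts.Count) { $acts[$i] } else { 0 }   # not listed = Off
        & $add $AsrRules[$id] $ActionName[$act] ($act -in 1, 2)                 # Block or Audit counts as applied
    }

    # 4. Exclusions pushed by the policy, to compare with what was entered in the portal
    & $add 'Scanning exclusions (paths)' ($pref.ExclusionPath -join '; ')                       $true
    & $add 'ASR process exclusions'      ($pref.AttackSurfaceReductionOnlyExclusions -join '; ') $true
    return $rows
}

$report = Test-DefenderPolicyState
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.OK }) {
    Write-Warning 'One or more checks failed; compare the rows above with the policy in the portal.'
}
```

If the signature-version row fails, the Office / Adobe Reader rules will show as Off regardless of the policy, which is the case the page tells you to handle by disabling that toggle; run the check again after a security intelligence update rather than leaving the toggle on.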
