Select individual or multiple observables and perform a manual observable enrichment
to enrich observables with additional information from Microsoft Defender for Endpoint.
Antes de Iniciar
Role required: sn_si.analyst
Por Que e Quando Desempenhar Esta Tarefa
The Microsoft Defender for Endpoint integration enables observable
enrichment for all the observable types that are mapped in the Observable-Indicator
Mapping module.
Procedimento
-
Navigate to .
-
Select the security incident that you want to review with the Microsoft
Defender for Endpoint information.
-
Click Show All related lists.
-
Click the Associated Observables tab.
-
Select the observables.
-
From the Actions list, click Run Observable
Enrichment.
-
Select a Microsoft Defender for Endpoint source and move
it to the Selected column to specify which implementation
you want to use to enrich the selected observables.
-
Click Submit.
-
To validate the status of the execution, view the work notes.
-
To view the results, click Microsoft Defender Indicator
tab.
You can use the following table for more information on the observable
enrichment.