Summary: Details on viewing events from Defender for Endpoint and managing the endpoint via the Huntress portal.
*As of 7/13/2024: Note that this is currently in Beta. If you would like to try out the integration, please reach out to your Huntress account manager.
Command Center Widget
The Command Center widget visualizes the health status counts of endpoints at the account and organization levels.
The Agent Coverage progress bar on the widget shows the overlap between the number of endpoints using the Microsoft Defender for Endpoint integration and the number of endpoints with the Huntress Agent installed. An endpoint is considered "covered" if the Huntress agent is on the machine. Only covered endpoints will receive incident reports from the Huntress SOC if anything is found.
Below the Agent Coverage progress bar is a link that directs you to a view of endpoints that are "missing" an agent association (Huntress agent not installed) but have the "Supported Platform" status (indicating the Huntress agent could be installed on the endpoint).
Searching and Filtering Events
Events exist at the Account, Organization, and Agent (Endpoint) levels.
Search Filters
- Title
Filtering Fields
- Event Status
- Severity
- Detection Source
- Threat Category
- Detection Time
Searching and Filtering Endpoints
Search Filters
- Hostname
- IP Address
Filtering Fields
- Health Statuses
- Agent Association
  - Missing
  - Associated
- Platform
  - Windows
  - macOS
  - Supported Platforms (Windows and macOS endpoints that are also running an operating system the Huntress agent is compatible with. Example: a Windows 7 endpoint is listed under the "Windows" platform but not under "Supported Platforms", because Windows 7 is supported by Defender for Endpoint but not by Huntress)
  - Other (Linux / mobile devices / other unsupported endpoints / other Discovered devices)
- Risk score
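The Agent Coverage widget and the "Missing" / "Supported Platforms" filters described above amount to a simple coverage-gap check over the endpoint inventory. The following is an added example (not Huntress's code) that reproduces that logic on a constructed inventory; the `Endpoint` field names and the `SUPPORTED_OS` set are assumptions, with Windows 7 left out to match the example in the filter description.

```python
"""Agent Coverage and 'missing on a supported platform' check (added example).

Mirrors the portal logic described on this page: an endpoint reporting to
Defender for Endpoint is "covered" when the Huntress agent is also installed,
and the "missing" view lists uncovered endpoints whose OS Huntress supports.
"""
from dataclasses import dataclass

# Assumption: operating systems treated as a "Supported Platform". Windows 7 is
# deliberately absent: Defender for Endpoint supports it, the Huntress agent does not.
SUPPORTED_OS = {"Windows 10", "Windows 11", "Windows Server 2019",
                "Windows Server 2022", "macOS"}


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    platform: str         # "Windows", "macOS" or "Other" (Linux, mobile, ...)
    os_name: str          # e.g. "Windows 7", "Windows 11", "macOS"
    huntress_agent: bool  # True when Agent Association is "Associated"


def is_supported_platform(ep: Endpoint) -> bool:
    """Supported Platform = Windows/macOS endpoint on an OS the Huntress agent supports."""
    return ep.platform in {"Windows", "macOS"} and ep.os_name in SUPPORTED_OS


def agent_coverage(endpoints):
    """Return (covered, total, percent): overlap of Defender endpoints and Huntress agents."""
    total = len(endpoints)
    covered = sum(1 for e in endpoints if e.huntress_agent)
    pct = round(100 * covered / total, 1) if total else 0.0
    return covered, total, pct


def missing_supported(endpoints):
    """Endpoints the 'missing' link points at: no Huntress agent, but a supportable OS."""
    return sorted(e.hostname for e in endpoints
                  if not e.huntress_agent and is_supported_platform(e))


# Constructed inventory for demonstration.
INVENTORY = [
    Endpoint("ws-01", "Windows", "Windows 11", True),
    Endpoint("ws-02", "Windows", "Windows 10", False),    # gap: shows under "Missing"
    Endpoint("legacy-07", "Windows", "Windows 7", False),  # Windows, but not a Supported Platform
    Endpoint("mac-01", "macOS", "macOS", False),           # gap: shows under "Missing"
    Endpoint("srv-lnx", "Other", "Ubuntu 22.04", False),   # Defender-only; Huntress not applicable
]

if __name__ == "__main__":
    covered, total, pct = agent_coverage(INVENTORY)
    print(f"Agent Coverage: {covered}/{total} ({pct}%)")
    print("Missing agent on a supported platform:", missing_supported(INVENTORY))
```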
Endpoint Health Statuses
| Status | Description | Required Actions |
| --- | --- | --- |
| Active Endpoint | The endpoint is actively reporting to the Defender for Endpoint service. | No action required. |
| Inactive Endpoint | The endpoint has stopped reporting to the Defender for Endpoint service for more than 7 days in the past month. | If the endpoint is online, investigate why Defender for Endpoint is not working on it. If it is offline, no action is required. |
| Unhealthy Endpoint | The endpoint is partially reporting sensor data or is not reporting any data to the Defender for Endpoint service. Investigation is required. | Review the endpoint to ensure Defender for Endpoint is fully operational. See the Fix Unhealthy Sensors guide from Microsoft. |