Channel: Symantec Connect - Products - Articles

How to utilize SEP for Incident Response - Complete Index

Below are links to my articles on using SEP for incident response, with a brief description of what each one covers. Please feel free to have a look and leave questions, comments, or feedback. Ideas for future articles are welcome as well. Additionally, you can subscribe to posts by me to be kept updated on any new releases. Thanks for looking!

How to utilize SEP 12.1 for Incident Response - PART 1

  • This article discusses using the 'Application to Monitor' feature in SEPM to stop the spread of a threat when current definitions are not detecting it.

How to utilize SEP 12.1 for Incident Response - PART 2

  • This article discusses using the System Lockdown component to stop the spread of a threat.

How to utilize SEP 12.1 for Incident Response - PART 3

  • This article discusses using the 'Network Application Monitoring' feature in SEPM to track which applications in your network are making connections to the Internet and determine if they've been compromised.

How to utilize SEP 12.1 for Incident Response - PART 4

  • This article discusses using the 'Application Learning' feature to hunt for malicious processes on endpoints.

How to utilize SEP 12.1 for Incident Response - PART 5

  • This article discusses using the firewall component to create specially crafted rules to lock down endpoint traffic during an incident response situation.

How to utilize SEP 12.1 for Incident Response - PART 6

  • This article discusses using a custom IPS policy to detect file downloads over HTTP/HTTPS.

How to utilize SEP 12.1 for Incident Response - PART 7

  • This article discusses using the Application and Device Control component to monitor all file and registry activity on a system, very similar to what Process Monitor can do.

How to utilize SEP 12.1 for Incident Response - PART 8

  • This article discusses the Tamper Protection component and how it can be used to detect potentially malicious processes that try to disable SEP.

How to utilize SEP 12.1 for Incident Response - PART 9

  • This article discusses using both the Application and Device Control and Firewall components to allow a file to execute but restrict its access to the Internet.

How to utilize SEP for Incident Response - PART 10

  • This article discusses using the custom IPS feature to detect inbound network connection attempts.
