logger2115
Copper Contributor
Oct 09, 2024

non-MS AV Product

If MDE status is Passive, what device events can I expect in the Advanced Hunting tables in Defender Advanced Hunting?


Looking to see if specific events like CredGuard, DeviceGuard, LSA and a wide array of other security events will be captured in passive mode. Or do I need to switch over to MS AV to get these events from endpoints?


  • am1357
    Oct 14, 2024

    logger2115 


    It sounds like you would like to know which events (= event IDs) are being sent to Defender XDR in passive mode so you can leverage them via Advanced Hunting. As far as I know, there is currently no list published by Microsoft that shows that kind of information.


    There is an interesting blog series by Olaf Hartong (https://medium.com/falconforce/mdeinternals/home) about MDE and telemetry. In short, not all events are logged locally and not all events are being sent from the device to the portal. Data in Advanced Hunting is also not the same as the data in the device's timeline.


    It might be a better solution to use AMA to push the events that you want to Sentinel. Using MDE in passive mode might also cause performance issues, and you would probably receive a ton of redundant data that you might already receive through your third-party AV solution (or is it an EDR solution?).

  • rahuljindal-MVP (Bronze Contributor)
    EDR, device control and IoC continue to function even with Defender running in passive mode. You should see events related to these at least.
    • logger2115 (Copper Contributor)
      When in passive mode, do machine events get collected in the Device table in the Defender portal? The plan is to get this fed via the XDR connector to Sentinel, then use analytic rules to alert on detections like Mimikatz, PowerShell attacks, code execution and other events from Windows Event Viewer on local endpoints.
      • rahuljindal-MVP (Bronze Contributor)
        It will depend on what you have enabled in passive mode, but yes, the events are sent through Defender's telemetry.
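Before hunting for passive-mode telemetry in the portal, it is worth confirming on the endpoint itself which mode Defender Antivirus is actually in and whether the EDR sensor (the "Sense" service, which is what feeds Advanced Hunting and keeps running when AV is passive) is up. The script below is an added example written for this thread, not code posted by any of the participants or published by Microsoft. It assumes a Windows 10/11 or Windows Server host that is onboarded to MDE and has the Defender PowerShell module; the `root/SecurityCenter2` query only returns data on client SKUs, so that field is expected to be empty on servers.

```powershell
# Added example (not from the thread): report Defender AV mode, the passive-mode
# policy switch, and the state of the EDR sensor on the local endpoint.
# Assumes: Windows client/server with the Defender cmdlets, MDE onboarded.

# AMRunningMode is the authoritative answer: 'Normal', 'Passive Mode',
# 'EDR Block Mode', 'SxS Passive Mode' or 'Not running'.
$status = Get-MpComputerStatus
$mode   = $status.AMRunningMode

# Registry/policy value that forces passive mode (required on Server SKUs
# when a third-party AV is the primary product; optional on clients).
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$forced = (Get-ItemProperty -Path $policyKey -Name ForceDefenderPassiveMode `
           -ErrorAction SilentlyContinue).ForceDefenderPassiveMode

# The EDR sensor is the 'Sense' service; it is independent of AV mode and is
# the component that ships DeviceEvents/DeviceProcessEvents etc. to the portal.
$sense = Get-Service -Name Sense -ErrorAction SilentlyContinue

# Third-party AV products registered with Windows Security Center (clients only).
$avProducts = Get-CimInstance -Namespace root/SecurityCenter2 `
                -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
              Select-Object -ExpandProperty displayName

[pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    AMRunningMode            = $mode
    ForceDefenderPassiveMode = $forced
    RealTimeProtection       = $status.RealTimeProtectionEnabled
    SenseServiceStatus       = if ($sense) { $sense.Status } else { 'not installed' }
    RegisteredAV             = if ($avProducts) { $avProducts -join ', ' } else { 'n/a' }
} | Format-List
```

If `AMRunningMode` shows `Passive Mode` while `SenseServiceStatus` is `Running`, the device is still an EDR sensor and its process, network, registry and other sensor-sourced tables will populate in Advanced Hunting; what will not appear are the AV-originated rows (scan and detection action types), because the third-party product owns those. If the Sense service is stopped or missing, the device is not reporting at all regardless of AV mode.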