Microsoft Entra Suite Tech Accelerator
Aug 14 2024, 07:00 AM - 09:30 AM (PDT)
Microsoft Tech Community

API to get exact data of policies for Defender for Endpoint

Copper Contributor

I am working on an API that gets all the configuration and tells me if there are any misconfiguration on any settings anywhere.

 

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-assessment-secure-con...

As per the documentation here, this API only provides below information. I am looking for something that tells the exact configuration.

 

IsApplicable

bool

Indicates whether the configuration or policy is applicable

true

IsCompliant

bool

Indicates whether the configuration or policy is properly configured

false

 

 

This doesn't provide information on what are the settings especially the Attack Surface Rules.

 

Example Data below. This is a test environment so details below are fine to be exposed anywhere.

 

deviceName

osPlatform

timestamp

configurationCategory

configurationSubcategory

configurationImpact

isCompliant

isApplicable

configurationName

desktop-tgjrkeb

Windows11

01/09/2023 19:39

Security controls

Attack Surface Reduction

9

FALSE

TRUE

Block persistence through WMI event subscription

desktop-tgjrkeb

Windows11

01/09/2023 19:39

Security controls

Attack Surface Reduction

9

FALSE

TRUE

Block abuse of exploited vulnerable signed drivers

desktop-tgjrkeb

Windows11

01/09/2023 19:39

Security controls

Attack Surface Reduction

9

TRUE

TRUE

Block Office communication application from creating child processes

desktop-tgjrkeb

Windows11

01/09/2023 19:39

Security controls

Attack Surface Reduction

9

TRUE

TRUE

Block Adobe Reader from creating child processes

desktop-tgjrkeb

Windows11

01/09/2023 19:39

Security controls

Attack Surface Reduction

9

TRUE

TRUE

Block credential stealing from the Windows local security authority subsystem (lsass.exe)

desktop-tgjrkeb

Windows11

01/09/2023 19:39

Security controls

Attack Surface Reduction

9

FALSE

TRUE

Block process creations originating from PSExec and WMI commands

desktop-tgjrkeb

Windows11

01/09/2023 19:39

Security controls

Attack Surface Reduction

9

TRUE

TRUE

Block untrusted and unsigned processes that run from USB

desktop-tgjrkeb

Windows11

01/09/2023 19:39

Security controls

Attack Surface Reduction

9

TRUE

TRUE

Block JavaScript or VBScript from launching downloaded executable content

desktop-tgjrkeb

Windows11

01/09/2023 19:39

Security controls

Attack Surface Reduction

9

TRUE

TRUE

Block execution of potentially obfuscated scripts

desktop-tgjrkeb

Windows11

01/09/2023 19:39

Security controls

Attack Surface Reduction

9

TRUE

TRUE

Block executable content from email client and webmail

desktop-tgjrkeb

Windows11

01/09/2023 19:39

Security controls

Attack Surface Reduction

9

TRUE

TRUE

Block Office applications from injecting code into other processes

desktop-tgjrkeb

Windows11

01/09/2023 19:39

Security controls

Attack Surface Reduction

9

TRUE

TRUE

Block all Office applications from creating child processes

desktop-tgjrkeb

Windows11

01/09/2023 19:39

Security controls

Attack Surface Reduction

9

TRUE

TRUE

Block Office applications from creating executable content

desktop-tgjrkeb

Windows11

01/09/2023 19:39

Security controls

Attack Surface Reduction

9

TRUE

TRUE

Block Win32 API calls from Office macros

desktop-tgjrkeb

Windows11

01/09/2023 19:39

Security controls

Attack Surface Reduction

9

FALSE

TRUE

Block executable files from running unless they meet a prevalence, age, or trusted list criterion

 

 

I feel like I am missing something here. Does anyone know where can i get an API that fetches the exact configuration e.g., Not Configured, Block Mode or Audit Mode for the entire environment. I appreciate any help from here.

0 Replies