MDATP - how to? is it possible to:


Hi All,


Asking some potentially dumb questions & looking for guidance if these actions are possible:

  • Monitor for any changes in the Event Log settings - i.e. change of size, retention, file, etc. for System/Security/Application/PowerShell Event Logs
  • Monitor for any changes to the HOST/HOSTS file - could just use Folder Protection/Controlled Folder access?

I'm particularly interested if there is any way of monitoring for any changes to the Event Logs


Regards,

Socially distancing Dave


@David Caddick 


Is there anything in particular that you want to monitor on the event logs?


All activities of an onboarded machine can be found in the timeline section of the MDATP portal for that particular machine.

https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/investiga...
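The two things the original question asks about (Event Log configuration changes and edits to the hosts file) both surface as registry and file events in the device timeline, and the same telemetry can be queried with Advanced Hunting. The query below is an added example written for this thread, not code from Microsoft or from either poster. It uses the current table names (DeviceRegistryEvents, DeviceFileEvents); in the portal as it was when this thread was written they appeared as RegistryEvents and FileEvents. The registry paths are the standard Windows locations for per-log settings (MaxSize, Retention, File, AutoBackupLogFiles), for the PowerShell/Operational channel, and for the Group Policy overrides; the 7-day lookback is an arbitrary choice.

```kusto
// Added example (not from the original thread). Advanced Hunting query for
// Microsoft Defender for Endpoint (called MDATP in this thread).
// Lookback window is an assumption; adjust to taste.
let lookback = 7d;
// Part 1: changes to Event Log settings.
// Per-log settings live under HKLM\SYSTEM\CurrentControlSet\Services\EventLog\<Log>,
// the PowerShell/Operational channel under ...\WINEVT\Channels\Microsoft-Windows-PowerShell...,
// and Group Policy overrides under HKLM\SOFTWARE\Policies\Microsoft\Windows\EventLog.
let EventLogSettingChanges =
    DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("RegistryValueSet", "RegistryValueDeleted", "RegistryKeyDeleted")
    | where RegistryKey contains @"\Services\EventLog\"
         or RegistryKey contains @"\Policies\Microsoft\Windows\EventLog"
         or RegistryKey contains @"\WINEVT\Channels\Microsoft-Windows-PowerShell"
    // Size, retention, log file location, auto-backup and channel enable/disable
    | where RegistryValueName in~ ("MaxSize", "Retention", "File", "AutoBackupLogFiles", "Enabled")
         or ActionType == "RegistryKeyDeleted"
    | project Timestamp, DeviceName, ActionType, RegistryKey, RegistryValueName,
              PreviousRegistryValueData, RegistryValueData,
              InitiatingProcessAccountName, InitiatingProcessFileName,
              InitiatingProcessCommandLine;
// Part 2: any create/modify/rename/delete touching the hosts file.
// Filtering on both FolderPath and FileName works whether or not FolderPath
// includes the file name in a given tenant's telemetry.
let HostsFileChanges =
    DeviceFileEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("FileCreated", "FileModified", "FileRenamed", "FileDeleted")
    | where FolderPath contains @"\drivers\etc" and FileName =~ "hosts"
    | project Timestamp, DeviceName, ActionType, FolderPath, FileName, SHA1,
              InitiatingProcessAccountName, InitiatingProcessFileName,
              InitiatingProcessCommandLine;
// Combine both result sets; columns missing from one side are left empty.
union EventLogSettingChanges, HostsFileChanges
| sort by Timestamp desc
```

Run it from Advanced Hunting to review what has already happened on onboarded devices; to get alerted on future occurrences, the same query can be saved as a custom detection rule. The PreviousRegistryValueData and RegistryValueData columns make it easy to spot a log being shrunk or its retention flipped, and the InitiatingProcess columns show whether the change came from Group Policy, an admin session, or something less expected.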