cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Tampering with Microsoft Defender for Endpoint sensor settings alert false positive?

Kiril
Iron Contributor

‎Mar 24 2023 08:41 AM

‎Mar 24 2023 08:41 AM

Tampering with Microsoft Defender for Endpoint sensor settings alert false positive?

I am currently investigating the following timeline. All of the involved binaries are part of Windows. How can I make sure, whether this is a false positive, or whether I need to dig deeper?

 

Kiril_0-1679672394074.png

 

2,332 Views
0 Likes
3 Replies
Reply
3 Replies
rahuljindal-MVP

‎Mar 24 2023 08:58 AM

‎Mar 24 2023 08:58 AM

Re: Tampering with Microsoft Defender for Endpoint sensor settings alert false positive?

There maybe Windows processes, but they don't appear to be the point of origin. They don't appear to be false positives to me. Do you have other MDE components enabled like ASR? Also, do you have automated incident response enabled in Defender portal?
0 Likes
Reply
Kiril

‎Mar 24 2023 09:04 AM - edited ‎Mar 24 2023 09:12 AM

‎Mar 24 2023 09:04 AM - edited ‎Mar 24 2023 09:12 AM

Re: Tampering with Microsoft Defender for Endpoint sensor settings alert false positive?

@rahuljindal-MVP 

Thank you, yes both are enabled. ASR rules in Block mode and automated incident response.

 

> they don't appear to be the point of origin.

 

How to investigate the point of origin here?

 

0 Likes
Reply
rahuljindal-MVP

‎Mar 24 2023 03:21 PM - edited ‎Mar 24 2023 03:22 PM

‎Mar 24 2023 03:21 PM - edited ‎Mar 24 2023 03:22 PM

Re: Tampering with Microsoft Defender for Endpoint sensor settings alert false positive?

The timeline ideally should give you details. Otherwise, advanced hunting queries will be the next best option for investigation. 

0 Likes
Reply