WDATP - Auditing and Certificate questions

Hello everyone,

I'm currently testing WDATP and have two questions:

Auditing:
As far as I know, the only possible way for auditing (e.g. user xyz initiated a live response session or user xyz created an advanced hunting query) so far is to use the API.
If I attach Defender ATP to a SIEM via the SIEM connector, will all the auditing events be transmitted to the SIEM automatically, or do I still need to register an API application and actively query them?
If the latter is true, which events should I query for auditing?

The other question is about certificate custom indicators:
We use a lot of self-developed software and had a lot of trouble with our current AV solution (not Defender ATP) and false positives. We started to sign software with a certificate issued by the company's root CA. The certificate chain looks like this:
Root CA -> Intermediate CA -> Codesigning Certificate (different for each software product).
If we switch to Defender ATP and our custom software is signed with a certificate from the root CA and the root CA certificate is on the certificate allowlist, will this eliminate the chance of false positives?
Or is it required to add the actual certificate to the certificate custom indicator list? Or the intermediate CA? Or all three?

Thanks for all replies in advance
Stefan

Since no one has replied to this post so far, I did some more research and got an answer about the certificate questions:

  • According to some folks from Microsoft, you should use the actual codesigning certificate if you want to whitelist (e.g. "allow") a certificate.
  • If you want to block an untrusted chain, you can use the Root CA of this chain.

Best regards

Stefan
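As an added example (not part of the thread, and not Microsoft's own tooling), the following PowerShell walks the Authenticode chain of a signed binary and exports the two certificates the reply distinguishes: the leaf codesigning certificate for an allow indicator, and the Root CA for blocking an untrusted chain. The file path and output folder are placeholders you would replace.

```powershell
# Added example, not from the original thread. Inspects a signed binary and
# exports the certificates relevant to the two indicator cases described above.
param(
    [string]$FilePath  = 'C:\Path\To\YourSignedProduct.exe',  # placeholder
    [string]$OutFolder = "$env:TEMP\cert-indicators"           # placeholder
)

$sig = Get-AuthenticodeSignature -FilePath $FilePath
if (-not $sig.SignerCertificate) { throw "No signer certificate found on $FilePath" }
if ($sig.Status -ne 'Valid') {
    # Inspect before relying on this chain: an indicator built from a
    # non-verifying signature is not what you want to allow or block.
    Write-Warning "Signature status for $FilePath is '$($sig.Status)'"
}

# Build the chain from the leaf (codesigning cert) up to the Root CA.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline; only the chain shape matters here
$null = $chain.Build($sig.SignerCertificate)

# ChainElements[0] is the end-entity certificate, the last element is the root.
$certs = @($chain.ChainElements | ForEach-Object { $_.Certificate })
$leaf  = $certs[0]
$root  = $certs[-1]

New-Item -ItemType Directory -Path $OutFolder -Force | Out-Null

# Per the reply: allow with the actual codesigning (leaf) certificate ...
$allowCer = Join-Path $OutFolder 'allow-codesigning-leaf.cer'
Export-Certificate -Cert $leaf -FilePath $allowCer -Type CERT | Out-Null

# ... and block an untrusted chain using its Root CA.
$blockCer = Join-Path $OutFolder 'block-root-ca.cer'
Export-Certificate -Cert $root -FilePath $blockCer -Type CERT | Out-Null

[PSCustomObject]@{
    ChainDepth      = $certs.Count        # expect 3 for Root -> Intermediate -> Codesigning
    AllowSubject    = $leaf.Subject
    AllowThumbprint = $leaf.Thumbprint    # SHA-1 thumbprint of the codesigning cert
    AllowFile       = $allowCer
    BlockSubject    = $root.Subject
    BlockThumbprint = $root.Thumbprint    # SHA-1 thumbprint of the Root CA
    BlockFile       = $blockCer
}
```

Run it once per software product, since the thread notes each product has its own codesigning certificate; the Root CA export will be identical across them.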