SOLVED

Search Defender database?


Hi,

Apologies if this is a stupid question - Is it possible to search the Windows ATP Defender threat database for the existence of an entry? The reason for this is looking to ratify the claims of a different product vendor that say "Microsoft ATP missed this one". I want to take some of the provided hashes and see if Defender knows about them. I've performed searches for entries through our Sentinel watchlists, but need to interrogate our Defender intel.

Any ideas?

Thanks

For example, did Defender detect Biglock from 30 Dec 21? I don't want to find out the hard way. At the same time, there's no obvious easy way to find out either.
You might be able to check it with this API.
I have never tried though so not sure if it will work.

https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-file-information?view=...
best response confirmed by CodnChips (Brass Contributor)
Solution
I tried this in my test environment using the API explorer in the M365D portal, and it seems to work fine.

Hey @Jonhed
Thank you so much for your response! I didn't even know that existed!!
This is the closest that I'm going to get. Interestingly, it seems to provide inconsistent results. For example, if I search for this (SHA256):
EX1) a5516c47fda1033a8212d76ba38ef5d9ec129c6369a73377a204268c16168202


I get nothing
If I search for this (SHA1):
EX2) 93ff13c276abb159853cc8cbd8f6ef2fb1d6729f

I get results which also contain the SHA256 hash from EX1! Crazy!


I'll have a read and see if I can work out why/what I'm doing wrong, but thanks very much for putting me on this track!

The documentation says SHA1 or SHA256, but when looking at the API explorer in the M365D portal, the URL in the sample query for getting file info shows as below, with "file-sha1", so maybe the API only expects a SHA1. This seems to be something that only Microsoft can shed light on.
https://api-xx.securitycenter.windows.com/api/files/{file-sha1}
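To turn the hash check described in this thread into a repeatable process, here is an added example (not code from the thread or from Microsoft) that classifies vendor-supplied hashes, builds the `/api/files/{file-sha1}` URL from the sample query above, and interprets a 404 as "not known". The API base URL is the placeholder host from the sample query, the token is assumed to be a valid Defender API bearer token, and `fetch` is injectable so the logic runs offline.

```python
import json
import re
import urllib.error
import urllib.request

# Placeholder host copied from the thread's sample query; "xx" is not a real region.
API_BASE = "https://api-xx.securitycenter.windows.com"

_SHA1 = re.compile(r"^[0-9a-fA-F]{40}$")
_SHA256 = re.compile(r"^[0-9a-fA-F]{64}$")


def classify_hash(value):
    """Return 'sha1', 'sha256' or None for a vendor-supplied indicator string."""
    value = value.strip()
    if _SHA1.match(value):
        return "sha1"
    if _SHA256.match(value):
        return "sha256"
    return None


def file_info_url(sha1):
    """Build the files endpoint URL shown in the API explorer: /api/files/{file-sha1}."""
    if classify_hash(sha1) != "sha1":
        raise ValueError("files endpoint sample expects a SHA1, got %r" % sha1)
    return "%s/api/files/%s" % (API_BASE, sha1.lower())


def http_get_json(url, token):
    """Real transport: authenticated GET returning (HTTP status, parsed JSON or None)."""
    req = urllib.request.Request(url, headers={"Authorization": "Bearer " + token})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as exc:
        return exc.code, None


def check_hashes(hashes, token, fetch=http_get_json):
    """Classify each hash and look the SHA1 ones up. Per-hash verdict:
    'known', 'not-found', 'skipped-sha256', 'invalid' or 'error:<status>'."""
    results = {}
    for h in hashes:
        kind = classify_hash(h)
        if kind is None:
            results[h] = "invalid"
        elif kind == "sha256":
            results[h] = "skipped-sha256"  # the thread saw no results for SHA256 input
        else:
            status, body = fetch(file_info_url(h), token)
            results[h] = "known" if status == 200 and body else (
                "not-found" if status == 404 else "error:%d" % status)
    return results
```

Run `check_hashes(vendor_hashes, token)` against the real API to get a verdict per hash; anything reported as `skipped-sha256` needs the matching SHA1 before it can be checked through this endpoint.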

Hey @Jonhed 

Yes you're right - my bad.

Thanks for helping :smile:
