cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Microsoft Entra Tech Accelerator
Jun 27 2023, 08:00 AM - 12:00 PM (PDT)
Microsoft Tech Community
Find out more
SOLVED

Creation of AMSI deactivation rule in Azure Sentinel

Chris_321
Occasional Contributor

‎Oct 05 2021 09:21 AM - edited ‎Oct 05 2021 09:22 AM

‎Oct 05 2021 09:21 AM - edited ‎Oct 05 2021 09:22 AM

Creation of AMSI deactivation rule in Azure Sentinel

Hello guys,

 

I am investigating about the detection of a rule in Azure sentinel, I want to monitor if AMSI has been disabled on a Windows 10 device.

 

I have run the disable command, but it does not show me anything in the security events. This is command:

"[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"
 

I have several questions:

 

In which section of the events should I look?
Do they appear in the security events?
Can the AMSI event be monitored with the event Id 4688?
How can I see the AMSI status?

 

Regards.

 

519 Views
0 Likes
1 Reply
Reply
1 Reply
best response confirmed by Chris_321 (Occasional Contributor)
m_zorich

‎Oct 06 2021 03:15 AM

‎Oct 06 2021 03:15 AM

Solution

Re: Creation of AMSI deactivation rule in Azure Sentinel

Hey Cristian,

What kind of logging / agents do you have deployed to your Windows 10 fleet to send your data to Sentinel? That will answer the question of to start hunting for your events.

The SecurityEvent table is a subset of what will appear in the Security Event log on the device itself, when you run that command on a device does it appear in the local Security Event log? If not, then it won't appear in Azure Sentinel. If it appears on the local Security Event log but not in Azure Sentinel then you will need to make sure you have configured the agent correctly to send the proper data up. There are some guides here - https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?tabs=LAA or https://docs.microsoft.com/en-us/azure/sentinel/connect-windows-security-events?tabs=AMA

If you have Defender for Endpoint then make sure you are sending the logs from Defender to Sentinel - https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/threat-protection-integrat..., then you will be looking in the Device* tables, such as DeviceProcessEvents
0 Likes
Reply