User Profile
SteBeSec
Iron Contributor
Joined May 17, 2020
Recent Discussions
Re: Sysmon worth using in addition to Defender ATP?
Hi, I think this highly depends on your needs. I had some discussions with researchers and the conclusion was that Defender ATP (MDE) detects a lot of things that Sysmon does, but Sysmon can get even a bit more data and you are more flexible in distributing this data to your SIEM. It highly depends on your needs and your environment.
7.8K views, 0 likes, 1 comment
Re: Defender definition updates
Unfortunately not directly, but you could use an Advanced Hunting query: https://github.com/microsoft/Microsoft-365-Defender-Hunting-Queries/blob/master/General%20queries/MD%20AV%20Signature%20and%20Platform%20Version.md If you are using Microsoft Endpoint Manager (Intune) or SCCM, you can check for the definition and platform version there: https://deviceadvice.io/2020/12/07/manage-and-report-on-defender-antivirus-signature-update-versions-through-microsoft-endpoint-manager/ You could also build something yourself using PowerShell cmdlets (Get-MpComputerStatus): https://docs.microsoft.com/en-us/powershell/module/defender/?view=windowsserver2019-ps About your question no. 2: Unfortunately, the best I know is that you read all the available stuff in Microsoft Docs around Defender for Endpoint. Great resources are: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/become-a-microsoft-defender-for-endpoint-ninja/ba-p/1515647 https://github.com/alexverboon/MDATP#microsoft-blog-posts-on-microsoft-advanced-threat-protection
3K views, 0 likes, 0 comments
MDE API - How to get all devices?
I'm currently trying to get all device objects from MDE via the REST API. Unfortunately, I only get 10,000 of my 23,000 machines. The API documentation states that the maximum page size is 10,000, but there is no hint or example of where to get the other 13,000 machines that are still missing. Anyone got the same problem or has a solution? Best regards Stefan
[Solved] 5.1K views, 0 likes, 5 comments
Re: Windows Defender antivirus and Defender for Endpoint next-gen antivirus
If you ask me: Yes. With MDE, you get the whole EDR/XDR part, post-breach functionality, custom indicators, Advanced Hunting, reporting capabilities via API and so on. With only the Defender AV built into Windows 10, you are missing all the features mentioned above, and if you are also missing SCCM or Intune, you don't have the possibility to manage Defender, its updates and its detections. Only the Defender settings can be distributed via GPO. Hope this answers your question.
7.8K views, 1 like, 0 comments
Feature Request: Please make TVM Security Recommendations a bit smarter
Hello MDE Devs, I noticed that the security recommendations in MDE are...let's say "not smart". To give you some examples:
- It is recommended that BitLocker is enabled on virtual machines (VDIs). Why should someone enable BitLocker on a machine that is virtual, hosted in a corporate-owned datacenter and can't be stolen?
- The ASR rule "Block credential stealing from the Windows local security authority subsystem" is recommended, even if Credential Guard is enabled on a machine. The article for the ASR rule states that this rule is only useful if Credential Guard is not enabled: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide#block-credential-stealing-from-the-windows-local-security-authority-subsystem
- The ASR rule "Block persistence through WMI event subscription" is recommended, even if the machine is using SCCM - you can't enable this rule if SCCM is present on a machine (this would block the SCCM agent from functioning correctly). It is only useful if you're not co-managing devices and are only using Intune or another MDM: https://docs.microsoft.com/en-us/microsoft-365/security/defender-endpoint/attack-surface-reduction?view=o365-worldwide#block-persistence-through-wmi-event-subscription
All of the above could be easily detected by MDE, so my feeling about this is that not much effort was put into the recommendations. Could you please have a look into this? A lot of recommendations just don't make any sense. Best regards Stefan
[Solved]
Re: ATP onboarding - only possible after interactive login?
Yes, last week an escalation engineer told me that the fix is part of the current Cumulative Update preview (April C release) and will be part of the next "normal" Cumulative Update (May B release). I can confirm that the fix works as expected.
2.7K views, 0 likes, 2 comments
Re: Microsoft defender for endpoint requirements
Hi, as far as I know, the "Microsoft Defender for Endpoint" license enables you to license only Defender for Endpoint, even if you don't use any other part of the M365 product stack. If you are already using M365 E3, it would be better to step up the Windows 10 E3 to an E5 license, but your Microsoft account manager surely can give you the right advice on what license would fit best with your existing licenses. Best regards Stefan
4.2K views, 0 likes, 0 comments
Re: Device list in ATP Defender Security Center
Hi Davor, this is part of the new feature "Endpoint discovery". You can read more about it in the following article: https://techcommunity.microsoft.com/t5/microsoft-defender-for-endpoint/endpoint-discovery-navigating-your-way-through-unmanaged-devices/ba-p/2248909 The article above describes how the feature works, what the difference between "Basic" and "Advanced" mode is, and how to disable this feature. Hope this will help. Best regards Stefan
1.5K views, 1 like, 1 comment
YARA rule support
Hi everybody, I'm curious if Microsoft is planning to support YARA rules. I think that this will become even more important in the future. I found this very old thread from 2019, where this question was asked by other folks: "IS MS looking to support custom YARA rules for Windows Defender ATP - Microsoft Tech Community". Unfortunately, it looks like nothing has happened so far. Best regards Stefan
13K views, 14 likes, 1 comment
New "Tamper Protection" entry in MDE Advanced features panel
Hello everybody, today I noticed a new entry under the "Advanced features" section of the MDE cloud portal (securitycenter.microsoft.com) named "Tamper protection". Is this the long-awaited possibility to turn on tamper protection when not using Intune? Is anybody else seeing this (with preview features turned on)? Best regards Stefan
[Solved] 2.7K views, 2 likes, 6 comments
Re: ASR | Legit URL getting blocked
AnuragSrivastava You can whitelist specific IPs and URLs via the Windows Defender Security Center (Defender ATP portal): https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/indicator-ip-domain This should unblock these, even if they are blacklisted at Microsoft. Why the IPs/URLs are now blacklisted, only Microsoft can tell. Why this only happens on some machines is strange - I think it's best to open a support case about this behavior. Best regards Stefan
21K views, 0 likes, 1 comment
Re: ATP onboarding - only possible after interactive login?
Hi Jlouden, I know this article, but unfortunately that is not the case in our situation. The Sense service is running and onboarding information is present on affected machines, but the onboarding is still not performed. You have to log in to a machine to start the onboarding process.
3.2K views, 0 likes, 0 comments