Microsoft Defender ATP
9 Topics

Windows Defender Antivirus (Active or Passive)
Hi, I need to get a report of machines with the status of Windows Defender Antivirus (Active or Passive). As per the document https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/symantec-to-microsoft-defender-atp-setup#verify-that-microsoft-defender-antivirus-is-in-passive-mode it says to run the Get-MpComputerStatus cmdlet in PowerShell and check the value of AMRunningMode. When I ran this on a machine where a 3rd-party AV was installed with Windows Defender AV running in passive mode, I got the value Normal under AMRunningMode instead of Passive. Is there any other way we can get the status of Windows Defender AV from the MDATP Security Center or Intune?

Microsoft Defender ATP Servers Licensing
Hi, I have gone through the article below but am still confused about the licensing model for servers if I need to onboard them on MDATP. https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/minimum-requirements Suppose I have a Microsoft 365 E5 Security license; will I be able to onboard a Windows server from the MDATP Security Center, or do I need to get a standalone license just for servers? I don't want to go with the Pay-as-you-go model from ASC.

Microsoft Defender ATP Licensing for Servers
Hi, I am currently using the Pay-as-you-go licensing model for Defender ATP for Servers, as we initially onboarded servers with Azure Security Center. Now what should be the approach to change the licensing model from Pay-as-you-go to a standalone license for servers?

Windows Defender ATP folder does not exist
Hello, I was onboarding Microsoft Defender ATP but kept getting an error stating that the SENSE service was not installed. When I dug deeper, it turned out that the "Windows Defender Advanced Threat Protection" folder (in Program Files, which contains MsSense.exe) did not exist. How do I onboard Microsoft Defender ATP?

How does NetworkCommunicationsEvents > RemoteURL entity get filled?
Hi team, with WDATP EDR available for Mac I wanted to investigate the RemoteURL field for all Firefox processes, but we don't seem to be capturing that data.

    NetworkCommunicationEvents
    | where InitiatingProcessFileName == "firefox"
    | summarize by RemoteURL

RemoteIP is correctly filled, but not RemoteURL. Any ideas?

How to stream Microsoft Defender ATP hunting logs in Azure Data Explorer
Microsoft Defender ATP advanced hunting is a query-based threat-hunting tool that lets you explore up to 30 days of raw data. In some scenarios customers would like to centralize their logs from Microsoft Defender ATP with their other logs in Azure Data Explorer, keep the logs accessible for a longer period, or build custom solutions and visualizations around this data. This article provides step-by-step instructions on how to stream Microsoft Defender ATP advanced hunting events to Azure Data Explorer using Event Hub.
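Added example, not taken from any of the posts above: a PowerShell script that answers two of the questions in this list from the endpoint side, the AMRunningMode report asked for in "Windows Defender Antivirus (Active or Passive)" and the missing Sense service / MsSense.exe check from "Windows Defender ATP folder does not exist". It assumes PowerShell remoting is enabled and the caller is a local administrator on each target; the host names WS01 and WS02 are placeholders, and the registry paths are the ones the onboarding script and the server passive-mode switch write to.

```powershell
# Added example (not from the original posts). Save as Get-DefenderStatusReport.ps1 and run
# against a list of hosts; assumes WinRM is enabled and the caller is a local admin on each target.
param(
    [string[]]$ComputerName = @('WS01', 'WS02')   # placeholder host names (assumption)
)

$report = Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
    # Defender AV engine state. AMRunningMode reads 'Normal', 'Passive Mode', 'SxS Passive Mode'
    # or 'EDR Block Mode' on current platform versions; on older platforms the property is
    # absent and the value below is simply $null.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    # MDATP sensor: the Sense service and its binary under Program Files.
    $sense    = Get-Service -Name Sense -ErrorAction SilentlyContinue
    $senseExe = Join-Path $env:ProgramFiles 'Windows Defender Advanced Threat Protection\MsSense.exe'

    # Onboarding state written by the onboarding script (OnboardingState = 1 means onboarded).
    $statusKey = 'HKLM:\SOFTWARE\Microsoft\Windows Advanced Threat Protection\Status'
    $status    = Get-ItemProperty -Path $statusKey -ErrorAction SilentlyContinue

    # Server-side switch that forces Defender AV into passive mode (set by admins, not by the product).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue

    # Third-party AV registered with Security Center. The namespace exists on workstations only,
    # so on Windows Server this stays empty and -ErrorAction SilentlyContinue swallows the error.
    $otherAv = Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Where-Object { $_.displayName -notlike 'Windows Defender*' -and $_.displayName -notlike 'Microsoft Defender*' } |
        Select-Object -ExpandProperty displayName

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        AMRunningMode        = if ($mp) { $mp.AMRunningMode } else { 'Get-MpComputerStatus failed' }
        AntivirusEnabled     = if ($mp) { $mp.AntivirusEnabled } else { $null }
        RealTimeProtection   = if ($mp) { $mp.RealTimeProtectionEnabled } else { $null }
        ForceDefenderPassive = $policy.ForceDefenderPassiveMode      # $null when the value is not set
        ThirdPartyAV         = ($otherAv -join '; ')
        SenseServiceStatus   = if ($sense) { $sense.Status.ToString() } else { 'Not installed' }
        MsSenseExePresent    = Test-Path -LiteralPath $senseExe
        OnboardingState      = $status.OnboardingState                # $null when never onboarded
    }
}

# One row per host; hosts that could not be reached show up as non-terminating errors above.
$report |
    Select-Object ComputerName, AMRunningMode, AntivirusEnabled, RealTimeProtection,
                  ForceDefenderPassive, ThirdPartyAV, SenseServiceStatus, MsSenseExePresent, OnboardingState |
    Format-Table -AutoSize
```

The row for a machine that reports AMRunningMode as Normal alongside a non-empty ThirdPartyAV column is exactly the case worth investigating by hand, and a row with SenseServiceStatus of "Not installed" and MsSenseExePresent of False identifies a host where the sensor binaries never landed, which is the condition behind the "SENSE service was not installed" onboarding error. Export with Export-Csv instead of Format-Table if the output is to be joined with an Intune or Security Center device list.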