Windows Defender ATP
3 Topics

Windows Defender ATP API - ingest all alert details into Splunk / Splunk Phantom
We are trying to ingest all the alert details into Splunk and Splunk Phantom, but we cannot get the last part that allows us to view all the information contained in the alert (see screenshot for reference). Any guidance on what API call(s) to use would be greatly appreciated.

API call we are using: https://api-eu.securitycenter.windows.com/api/alerts/da637590078447561363_2087728736

See screenshot. Evidence includes:

Evidence Entry 1
"title": "Connection to a custom network indicator",
"description": "An endpoint has connected to a URL or domain in your list of custom indicators.",

Evidence Entry 2
"entityType": "Url",
"evidenceCreationTime": "2021-06-11T11:30:44.82Z",
"sha1": null,
....
"url": "https://testgvbgjbhjb.com/",

However, I cannot seem to figure out how to retrieve this entry via the API; we can only view it in the GUI.

--- Network Filter Lookup Service blocked chrome.exe from accessing https://testgvbgjbhjb.com

Defender ATP with McAfee
I have some questions regarding Defender ATP/Defender AV. We currently have policies set via GPO to everyone. We have ring 1 that are on-boarded, McAfee removed, and we are getting the full scan scheduled. Ring 2, however, are on-boarded but for some reason are still getting the full scan policy. We thought that Defender would be 'asleep' until McAfee is removed. Is this the case here? Or is the GPO that is applied to everyone allowing Defender to be fully active? MsMpEng.exe is running constantly. We've reimaged a device without on-boarding and the process is not even running or eating memory and CPU.