mdatp (15 topics)

MDATP File Hash Indicators
Hi, I am not allowed to upload MD5 file hashes into the Indicators tab of Microsoft Defender Security Center. It also shows a message that the MD5 file hash method is not recommended. I have around 500 MD5 hashes for IOCs which I need to upload. Is there a workaround through which I can convert these MD5 file hashes to SHA-1 or SHA-256 and then upload them to Defender Security Center?

mdatp device compliance
Hi, is there a recent change in the handling of MDATP compliance policy in Endpoint Manager? We used to assign the MDATP compliance policy to "All Users", which in the past only evaluated the related user account that matched the policy assignment. Since yesterday, we have noticed that the MDATP compliance policy is also scoped to the device itself: now the system account also gets evaluated, and we have a new built-in compliance policy system account evaluation. In addition, the scoped user account remains "not applicable" for this compliance policy. Does anyone know more details about this? Thank you, Thomas

Wrong MDATP Logic App Connector Auth. endpoint for USgov
I'm trying to create a logic app that will trigger when a new WDATP alert occurs inside a USgov region, using the MDATP connector in the logic app designer. When I click the "Sign in" button it takes me to the authentication URL at https://login.microsoftonline.com/, which is not the proper authentication endpoint for USgov (it should redirect me to https://login.microsoftonline.us). This causes an error response letting me know that I'm making a request to a public endpoint instead of the government endpoint, and that the application must send the user to the right endpoint. I've spent hours looking for ways to change the authentication endpoint to the USgov one in the Microsoft Defender ATP logic app connector and I'm out of ideas. Has anyone encountered this issue and been able to edit the connector's request, or found a workaround? I'd love to hear from someone, thank you!

DeviceFileCertificateInfo table
Hi all, I want to play around with file reputation under MDATP Advanced Hunting. The only place where I can find file information like this seems to be the DeviceFileCertificateInfo table (where I can find the IsSigned and IsTrusted properties). So far it's not that bad, but the issue I have is that this table uses data obtained from certificate verification activities regularly performed on files on endpoints, and doesn't seem to receive all the validations done each time. E.g. I execute an exe file from PowerShell but don't see the executed file's hash in the DeviceFileCertificateInfo table. Is that normal? Is there another place where I should find that information? Thanks in advance.

Microsoft Defender ATP now in preview on Windows 10 Enterprise multi-session
We are happy to announce Microsoft Defender Advanced Threat Protection (MDATP) support on Windows Virtual Desktop, enabling both single and multi-session scenarios. Support for multi-user session scenarios is currently in preview and limited to 25 concurrent sessions per host/VM, while single-session scenarios are fully supported. The support applies to the following operating systems:

- Windows 10 Enterprise multi-session, version 1809 or later
- Windows 10 Enterprise, version 1809 or later
- Windows 7 Enterprise
- Windows Server 2019
- Windows Server 2016
- Windows Server 2012 R2

Onboarding WVD devices to MDATP is done via the existing device onboarding process; follow the relevant onboarding instructions for the platform you are using:

- Follow these instructions for Windows 10 based VMs
- Follow these instructions for Windows Server-based VMs
- Follow these instructions for previous Windows client versions

Regards, Pieter

WSL CommandLine Support
I noticed while doing some Advanced Hunting in MDATP that there is some visibility into processes executed via WSL. But the ProcessCommandLine values are all blank; we can only see the process name. Will command-line visibility for WSL processes be added in the future?