
edr / defender

enum

# defender 
# defender: check if Defender is enabled
Get-MpComputerStatus
Get-MpComputerStatus | Select AntivirusEnabled
# defender: check if defensive modules are enabled
Get-MpComputerStatus | Select RealTimeProtectionEnabled, IoavProtectionEnabled,AntispywareEnabled | FL
# defender: check if tamper protection is enabled (without it, a local admin can switch
# real-time protection off with Set-MpPreference -DisableRealtimeMonitoring $true)
Get-MpComputerStatus | Select IsTamperProtected,RealTimeProtectionEnabled | FL
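The checks above, rolled into one posture report (an added example, not code from the original page): it reads Get-MpComputerStatus and Get-MpPreference, flags every module an attacker would want off, and lists exclusions, which is where a Defender that still reports "enabled" is usually neutered. The function name and the stale-signature threshold are assumptions of this example.

```powershell
# Added example: one-shot Defender posture report from Get-MpComputerStatus / Get-MpPreference.
# Needs the Defender module (Windows 10/11, Server 2016+); both cmdlets fail if the service is off.
function Get-DefenderPosture {
    [CmdletBinding()]
    param(
        # Definitions older than this many days get flagged; 3 is an assumed threshold.
        [int]$MaxSignatureAgeDays = 3
    )

    $status   = Get-MpComputerStatus
    $pref     = Get-MpPreference
    $findings = New-Object System.Collections.Generic.List[string]

    # Engine and the modules an attacker wants off before dropping tooling.
    if (-not $status.AntivirusEnabled)          { $findings.Add('Antivirus engine disabled') }
    if (-not $status.AntispywareEnabled)        { $findings.Add('Antispyware disabled') }
    if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection disabled') }
    if (-not $status.IoavProtectionEnabled)     { $findings.Add('IOAV (download/attachment scanning) disabled') }
    if (-not $status.BehaviorMonitorEnabled)    { $findings.Add('Behavior monitoring disabled') }
    if ($status.AMRunningMode -and $status.AMRunningMode -ne 'Normal') {
        # Passive / EDR Block mode: another AV is primary, Defender is not blocking on its own.
        $findings.Add("Defender running in '$($status.AMRunningMode)' mode")
    }
    if (-not $status.IsTamperProtected) {
        # Without tamper protection a local admin can flip the switches above with Set-MpPreference.
        $findings.Add('Tamper protection OFF (Set-MpPreference changes will stick)')
    }
    if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
        $findings.Add("Signatures are $($status.AntivirusSignatureAge) days old (last update $($status.AntivirusSignatureLastUpdated))")
    }

    # Exclusions: Defender reports "enabled" yet ignores whatever lives here.
    $exclusionCount = 0
    foreach ($p in $pref.ExclusionPath)      { $findings.Add("Excluded path: $p");      $exclusionCount++ }
    foreach ($p in $pref.ExclusionProcess)   { $findings.Add("Excluded process: $p");   $exclusionCount++ }
    foreach ($e in $pref.ExclusionExtension) { $findings.Add("Excluded extension: $e"); $exclusionCount++ }

    # Preference set but status still healthy: the change is pending or blocked by tamper protection.
    if ($pref.DisableRealtimeMonitoring -and $status.RealTimeProtectionEnabled) {
        $findings.Add('DisableRealtimeMonitoring is set but RTP still reports enabled (tamper-protected or pending)')
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        RunningMode        = $status.AMRunningMode
        AntivirusEnabled   = $status.AntivirusEnabled
        RealTimeProtection = $status.RealTimeProtectionEnabled
        TamperProtected    = $status.IsTamperProtected
        SignatureAgeDays   = $status.AntivirusSignatureAge
        ExclusionCount     = $exclusionCount
        Healthy            = ($findings.Count -eq 0)
        Findings           = $findings.ToArray()
    }
}

# Usage:
Get-DefenderPosture | Format-List
```

Run it from an elevated prompt; Get-MpPreference hides the exclusion lists from non-admin callers, so an unprivileged run can report Healthy = True with exclusions present.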

kql

  • KQL queries over the field InitiatingProcessFileName, table DeviceProcessEvents (substitute a value from the table below for $KEYWORD$):
DeviceProcessEvents
| where InitiatingProcessFileName =~ $KEYWORD$

  Caveat: InitiatingProcessFileName carries the file name with its extension (kubectl.exe, psexec.exe), and =~ is case-insensitive equality, so the bare keyword must be the full name to match. To match the keyword alone, or the trailing-space forms below inside a command line, use `has` on InitiatingProcessFileName or InitiatingProcessCommandLine instead.

| loots                | $KEYWORD$  |
|----------------------|------------|
| Kubernetes           | "kubectl"  |
| Container Registry X | "docker "  |
| DB x                 | "sqlplus"  |
| psexec               | "psexec "  |

Get the alerts associated with a user (AlertEvidence holds one row per evidence entity; join AlertInfo on AlertId for one row per alert). Comments in KQL use //, not #.

// 8-day lookback
AlertEvidence
| where Timestamp > ago(8d)
| where AccountName =~ "johndoe"

Get the alerts associated with a machine (DeviceName is normally the FQDN, so =~ needs the full name; use startswith for the short host name)

// 8-day lookback
AlertEvidence
| where Timestamp > ago(8d)
| where DeviceName =~ "AL"
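The keyword sweep from the loot table and the user/device alert pivots above, generated and executed from PowerShell (an added example, not code from the original page). It assumes the caller already holds an OAuth bearer token for the Microsoft 365 Defender API; the $LootKeywords map, function names and lookback defaults are this example's own. Names that come from outside are quoted as KQL string literals so a hostile account or device name cannot rewrite the query.

```powershell
# Added example: build the hunting queries from the page's tables and run them via the
# Advanced Hunting API (POST https://api.security.microsoft.com/api/advancedhunting/run).
# Token acquisition is out of scope here; pass the bearer token in.

$LootKeywords = [ordered]@{
    'Kubernetes'         = 'kubectl'
    'Container Registry' = 'docker'
    'DB'                 = 'sqlplus'
    'psexec'             = 'psexec'
}

# Quote a value as a KQL string literal (KQL honours \\ and \" escapes), so user-supplied
# names cannot break out of the where clause.
function ConvertTo-KqlString([string]$Value) {
    '"' + ($Value -replace '\\', '\\' -replace '"', '\"') + '"'
}

function New-LootHuntQuery {
    param(
        [System.Collections.IDictionary]$Keywords = $LootKeywords,
        [int]$LookbackDays = 7
    )
    $list = ($Keywords.Values | ForEach-Object { ConvertTo-KqlString $_ }) -join ', '
    # One case() arm per loot type so each hit is labelled with what it points at.
    $arms = ($Keywords.GetEnumerator() | ForEach-Object {
        $kw = ConvertTo-KqlString $_.Value
        "InitiatingProcessFileName has $kw or InitiatingProcessCommandLine has $kw, $(ConvertTo-KqlString $_.Key)"
    }) -join ",`n    "
    # 'has' matches whole terms: "kubectl" hits kubectl.exe (which =~ "kubectl" would miss)
    # but not dockerd, which 'contains "docker"' would.
    @"
let keywords = dynamic([$list]);
DeviceProcessEvents
| where Timestamp > ago(${LookbackDays}d)
| where InitiatingProcessFileName has_any (keywords) or InitiatingProcessCommandLine has_any (keywords)
| extend Loot = case(
    $arms,
    "unknown")
| summarize Hits = count(), FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            Devices = make_set(DeviceName, 20)
    by Loot, InitiatingProcessFileName, InitiatingProcessAccountName
| order by Hits desc
"@
}

function New-AlertPivotQuery {
    param(
        [string]$AccountName,
        [string]$DeviceName,
        [int]$LookbackDays = 8
    )
    $filters = @()
    if ($AccountName) { $filters += "AccountName =~ $(ConvertTo-KqlString $AccountName)" }
    if ($DeviceName) {
        # DeviceName is normally the FQDN; accept either the short name or the full one.
        $full  = ConvertTo-KqlString $DeviceName
        $short = ConvertTo-KqlString "$DeviceName."
        $filters += "(DeviceName =~ $full or DeviceName startswith $short)"
    }
    if (-not $filters) { throw 'Specify -AccountName and/or -DeviceName' }
    $where = $filters -join ' or '
    # AlertEvidence is one row per entity; join AlertInfo to get one row per alert.
    @"
AlertEvidence
| where Timestamp > ago(${LookbackDays}d)
| where $where
| distinct AlertId
| join kind=inner AlertInfo on AlertId
| project Timestamp, AlertId, Title, Category, Severity, ServiceSource, DetectionSource, AttackTechniques
| order by Timestamp desc
"@
}

function Invoke-AdvancedHunting {
    param(
        [Parameter(Mandatory)][string]$Query,
        [Parameter(Mandatory)][string]$AccessToken,   # bearer token for api.security.microsoft.com (assumed present)
        [string]$Uri = 'https://api.security.microsoft.com/api/advancedhunting/run'
    )
    $body = @{ Query = $Query } | ConvertTo-Json -Compress
    $resp = Invoke-RestMethod -Method Post -Uri $Uri -ContentType 'application/json' -Body $body `
                              -Headers @{ Authorization = "Bearer $AccessToken" }
    $resp.Results
}

# Usage: print the sweep for pasting into the portal, or run the pivot through the API.
New-LootHuntQuery
# Invoke-AdvancedHunting -Query (New-AlertPivotQuery -AccountName 'johndoe') -AccessToken $token | Format-Table
```

New-LootHuntQuery on its own just emits KQL, so it is also the quickest way to drop a labelled multi-keyword sweep into the portal when there is no API token to hand.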