Skip to main content Link Menu Expand (external link) Document Search Copy Copied

edr / defender

Last update:

enum 

# defender 
# defender: check if Defender is enabled
Get-MpComputerStatus
Get-MpComputerStatus | Select AntivirusEnabled
# defender: check if defensive modules are enabled
Get-MpComputerStatus | Select RealTimeProtectionEnabled, IoavProtectionEnabled,AntispywareEnabled | FL
# defender: check if tamper protection is enabled
Get-MpComputerStatus | Select IsTamperProtected,RealTimeProtectionEnabled | FL

kql

  • KQL queries over the field InitiatingProcessFileName, table DeviceProcessEvents:
DeviceProcessEvents
| where InitiatingProcessFileName =~ $_KEYWORD_$
loots $KEYWORD$
Kubernetes “kubectl”
Container Registry X “docker “
DB x “sqlplus”
psexec “psexec “

Get the alerts associated to a user 

# over 7 days backlog
AlertEvidence
| where Timestamp > ago(8d)
| where AccountName =~ "johndoe"

Get the alerts associated to a machine 

# over 7 days backlog
AlertEvidence
| where Timestamp > ago(8d)
| where DeviceName =~ "AL"