enum
# defender
# defender: check if Defender is enabled
Get-MpComputerStatus
Get-MpComputerStatus | Select AntivirusEnabled
# defender: check if defensive modules are enabled
Get-MpComputerStatus | Select RealTimeProtectionEnabled, IoavProtectionEnabled, AntispywareEnabled | FL
# defender: check if tamper protection is enabled
Get-MpComputerStatus | Select IsTamperProtected, RealTimeProtectionEnabled | FL
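Added example (not part of the original notes): one function that runs the Get-MpComputerStatus checks above in a single pass and returns which protections are switched off, so the result can be collected from many hosts instead of read by eye. The function name Get-DefenderGaps is an assumption; the property names are the ones the notes inspect plus AntivirusSignatureLastUpdated.

```powershell
# Added example, not from the original notes: audit the Defender flags
# listed above and report the ones that are off on this host.
function Get-DefenderGaps {
    [CmdletBinding()]
    param()

    $status = Get-MpComputerStatus -ErrorAction Stop

    # Each of these should be $true on a healthy host.
    $expected = @(
        'AntivirusEnabled',
        'AntispywareEnabled',
        'RealTimeProtectionEnabled',
        'IoavProtectionEnabled',
        'IsTamperProtected'
    )

    # Collect the names whose value is not $true (wrapped in @() so
    # .Count is 0 rather than $null when nothing is disabled).
    $gaps = @(foreach ($name in $expected) {
        if (-not $status.$name) { $name }
    })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Healthy      = ($gaps.Count -eq 0)
        Gaps         = $gaps
        SignatureAge = (Get-Date) - $status.AntivirusSignatureLastUpdated
    }
}

# Run locally; for a fleet, wrap it with
# Invoke-Command -ComputerName <host> -ScriptBlock ${function:Get-DefenderGaps}
Get-DefenderGaps | Format-List
```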
kql
- KQL queries over the field InitiatingProcessFileName, table DeviceProcessEvents:
DeviceProcessEvents
| where InitiatingProcessFileName =~ "$KEYWORD$"
| loots | $KEYWORD$ |
|---|---|
| Kubernetes | "kubectl" |
| Container Registry X | "docker " |
| DB x | "sqlplus" |
| psexec | "psexec " |
Get the alerts associated with a user
// over 7 days backlog
AlertEvidence
| where Timestamp > ago(8d)
| where AccountName =~ "johndoe"
Get the alerts associated with a machine
// over 7 days backlog
AlertEvidence
| where Timestamp > ago(8d)
| where DeviceName =~ "AL"