defender atp
10 Topics

Message Relay Server for Defender ATP
Hi All, Is there an option to set up a message relay server for on-prem servers that do not have internet access? All communication is passed through the relay server to Defender ATP. If so, can the server also act as a jump box for onboarding the servers to ATP? Kind regards, Mo
(Solved)

Defender detected powershell_ise.exe as 'Trojan:PowerShell/Mountsi.A!ml'
One of our users is experiencing a problem when it comes to creating scripts in the PowerShell ISE: when they are autosaved to AppData, it blocks them on his machine and does not create an alert/incident in the Defender ATP portal. However, one has managed to appear in the portal (see screenshot). We only recently implemented Defender ATP, so I'm not 100% sure how to interpret the alert, and since this behaviour isn't happening on anyone else's machine I don't know if whitelisting powershell_ise.exe is a good idea (I assume not), or if there's a better explanation for it? The current Defender ATP settings are the stock standard for GPO as stated in the deployment guide. Appreciate any help with this!

Export Microsoft Defender event data to a log analytics workspace
In the Defender ATP portal (securitycenter.windows.com) it is possible to create custom detections, but the smallest time frame is 1 hour. Even though 1 hour is better than the mean time to detection of a breach reported via Ponemon, Verizon, etc., I'm trying to cut that down even further by piecing together different Azure cloud services, i.e. Event Hubs, Blob Storage, Search Services, Log Analytics, etc. Is there a way to leverage the raw streaming API and perform searching with a Log Analytics workspace? This would speed up detection to within 5 minutes of an event occurring rather than 1 hour.

Which schema belongs to which service?
Hello there, So I'm pretty familiar with KQL and MDATP's default schemas found under Advanced Hunting. There are of course some more schemas/tables found under MTP compared to MDATP (https://security.microsoft.com/advanced-hunting). Is there any general cheat-sheet on which schema originates from which service? For example, if I would hunt under the "MiscEvents" schema, what do I need to do to add it? What I mean is, I would like to try this query: https://techcommunity.microsoft.com/t5/microsoft-defender-atp/hunting-for-reconnaissance-activities-using-ldap-search-filters/ba-p/824726 But I can't seem to find "MiscEvents" in either Log Analytics, Defender ATP or M365 Threat Protection. Am I missing something? Is Azure ATP needed for the "MiscEvents" table to be populated? Regards Simon
(Solved)

Defender ATP GUI on servers
Hello, We have Defender ATP on all machines via Intune MEM and servers onboarded via Azure Security Center (Microsoft Monitoring Agent). I couldn't figure out how to do a full scan on servers. I found https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016 but I'm not sure if this can work in parallel with Defender ATP, as the GUI shows free AV.

Endpoint security settings (EDR, ASR etc.) applied to computer without group membership
Hello, we have an Azure AD group with a dynamic group membership. The filter was modified and because of this all except one computer were removed from the group. After that the group was linked to endpoint security policies. Now we can see two computers, which were in the group and are now no longer members of the group, getting configuration settings for Defender ATP. Does anyone know this problem?