tsale / EDR-Telemetry

This project aims to compare and evaluate the telemetry of various EDR products.

MDE #45

Closed vboyev-MSFT closed 6 months ago

vboyev-MSFT commented 6 months ago

A few things - this is a really neat table.

For Microsoft, MDE does consume the IMPHASH as telemetry, but it's not made available for inspection to the end user/admin/consumer. This is not publicly documented that I could find. However, Defender AV clearly has this documented as something it uses for inspection specifically when Cloud Based protection is enabled. (reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide)

File Open - MDE does log file open in certain scenarios; see the example below (screenshot omitted).

The above screen cap is without Purview integration. Purview DLP is the solution for tracking file opens, copies etc. from Microsoft that MDE integrates with (reference: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/common-questions-on-microsoft-purview-data-loss-prevention-for/ba-p/3732610)

Agent State is tracked via the Agent Health in the Device Inventory and on the Device pages (ref: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/check-sensor-status?view=o365-worldwide)

Agent Keep Alive is reflected via the First Seen and Last Seen properties on the device page (ref: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide)

The agent also logs detailed status to the Event Logs (ref: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/event-error-codes?view=o365-worldwide)

BITS transfer - arguably - https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/PowerShell%20downloads.yaml. I would have to poke around and see if non-PS-initiated transfers would show or not, either in the telemetry or in Advanced Hunting.

MDE also integrates with Intel's TDT (hardware integration): https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/hardware-shield/threat-detection-technology.html

tsale commented 6 months ago

Hi @vboyev-MSFT, thanks for opening up this issue!

Hope that helps!