Closed vboyev-MSFT closed 6 months ago
A few things - this is a really neat table.
For Microsoft, MDE does consume the IMPHASH as telemetry, but it's not made available for inspection to the end user/admin/consumer. This is not publicly documented that I could find. However, Defender AV clearly has this documented as something it uses for inspection specifically when Cloud Based protection is enabled. (reference: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-antivirus-sample-submission?view=o365-worldwide)
File Open - MDE does log file open in certain scenarios, below example:
The above screen cap is without Purview integration... Purview DLP is the solution for tracking file opens, copies etc. from Microsoft that MDE integrates with (reference: https://techcommunity.microsoft.com/t5/security-compliance-and-identity/common-questions-on-microsoft-purview-data-loss-prevention-for/ba-p/3732610)
Agent State is tracked via the Agent Health in the Device Inventory and on the Device pages (ref: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/check-sensor-status?view=o365-worldwide)
Agent Keep Alive is reflected via the First Seen and Last Seen properties on the device page (ref: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/machines-view-overview?view=o365-worldwide)
The agent also logs detailed status to the Event Logs (ref: https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/event-error-codes?view=o365-worldwide)
BITS transfer - arguably - https://github.com/Azure/Azure-Sentinel/tree/master/Hunting%20Queries/Microsoft%20365%20Defender/Execution/PowerShell%20downloads.yaml. Would have to poke around and see whether non-PS-initiated transfers would show or not, either in the telemetry or in Advanced Hunting.
MDE also integrates with Intel's TDT (hardware integration): https://www.intel.com/content/www/us/en/architecture-and-technology/vpro/hardware-shield/threat-detection-technology.html
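As an added example (not code from the issue author or from the EDR-Telemetry project), the following PowerShell script shows what an onboarded Windows endpoint itself exposes for two of the rows discussed above: the sensor's agent state and keep-alive signal (service status, Defender status, and the sensor's own operational event log), and the BITS jobs that exist locally regardless of which process created them, so a defender can compare the host's view against what the portal and Advanced Hunting surface. The service name `Sense`, the `Microsoft-Windows-SENSE/Operational` log and the cmdlets used are the documented Microsoft ones; the function names and the output shape are this example's own.

```powershell
# Added example: local verification of MDE sensor state and BITS activity.
# Run in an elevated PowerShell session on a Windows host onboarded to MDE.
# Function names (Get-MdeSensorState, Get-LocalBitsJobs) are hypothetical helpers.

function Get-MdeSensorState {
    # "Sense" is the Windows service behind the MDE sensor
    # (Windows Defender Advanced Threat Protection Service).
    $svc = Get-Service -Name 'Sense' -ErrorAction SilentlyContinue

    # Defender AV status; AMRunningMode tells you whether AV is active or passive.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue

    # The sensor writes its status events (the IDs listed in the
    # event-error-codes doc referenced above) to this operational log.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-SENSE/Operational' `
        -MaxEvents 50 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SenseServiceStatus  = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
        AmRunningMode       = $mp.AMRunningMode
        RealTimeProtection  = $mp.RealTimeProtectionEnabled
        # Most recent sensor event: a local proxy for the portal's "Last Seen".
        LastSenseEvent      = ($events | Select-Object -First 1).TimeCreated
        # Histogram of recent event IDs, e.g. "1x3, 5x1", to spot error codes quickly.
        RecentSenseEventIds = ($events | Group-Object Id |
            ForEach-Object { "$($_.Name)x$($_.Count)" }) -join ', '
    }
}

function Get-LocalBitsJobs {
    # BITS jobs are enumerable locally for all users (requires elevation),
    # whether they were created by PowerShell, bitsadmin, or any other client.
    Import-Module BitsTransfer -ErrorAction Stop
    Get-BitsTransfer -AllUsers | ForEach-Object {
        [pscustomobject]@{
            JobId       = $_.JobId
            DisplayName = $_.DisplayName
            State       = $_.JobState
            Owner       = $_.OwnerAccount
            Created     = $_.CreationTime
            # Remote source URLs of the files in the job, for correlation
            # with DeviceNetworkEvents in Advanced Hunting.
            RemoteUrls  = ($_.FileList | ForEach-Object { $_.RemoteName }) -join '; '
        }
    }
}

Get-MdeSensorState | Format-List
Get-LocalBitsJobs   | Format-Table -AutoSize
```

Comparing the job list from `Get-LocalBitsJobs` with the rows Advanced Hunting returns for the same host is a direct way to answer the open question above about whether non-PowerShell-initiated BITS transfers are reflected in the telemetry.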
Hi @vboyev-MSFT, thanks for opening up this issue!
Bits Jobs Activity
Hope that helps!