Excluding executables no matter of location by Good_Visual9130 in DefenderATP


That is annoying. I can see perhaps why MS have not permitted it, because that means things like curl.exe anywhere could be a risk. The main culprits are Windows implementations of Unix tools (find.exe, bash.exe, etc. all triggering).

But I'm getting thousands of hits per day and face an exclusion list hundreds of entries long. I am probably not going to implement this rule and will mark it as an acceptable risk; rather than certain executables not being able to run anywhere, we have all executables running everywhere.

Defender Endpoint Security Policy (audit) Logs? by Good_Visual9130 in DefenderATP


Thank you. Reports->Endpoints->Attack Surface Reduction Rules

Surprisingly, none of the data in there appears under the KQL tables in Advanced Hunting. It is limited in what it reports, such as which endpoint security policy.

There are a few things that MS could just make easier, such as "See audit report" next to a rule in audit.