Skip to content

Expose a lot of MDE telemetry that is not easily accessible in any searchable form

License

Notifications You must be signed in to change notification settings

0xThiebaut/DefenderHarvester

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

license Maintenance Twitter

Defender Harvester

Defender Harvester

This tools tries to expose a lot of telemetry that is not easily accessible in any searchable form.

Sadly this not available over the publicly supported API, so this tool uses the internal API to get the data. Also the Unified Audit logs does not have this data, so this tool is the only way to get it. (that I am aware of)

More information in this blog post; Microsoft Defender for Endpoint Internals 0x05 - Telemetry for sensitive actions

NOTE: All data is collected from the MDE Service API, and is not supported by Microsoft. Use at your own risk.

Getting Started

Make sure to have the following installed:

Log in to Azure with an account that has access to M365D / MDE:

az login --use-device-code

In order to write to Sentinel you need the following environment variables set:

export SentinelWorkspaceID=<workspace id>
export SentinelSharedKey="<sentinel shared key>"

For Splunk you need create an HTTP Event Collector (HEC) endpoint and the following environment variables set:

export SplunkUri=<splunk host>
export SplunkToken=<hec token>
Usage of C:\Users\fabia\git\DefenderHarvester\defenderharvester.exe:
  -accesstoken string
        bring your own access token
  -alertservicesettings
        enable querying the M365 XDR Alert Service Settings
  -connectedapps
        enable querying the Connected App Statistics
  -customdetections
        enable querying the Custom Detection state
  -dataexportsettings
        enable querying the M365 XDR Data Export Settings
  -debug
        Provide debugging output
  -executedqueries
        enable querying the Executed Queries
  -featuresettings
        enable querying the Advanced Feature Settings
  -files
        enable writing to files
  -location string
        set the Azure region to query, default is wdatpprd-weu. Get yours via the dev tools in your browser, see the blog in the README. (default "wdatpprd-weu")
  -lookback int
        set the number of hours to query from the applicable sources (default 1)
  -machineactions
        enable querying the MachineActions / LiveResponse actions
  -machinegroups
        enable querying the Machine Groups
  -machineid string
        set the MachineId to query the timeline for
  -schema
        write the MDE schema reference to a file - will never write to Sentinel
  -sentinel
        enable sending to Sentinel
  -splunk
        enable sending to Splunk
  -timeline
        gather the Timeline for a MachineId (requires -machineid and -lookback)

Get the MDE Schema reference in JSON

This will be written to a file, no point in ingesting this into Sentinel.

./defenderharvester -schema

Get all interesting data from MDE

You can get the following events from MDE:

  • (automated) LiveResponse events (MdeMachineActions)
  • The state of your custom detections (MdeCustomDetectionState)
  • Advanced feature settings (MdeAdvancedFeatureSettings)
  • Configured Machine Groups (MdeMachineGroups)
  • Connected App Registrations, and their use (MdeConnectedAppStats)
  • All executed queries Scheduled/API/Portal (MdeExecutedQueries)
  • Timeline events for devices (MdeTimelineEvens)
  • The schema reference

This can be collected into files with the -files flag, or sent to Sentinel with the -sentinel flag, or both.

For example;

./defenderharvester -lookback 1 -machinections -files -sentinel

Get the timeline for a MachineId and send it to Sentinel

You can get the timeline for a MachineId with the -timeline flag, this requires the -machineid and -lookback flags to be set. This will be collected into a file and optionally can be sent to Sentinel with the -sentinel flag, where it will end up in the MdeTimeline table.

./defenderharvester -lookback 1 -machineid <machineid> -timeline -sentinel

Comply with device filtered Conditional Access Policy

# Use TokenTacticsV2 to get a 24h valid access token
Get-AzureToken -Client Custom -ClientID 04b07795-8ddb-461a-bbee-02f9e1bf7b46 -Scope "https://securitycenter.microsoft.com/mtp/.default" -UseCAE

./defenderharvester.exe -location wdatpprd-weu3 -debug -accesstoken $response.access_token -schema

About

Expose a lot of MDE telemetry that is not easily accessible in any searchable form

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • Go 100.0%