PSMDATP – PowerShell Module For Managing Microsoft Defender Advanced Threat Protection

Welcome to the Microsoft Defender Advanced Threat Protection PowerShell module!

This module is a collection of easy-to-use cmdlets and functions intended to make it simple to interact with the Microsoft Defender Advanced Threat Protection API.


Inspiration

I created this PowerShell module for MDATP for the following reasons:

  1. Advance my PowerShell skills
  2. Provide an easy way to interact with MDATP through PowerShell, because I prefer automation over manual tasks

Requirements

  • Windows PowerShell 5.1 (testing for PowerShell 7 is in progress)
  • Authorization for API access configured by registering an application in AzureAD

Application Permissions

Below is an example of the App Permissions that you need to grant. I will provide more details shortly about the individual cmdlets and the permissions they require.

[Image: PSMDATP app permissions]

Getting Started

To get started with the module, open your PowerShell terminal and install the module from the PSGallery by running this simple command:

Install-Module PSMDATP -Scope CurrentUser

App Registration

Initial Configuration

Once you have installed the module and registered the App in AzureAD, you will find a file TEMPLATE_PoshMTPconfig.json in the Module folder. Rename this file to PoshMTPConfig.json and enter your API settings. Then copy the file into the root of the Module folder.

Example:

C:\Users\User1\Documents\WindowsPowerShell\Modules\PSMDATP
└───PSMDATP
    │   PoshMTPconfig.json
    │
    └───0..2
            PSMDATP.psd1
            PSMDATP.psm1
            TEMPLATE_PoshMTPconfig.json

At present the PSMDATP PowerShell module only requires the API_MDATP section:

{
  "API_MDATP": {
    "AppName": "WindowsDefenderATPPSMDATP",
    "OAuthUri": "https://login.windows.net//oauth2/token",
    "ClientID": "Client ID",
    "ClientSecret": ""
  },
  "API_MSGRAPH": {
    "AppName": "xMSGraph",
    "OAuthUri": "https://login.windows.net//oauth2/token",
    "ClientID": "",
    "ClientSecret": ""
  }
}

Important

I am going to assume that you are familiar with MDATP as such and understand the consequences of triggering actions on devices. Where applicable the cmdlets support the -WhatIf parameter. Think before pressing the key!

Running your first commands

List included cmdlets

Let us first take a look at the cmdlets included in the PSMDATP Module:

Get-Command -Module PSMDATP | Select-Object Name

You will see something like this:

Add-MDATPDeviceTag
Add-MDATPIndicator
Get-MDATPAlert
Get-MDATPCollectionPackageUri
Get-MDATPDevice
Get-MDATPDeviceAction
Get-MDATPDeviceTag
Get-MDATPIndicator
Get-MDATPInvestigation
Get-MDATPQuery
Get-MDATPTvmRecommendation
Get-MDATPTvmVulnerability
Remove-MDATPDevice
Remove-MDATPDeviceTag
Remove-MDATPIndicator
Start-MDATPAppRestriction
Start-MDATPAVScan
Start-MDATPInvestigation
Start-MDATPInvestigationPackageCollection
Start-MDATPIsolation
Stop-MDATPAppRestriction
Stop-MDATPIsolation

For more details about the cmdlets included in this module, check out the cmdlets documentation page.

Retrieve MDATP Alerts

Run the following command to retrieve alerts from the past 30 days:

Get-MDATPAlert -PastHours 720

List MDATP Devices

Run the following command to list all MDATP registered devices:

Get-MDATPDevice -All
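The configuration file and the first commands above can be combined into a short read-only triage script. This is an added example, not code from the PSMDATP project; it assumes (not stated in the README) that alert objects expose 'severity' and 'machineId', that device objects expose 'id', and that Add-MDATPDeviceTag accepts -DeviceID and -Tag.

```powershell
# Added example, not part of the PSMDATP project: validate PoshMTPconfig.json,
# then run a read-only first pass over alerts and devices.
# Assumptions (not stated in the README): alert objects carry 'severity' and
# 'machineId', device objects carry 'id', Add-MDATPDeviceTag takes -DeviceID/-Tag.
Import-Module PSMDATP

function Test-PoshMTPConfig {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) {
        throw "Config not found: $Path (rename TEMPLATE_PoshMTPconfig.json and fill it in)"
    }
    $cfg = Get-Content -Raw -Path $Path | ConvertFrom-Json
    $api = $cfg.API_MDATP
    $problems = @()
    if ([string]::IsNullOrWhiteSpace($api.ClientID))     { $problems += 'API_MDATP.ClientID is empty' }
    if ([string]::IsNullOrWhiteSpace($api.ClientSecret)) { $problems += 'API_MDATP.ClientSecret is empty' }
    # Expected form is https://login.windows.net/<TenantId>/oauth2/token; an empty
    # tenant segment shows up as '//oauth2' and the token request will fail.
    if ($api.OAuthUri -notmatch '^https://login\.windows\.net/[^/]+/oauth2/token$') {
        $problems += "API_MDATP.OAuthUri looks wrong: $($api.OAuthUri)"
    }
    # The file holds a client secret in clear text: flag broad read access to it.
    $broad = (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference -match 'Everyone|BUILTIN\\Users|Authenticated Users' }
    if ($broad) { $problems += 'PoshMTPconfig.json is readable by broad groups; tighten its ACL' }
    if ($problems) { throw ("Config problems:`n - " + ($problems -join "`n - ")) }
    return $api.AppName
}

# The README puts the config in the module root, one level above the version folder.
$mod        = Get-Module -ListAvailable -Name PSMDATP | Select-Object -First 1
$configFile = Join-Path -Path (Split-Path -Parent $mod.ModuleBase) -ChildPath 'PoshMTPconfig.json'
Write-Host "Using app registration: $(Test-PoshMTPConfig -Path $configFile)"

# Read-only: alerts from the last 24 hours, counted by severity.
$alerts = Get-MDATPAlert -PastHours 24
$alerts | Group-Object -Property severity | Sort-Object -Property Count -Descending |
    Format-Table -Property Name, Count

# Devices behind High-severity alerts, cross-checked against the full device list.
$known = (Get-MDATPDevice -All).id
$hot   = $alerts | Where-Object { $_.severity -eq 'High' } |
    Select-Object -ExpandProperty machineId -Unique
foreach ($id in $hot) {
    if ($id -notin $known) { Write-Warning "Alert references unknown device $id"; continue }
    # -WhatIf: show the tagging action without changing anything in the tenant.
    Add-MDATPDeviceTag -DeviceID $id -Tag 'Triage' -WhatIf
}
```

Drop -WhatIf only once the listed actions are the ones you intend to take.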

Authors

Alex Verboon (Twitter)

Credits

I used Catesta for this project.
