PSMDATP – PowerShell Module For Managing Microsoft Defender Advanced Threat Protection

Welcome to the Microsoft Defender Advanced Threat Protection PowerShell module!

This module is a set of easy-to-use cmdlets and functions designed to make it straightforward to interface with the Microsoft Defender Advanced Threat Protection (MDATP) API.


Motivation

I created this PowerShell module for MDATP for the following reasons:

  1. Advance my PowerShell skills
  2. Provide a simple way to interact with MDATP through PowerShell, because I prefer automation over manual tasks

Prerequisites

  • Windows PowerShell 5.1 (testing for PowerShell 7 is in progress)
  • Authorization for API access configured by registering an application in Azure AD

App Permissions

Below is an example of the App Permissions that you need to grant. I will provide more details soon about the individual cmdlets and the permissions each of them requires.

Getting Started

To get started with the module, open your PowerShell terminal and install the module from the PSGallery by running this simple command:

Install-Module PSMDATP -Scope CurrentUser

App Registration

Initial Configuration

Once you have installed the module and registered the App in Azure AD, you will find a file TEMPLATE_PoshMTPconfig.json in the Module folder. Rename this file to PoshMTPconfig.json and enter your API settings. Then copy the file into the root of the Module folder.

Example:

"C:\Users\User1\Documents\WindowsPowerShell\Modules\PSMDATP"
└───PSMDATP
    │   PoshMTPconfig.json
    │
    └───0.0.2
            PSMDATP.psd1
            PSMDATP.psm1
            TEMPLATE_PoshMTPconfig.json

At present the PSMDATP PowerShell module only requires the API_MDATP section. Fill in ClientID and ClientSecret from your app registration; the empty path segment between the two slashes in OAuthUri is where your Azure AD tenant ID belongs. Note that the client secret is stored in clear text in this file, so keep the file readable only by your own account and never commit it to source control.

{
"API_MDATP": {
"AppName": "WindowsDefenderATPPSMDATP",
"OAuthUri": "https://login.windows.net//oauth2/token",
"ClientID": "CLIENT ID",
"ClientSecret": ""
},
"API_MSGRAPH": {
"AppName": "xMSGraph",
"OAuthUri": "https://login.windows.net//oauth2/token",
"ClientID": "",
"ClientSecret": ""
}
}
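To show what the API_MDATP settings are actually used for, here is an added example (not code from the PSMDATP module) that reads PoshMTPconfig.json, checks that the file holding the client secret is not world-readable, obtains a token with the OAuth 2.0 client-credentials grant against the configured OAuthUri, and calls the alerts API directly. The resource and API base URL https://api.securitycenter.microsoft.com, the /api/alerts endpoint, the alertCreationTime filter and the config file location under the user profile are assumptions made for this example, not facts stated on this page.

```powershell
# Added example, not part of PSMDATP. Assumptions (not from this page): the
# config file location below, the API resource URL and the /api/alerts endpoint.
$ConfigPath = Join-Path $env:USERPROFILE 'Documents\WindowsPowerShell\Modules\PSMDATP\PoshMTPconfig.json'
$Config     = (Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json).API_MDATP

# The client secret sits in clear text in this file: warn if broad groups can read it.
$Broad = (Get-Acl -Path $ConfigPath).Access | Where-Object {
    $_.IdentityReference -match 'Everyone|\\Users$|Authenticated Users' -and
    $_.FileSystemRights   -match 'Read|Modify|FullControl'
}
if ($Broad) { Write-Warning "$ConfigPath is readable by $($Broad.IdentityReference -join ', '); tighten its ACL." }

# Refuse to run with the template's empty tenant segment ("https://login.windows.net//oauth2/token").
$TokenUri = $Config.OAuthUri
if ($TokenUri -match '//oauth2') { throw 'OAuthUri has no tenant ID segment; edit PoshMTPconfig.json first.' }
if ([string]::IsNullOrWhiteSpace($Config.ClientSecret)) { throw 'ClientSecret is empty in PoshMTPconfig.json.' }

$Resource = 'https://api.securitycenter.microsoft.com'   # assumption, see lead-in

# OAuth 2.0 client-credentials grant (Azure AD v1 endpoint uses 'resource', not 'scope').
$Body = @{
    grant_type    = 'client_credentials'
    client_id     = $Config.ClientID
    client_secret = $Config.ClientSecret
    resource      = $Resource
}
$Token   = Invoke-RestMethod -Method Post -Uri $TokenUri -Body $Body -ContentType 'application/x-www-form-urlencoded'
$Headers = @{ Authorization = "Bearer $($Token.access_token)" }

# Decode the token payload (no signature check, just to see which app roles were granted).
$Payload = $Token.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
switch ($Payload.Length % 4) { 2 { $Payload += '==' } 3 { $Payload += '=' } }
$Claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Payload)) | ConvertFrom-Json
"App roles in token: $($Claims.roles -join ', ')"

# Same data the module exposes via Get-MDATPAlert -PastHours 720: alerts from the last 30 days.
$Since     = (Get-Date).ToUniversalTime().AddHours(-720).ToString('yyyy-MM-ddTHH:mm:ssZ')
$AlertsUri = "$Resource/api/alerts?`$filter=alertCreationTime ge $Since"
$Alerts    = (Invoke-RestMethod -Method Get -Uri $AlertsUri -Headers $Headers).value

# Quick overview by severity.
$Alerts | Group-Object severity | Select-Object Name, Count | Format-Table -AutoSize
```

If the roles claim printed by the script does not contain the permissions shown under App Permissions (for example Alert.Read.All or Machine.Isolate), the app registration is missing admin consent for that permission and the corresponding cmdlets will fail with an authorization error even though a token was issued.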

Important

I am going to assume that you are familiar with MDATP and understand the consequences of triggering response actions on devices. Where applicable, the cmdlets support the -WhatIf parameter, which shows what a command would do without executing it. Think before pressing the key!

Running your first commands

List included cmdlets

Let's first take a look at the cmdlets included in the PSMDATP module:

Get-Command -Module PSMDATP | Select-Object Name

You will see something like this:

Add-MDATPDeviceTag
Add-MDATPIndicator
Get-MDATPAlert
Get-MDATPCollectionPackageUri
Get-MDATPDevice
Get-MDATPDeviceAction
Get-MDATPDeviceTag
Get-MDATPIndicator
Get-MDATPInvestigation
Get-MDATPQuery
Get-MDATPTvmRecommendation
Get-MDATPTvmVulnerability
Remove-MDATPDevice
Remove-MDATPDeviceTag
Remove-MDATPIndicator
Start-MDATPAppRestriction
Start-MDATPAVScan
Start-MDATPInvestigation
Start-MDATPInvestigationPackageCollection
Start-MDATPIsolation
Stop-MDATPAppRestriction
Stop-MDATPIsolation

For more details about the cmdlets included in this module, check out the cmdlets documentation page.

Retrieve MDATP Alerts

Run the following command to retrieve alerts from the past 30 days (720 hours):

Get-MDATPAlert -PastHours 720

List MDATP Devices

Run the following command to list all devices registered in MDATP:

Get-MDATPDevice -All
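Putting the two commands above together, here is an added example (not from the PSMDATP project) of a first triage run: it pulls the last 24 hours of alerts, joins the open high-severity ones to their device records, and then previews the isolation response with -WhatIf as the Important section advises. It uses only the cmdlets and parameters shown on this page (Get-MDATPAlert -PastHours, Get-MDATPDevice -All) plus Start-MDATPIsolation; it assumes the cmdlets return the API objects unchanged (alerts with severity, status, title, machineId and alertCreationTime; devices with id, computerDnsName and riskScore) and that Start-MDATPIsolation accepts -DeviceName and -Comment. Those property and parameter names are assumptions to verify with Get-Help, not facts from this page.

```powershell
# Added example, not part of PSMDATP. Assumed (not confirmed by this page): the
# alert/device property names below and the -DeviceName/-Comment parameters of
# Start-MDATPIsolation. Check them with: Get-Help Start-MDATPIsolation -Full
Import-Module PSMDATP

$Alerts  = Get-MDATPAlert -PastHours 24
$Devices = Get-MDATPDevice -All

# Index devices by id so each alert can be resolved to a hostname in O(1).
$DeviceById = @{}
foreach ($d in $Devices) { $DeviceById[$d.id] = $d }

# Open, high-severity alerts joined to their device record.
$Hot = foreach ($a in ($Alerts | Where-Object { $_.severity -eq 'High' -and $_.status -ne 'Resolved' })) {
    $dev = $DeviceById[$a.machineId]
    [pscustomobject]@{
        Created   = $a.alertCreationTime
        Title     = $a.title
        Device    = if ($dev) { $dev.computerDnsName } else { $a.machineId }
        RiskScore = if ($dev) { $dev.riskScore } else { 'unknown' }
    }
}

if (-not $Hot) { 'No open high-severity alerts in the last 24 hours.'; return }
$Hot | Sort-Object Created -Descending | Format-Table -AutoSize

# Preview isolation for every affected device. -WhatIf only prints what would
# happen; remove it deliberately, after reviewing the table above, to act.
$Hot | Select-Object -ExpandProperty Device -Unique | ForEach-Object {
    Start-MDATPIsolation -DeviceName $_ -Comment "High-severity alert triage $(Get-Date -Format s)" -WhatIf
}
```

Running the last step with -WhatIf first is cheap insurance: an isolation request is issued per device and cuts that host off the network except for the Defender channel, so a mistaken filter in the previous step would otherwise be amplified across the whole list.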

Authors

Alex Verboon (Twitter)

Credits

I used Catesta for this project.
