Microsoft Sentinel
A scalable, cloud-native solution for security information and event management (SIEM) and security orchestration, automation and response (SOAR). Previously known as Azure Sentinel.
Hello,
We are using Defender for Endpoint and MS Sentinel. To enhance security, we would like to enable PowerShell logging on all devices. But when we enable it, we get 10 times more logs than before. I analyzed the incoming logs and found out that most of the logs are generated when Defender for Endpoint verifies the scripts it is about to run. The entry in the log looks something like this:

CommandInvocation(Test-Path): "Test-Path"
ParameterBinding(Test-Path): Name="LiteralPath"; Value="C:\windows\system32"
ParameterBinding(Test-Path): Name="PathType"; Value="Leaf"
Context:
Severity: Informational
Hostname: ConsoleHost
Host Version: 5.1.14393.7426
Host ID: 16baae2b-9817-48fb-9dba-4feb3e252670
Host Application = C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command & {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8779.11783760.0.11783760-f7c904fd265bae6482f881d796c6d371acd67107\3fa4876e-3ae5-4c59-9a4d-08a7400268a5.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8779.11783760.0.11783760-f7c904fd265bae6482f881d796c6d371acd67107\3fa4876e-3ae5-4c59-9a4d-08a7400268a5.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '9651a9b9b5f42dbfbac8317b9d9656d5a842ec9f2102441f9976e07c0e2870ad')) { exit 323;}; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8779.11783760.0.11783760-f7c904fd265bae6482f881d796c6d371acd67107\3fa4876e-3ae5-4c59-9a4d-08a7400268a5.ps1' }
Module Version: 5.1.14393.7426
Runspace ID: eba4eda7-5f0e-4233-9788-df17578b7ae8
Pipeline ID: 1
Command Name: Test-Path
Command Type: Cmdlet
Script Name: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8779.11783760.0.11783760-f7c904fd265bae6482f881d796c6d371acd67107\3fa4876e-3ae5-4c59-9a4d-08a7400268a5.ps1
Command Path:
Sequence Number: 5145
User: V-BANK\SYSTEM
Connected User =
Shell ID: Microsoft.PowerShell
User Data:
Is it possible to suppress these messages or configure Defender to not do this task that often?
Regards,
Dave
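The record quoted in the question is the CommandInvocation/ParameterBinding text that PowerShell module logging writes (Event ID 4103 in the Microsoft-Windows-PowerShell/Operational channel); every cmdlet the Defender for Endpoint wrapper script calls produces one. Nothing on this page says the wrapper's frequency can be tuned, so the practical lever is to decide, per record, whether it is that wrapper before the event reaches the workspace or a query. The Python below is an added example, not code from the question or from Microsoft: it classifies records by the full shape of the wrapper shown in the post (powershell.exe with -ExecutionPolicy AllSigned -NoProfile -NonInteractive, a SHA-256 comparison against an inline hash, exit 323 on mismatch, then dot-sourcing a .ps1 under the DataCollection directory), not by the directory name alone, so a script that merely sits under that path without the hash check is still kept. It assumes each record is available as the ContextInfo text in the layout above with English field names; the four sample records are constructed for the example (the first is the one from the post), and the same predicate can be rewritten as a KQL where clause against whatever table your collector lands that channel in.

```python
"""Classify PowerShell module-logging (4103) records as Defender for Endpoint
script-verification noise or as events worth keeping.

Added example, not from the original post. Field names follow the English
layout of the record quoted in the question; sample records are constructed.
"""
import re
from dataclasses import dataclass

# Directory MDE uses for the scripts it verifies (path taken from the post).
MDE_DATACOLLECTION = (
    "C:\\ProgramData\\Microsoft\\Windows Defender Advanced Threat Protection"
    "\\DataCollection\\"
)

# Shape of the host application command line visible in the post: AllSigned,
# no profile, non-interactive, SHA-256 check of the script against an inline
# hash, exit 323 on mismatch, then dot-source the same script.
WRAPPER_RE = re.compile(
    r"powershell\.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command .*?"
    r"Get-FileHash '(?P<script>[^']+\.ps1)' -Algorithm SHA256;"
    r"if \(!\(\$calculatedHash\.Hash -eq '(?P<hash>[0-9a-fA-F]{64})'\)\) \{ exit 323;\};"
    r" \. '(?P=script)'",
    re.IGNORECASE | re.DOTALL,
)

# One line per field in the ContextInfo block.
FIELD_RE = {
    "host_application": re.compile(r"^Host Application = (.*)$", re.M),
    "script_name": re.compile(r"^Script Name: (.*)$", re.M),
    "user": re.compile(r"^User: (.*)$", re.M),
    "command": re.compile(r"^Command Name: (.*)$", re.M),
}


@dataclass
class Verdict:
    noise: bool            # True = MDE verification wrapper, safe to drop
    reason: str
    script: str = ""       # the .ps1 the wrapper dot-sourced, if any
    expected_hash: str = ""  # SHA-256 the wrapper compared against


def parse_fields(context_info: str) -> dict:
    """Pull the fields the classifier needs out of the record text."""
    out = {}
    for key, rx in FIELD_RE.items():
        m = rx.search(context_info)
        out[key] = m.group(1).strip() if m else ""
    return out


def classify(context_info: str) -> Verdict:
    """Only the complete wrapper shape, run as SYSTEM, from a script under
    DataCollection, counts as noise; anything else is kept for the analyst."""
    f = parse_fields(context_info)
    m = WRAPPER_RE.search(f["host_application"])
    if not m:
        return Verdict(False, "host application is not the MDE verification wrapper")
    script = m.group("script")
    root = MDE_DATACOLLECTION.lower()
    if not script.lower().startswith(root):
        return Verdict(False, "wrapped script is outside DataCollection", script)
    if not f["script_name"].lower().startswith(root):
        return Verdict(False, "cmdlet ran from a script outside DataCollection", script)
    if not f["user"].upper().endswith("\\SYSTEM"):
        return Verdict(False, "wrapper did not run as SYSTEM", script)
    return Verdict(True, "MDE script verification", script, m.group("hash").lower())


def summarize(records) -> dict:
    """Volume estimate: how much of a sample would the filter remove?"""
    noise = sum(classify(r).noise for r in records)
    return {"total": len(records), "noise": noise, "kept": len(records) - noise}


# ---- constructed sample records ------------------------------------------
MDE_SCRIPT = (MDE_DATACOLLECTION
              + "8779.11783760.0.11783760-f7c904fd265bae6482f881d796c6d371acd67107"
              "\\3fa4876e-3ae5-4c59-9a4d-08a7400268a5.ps1")
MDE_HASH = "9651a9b9b5f42dbfbac8317b9d9656d5a842ec9f2102441f9976e07c0e2870ad"
PWSH = "C:\\windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe"


def mde_wrapper(script: str, sha256: str) -> str:
    """Host application string in the form quoted in the post."""
    return (PWSH + " -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command & {"
            "$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;"
            "$scriptFileStream = [System.IO.File]::Open('" + script + "', [System.IO.FileMode]::Open, "
            "[System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);"
            "$calculatedHash = Microsoft.PowerShell.Utility\\Get-FileHash '" + script + "' -Algorithm SHA256;"
            "if (!($calculatedHash.Hash -eq '" + sha256 + "')) { exit 323;}; . '" + script + "' }")


def make_record(host_app: str, script_name: str, user: str, command: str) -> str:
    """Constructed ContextInfo block with the fields the classifier reads."""
    return (f'CommandInvocation({command}): "{command}"\n'
            "Context:\nSeverity: Informational\nHostname: ConsoleHost\n"
            f"Host Application = {host_app}\nCommand Name: {command}\nCommand Type: Cmdlet\n"
            f"Script Name: {script_name}\nUser: {user}\n")


SAMPLE_RECORDS = [
    # 1: the entry from the post (Test-Path inside the verified MDE script) -> noise
    make_record(mde_wrapper(MDE_SCRIPT, MDE_HASH), MDE_SCRIPT, "V-BANK\\SYSTEM", "Test-Path"),
    # 2: constructed, another cmdlet from the same verified script -> noise
    make_record(mde_wrapper(MDE_SCRIPT, MDE_HASH), MDE_SCRIPT, "V-BANK\\SYSTEM", "Get-ItemProperty"),
    # 3: constructed, an admin's own script -> keep
    make_record(PWSH + " -ExecutionPolicy Bypass -File C:\\Users\\dave\\inventory.ps1",
                "C:\\Users\\dave\\inventory.ps1", "V-BANK\\dave", "Invoke-WebRequest"),
    # 4: constructed, a script under DataCollection launched WITHOUT the hash-checking
    #    wrapper; a path-only filter would drop it, this classifier keeps it
    make_record(PWSH + " -ExecutionPolicy Bypass -File " + MDE_DATACOLLECTION + "other.ps1",
                MDE_DATACOLLECTION + "other.ps1", "V-BANK\\SYSTEM", "Invoke-Expression"),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(classify(r))
    print(summarize(SAMPLE_RECORDS))
```

Run it against an export of real 4103 records before you commit to a filter: summarize gives the share of volume the wrapper accounts for, and the expected_hash the classifier extracts is the hash MDE itself compared the script against, which you can retain in a summary row even when the per-cmdlet records are dropped.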