Microsoft Defender for Endpoint creates a large amount of PowerShell logs

Wankmüller, David (BAGHUS GmbH) 0 Reputation points
2024-11-18T15:23:36.6133333+00:00

Hello,

We are using Defender for Endpoint and MS Sentinel. To enhance security, we would like to enable PowerShell logging on all devices. But when we enable it, we get 10 times more logs than before. I analyzed the incoming logs and found out that most of the logs are generated when Defender for Endpoint verifies the scripts it is about to run. The entry in the log looks something like this:

CommandInvocation(Test-Path): "Test-Path" ParameterBinding(Test-Path): Name="LiteralPath"; Wert="C:\windows\system32" ParameterBinding(Test-Path): Name="PathType"; Wert="Leaf" Kontext: Schweregrad: Informational Hostname: ConsoleHost Hostversion: 5.1.14393.7426 Host-ID: 16baae2b-9817-48fb-9dba-4feb3e252670 Hostanwendung = C:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy AllSigned -NoProfile -NonInteractive -Command & {$OutputEncoding = [Console]::OutputEncoding =[System.Text.Encoding]::UTF8;$scriptFileStream = [System.IO.File]::Open('C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8779.11783760.0.11783760-f7c904fd265bae6482f881d796c6d371acd67107\3fa4876e-3ae5-4c59-9a4d-08a7400268a5.ps1', [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read, [System.IO.FileShare]::Read);$calculatedHash = Microsoft.PowerShell.Utility\Get-FileHash 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8779.11783760.0.11783760-f7c904fd265bae6482f881d796c6d371acd67107\3fa4876e-3ae5-4c59-9a4d-08a7400268a5.ps1' -Algorithm SHA256;if (!($calculatedHash.Hash -eq '9651a9b9b5f42dbfbac8317b9d9656d5a842ec9f2102441f9976e07c0e2870ad')) { exit 323;}; . 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8779.11783760.0.11783760-f7c904fd265bae6482f881d796c6d371acd67107\3fa4876e-3ae5-4c59-9a4d-08a7400268a5.ps1' } Modulversion: 5.1.14393.7426 Runspace-ID: eba4eda7-5f0e-4233-9788-df17578b7ae8 Pipeline-ID: 1 Befehlsname: Test-Path Befehlstyp: Cmdlet Skriptname: C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection\8779.11783760.0.11783760-f7c904fd265bae6482f881d796c6d371acd67107\3fa4876e-3ae5-4c59-9a4d-08a7400268a5.ps1 Befehlspfad: Sequenznummer: 5145 Benutzer: V-BANK\SYSTEM Verbundener Benutzer = Shell-ID: Microsoft.PowerShell Benutzerdaten:

Is it possible to suppress these messages or configure Defender to not do this task that often?

Regards,
Dave


1 answer

Andrew Blumhardt 9,866 Reputation points Microsoft Employee
2024-11-19T16:23:12.94+00:00

Before changing PowerShell audit policy or adding additional logging, check the device timeline on a MDE managed device. Use the timeline filters. You should see a fair degree of PowerShell activity being logged using default audit policy settings. If this is not sufficient, you can change the audit policy. Though as you noted, audit policy influences the volume of Windows Security events and the size of logs collected by Sentinel and potentially MDE. There is no log filter on the MDE side but with Sentinel you can adjust the data collection rule or add an ingestion transformation to filter down the log size. For most, the default PS logs in MDE are sufficient.

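The ingestion transformation mentioned in the answer, written out as an added example (not code from the question, the answer, or Microsoft). It is a DCR `transformKql` for the Event table and assumes the PowerShell 4103 (module logging) events reach Sentinel through the Azure Monitor Agent with the `EventID`, `EventLog` and `RenderedDescription` columns available in the input stream. The predicate is deliberately narrow: it keys on the MDE script-verification prelude shown in the question (the `DataCollection` path, the `Get-FileHash` check and its `exit 323` branch), not on the folder name alone, so only events produced by that wrapper are dropped and any other PowerShell activity on the host is still ingested.

```kusto
// Added example: DCR ingestion-time transformation for the Event table.
// Assumed input columns: EventID, EventLog, RenderedDescription (Azure Monitor Agent, Event stream).
// Drops only PowerShell 4103 events whose host application is the MDE script-verification wrapper
// quoted in the question; everything else passes through unchanged.
source
| where not(
      EventID == 4103
      and EventLog == "Microsoft-Windows-PowerShell/Operational"
      and RenderedDescription contains @"Windows Defender Advanced Threat Protection\DataCollection\"
      and RenderedDescription has "Get-FileHash"
      and RenderedDescription has "exit 323"
  )
```

Before attaching the transformation to the DCR, run the same `where` clause as an ad hoc query with `source` replaced by `Event` over a representative time window, and compare `count()` with and without the filter. That gives the volume reduction up front and confirms the predicate does not match any 4103 events outside the MDE wrapper. Keep the original audit policy in place: the transformation only changes what Sentinel stores, not what the endpoint records locally.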
