Project author: alexverboon

Project description:
PowerShell Module for managing Microsoft Defender Advanced Threat Protection
Language: PowerShell
Repository: git://github.com/alexverboon/PSMDATP.git
Created: 2020-04-15T05:56:30Z
Project community: https://github.com/alexverboon/PSMDATP

License: MIT License



Microsoft Defender for Endpoint PowerShell Module




Welcome to the Microsoft Defender for Endpoint PowerShell module!

This module is a collection of easy-to-use cmdlets and functions designed to make it easy to interface with the Microsoft Defender for Endpoint API.

Motivation

I created this PowerShell module for MDATP for the following reasons:

  1. Advance my PowerShell skills
  2. Provide an easy way to interact with MDE through PowerShell because I prefer automation over manual tasks

Prerequisites

  • Windows PowerShell 5.1 (testing on PowerShell 7 is in progress)
  • An application registered in Azure AD, with the API permissions the cmdlets need granted and admin-consented, so that the module can authorize against the Microsoft Defender for Endpoint API

App Permissions

Below is an example of the App Permissions that you must grant to the registered application. More details about the individual cmdlets and the permissions each of them requires will follow.


App permissions

Getting Started

To get started with the module, open your PowerShell terminal and install the module from the PowerShell Gallery by running this simple command:

  Install-Module PSMDATP -Scope CurrentUser

App Registration

Initial Configuration

When you have installed the module and registered the app in Azure AD, you will find a file TEMPLATE_PoshMTPconfig.json in the module's version folder. Copy this file to the root of the module folder (the PSMDATP folder that contains the version subfolder), rename the copy to PoshMTPconfig.json and enter your API settings. The resulting layout looks like this:

Example:

  "C:\Users\User1\Documents\WindowsPowerShell\Modules\PSMDATP"
  ───PSMDATP
  │   PoshMTPconfig.json
  │
  └───0.0.2
          PSMDATP.psd1
          PSMDATP.psm1
          TEMPLATE_PoshMTPconfig.json

At present the PSMDATP PowerShell module only reads the API_MDATP block; the API_MSGRAPH block can be left as it is in the template. Note that the file stores the client secret in clear text inside your module folder, so restrict access to that folder accordingly (a more secure storage option is on the TODO list below).

  {
    "API_MDATP": {
      "AppName": "WindowsDefenderATPPSMDATP",
      "OAuthUri": "https://login.windows.net/<YOUR TENANT ID>/oauth2/token",
      "ClientID": "<CLIENT ID>",
      "ClientSecret": "<CLIENT SECRET>"
    },
    "API_MSGRAPH": {
      "AppName": "xMSGraph",
      "OAuthUri": "https://login.windows.net/<YOUR TENANT ID>/oauth2/token",
      "ClientID": "<CLIENT ID>",
      "ClientSecret": "<CLIENT SECRET>"
    }
  }
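The following is an added example, not code from the PSMDATP module itself. It shows what the configuration above implies: the OAuthUri is the Azure AD v1 token endpoint, so the module has to perform a client-credentials grant with a `resource` parameter, and whatever is returned is a bearer token whose `roles` claim lists the application permissions actually granted. The script refuses to run while template placeholders are still in the file, then performs one read-only call as a smoke test. Assumed: the module is installed in a versioned folder as in the tree above, and the MDE API resource identifier is https://api.securitycenter.microsoft.com.

```powershell
# Added example (not part of PSMDATP): validate PoshMTPconfig.json, obtain a token
# with the client-credentials flow, and confirm which permissions were granted.
$ErrorActionPreference = 'Stop'

# Locate the config next to the versioned module folder (see the tree above).
$moduleBase = (Get-Module -ListAvailable PSMDATP | Select-Object -First 1).ModuleBase
$candidates = @((Join-Path (Split-Path $moduleBase -Parent) 'PoshMTPconfig.json'),
                (Join-Path $moduleBase 'PoshMTPconfig.json'))
$configPath = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $configPath) { throw "PoshMTPconfig.json not found in: $($candidates -join '; ')" }

$api = (Get-Content -Path $configPath -Raw | ConvertFrom-Json).API_MDATP

# Refuse to continue while the template placeholders (<...>) are still in place.
foreach ($field in 'OAuthUri', 'ClientID', 'ClientSecret') {
    $value = [string]$api.$field
    if ([string]::IsNullOrWhiteSpace($value) -or $value -match '<[^>]+>') {
        throw "API_MDATP.$field still holds a template placeholder; edit $configPath first."
    }
}

# The v1 endpoint (login.windows.net/<tenant>/oauth2/token) expects 'resource',
# not the v2-style 'scope'. Resource identifier is an assumption, see lead-in.
$body = @{
    grant_type    = 'client_credentials'
    client_id     = $api.ClientID
    client_secret = $api.ClientSecret
    resource      = 'https://api.securitycenter.microsoft.com'
}
$token = Invoke-RestMethod -Method Post -Uri $api.OAuthUri -Body $body `
    -ContentType 'application/x-www-form-urlencoded'

# Decode the JWT payload (base64url) to read the granted application roles.
# This is inspection only; the API, not this script, validates the token.
$payload = $token.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
$payload = $payload.PadRight($payload.Length + ((4 - $payload.Length % 4) % 4), '=')
$claims  = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
"App $($claims.appid) in tenant $($claims.tid), token valid for $($token.expires_in)s"
"Granted application permissions: $($claims.roles -join ', ')"

# Read-only smoke test: a single alert. A 403 here means the app lacks Alert.Read.All.
$headers = @{ Authorization = "Bearer $($token.access_token)" }
Invoke-RestMethod -Uri 'https://api.securitycenter.microsoft.com/api/alerts?$top=1' -Headers $headers
```

If the `roles` claim is empty, the permissions were added to the app registration but admin consent was never granted; the token is issued anyway and every API call fails with 403, which is the most common reason a fresh PSMDATP setup returns nothing.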

Important

I am going to assume that you are familiar with MDATP and understand the consequences of triggering response actions on devices. Where applicable, the cmdlets support the -WhatIf parameter, so you can see what an action would do before it runs. Think before pressing the key!

Running your first commands

List included cmdlets

Let's first take a look at the cmdlets included in the PSMDATP module:

  Get-Command -Module PSMDATP | Select-Object Name

You will see something like this:

  Add-MDATPDeviceTag
  Add-MDATPIndicator
  Get-MDATPAlert
  Get-MDATPCollectionPackageUri
  Get-MDATPDevice
  Get-MDATPDeviceAction
  Get-MDATPDeviceTag
  Get-MDATPIndicator
  Get-MDATPInvestigation
  Get-MDATPQuery
  Get-MDATPTvmRecommendation
  Get-MDATPTvmVulnerability
  Get-MDATPEndpointStatus
  Remove-MDATPDevice
  Remove-MDATPDeviceTag
  Remove-MDATPIndicator
  Set-MDATPAlert
  Start-MDATPAppRestriction
  Start-MDATPAVScan
  Start-MDATPInvestigation
  Start-MDATPInvestigationPackageCollection
  Start-MDATPIsolation
  Stop-MDATPAppRestriction
  Stop-MDATPIsolation

For more details about the cmdlets included in this module check out the cmdlets documentation page

Retrieve MDATP Alerts

Run the following command to retrieve the high-severity alerts from the past 30 days:

  Get-MDATPAlert -Severity High

List MDATP Devices

Run the following command to list all devices registered in MDATP:

  Get-MDATPDevice -All
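The "Important" note above is worth turning into a habit. The following is an added example, not part of the PSMDATP module: a wrapper that selects devices from Get-MDATPDevice -All and isolates them in bulk, but only behind ShouldProcess, so -WhatIf and -Confirm apply to the whole batch, with a hard cap on how many devices a pattern may match and an audit line per action. Assumptions: the device objects carry the MDE API field names computerDnsName and id, and Start-MDATPIsolation accepts -DeviceName, -IsolationType and -Comment (confirm with Get-Help Start-MDATPIsolation -Full before use).

```powershell
# Added example (not part of PSMDATP): bulk device isolation gated by ShouldProcess.
# Assumed parameter names for Start-MDATPIsolation and property names on the
# device objects are noted in the lead-in; verify them against Get-Help.
function Invoke-MDATPBulkIsolation {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$NamePattern,                  # regex on computerDnsName, e.g. '^LAB-'
        [ValidateSet('Full', 'Selective')][string]$IsolationType = 'Selective',
        [Parameter(Mandatory)][string]$Comment,                      # ticket / reason, recorded by MDE
        [int]$MaxDevices = 5,                                        # cap against an over-broad pattern
        [string]$LogPath = (Join-Path $env:TEMP 'mdatp-bulk-isolation.log')
    )

    Import-Module PSMDATP -ErrorAction Stop

    # Always select from the full inventory; @() keeps .Count valid for 0 or 1 hits.
    $targets = @(Get-MDATPDevice -All | Where-Object { $_.computerDnsName -match $NamePattern })
    if ($targets.Count -eq 0) { Write-Warning "No devices match '$NamePattern'"; return }
    if ($targets.Count -gt $MaxDevices) {
        throw "'$NamePattern' matches $($targets.Count) devices, above the cap of $MaxDevices. Narrow the pattern."
    }

    foreach ($device in $targets) {
        $label = "$($device.computerDnsName) ($($device.id))"
        # With -WhatIf this prints the planned action and returns $false; with
        # ConfirmImpact High it prompts per device unless -Confirm:$false is given.
        if ($PSCmdlet.ShouldProcess($label, "Isolate device ($IsolationType)")) {
            Start-MDATPIsolation -DeviceName $device.computerDnsName -IsolationType $IsolationType -Comment $Comment
            '{0:o} isolated {1} type={2} by={3} comment="{4}"' -f (Get-Date), $label, $IsolationType, $env:USERNAME, $Comment |
                Add-Content -Path $LogPath
        }
    }
}

# Dry run first: nothing is isolated, each planned action is printed.
Invoke-MDATPBulkIsolation -NamePattern '^LAB-' -Comment 'IR-1234 containment' -WhatIf

# Real run, after reviewing the dry-run output:
# Invoke-MDATPBulkIsolation -NamePattern '^LAB-' -Comment 'IR-1234 containment'
```

The same shape works for Start-MDATPAppRestriction or Start-MDATPAVScan: keep the selection explicit, cap the blast radius, and let ShouldProcess do the gating rather than adding an ad-hoc "are you sure" prompt.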

Contributing

If you have an idea or want to contribute to this project please submit a suggestion

Authors

Alex Verboon Twitter

Contributors

Dan Lacher Twitter


Release Notes

Version  Date        Notes
0.0.1    15.04.2020  Initial release
0.0.2    03.05.2020  Added Add-MDATPIndicator and Remove-MDATPIndicator cmdlets
1.0.0    18.07.2020  Added Get-MDATPTvmRecommendation and Get-MDATPTvmVulnerability cmdlets; updated the API URI used by the Get-MDATPAlert cmdlet
1.1.0    22.12.2020  Added Set-MDATPAlert and Get-MDATPEndpointStatus
1.1.1    22.11.2022  Added the generateAlert flag to Add-MDATPIndicator

TODO

I have the following on my to-do list:

  • A more secure way to store the API configuration (the client secret currently sits in clear text in PoshMTPconfig.json)
  • Add cmdlets for TVM (added in version 1.0.0)
  • Add cmdlets to manage custom indicators (added in version 0.0.2)
  • Add more query templates for advanced hunting
  • Create more module-related Pester tests

Credits

I used Catesta for this project