u/True-Agency-3111

▲ 3 r/u_True-Agency-3111+1 crossposts

Endpoint event logs on security portal

We use MDE. For alerting on data exfiltration attempts, I want to collect certain event viewer logs from the windows 11 endpoints and view them in Security portal/SIEM. Is it possible? If yes, how please.

reddit.com
u/True-Agency-3111 — 4 days ago

MDE device control with encrypted USB

We are using MDE device control to block USB access. Exception process is in place, we collect the user id and machine id to ensure that usb is accessible only for a particular user on a specific device.

Now we want to test that when the exception is provided user should only be able to write data to usb if it's encrypted. How should we be approaching this along with a provision for exception for use cases where encrypted USB cant be used on business device e.g. RIG

reddit.com
u/True-Agency-3111 — 4 days ago

Running scan status

SOC team needs to know the current status of the scan they initiated on the machine from the portal. The AMRunningQuickScan remains blank even if the machine is running a quick scan.

Get-MpComputerStatus | Select-Object `

AntivirusEnabled,

RealTimeProtectionEnabled,

IsTamperProtected,

AMRunningFullScan,

AMRunningQuickScan,

FullScanAge,

QuickScanAge,

QuickScanEndTime,

LastFullScanSource,

LastQuickScanSource,

AntivirusSignatureAge,

AntivirusSignatureVersion

Is there a better way to get the status info please?

reddit.com
u/True-Agency-3111 — 2 months ago