Defender Exclusions - Reasoning for excluding certain subkeys
jonod8698 opened this issue · 1 comments
jonod8698 commented
Hi @rod-trent,
Regarding DefenderExclusions, I was wondering if there is a reason why the whole subkey "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions" is not included in the query?
Is there some false positive you're trying to avoid?
rod-trent commented
You could do that. Just trying to be succinct as there are other changes in the full key that need to be made, but are not necessarily threat evidence.
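As an added example, not the SentinelKQL repository's DefenderExclusions query, here is one way to widen the hunt to the whole Exclusions subkey the issue asks about while keeping the routine changes Rod mentions out of the results. It assumes the DeviceRegistryEvents table from Microsoft Defender for Endpoint (ingested through the Microsoft 365 Defender connector), that msmpeng.exe is the process that legitimately rewrites this key on managed hosts, and the "broad scope" heuristics for value names; all three are assumptions to tune per tenant.

```kusto
// Added example, not the repository's DefenderExclusions query.
// Assumes the DeviceRegistryEvents table (Microsoft Defender for Endpoint via the M365D connector).
let ExclusionRoot = @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions";
// Assumption: processes that legitimately rewrite this key on managed hosts.
// These produce the routine changes a hunt over the full key would otherwise surface.
let ExpectedWriters = dynamic(["msmpeng.exe"]);
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType in ("RegistryKeyCreated", "RegistryValueSet")
| where RegistryKey startswith ExclusionRoot
// First path component under the root: Paths, Processes, Extensions, IpAddresses, TemporaryPaths
| extend ExclusionType = tostring(split(substring(RegistryKey, strlen(ExclusionRoot) + 1), @"\")[0])
| extend Writer = tolower(InitiatingProcessFileName)
// Exclusion entries are stored as value names (the excluded path, process or extension).
// Flag the broad ones: a bare drive root, a wildcard, or a whole user-profile tree.
| extend BroadScope = RegistryValueName matches regex @"^[A-Za-z]:\\?$"
    or RegistryValueName has "*"
    or RegistryValueName startswith @"C:\Users"
| extend Severity = case(
    Writer !in (ExpectedWriters), "High",   // written by something other than the Defender service
    BroadScope, "High",                     // expected writer, but an overly broad exclusion
    "Informational")                        // the routine changes: keep for context, do not alert
| project Timestamp, DeviceName, ExclusionType, RegistryValueName, Writer,
          InitiatingProcessCommandLine, InitiatingProcessAccountName, Severity
| order by Timestamp desc
```

Two caveats when running this: exclusions pushed by Group Policy land under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions, a different root that this query does not cover, so add a second root if you want those; and the Informational rows are exactly the non-threat changes the original query leaves out, so alert only on High and keep the rest for investigation context.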