2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article introduces PSMDATP: what it is and how to use it. Many people have questions about PSMDATP in day-to-day operations, so the editor consulted various materials and put together a simple, easy-to-follow set of steps. Hopefully it helps answer the question "what is PSMDATP?" Let's get started.
PSMDATP
PSMDATP is a PowerShell management module for Microsoft Defender ATP. It is essentially an easy-to-use command-line tool that researchers can use to access and work with the Microsoft Defender Advanced Threat Protection (MDATP) API.
This tool is a PowerShell module for MDATP. Its main features are as follows:
It can help you improve your PowerShell skills.
It provides a simpler way to interact with MDATP through PowerShell and automates some tasks.
Tool requirements
Windows PowerShell 5.1
Configure access authorization by registering the application in AzureAD
Application permissions
Here is an example of the list of application permissions that we must grant:
Tool download
Researchers can use the following commands to clone the source code of the project locally:
git clone https://github.com/alexverboon/PSMDATP.git
Using the tool
To use this function module, we can open the PowerShell command line terminal and install the module through PSGallery with the following installation command:
Install-Module PSMDATP -Scope CurrentUser
Application registration and initial configuration
After you install the tool and register the application in AzureAD, you will find a file called TEMPLATE_PoshMTPconfig.json in the Module folder of the project. Rename the file to PoshMTPConfig.json and enter your API settings in it. Then copy the file to the root of the Module folder.
Sample configuration:
"C:\Users\User1\Documents\WindowsPowerShell\Modules\PSMDATP"
───PSMDATP
    │   PoshMTPconfig.json
    │
    └───0.0.2
            PSMDATP.psd1
            PSMDATP.psm1
            TEMPLATE_PoshMTPconfig.json
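A pre-flight check for the PoshMTPConfig.json described in this section, as an added example that is not part of PSMDATP: it verifies that the API_MDATP fields are filled in and that the file, which holds the ClientSecret in plaintext, grants no access to broad groups. The function name Test-PoshMTPConfig, the expected OAuthUri shape and the list of broad groups are assumptions.

```powershell
# Added example, not part of PSMDATP. Test-PoshMTPConfig is a hypothetical helper name.
# Returns a list of findings; no output means the file passed every check.
function Test-PoshMTPConfig {
    param([Parameter(Mandatory)][string]$Path)   # full path to PoshMTPConfig.json

    $issues = New-Object System.Collections.Generic.List[string]
    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        $issues.Add("Config file not found: $Path"); return $issues
    }
    try {
        $cfg = Get-Content -LiteralPath $Path -Raw -ErrorAction Stop |
            ConvertFrom-Json -ErrorAction Stop
    } catch {
        $issues.Add("Not valid JSON: $($_.Exception.Message)"); return $issues
    }
    $api = $cfg.API_MDATP
    if (-not $api) { $issues.Add('API_MDATP section is missing'); return $issues }

    # Every API_MDATP field from the template must be filled in
    foreach ($key in 'AppName', 'OAuthUri', 'ClientID', 'ClientSecret') {
        if ([string]::IsNullOrWhiteSpace($api.$key)) { $issues.Add("API_MDATP.$key is empty") }
    }
    # An Azure AD client ID is a GUID; a leftover template value is not
    $guid = [guid]::Empty
    if ($api.ClientID -and -not [guid]::TryParse($api.ClientID, [ref]$guid)) {
        $issues.Add('API_MDATP.ClientID is not a GUID (template value left in place?)')
    }
    # Assumed shape: HTTPS token endpoint with a tenant ID or tenant domain in the path
    if ($api.OAuthUri -and $api.OAuthUri -notmatch '^https://[^/]+/[0-9a-z.\-]+/oauth2/token$') {
        $issues.Add('API_MDATP.OAuthUri is not of the form https://<host>/<tenant>/oauth2/token')
    }
    # The secret is stored in plaintext: flag Allow entries for broad groups.
    # Well-known SIDs: Everyone, Authenticated Users, BUILTIN\Users
    $broadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545'
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($ace in (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -eq 'Allow' -and $broadSids -contains $ace.IdentityReference.Value) {
            $issues.Add("File grants $($ace.FileSystemRights) to SID $($ace.IdentityReference.Value)")
        }
    }
    return $issues
}

# Example call, using the path from the sample layout on this page:
# Test-PoshMTPConfig -Path 'C:\Users\User1\Documents\WindowsPowerShell\Modules\PSMDATP\PoshMTPConfig.json'
```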
The current version of the PSMDATP PowerShell module requires the API_MDATP information to be provided:
{
    "API_MDATP": {
        "AppName": "WindowsDefenderATPPSMDATP",
        "OAuthUri": "https://login.windows.net/<TENANT ID>/oauth2/token",
        "ClientID": "CLIENT ID",
        "ClientSecret": ""
    },
    "API_MSGRAPH": {
        "AppName": "xMSGraph",
        "OAuthUri": "https://login.windows.net/<TENANT ID>/oauth2/token",
        "ClientID": "",
        "ClientSecret": ""
    }
}
Tool usage examples
Enumerate the included command-line tools
First, we can view the command-line tools contained in the PSMDATP module using the following command:
Get-Command -Module PSMDATP | Select Name
The result of the command execution is as follows:
Add-MDATPDeviceTag
Add-MDATPIndicator
Get-MDATPAlert
Get-MDATPCollectionPackageUri
Get-MDATPDevice
Get-MDATPDeviceAction
Get-MDATPDeviceTag
Get-MDATPIndicator
Get-MDATPInvestigation
Get-MDATPQuery
Get-MDATPTvmRecommendation
Get-MDATPTvmVulnerability
Remove-MDATPDevice
Remove-MDATPDeviceTag
Remove-MDATPIndicator
Start-MDATPAppRestriction
Start-MDATPAVScan
Start-MDATPInvestigation
Start-MDATPInvestigationPackageCollection
Start-MDATPIsolation
Stop-MDATPAppRestriction
Stop-MDATPIsolation
Get MDATP alerts
Run the following command to get all MDATP alerts received in the past 30 days:
Get-MDATPAlert -PastHours 720
Enumerate MDATP devices
Run the following command to enumerate all MDATP registered devices:
Get-MDATPDevice -All
At this point, the study of "what is PSMDATP" is over, and hopefully it has answered your questions. Combining theory with practice is the best way to learn, so go and try it! If you want to learn more about related topics, please keep following the website; the editor will continue to bring you more practical articles.