Monitoring Administrative Actions in Microsoft Defender for Endpoint

Microsoft Defender for Endpoint provides robust capabilities for monitoring administrative actions to ensure compliance, enhance security, and maintain transparency. Below are key aspects of managing and auditing admin activities in Defender for Endpoint.

1. Authentication and Identity Management

Microsoft Defender relies on Microsoft Entra (formerly Azure AD) for Identity and Access Management (IAM). While third-party Identity Providers (IDPs) can be used for specific authorization tasks, Entra is mandatory for accessing Defender.

Commands & Steps:

  • Verify Entra integration:
    # MSOnline module; run Connect-MsolService first. MSOnline is deprecated, so with
    # Microsoft Graph PowerShell use: Get-MgOrganization | Select-Object OnPremisesSyncEnabled
    Get-MsolCompanyInformation | Select-Object DirectorySynchronizationEnabled

  • Check Defender access logs:
    // ENTRA_DOMAIN is a placeholder for the tenant's account domain
    DeviceLogonEvents
    | where ActionType == "LogonSuccess"
    | where AccountDomain =~ "ENTRA_DOMAIN"
    | project Timestamp, DeviceName, AccountName, AccountDomain, LogonType, RemoteIP
    

2. Multi-Tenant Management

Defender now supports Multi-Tenant Management, useful for MSSPs and external organizations. Authentication logs are stored in both the “home” and “target” tenants.

Commands & Steps:

  • Query cross-tenant sign-ins:
    // SigninLogs has no CrossTenantAccess column; CrossTenantAccessType is "none" for same-tenant sign-ins
    SigninLogs
    | where CrossTenantAccessType != "none"
    | project TimeGenerated, UserPrincipalName, IPAddress, HomeTenantId, ResourceTenantId, CrossTenantAccessType
    

3. Audit Log Integration

Sign-in logs can be forwarded to Microsoft Sentinel or third-party SIEM tools for correlation and retention.

Commands & Steps:

  • Export logs to Sentinel:
    # Placeholder resource names; parameters shown are illustrative. Az.SecurityInsights ships
    # New-AzSentinelDataConnector (there is no Add- verb) and its parameter set depends on the
    # connector -Kind; the Defender XDR connector is normally enabled from Sentinel's "Data connectors" page.
    New-AzSentinelDataConnector -ResourceGroupName "RG_Name" -WorkspaceName "Sentinel_WS" -ConnectorName "DefenderLogs"

  • KQL alert for suspicious admin actions:
    // =~ is case-insensitive; == would miss "PowerShell.exe"
    DeviceProcessEvents
    | where InitiatingProcessAccountName endswith "-admin"
    | where FileName =~ "powershell.exe"
    | summarize Launches = count(), Commands = make_set(ProcessCommandLine, 10) by DeviceName, InitiatingProcessAccountName, bin(Timestamp, 1h)
    

4. Advanced Hunting & Custom Detection

Defender integrates with Microsoft Defender for Cloud Apps and Purview Audit Logs for advanced threat hunting.

Commands & Steps:

  • Hunt for unusual admin activity (Run-key persistence):
    // Registry telemetry lives in DeviceRegistryEvents, not DeviceEvents; MDE records the hive as
    // HKEY_LOCAL_MACHINE, and a verbatim @"..." string keeps the backslashes literal in KQL
    DeviceRegistryEvents
    | where ActionType in ("RegistryKeyCreated", "RegistryValueSet")
    | where RegistryKey contains @"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    | project Timestamp, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData

  • Create a custom detection rule:
    # Illustrative only: no New-MdeCustomDetectionRule cmdlet exists. Custom detections are created in the
    # Defender portal (Hunting > Custom detection rules) or through the Microsoft Graph security
    # detectionRules API, using a hunting query such as the one quoted below.
    New-MdeCustomDetectionRule -Query "DeviceEvents | where ActionType == 'SuspiciousPowerShellCommand'" -Severity High
    

You Should Know:

  • Enable MFA for all admin accounts in Entra:
    # ADMIN_UPN is a placeholder. The parameter takes a StrongAuthenticationRequirement object, not a
    # hashtable; this is legacy per-user MFA, and Conditional Access is the recommended way to require MFA.
    $mfa = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement -Property @{RelyingParty = "*"; State = "Enabled"}
    Set-MsolUser -UserPrincipalName "ADMIN_UPN" -StrongAuthenticationRequirements @($mfa)

  • Monitor PowerShell usage in Defender:
    DeviceProcessEvents
    | where FileName =~ "powershell.exe"
    | where InitiatingProcessAccountName contains "admin"
    | project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine

  • Check for lateral movement attempts:
    // "InboundConnectionAccepted" is the DeviceNetworkEvents action type for accepted inbound connections;
    // ipv4_is_private() covers every RFC 1918 range, where startswith "10." covers only one
    DeviceNetworkEvents
    | where ActionType == "InboundConnectionAccepted"
    | where ipv4_is_private(RemoteIP)
    | summarize Connections = count() by DeviceName, RemoteIP, LocalPort
    
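Tying the section 3 alert query and the "Monitor PowerShell usage" query together, here is an added example (not code from the original post) that triages the rows such a hunting query returns: launches are grouped per admin account and device, and a group becomes an alert when it did not originate from an allow-listed privileged access workstation. It assumes the row shape of the Microsoft Graph runHuntingQuery response, the post's "-admin" account naming convention, and a constructed PAW_DEVICES allowlist; the sample rows are constructed.

```python
"""Triage Advanced Hunting rows for admin PowerShell use (added example; the
response shape, the '-admin' naming rule and PAW_DEVICES are assumptions)."""
from collections import defaultdict

# The post's filter, with =~ so that FileName case cannot bypass it
# (KQL == is case-sensitive, so "PowerShell.exe" would slip past == "powershell.exe").
HUNTING_QUERY = """
DeviceProcessEvents
| where FileName =~ "powershell.exe"
| where InitiatingProcessAccountName endswith "-admin"
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine
"""
PAW_DEVICES = {"paw-01"}  # constructed allowlist of privileged access workstations

# Constructed rows (not real telemetry) in the shape Microsoft Graph returns from
# POST /security/runHuntingQuery: {"schema": [...], "results": [...]}.
SAMPLE_RESPONSE = {
    "results": [
        {"Timestamp": "2024-05-01T08:00:00Z", "DeviceName": "paw-01",
         "InitiatingProcessAccountName": "jdoe-admin", "ProcessCommandLine": "powershell.exe -File C:\\ops\\patch.ps1"},
        {"Timestamp": "2024-05-01T08:05:00Z", "DeviceName": "fileserver-03",
         "InitiatingProcessAccountName": "jdoe-admin", "ProcessCommandLine": "PowerShell.exe -NoProfile"},
        {"Timestamp": "2024-05-01T08:06:00Z", "DeviceName": "fileserver-03",
         "InitiatingProcessAccountName": "jdoe-admin", "ProcessCommandLine": "powershell.exe Get-Service"},
        {"Timestamp": "2024-05-01T09:00:00Z", "DeviceName": "hr-laptop-17",
         "InitiatingProcessAccountName": "asmith", "ProcessCommandLine": "powershell.exe"},
    ],
}

def is_admin_account(name: str) -> bool:
    """Post's convention: privileged accounts carry a '-admin' suffix."""
    return name.lower().endswith("-admin")

def triage(response: dict) -> list:
    """Group admin PowerShell launches per (account, device); a group is an alert when
    the device is not an allow-listed PAW. Re-checks the account rule client-side."""
    groups = defaultdict(list)
    for row in response["results"]:
        if is_admin_account(row["InitiatingProcessAccountName"]):
            groups[(row["InitiatingProcessAccountName"], row["DeviceName"])].append(row)
    findings = []
    for (account, device), rows in sorted(groups.items()):
        findings.append({
            "account": account, "device": device, "count": len(rows),
            "first_seen": min(r["Timestamp"] for r in rows),
            "last_seen": max(r["Timestamp"] for r in rows),
            "alert": device.lower() not in PAW_DEVICES,
        })
    return findings
```

With the constructed rows, triage(SAMPLE_RESPONSE) yields two groups for jdoe-admin: the two launches on fileserver-03 are flagged, the one on paw-01 is not, and the non-admin row is dropped.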

What Undercode Says

Microsoft Defender for Endpoint provides granular visibility into administrative actions, ensuring compliance and security. Key takeaways:
– Use KQL for real-time hunting of admin activities.
– Forward logs to Sentinel for long-term retention.
– Enable multi-tenant monitoring for MSSP scenarios.
– Automate alerts for suspicious PowerShell usage.

Expected Output:

  • A centralized audit trail of all admin actions.
  • Automated alerts for unauthorized changes.
  • Cross-tenant visibility for hybrid environments.

Reference:

Auditing Admin Activities in Microsoft Defender Endpoint

Reported By: David Alonso – Hackers Feeds