Defender for Endpoint API

Anonymous
2023-09-11T20:47:25+00:00

I am working on an API that gets all the configuration and tells me if there are any misconfigurations in any settings anywhere.

https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/get-assessment-secure-config?view=o365-worldwide

As per the documentation here, this API only provides the information below. I am looking for something that tells the exact configuration.

| Property | Data type | Description | Example value |
| --- | --- | --- | --- |
| IsApplicable | bool | Indicates whether the configuration or policy is applicable | true |
| IsCompliant | bool | Indicates whether the configuration or policy is properly configured | false |

This doesn't provide information on what the settings are, especially the Attack Surface Rules.

Example Data below. This is a test environment so details below are fine to be exposed anywhere.

| deviceId | rbacGroupId | rbacGroupName | deviceName | osPlatform | osVersion | timestamp | configurationId | configurationCategory | configurationSubcategory | configurationImpact | isCompliant | isApplicable | isExpectedUserImpact | configurationName |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 7914ff7a445badd2c6b6c24989dc822b1937995e | 205 | PROD | desktop-tgjrkeb | Windows11 | 10.0.22000.2295 | 01/09/2023 19:39 | scid-2514 | Security controls | Attack Surface Reduction | 9 | FALSE | TRUE | FALSE | Block persistence through WMI event subscription |
| 7914ff7a445badd2c6b6c24989dc822b1937995e | 205 | PROD | desktop-tgjrkeb | Windows11 | 10.0.22000.2295 | 01/09/2023 19:39 | scid-2515 | Security controls | Attack Surface Reduction | 9 | FALSE | TRUE | FALSE | Block abuse of exploited vulnerable signed drivers |
| 7914ff7a445badd2c6b6c24989dc822b1937995e | 205 | PROD | desktop-tgjrkeb | Windows11 | 10.0.22000.2295 | 01/09/2023 19:39 | scid-2512 | Security controls | Attack Surface Reduction | 9 | TRUE | TRUE | FALSE | Block Office communication application from creating child processes |
| 7914ff7a445badd2c6b6c24989dc822b1937995e | 205 | PROD | desktop-tgjrkeb | Windows11 | 10.0.22000.2295 | 01/09/2023 19:39 | scid-2513 | Security controls | Attack Surface Reduction | 9 | TRUE | TRUE | FALSE | Block Adobe Reader from creating child processes |
| 7914ff7a445badd2c6b6c24989dc822b1937995e | 205 | PROD | desktop-tgjrkeb | Windows11 | 10.0.22000.2295 | 01/09/2023 19:39 | scid-2509 | Security controls | Attack Surface Reduction | 9 | TRUE | TRUE | FALSE | Block credential stealing from the Windows local security authority subsystem (lsass.exe) |
| 7914ff7a445badd2c6b6c24989dc822b1937995e | 205 | PROD | desktop-tgjrkeb | Windows11 | 10.0.22000.2295 | 01/09/2023 19:39 | scid-2510 | Security controls | Attack Surface Reduction | 9 | FALSE | TRUE | FALSE | Block process creations originating from PSExec and WMI commands |
| 7914ff7a445badd2c6b6c24989dc822b1937995e | 205 | PROD | desktop-tgjrkeb | Windows11 | 10.0.22000.2295 | 01/09/2023 19:39 | scid-2511 | Security controls | Attack Surface Reduction | 9 | TRUE | TRUE | FALSE | Block untrusted and unsigned processes that run from USB |
| 7914ff7a445badd2c6b6c24989dc822b1937995e | 205 | PROD | desktop-tgjrkeb | Windows11 | 10.0.22000.2295 | 01/09/2023 19:39 | scid-2504 | Security controls | Attack Surface Reduction | 9 | TRUE | TRUE | FALSE | Block JavaScript or VBScript from launching downloaded executable content |
| 7914ff7a445badd2c6b6c24989dc822b1937995e | 205 | PROD | desktop-tgjrkeb | Windows11 | 10.0.22000.2295 | 01/09/2023 19:39 | scid-2505 | Security controls | Attack Surface Reduction | 9 | TRUE | TRUE | FALSE | Block execution of potentially obfuscated scripts |
| 7914ff7a445badd2c6b6c24989dc822b1937995e | 205 | PROD | desktop-tgjrkeb | Windows11 | 10.0.22000.2295 | 01/09/2023 19:39 | scid-2500 | Security controls | Attack Surface Reduction | 9 | TRUE | TRUE | FALSE | Block executable content from email client and webmail |
| 7914ff7a445badd2c6b6c24989dc822b1937995e | 205 | PROD | desktop-tgjrkeb | Windows11 | 10.0.22000.2295 | 01/09/2023 19:39 | scid-2503 | Security controls | Attack Surface Reduction | 9 | TRUE | TRUE | FALSE | Block Office applications from injecting code into other processes |
| 7914ff7a445badd2c6b6c24989dc822b1937995e | 205 | PROD | desktop-tgjrkeb | Windows11 | 10.0.22000.2295 | 01/09/2023 19:39 | scid-2501 | Security controls | Attack Surface Reduction | 9 | TRUE | TRUE | FALSE | Block all Office applications from creating child processes |
| 7914ff7a445badd2c6b6c24989dc822b1937995e | 205 | PROD | desktop-tgjrkeb | Windows11 | 10.0.22000.2295 | 01/09/2023 19:39 | scid-2502 | Security controls | Attack Surface Reduction | 9 | TRUE | TRUE | FALSE | Block Office applications from creating executable content |
| 7914ff7a445badd2c6b6c24989dc822b1937995e | 205 | PROD | desktop-tgjrkeb | Windows11 | 10.0.22000.2295 | 01/09/2023 19:39 | scid-2506 | Security controls | Attack Surface Reduction | 9 | TRUE | TRUE | FALSE | Block Win32 API calls from Office macros |
| 7914ff7a445badd2c6b6c24989dc822b1937995e | 205 | PROD | desktop-tgjrkeb | Windows11 | 10.0.22000.2295 | 01/09/2023 19:39 | scid-2507 | Security controls | Attack Surface Reduction | 9 | FALSE | TRUE | FALSE | Block executable files from running unless they meet a prevalence, age, or trusted list criterion |

I feel like I am missing something here. Does anyone know where I can get an API that fetches the exact configuration, e.g., Not Configured, Block Mode or Audit Mode, for the entire environment? I appreciate any help from here.

Locked Question. This question was migrated from the Microsoft Support Community.

1 answer

  1. Anonymous
    2023-09-11T21:37:10+00:00

    Hello Egeo L

    Hi, I'm Karl and will be happy to help you today.

    This forum is focused on the consumer use of Microsoft Office apps. Your question is out of scope for this forum and would be best posed in the sister technical forums, where you are far more likely to get the information you are looking for.

    Microsoft supported products on Q&A | Microsoft Docs https://docs.microsoft.com/en-us/answers/products/

    or

    Microsoft Tech Community https://techcommunity.microsoft.com/

    If you have any questions, don't hesitate to ask, we're here to help you further if needed.
