https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/windows-anti-malware-scan-interface-amsi-and-cortex-xdr/m-p/563124#M5426 <P>Hey community,</P> <P>&nbsp;</P> <P>I'm curious if anyone's had experience with integrating AMSI with Sharepoint servers and how Cortex XDR works into all of that. I am curious also, if AMSI needs to be enabled or if it's recommended to be disabled. Any current configuration documentation I find references Microsoft Defender and we've disabled that running XDR alone.</P> <P>&nbsp;</P> <P><A href="https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/configure-amsi-integration" target="_blank">Configure AMSI integration with SharePoint Server - SharePoint Server | Microsoft Learn</A></P> <P>&nbsp;</P> <P>I have a support case open for the same question but wanted to reach out here as well.</P> <P>&nbsp;</P> <P>Thanks everyone!</P> Wed, 25 Oct 2023 15:24:14 GMT CraigV123 2023-10-25T15:24:14Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/windows-anti-malware-scan-interface-amsi-and-cortex-xdr/m-p/563124#M5426 <P>Hey community,</P> <P>&nbsp;</P> <P>I'm curious if anyone's had experience with integrating AMSI with Sharepoint servers and how Cortex XDR works into all of that. I am curious also, if AMSI needs to be enabled or if it's recommended to be disabled. Any current configuration documentation I find references Microsoft Defender and we've disabled that running XDR alone.</P> <P>&nbsp;</P> <P><A href="https://learn.microsoft.com/en-us/sharepoint/security-for-sharepoint-server/configure-amsi-integration" target="_blank">Configure AMSI integration with SharePoint Server - SharePoint Server | Microsoft Learn</A></P> <P>&nbsp;</P> <P>I have a support case open for the same question but wanted to reach out here as well.</P> <P>&nbsp;</P> <P>Thanks everyone!</P> Wed, 25 Oct 2023 15:24:14 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/windows-anti-malware-scan-interface-amsi-and-cortex-xdr/m-p/563124#M5426 CraigV123 2023-10-25T15:24:14Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/windows-anti-malware-scan-interface-amsi-and-cortex-xdr/m-p/563401#M5435 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/112301">@CraigV123</a>&nbsp;</P> <P>&nbsp;</P> <P>Thanks for reaching out on LiveCommunity!</P> <P>I do not have experience for AMSI integration with Sharepoint. But XDR do collect AMSI content scan events and use it for detection purposes. You can use below example XQL query to fetch AMSI data.</P> <P>preset = xdr_event_log <BR />| filter lowercase(action_evtlog_description) contains "amsi"<BR />| filter lowercase(action_evtlog_username) not contains "system"</P> <P>&nbsp;</P> <P>Similarly we also use Scriptblock logging to deobfuscate powershell scripts. Please refer to below video on this topic.</P> <P><A href="https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-script-block-query-and-bioc/ta-p/510469" target="_blank">https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-script-block-query-and-bioc/ta-p/510469</A></P> <P>&nbsp;</P> <P>We do not recommend to disable AMSI. Please let us know if you have additional questions.</P> Fri, 27 Oct 2023 16:04:41 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/windows-anti-malware-scan-interface-amsi-and-cortex-xdr/m-p/563401#M5435 nsinghvirk 2023-10-27T16:04:41Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/windows-anti-malware-scan-interface-amsi-and-cortex-xdr/m-p/577468#M6074 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/112301">@CraigV123</a></P> <P>&nbsp;</P> <P>We're facing the same challenge. The integration of the AMSI SharePoint feature with Cortex XDR seems not to work.</P> <P>How did you deal with it? Do you enable or disable the feature?</P> <P>&nbsp;</P> <P>As I understand it, Cortex only collects AMSI events that are related to a script engine like PowerShell.</P> <P>&nbsp;</P> <P>Best Regards</P> Fri, 16 Feb 2024 08:03:50 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/windows-anti-malware-scan-interface-amsi-and-cortex-xdr/m-p/577468#M6074 Rocky-25 2024-02-16T08:03:50Z https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/windows-anti-malware-scan-interface-amsi-and-cortex-xdr/m-p/577499#M6080 <P>Hey Rocky,</P> <P>For the time being, we actually did leave it disabled. We also only had the Prevent license model of XDR at the time and since upgraded to Pro so there's a lot more visibility into the SharePoint environment if something nefarious does happen. I reached out to Microsoft also, without high expectations, and did not receive a lot of help from them either.</P> <P>&nbsp;</P> <P>XDR Pro, coupled with our other defense layers, provide good insight to those hosts.</P> <P>&nbsp;</P> <P>Hope this helps!</P> Fri, 16 Feb 2024 12:32:32 GMT https://live.paloaltonetworks.com/t5/cortex-xdr-discussions/windows-anti-malware-scan-interface-amsi-and-cortex-xdr/m-p/577499#M6080 CraigV123 2024-02-16T12:32:32Z