Windows Anti-Malware Scan Interface (AMSI) and Cortex XDR

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Windows Anti-Malware Scan Interface (AMSI) and Cortex XDR

L3 Networker

Hey community,

 

I'm curious if anyone's had experience with integrating AMSI with Sharepoint servers and how Cortex XDR works into all of that. I am curious also, if AMSI needs to be enabled or if it's recommended to be disabled. Any current configuration documentation I find references Microsoft Defender and we've disabled that running XDR alone.

 

Configure AMSI integration with SharePoint Server - SharePoint Server | Microsoft Learn

 

I have a support case open for the same question but wanted to reach out here as well.

 

Thanks everyone!

1 accepted solution

Accepted Solutions

L4 Transporter

Hello @CraigV123 

 

Thanks for reaching out on LiveCommunity!

I do not have experience for AMSI integration with Sharepoint. But XDR do collect AMSI content scan events and use it for detection purposes. You can use below example XQL query to fetch AMSI data.

preset = xdr_event_log
| filter lowercase(action_evtlog_description) contains "amsi"
| filter lowercase(action_evtlog_username) not contains "system"

 

Similarly we also use Scriptblock logging to deobfuscate powershell scripts. Please refer to below video on this topic.

https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-script-block-q...

 

We do not recommend to disable AMSI. Please let us know if you have additional questions.

View solution in original post

3 REPLIES 3

L4 Transporter

Hello @CraigV123 

 

Thanks for reaching out on LiveCommunity!

I do not have experience for AMSI integration with Sharepoint. But XDR do collect AMSI content scan events and use it for detection purposes. You can use below example XQL query to fetch AMSI data.

preset = xdr_event_log
| filter lowercase(action_evtlog_description) contains "amsi"
| filter lowercase(action_evtlog_username) not contains "system"

 

Similarly we also use Scriptblock logging to deobfuscate powershell scripts. Please refer to below video on this topic.

https://live.paloaltonetworks.com/t5/cortex-xdr-how-to-videos/cortex-xdr-how-to-video-script-block-q...

 

We do not recommend to disable AMSI. Please let us know if you have additional questions.

L1 Bithead

Hi @CraigV123

 

We're facing the same challenge. The integration of the AMSI SharePoint feature with Cortex XDR seems not to work.

How did you deal with it? Do you enable or disable the feature?

 

As I understand it, Cortex only collects AMSI events that are related to a script engine like PowerShell.

 

Best Regards

Hey Rocky,

For the time being, we actually did leave it disabled. We also only had the Prevent license model of XDR at the time and since upgraded to Pro so there's a lot more visibility into the SharePoint environment if something nefarious does happen. I reached out to Microsoft also, without high expectations, and did not receive a lot of help from them either.

 

XDR Pro, coupled with our other defense layers, provide good insight to those hosts.

 

Hope this helps!

  • 1 accepted solution
  • 744 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!