10-25-2023 08:24 AM
Hey community,
I'm curious if anyone's had experience with integrating AMSI with Sharepoint servers and how Cortex XDR works into all of that. I am curious also, if AMSI needs to be enabled or if it's recommended to be disabled. Any current configuration documentation I find references Microsoft Defender and we've disabled that running XDR alone.
Configure AMSI integration with SharePoint Server - SharePoint Server | Microsoft Learn
I have a support case open for the same question but wanted to reach out here as well.
Thanks everyone!
10-27-2023 09:04 AM
Hello @CraigV123
Thanks for reaching out on LiveCommunity!
I do not have experience for AMSI integration with Sharepoint. But XDR do collect AMSI content scan events and use it for detection purposes. You can use below example XQL query to fetch AMSI data.
preset = xdr_event_log
| filter lowercase(action_evtlog_description) contains "amsi"
| filter lowercase(action_evtlog_username) not contains "system"
Similarly we also use Scriptblock logging to deobfuscate powershell scripts. Please refer to below video on this topic.
We do not recommend to disable AMSI. Please let us know if you have additional questions.
10-27-2023 09:04 AM
Hello @CraigV123
Thanks for reaching out on LiveCommunity!
I do not have experience for AMSI integration with Sharepoint. But XDR do collect AMSI content scan events and use it for detection purposes. You can use below example XQL query to fetch AMSI data.
preset = xdr_event_log
| filter lowercase(action_evtlog_description) contains "amsi"
| filter lowercase(action_evtlog_username) not contains "system"
Similarly we also use Scriptblock logging to deobfuscate powershell scripts. Please refer to below video on this topic.
We do not recommend to disable AMSI. Please let us know if you have additional questions.
02-16-2024 12:03 AM
Hi @CraigV123
We're facing the same challenge. The integration of the AMSI SharePoint feature with Cortex XDR seems not to work.
How did you deal with it? Do you enable or disable the feature?
As I understand it, Cortex only collects AMSI events that are related to a script engine like PowerShell.
Best Regards
02-16-2024 04:32 AM
Hey Rocky,
For the time being, we actually did leave it disabled. We also only had the Prevent license model of XDR at the time and since upgraded to Pro so there's a lot more visibility into the SharePoint environment if something nefarious does happen. I reached out to Microsoft also, without high expectations, and did not receive a lot of help from them either.
XDR Pro, coupled with our other defense layers, provide good insight to those hosts.
Hope this helps!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
