lmkasalon.blogg.se

Windows defender folder protection








Ransomware works by accessing files and folders and encrypting them. To respond to it, we need to enable the Windows Defender feature named "Controlled Folder Access" (WDCFA) and monitor the Windows Defender Guard Events in Windows Event Viewer.

The best way is possibly to collect the related activities with the Advanced Hunting features of Microsoft 365 Security or Defender for Endpoint. Could we search for an Event ID by running an advanced hunting query or not?

To view or change the list of protected folders

You can use the Windows Security app to view the list of folders that are protected by controlled folder access.

  • On your Windows 10 device, open the Windows Security app.
  • Under Ransomware protection, select Manage ransomware protection.
  • If controlled folder access is turned off, you’ll need to turn it on.
  • To add a folder, select + Add a protected folder.
  • To remove a folder, select it, and then select Remove.

Windows system folders are protected by default, and you cannot remove them from the list.

To enable Controlled Folder Access with a PowerShell command:

> Set-MpPreference -EnableControlledFolderAccess Enabled

  • If you want to add a file or folder to be protected, or remove it from the list again:

> Add-MpPreference -ControlledFolderAccessProtectedFolders "C:\Users\abcUser\OneDrive - Microsoft"
> Remove-MpPreference -ControlledFolderAccessProtectedFolders "C:\Users\abcUser\OneDrive - Microsoft"

  • If you want to add a specific app that you trust to access your files and folders, type this command:

> Add-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"

  • If you want to remove a specific app, type this command and indicate its location at the end:

> Remove-MpPreference -ControlledFolderAccessAllowedApplications "C:\Program Files\Windows Photo Viewer\ImagingDevices.exe"

Review controlled folder access events in Windows Event Viewer

You can review the Windows event log and look for events that were created when Windows Defender controlled folder access blocked (or, in audit mode, reported) an app's attempt to access the protected folders. Steps to follow:

  • Download the Evaluation Package and extract the file cfa-events.xml to an easily accessible location on the device. The content of cfa-events.xml is shown in the following lines:
  • Type Event viewer in the Start menu to open the Windows Event Viewer.
  • On the left panel, under Actions, select Import custom view….
  • Navigate to where you extracted cfa-events.xml and select it.

The following table shows events related to controlled folder access:

Event ID

Review controlled folder access events in Microsoft 365 Security

In the M365 Security portal, advanced hunting provides detailed information about Windows Defender events as part of its alert investigation scenarios. You can query Microsoft 365 Security data by using Advanced hunting.
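
A read-only way to do the Event Viewer review described on this page from PowerShell, as an added example that is not from the original post: it prints the current controlled folder access settings and summarizes recent block and audit events per app and target. The event IDs 1123 (blocked) and 1124 (audited) come from Microsoft's documentation rather than this page, and the seven-day window and the EventData field names 'Process Name' and 'Path' are assumptions.

```powershell
# Added example (not from the original post): read-only report of
# controlled folder access settings and recent events. Run elevated.

# Current configuration, read from the same preferences the page's commands set.
$pref  = Get-MpPreference
$modes = @{ 0 = 'Disabled'; 1 = 'Enabled'; 2 = 'AuditMode' }
[pscustomobject]@{
    Mode             = $modes[[int]$pref.EnableControlledFolderAccess]
    ProtectedFolders = $pref.ControlledFolderAccessProtectedFolders -join '; '
    AllowedApps      = $pref.ControlledFolderAccessAllowedApplications -join '; '
} | Format-List

# Event IDs from Microsoft's documentation (they are not listed on this page):
# 1123 = access blocked, 1124 = access reported in audit mode.
$filter = @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1123, 1124
    StartTime = (Get-Date).AddDays(-7)   # look-back window is an assumption
}
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten <EventData><Data Name="..."> into a name/value table.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        if ($d.Name) { $data[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Action  = if ($e.Id -eq 1123) { 'Blocked' } else { 'Audited' }
        # 'Process Name' and 'Path' are the field names assumed for these events.
        Process = $data['Process Name']
        Target  = $data['Path']
    }
}

# One row per action/app/target combination, most frequent first: the apps to
# review before trusting any of them with Add-MpPreference.
$rows | Group-Object Action, Process, Target |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```

An app that shows up here only as Audited would have been blocked with the feature set to Enabled, so check the list before switching from audit mode to enforcement.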









