Microsoft Defender for Endpoint Proxy (Device Timeline, ...)
0xThiebaut/mdeproxy
MDE Proxy

MDE Proxy leverages an undocumented proxy at security.microsoft.com to access the undocumented Microsoft Defender for Endpoint APIs (e.g., device timeline).

This tool is inspired by Defender Harvester, which does not rely on the undocumented proxy. However, some organizations prevent direct access to the Security Center API (i.e., through conditional access policies), which hinders incident response. This tool acts as a workaround: if you can access the timeline in a browser, this tool can extract the data from the timeline API.

As a rough estimate, the timeline API produces 1 GB of data per appliance per month; extracting the data takes around 20 minutes per device per month.

Getting Started

Installation

MDE Proxy is written in Go and can be installed as follows...

go install github.com/0xThiebaut/mdeproxy@latest

Configuration

MDE Proxy relies on two headers sent through security.microsoft.com:

  • Cookie which holds authentication data
  • X-XSRF-TOKEN which holds a cross-site request forgery token

Extracting these header values can be done through the browser's developer tools when inspecting POST requests.

[Screenshot: Capture]

Usage

With the two header values extracted, a device's timeline can be extracted as follows...

mdeproxy timeline --cookie COOKIE --xsrf XSRF --machine MID --from 2024-04-01T00:00:00Z --to 2024-07-01T00:00:00Z --output timeline.jsonl

  • COOKIE being the cookie header extracted through the browser's developer tools.
  • XSRF being the cross-site request forgery token extracted through the browser's developer tools.
  • MID being the hexadecimal machine ID.

The from and to fields represent the time range of timeline data to recover. This tool handles paging and is hence not subject to the usual 7 or 30 day limit. By omitting from and to, the last 6 months of data are exported.
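Because an extraction runs for roughly 20 minutes per device per month and the Cookie and X-XSRF-TOKEN values are tied to a browser session, a multi-device, multi-month export benefits from being split into resumable chunks. The script below is an added example, not part of the mdeproxy project: it generates calendar-month windows in the RFC 3339 form the --from/--to flags expect and runs the README's timeline command once per device per month, skipping chunks that already exist on disk. It assumes COOKIE and XSRF are exported in the environment and that machine IDs are read from a constructed text file, one hexadecimal ID per line.

```sh
#!/bin/sh
# Added example (not mdeproxy's own code): chunked, resumable timeline
# extraction driving the `mdeproxy timeline` command from the README.
# Assumes COOKIE and XSRF are exported and a file of machine IDs exists.

# month_windows START_YEAR START_MONTH COUNT
# Prints COUNT lines of "FROM TO", each covering one calendar month,
# in the 2024-04-01T00:00:00Z form the --from/--to flags expect.
# START_MONTH is given without a leading zero (e.g. 4, not 04).
month_windows() {
  y=$1; m=${2#0}; n=$3
  while [ "$n" -gt 0 ]; do
    ny=$y; nm=$((m + 1))
    if [ "$nm" -gt 12 ]; then nm=1; ny=$((y + 1)); fi
    printf '%04d-%02d-01T00:00:00Z %04d-%02d-01T00:00:00Z\n' "$y" "$m" "$ny" "$nm"
    y=$ny; m=$nm; n=$((n - 1))
  done
}

# extract_all MACHINE_FILE START_YEAR START_MONTH COUNT OUTDIR
# One .jsonl per device per month; a non-empty file marks a finished
# chunk, so rerunning after an expired session resumes where it stopped.
extract_all() {
  mfile=$1; outdir=$5
  mkdir -p "$outdir"
  while read -r mid; do
    [ -n "$mid" ] || continue
    month_windows "$2" "$3" "$4" | while read -r from to; do
      out="$outdir/${mid}_${from%%T*}.jsonl"
      if [ -s "$out" ]; then
        echo "skip $out (already extracted)"
        continue
      fi
      echo "extracting $mid $from -> $to"
      mdeproxy timeline --cookie "$COOKIE" --xsrf "$XSRF" --machine "$mid" \
        --from "$from" --to "$to" --output "$out" \
        || { rm -f "$out"; echo "failed: $mid $from (check session headers)" >&2; }
    done
  done < "$mfile"
}

# Example invocation (constructed): machines.txt holds one machine ID per line.
# extract_all machines.txt 2024 4 3 ./timelines
```

Failed chunks are deleted so they are retried on the next run rather than mistaken for complete exports.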
