### Install Defender Harvester Source: https://github.com/olafhartong/defenderharvester/blob/main/README.md Install the tool using the Go package manager. ```bash go install github.com/olafhartong/defenderharvester@latest ``` -------------------------------- ### Comprehensive Data Collection Example Source: https://context7.com/olafhartong/defenderharvester/llms.txt Collect multiple data sources from the last 24 hours and output to files, Sentinel, and Splunk simultaneously. This example demonstrates a full data collection run for auditing and SIEM integration. ```bash ./defenderharvester \ -lookback 24 \ -machineactions \ -customdetections \ -featuresettings \ -suppressionrules \ -machinegroups \ -connectedapps \ -executedqueries \ -alertservicesettings \ -dataexportsettings \ -files \ -sentinel \ -splunk \ -debug ``` -------------------------------- ### Install Defender Harvester using Go Source: https://context7.com/olafhartong/defenderharvester/llms.txt Install the latest version of Defender Harvester using Go's package manager. Alternatively, download pre-built binaries from GitHub releases. ```bash # Install the latest version from GitHub go install github.com/olafhartong/defenderharvester@latest ``` ```bash # Or download pre-built binaries from GitHub releases # https://github.com/olafhartong/DefenderHarvester/releases/latest ``` -------------------------------- ### Configure Splunk Integration Source: https://context7.com/olafhartong/defenderharvester/llms.txt Set environment variables to enable forwarding telemetry to Splunk using HTTP Event Collector (HEC) endpoints. This example shows configuration for Linux/macOS and PowerShell. ```bash # Set Splunk HEC credentials (Linux/macOS) export SplunkUri="https://splunk.company.com:8088/services/collector" export SplunkToken="12345678-abcd-1234-efgh-123456789012" ``` ```powershell # PowerShell equivalent $env:SplunkUri="https://splunk.company.com:8088/services/collector" $env:SplunkToken="12345678-abcd-1234-efgh-123456789012" ``` -------------------------------- ### Get Machine Timeline and Send to Sentinel Source: https://github.com/olafhartong/defenderharvester/blob/main/README.md Use the -timeline flag with -machineid and -lookback to retrieve a machine's timeline. Optionally, send this data to Sentinel using the -sentinel flag, where it will be stored in the MdeTimeline table. ```bash ./defenderharvester -lookback 1 -machineid -timeline -sentinel ``` -------------------------------- ### Configure Azure Sentinel Integration Source: https://context7.com/olafhartong/defenderharvester/llms.txt Set environment variables to enable sending collected telemetry to Azure Sentinel Log Analytics workspace using the Data Collector API. This example shows configuration for Linux/macOS and PowerShell. ```bash # Set Sentinel workspace credentials (Linux/macOS) export SentinelWorkspaceID="12345678-abcd-1234-efgh-123456789012" export SentinelSharedKey="YourBase64EncodedSharedKeyFromLogAnalyticsWorkspace==" ``` ```powershell # PowerShell equivalent $env:SentinelWorkspaceID="12345678-abcd-1234-efgh-123456789012" $env:SentinelSharedKey="YourBase64EncodedSharedKeyFromLogAnalyticsWorkspace==" ``` -------------------------------- ### View CLI Usage Source: https://github.com/olafhartong/defenderharvester/blob/main/README.md Display the available command-line flags and options for the tool. ```text Usage of defenderharvester.exe: -accesstoken string bring your own access token -alertservicesettings enable querying the M365 XDR Alert Service Settings -connectedapps enable querying the Connected App Statistics -customdetections enable querying the Custom Detection state -dataexportsettings enable querying the M365 XDR Data Export Settings -debug Provide debugging output -executedqueries enable querying the Executed Queries -featuresettings enable querying the Advanced Feature Settings -files enable writing to files -location string set the Azure region to query, default is weu. Get yours via the dev tools in your browser, see the blog or in the README. (default "weu") -lookback int set the number of hours to query from the applicable sources (default 1) -machineactions enable querying the MachineActions / LiveResponse actions -machinegroups enable querying the Machine Groups -machineid string set the MachineId to query the timeline for -schema write the MDE schema reference to a file - will never write to Sentinel -sentinel enable sending to Sentinel -splunk enable sending to Splunk -suppressionrules enable querying the Suppression rule Settings -timeline gather the Timeline for a MachineId (requires -machineid and -lookback) ``` -------------------------------- ### Authenticate with Azure Source: https://github.com/olafhartong/defenderharvester/blob/main/README.md Log in to Azure using the device code flow to gain access to M365D/MDE. ```bash az login --use-device-code ``` -------------------------------- ### Retrieve Data Export Settings Source: https://context7.com/olafhartong/defenderharvester/llms.txt Collects streaming and export configuration for the MDE tenant. ```bash # Get data export settings ./defenderharvester -dataexportsettings -files # Get data export settings and send to Sentinel ./defenderharvester -dataexportsettings -sentinel ``` -------------------------------- ### Using Custom Access Tokens Source: https://context7.com/olafhartong/defenderharvester/llms.txt Provides an OAuth access token for authentication, useful for automation or Conditional Access compliance. ```bash # Use a custom access token (e.g., from TokenTacticsV2) ./defenderharvester -accesstoken "eyJ0eXAiOiJKV1QiLCJhbGciOi..." -schema # Example with PowerShell TokenTacticsV2 for CAE compliance # Get-AzureToken -Client Custom -ClientID 04b07795-8ddb-461a-bbee-02f9e1bf7b46 \ # -Scope "https://securitycenter.microsoft.com/mtp/.default" -UseCAE # ./defenderharvester -accesstoken $response.access_token -machineactions -files ``` -------------------------------- ### Authenticate to Azure using Azure CLI Source: https://context7.com/olafhartong/defenderharvester/llms.txt Authenticate to Azure using the Azure CLI. The recommended method for MFA-enabled accounts is device code flow. Verify the correct account is logged in. ```bash # Login to Azure with device code flow (recommended for MFA-enabled accounts) az login --use-device-code ``` ```bash # Verify you're logged in with the correct account az account show ``` -------------------------------- ### Export MDE Schema Reference Source: https://github.com/olafhartong/defenderharvester/blob/main/README.md Generate and save the MDE schema reference to a file. ```bash ./defenderharvester -schema ``` -------------------------------- ### Configure Sentinel Environment Variables Source: https://github.com/olafhartong/defenderharvester/blob/main/README.md Set environment variables required for writing data to Microsoft Sentinel. ```bash export SentinelWorkspaceID= export SentinelSharedKey="" ``` ```powershell $env:SentinelWorkspaceID="" $env:Sentinel ``` -------------------------------- ### Retrieve Advanced Feature Settings Source: https://context7.com/olafhartong/defenderharvester/llms.txt Query the tenant settings API to collect the current state of all advanced security features configured in MDE/M365D. Supports output to files or Sentinel for compliance monitoring. ```bash # Get advanced feature settings and write to file ./defenderharvester -featuresettings -files ``` ```bash # Get feature settings and send to Sentinel for compliance monitoring ./defenderharvester -featuresettings -sentinel ``` ```bash # Output: Creates MdeAdvancedFeatureSettings table # Contains boolean flags for features like: autoResolveInvestigation, # allowSecurityAnalyticsDataSharing, enableEDRInBlockMode, etc. ``` -------------------------------- ### Enable Debug Output Source: https://context7.com/olafhartong/defenderharvester/llms.txt Enable debug output to see full API responses. This is useful for troubleshooting and understanding the tool's interactions. ```bash ./defenderharvester -machineactions -files -debug ``` -------------------------------- ### Retrieve MDE Schema Reference Source: https://context7.com/olafhartong/defenderharvester/llms.txt Exports the complete MDE advanced hunting schema reference as a JSON file. ```bash # Get schema reference (always writes to file, never to Sentinel) ./defenderharvester -schema ``` -------------------------------- ### Retrieve Connected App Statistics Source: https://context7.com/olafhartong/defenderharvester/llms.txt Collects usage statistics for applications connected to MDE. ```bash # Get connected apps and write to file ./defenderharvester -connectedapps -files # Get connected apps and send to Sentinel for OAuth app monitoring ./defenderharvester -connectedapps -sentinel ``` -------------------------------- ### Retrieve Device Timeline Events Source: https://context7.com/olafhartong/defenderharvester/llms.txt Collects detailed event history for a specific device, including process executions and network connections. ```bash # Get timeline for a specific machine (last 1 hour) ./defenderharvester -timeline -machineid "abc123def456" -lookback 1 -files # Get timeline for last 24 hours and send to Sentinel ./defenderharvester -timeline -machineid "abc123def456" -lookback 24 -sentinel # Get timeline and send to both Sentinel and Splunk ./defenderharvester -timeline -machineid "abc123def456" -lookback 12 -sentinel -splunk -files ``` -------------------------------- ### Retrieve Machine Actions and LiveResponse Events Source: https://context7.com/olafhartong/defenderharvester/llms.txt Query the Action Center history and MachineActions API to collect automated response actions, LiveResponse sessions, and investigation activities. Supports output to files, Sentinel, or both Sentinel and Splunk. ```bash # Collect machine actions from the last hour and write to files ./defenderharvester -machineactions -files -lookback 1 ``` ```bash # Collect machine actions and send to Sentinel ./defenderharvester -machineactions -sentinel -lookback 1 ``` ```bash # Collect machine actions and send to both Sentinel and Splunk ./defenderharvester -machineactions -sentinel -splunk -lookback 24 ``` ```bash # Output: Creates MdeMachineActions table in Sentinel/Splunk with action details # Fields include: actionId, machineId, actionType, status, requestor, commands ``` -------------------------------- ### Retrieve Custom Detection Rule States Source: https://context7.com/olafhartong/defenderharvester/llms.txt Query the hunting service API to collect the current state of all custom detection rules. Supports output to files or ingestion into Sentinel. The output table includes rule status and error conditions. ```bash # Get custom detection states and write to file ./defenderharvester -customdetections -files ``` ```bash # Get custom detection states and ingest to Sentinel ./defenderharvester -customdetections -sentinel ``` ```bash # Output: Creates MdeCustomDetectionState table # Fields include: ruleId, ruleName, isEnabled, lastRunTime, lastMatchTime, errorCode ``` -------------------------------- ### Retrieve Alert Service Settings Source: https://context7.com/olafhartong/defenderharvester/llms.txt Collects workload configuration and disabled alert settings from the M365 XDR alert service API. ```bash # Get alert service settings ./defenderharvester -alertservicesettings -files # Get alert service settings and send to Sentinel ./defenderharvester -alertservicesettings -sentinel ``` -------------------------------- ### Retrieve Machine Groups Source: https://context7.com/olafhartong/defenderharvester/llms.txt Collects configured device groups and membership criteria from the RBAC machine groups API. ```bash # Get machine groups configuration ./defenderharvester -machinegroups -files # Get machine groups and send to Sentinel ./defenderharvester -machinegroups -sentinel ``` -------------------------------- ### Collect MDE Data Source: https://github.com/olafhartong/defenderharvester/blob/main/README.md Execute a data collection task with specific lookback and output destinations. ```bash ./defenderharvester -lookback 1 -machinections -files -sentinel ``` -------------------------------- ### Comply with Device Filtered Conditional Access Policy Source: https://github.com/olafhartong/defenderharvester/blob/main/README.md This PowerShell script demonstrates how to obtain a 24-hour valid access token using TokenTacticsV2, which is then used with the Defender Harvester executable to fetch schema information, potentially for compliance checks against device filtered Conditional Access Policies. ```powershell # Use TokenTacticsV2 to get a 24h valid access token Get-AzureToken -Client Custom -ClientID 04b07795-8ddb-461a-bbee-02f9e1bf7b46 -Scope "https://securitycenter.microsoft.com/mtp/.default" -UseCAE ./defenderharvester.exe -location wdatpprd-weu3 -debug -accesstoken $response.access_token -schema ``` -------------------------------- ### Debug with Custom Access Token Source: https://context7.com/olafhartong/defenderharvester/llms.txt Debug the harvester with a custom access token and specify the schema. This allows for testing with specific authentication and data structures. ```bash ./defenderharvester -location wdatpprd-weu3 -debug -accesstoken $token -schema ``` -------------------------------- ### Configure Splunk Environment Variables Source: https://github.com/olafhartong/defenderharvester/blob/main/README.md Set environment variables required for sending data to a Splunk HTTP Event Collector (HEC). ```bash export SplunkUri= export SplunkToken= ``` ```powershell $env:SplunkUri="" $env:Splunk ``` -------------------------------- ### Retrieve Executed Queries Source: https://context7.com/olafhartong/defenderharvester/llms.txt Collects advanced hunting queries executed within a specified lookback period. ```bash # Get executed queries from the last hour ./defenderharvester -executedqueries -files -lookback 1 # Get executed queries from the last 24 hours and send to Sentinel ./defenderharvester -executedqueries -sentinel -lookback 24 ``` -------------------------------- ### Retrieve Suppression Rules Source: https://context7.com/olafhartong/defenderharvester/llms.txt Query the suppression rules service to collect all configured alert suppression rules. Supports output to files or Sentinel for auditing purposes. ```bash # Get suppression rules and write to file ./defenderharvester -suppressionrules -files ``` ```bash # Get suppression rules and send to Sentinel for audit ./defenderharvester -suppressionrules -sentinel ``` ```bash # Output: Creates MdeSuppressionRules table (note: uses MdeAdvancedFeatureSettings as table name) ``` -------------------------------- ### Specify Azure Region Source: https://context7.com/olafhartong/defenderharvester/llms.txt Configures the Azure region for API endpoints based on the MDE tenant location. ```bash # Default region is 'weu' (West Europe) ./defenderharvester -machineactions -files # Specify region explicitly (find yours via browser dev tools on security.microsoft.com) ./defenderharvester -location weu3 -machineactions -files ./defenderharvester -location eus -customdetections -sentinel ./defenderharvester -location eus3 -executedqueries -files ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.