Microsoft Defender for Endpoint - too many *.ps1 scripts in C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection

Jan Sefrna 21 Reputation points
2022-05-09T12:42:27.85+00:00

Hi there,

I have several identical laptops that are used the same way, but on several of them Microsoft Defender for Endpoint runs .ps1 scripts in the folder C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection. Because there are dozens of these scripts, Microsoft Sentinel constantly generates incidents based on the Process execution frequency anomaly rule. Nothing like this happens on the other laptops. I can't find out what the content of these scripts is or how I should proceed to eliminate this behavior. Please advise. Thanks, Jan.

Microsoft Sentinel
Microsoft Entra
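The question has two halves: what the scripts in the DataCollection folder actually are, and how to confirm in Sentinel which devices are producing the process creations that the anomaly rule keys on. The following PowerShell is an added example for triaging both, not code from the thread or from Microsoft. It assumes you run it elevated on one of the affected laptops (the folder is part of the MDE sensor's protected data and is not readable by a standard user), that the sensor's own scripts would carry a Microsoft Authenticode signature (an expectation to verify, not a documented guarantee), that the scripts are launched by powershell.exe with the script path in the command line, and that Sentinel ingests DeviceProcessEvents and DeviceFileEvents through the Microsoft 365 Defender connector. The function names and the `O=Microsoft Corporation` signer match are this example's own choices.

```powershell
# Added triage helper for the DataCollection question above (example code, not Microsoft's).
# Assumptions: run elevated on an affected laptop; the folder path is the one the question names;
# sensor-dropped scripts are expected to be Microsoft-signed (verify, do not trust this comment).
$DataCollection = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection'

function Get-DataCollectionScriptInventory {
    # Enumerate every *.ps1 under the folder and record the facts a SOC analyst needs:
    # hash (for hunting), signature state and signer (for trust), and the first lines (for content).
    param([string]$Path = $DataCollection, [int]$HeadLines = 3)

    if (-not (Test-Path -LiteralPath $Path)) { throw "Folder not found or not readable: $Path" }

    Get-ChildItem -LiteralPath $Path -Filter '*.ps1' -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            # Scripts may be transient; a file can disappear between enumeration and read, hence SilentlyContinue.
            $head   = Get-Content -LiteralPath $_.FullName -TotalCount $HeadLines -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Name       = $_.Name
                SizeKB     = [math]::Round($_.Length / 1KB, 1)
                LastWrite  = $_.LastWriteTimeUtc
                Sha256     = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                SigStatus  = $sig.Status
                Signer     = $signer
                FirstLines = ($head -join ' | ')
            }
        }
}

function Find-UnexpectedScripts {
    # Anything that is not validly signed by Microsoft deserves a closer look before you tune the rule away.
    param([object[]]$Inventory)
    $Inventory | Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notmatch 'O=Microsoft Corporation' }
}

function New-SentinelHuntQuery {
    # Build a KQL query (assumes the M365 Defender connector tables) that shows, per device,
    # file events matching the observed hashes and process launches referencing the folder,
    # so the affected laptops can be compared with the quiet ones.
    param([object[]]$Inventory, [string]$Path = $DataCollection)
    $hashList = ($Inventory.Sha256 | Sort-Object -Unique | ForEach-Object { "'$_'" }) -join ', '
    @"
// Added hunting query (example, not a Sentinel rule template). Assumes DeviceFileEvents/DeviceProcessEvents are ingested.
let scriptHashes = dynamic([$hashList]);
union
    (DeviceFileEvents
     | where Timestamp > ago(7d) and SHA256 in (scriptHashes)
     | project Timestamp, DeviceName, Source = 'DeviceFileEvents', Detail = FolderPath),
    (DeviceProcessEvents
     | where Timestamp > ago(7d) and ProcessCommandLine has @'$Path'
     | project Timestamp, DeviceName, Source = 'DeviceProcessEvents', Detail = ProcessCommandLine)
| summarize Events = count(), Sample = take_any(Detail) by DeviceName, Source
| order by Events desc
"@
}

# Usage on an affected laptop:
$inv = Get-DataCollectionScriptInventory
$inv | Sort-Object LastWrite -Descending | Format-Table Name, SizeKB, SigStatus, Signer, Sha256 -AutoSize
Find-UnexpectedScripts -Inventory $inv | Format-List
New-SentinelHuntQuery -Inventory $inv | Set-Content -LiteralPath "$env:TEMP\datacollection-hunt.kql"
```

If the inventory comes back empty, the scripts are probably short-lived; rerun it in a loop while the Sentinel incidents are firing, or rely on the DeviceFileEvents half of the query instead. If every script turns out to be validly Microsoft-signed, the practical fix is an exclusion for that folder path in the analytics rule's query or an automation rule that closes those incidents, rather than disabling the frequency-anomaly rule; anything unsigned or signed by someone else is an incident in its own right.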

4 answers

Sort by: Most helpful
  1. Rich Whitmire 5 Reputation points
    2023-01-12T17:53:59.4466667+00:00

    I'm seeing the same issue with Carbon Black cloud alerting on these also.

    1 person found this answer helpful.

  2. Miguel Zambrana 1 Reputation point
    2022-08-24T18:22:36.57+00:00

    I am also interested in this answer.


  3. Dennis 0 Reputation points
    2023-11-17T13:18:08.83+00:00

    I have a feeling that this is caused by the endpoint sensor (Intune > Endpoint security | Endpoint detection and response)

    (screenshot attached to the original answer, not reproduced)


  4. MD, Nadeem Ahmed 0 Reputation points
    2023-12-28T15:05:06.6433333+00:00

    Interested to know the answer.
