I'm seeing the same issue with Carbon Black cloud alerting on these also.
Microsoft Defender for Endpoint - too many *.ps1 scripts in C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection
Hi there,
I have several identical laptops that are used the same, but on several of them Microsoft Defender for Endpoint runs .ps1 scripts in the folder C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection. Because there are dozens of these scripts, Microsoft Sentinel constantly generates Incidents based on the Process execution frequency anomaly rule. But nothing like this happens on other laptops. I can't find out what the content of these scripts is and how I should proceed to eliminate this behavior. Please advise. Thanks, Jan.
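One way to find out what those scripts are before tuning the Sentinel rule is to inventory the folder and check each file's Authenticode signature and hash; this is an added example, not code from the thread or from Microsoft, and it assumes an elevated PowerShell session because the folder's ACL may block non-admin reads.

```powershell
# Added example (not from the original thread): inventory the .ps1 files in the
# Defender for Endpoint DataCollection folder so the scripts behind the Sentinel
# anomaly can be reviewed. Assumption: run elevated; the ACL may deny other users.
$folder = 'C:\ProgramData\Microsoft\Windows Defender Advanced Threat Protection\DataCollection'

function Get-DataCollectionScriptInventory {
    param([string]$Path = $folder)
    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Folder not found: $Path"
        return
    }
    Get-ChildItem -LiteralPath $Path -Filter '*.ps1' -File -ErrorAction Stop | ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Name      = $_.Name
            SizeBytes = $_.Length
            LastWrite = $_.LastWriteTimeUtc
            Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            SigStatus = $sig.Status                 # Valid, NotSigned, HashMismatch, ...
            Signer    = $sig.SignerCertificate.Subject
            FirstLine = (Get-Content -LiteralPath $_.FullName -TotalCount 1 -ErrorAction SilentlyContinue)
        }
    }
}

$inventory = Get-DataCollectionScriptInventory
$inventory | Sort-Object LastWrite -Descending | Format-Table -AutoSize

# Files that are unsigned, tampered, or signed by someone other than Microsoft
# are the ones worth opening before the anomaly rule is tuned or suppressed.
$inventory |
    Where-Object { $_.SigStatus -ne 'Valid' -or $_.Signer -notlike '*Microsoft*' } |
    Select-Object Name, SigStatus, Signer, Sha256
```

The SHA256 values can be matched against the SHA256 column of the DeviceProcessEvents table in Sentinel to confirm which of these files the anomaly rule is actually firing on.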
4 answers
Miguel Zambrana 1 Reputation point
2022-08-24T18:22:36.57+00:00 I am also interested in this answer. P
-
Dennis 0 Reputation points
2023-11-17T13:18:08.83+00:00 I have a feeling that this is caused by the endpoint sensor (Intune > Endpoint security | Endpoint detection and response)
-
MD, Nadeem Ahmed 0 Reputation points
2023-12-28T15:05:06.6433333+00:00 Interested to know the answer.