Forum Widgets
Latest Discussions
Change tamper protected settings permanently
Hi there, I need to disable real-time monitoring permanently on a device. I can turn it off temporarily using troubleshooting mode but once tamper protection is back on, so is real-time monitoring. How do we actually permanently change tamper protected settings?
Core Isolation False Positives
Why is there currently no way to white list or even submit Memory Integrity Core Isolation false positives to Microsoft? I have a services that is constantly detected (even though now it has been digitally signed by the vendor). When it is detected it stops the product from working correctly. There is no way to white list this service and the only way to currently work around it is to turn off Core Isolation. But our security teams are wanting to turn Core Isolation back on for users. How do we get this service looked at? I have tried submitting the file to Microsoft who say it isn't malicious but it's still getting detected. I don't have access to the MDE console so can't submit anything directly from there either.
[MS Defender for Endpoint] Wanted guidance on Alerts API
Question: Which API is recommended for reliably sharing domain information, especially for integration with external tools? https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info How can I generate or simulate alerts so that the https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info API returns actual domain-related data? What are the best practices for selecting the appropriate API for this use case, considering I cannot use both in my integration? Things I have explored so far, Currently using https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-info-by-id API. Provides domain-related data in the evidence section. Example response includes entities with entityType as Url containing domain names and URLs both. Alert Response { "id": "da0c5a38e4-3ef4-4c75-a0ad-9af83e866cf1_1", "detectionSource": "WindowsDefenderAtp", "category": "CredentialAccess", "evidence": [ { "entityType": "Url", "url": "pub-8eab0c35f1eb4dacafaaa2b16d81a149.r2.dev" DOMAIN TYPE // ... Other fields }, { "entityType": "Url", "url": "https://example.com" URL TYPE // ... Other fields } ] // ... Other fields } Noticed another API: https://learn.microsoft.com/en-us/defender-endpoint/api/get-alert-related-domain-info. Purpose-built for retrieving domains related to alerts. Returns empty data object with no domains or hosts, even when generating alerts by accessing blocked domains. Custom IOC type domain has been added to endpoint indicators list and then accessed the same domain from windows machine. Ref: https://learn.microsoft.com/en-us/defender-endpoint/indicator-ip-domain#create-an-indicator-for-ips-urls-or-domains-from-the-settings-pageSecure Score for Devices
Hi, I need to query Defender for Endpoint to get the Secure Score for Devices. I need it in percent, but the "GET https://api.securitycenter.microsoft.com/api/configurationScore" only returns the current achieved points. And I cannot find a method to get the current total achiveable points. Anyone who knows how to get this ? (I have seen there are api's for this in defender for cloud) My second question is for the security center where you have a "Secure Score" that covers all areas. One of the sub categories for the total secure score is "Device", but that category has different "achiveable points" (currently 872 out of 927) than the points that are listed for the "Secure Score for Devices" (currently 949 out of 1004). Anyone knows why these are not in sync ?How to extract vulnerability details from Microsoft Defender?
With the KQL below, I'm able to retrieve only a few details about the vulnerability. DeviceInfo | summarize arg max(Timestamp, DeviceName, OSPlatform, SensorHealthState, OnboardingStatus) by DeviceId join kind inner ( DeviceLogonEvents where ActionType == "LogonSuccess" summarize arg max(Timestamp, AccountName, AccountDomain) by DeviceId extend Owner = strcat(AccountDomain, "\\", AccountName) ) on DeviceId | join kind=inner ( DeviceTvmSoftwareVulnerabilities | project DeviceId, Cveld, SoftwareName, VulnerabilitySeverityLevel, RecommendedSecurityUpdate ) on DeviceId OnboardingStatus, Cveld, SoftwareName, RecommendedSecurityUpdate However, I need additional details as below: Environment,OS Version,Vulnerability Name,Apps/Infra,Owner, Risk,CVSS, CVE ID, Solution, Vulnerability links,IP, Port,DNS/NETBIOS NAME, Plugin Output, Synopsis Description, Occurance, Ageing, Region, Plugin ID, Purpose, Exception, Application Is there a way or script (KQL or PowerShell) to retrieve these details from Microsoft Defender?
Defender Onboarding
I have domain joined device. Implementing Defender thru Intune Connector. (Connector Status is on - EDR policy is Deployed correctly) -ASR All Rules in place -AV policy in place 2 Same OS Version Device I tried to Onboard 1 got onboarded & 1 Did not. Not sure why? Also Domain joined 1 Device got on boarded with some issue where Realtime Protection and Behavior monitoring is disabled. Any Solution ? Please Don't Recommend to make any changes to GPO thru Onprem. Help me to resolve issue thru intune.Defender for Endpoint/Identity not logging eventid 4625
During some on-prem pen-testing password-sprays were conducted and defender did not alert in any way and even digging in the advanced hunting did not show enough indication of this attack. We were also ingesting the logs(Eventid 4624 and 4625) from a domain-controller which made it possible to create an SIEM-rule to detect the behavior but the question is what is missing for Defender to pick this up or atleast log the events to make custom detection an option? The Domaincontroller that generated the SIEM-logs was onboarded with a type of "domain controller", defender for identity is also enabled. Does any users have this experience with Defender is missing pen-test activities?
Blocking file uploads to all sites, unless safelisted
We're trying to verify if we can block file uploads through the browser to all sites, unless these sites are part of an approved list or the user has an exception. We currently have a similar solution through a different vendor, but wanted to see if Defender for Endpoint is an alternative. So, if someone creates a new site, this site would not be allowed to be uploaded to unless the domain is added to an approved list. The alternative would be to block if the file has a specific label. Thanks,
Looking for Siloed solution
Hello, my organization is looking for a new cyber security solution for our siloed network. The network is kept internal and we have been using a trellix solution for our needs, but we are looking to move away from it for various reasons. With MDE looking at the current solution we want, we have been unable to find if there is a solution for an isolated network like ours where it we would still have access to the GUI and the features, but we wouldn't connect via the cloud to the greater networks outside. Is this possible for us to set up with MDE or should we begin looking for a different solution?
