Recent Discussions
Ransomware alert
Morning community, I have a question and I hope I am in the right place. We use M365 Defender as a SIEM solution and a Ransomware alert came recently. In the timeline, there were more than 10 instances of taskkill involved. As far as I am informed, the tool is set up to trigger an alert on several taskkill execution events. However, there was a PGHook.dll clipped/involved in the mix, and it has a direct link to the Ransomware in the timeline. My question is: would the PGHook.dll have assisted in creating the alert, or did M365 Defender pick up only on the number of taskkill events? Thank you in advance. Dan
(1.7K views, 0 likes, 5 comments)

api-uk.securitycenter.microsoft.com - Vulnerability dates missing
Hi. We've started to see the following fields with inaccurate data (red text below) coming via the Defender API.

Example call: https://api-uk.securitycenter.microsoft.com/api/recommendations/va-_-microsoft-_-windows_11/vulnerabilities

Response:

{
  "@odata.context": "https://api-uk.securitycenter.microsoft.com/api/$metadata#PublicVulnerabilityDto",
  "@odata.count": 97,
  "value": [
    {
      "id": "CVE-2024-43543",
      "name": "CVE-2024-43543",
      "description": null,
      "severity": "Medium",
      "cvssV3": 0.0,
      "cvssVector": null,
      "exposedMachines": 1,
      "publishedOn": "0001-01-01T00:00:00Z",
      "updatedOn": "0001-01-01T00:00:00Z",
      "firstDetected": "2024-10-17T09:14:19Z",
      "publicExploit": false,
      "exploitVerified": false,
      "exploitInKit": false,
      "exploitTypes": [],
      "exploitUris": [],
      "cveSupportability": null,
      "tags": [ "PartiallyPatchable" ],
      "epss": null
    },
**** single object extracted.

The data appears to display in the portal without issue, as you can see below. Has anyone else using the Defender API seen this on their environment at all? Cheers. Nigel
(16 views, 0 likes, 0 comments)

Defender console - Disabled Connected to a custom indicator & Connected to a unsanctionned
Updated - November 2024: I have found a way to disable these annoying alerts. Look for the solution above.

Issue: I want to know how I can disable these two following alerts:
- Disabled Connected to a custom indicator
- Connected to an unsanctioned blocked app

Those alert types need to be enabled or disabled on demand, like the other alert types.

Why's that: Description of the workload: When we block (Unsanctioned) an application through Defender for Cloud Apps, it automatically creates the indicators in Defender XDR. When someone, for example, clicks or goes to the URL related to the application, the following alerts will be triggered. When an indicator is automatically created through that, it checks the box to generate an alert when the indicator is triggered. We would like to automatically uncheck the box or disable the alerts described.

Possible to disable the custom alert in settings? No. Why? Explanation: You cannot suppress "custom detection". But they are categorized as "Informational", and you can suppress an alert type by severity.

Solutions: IMPORTANT: Make sure to create a transform rule to not ingest these alerts in Sentinel. That could increase the Resolved incident ingestion and falsify your SOC optimization reports. The rule automatically closes only the "Informational" alerts with the specified titles. Other Informational alerts with different titles will not be affected. In the Defender XDR settings -> Alert tuning -> Create this rule. Here's an example:

Rule Analysis: From the updated rule configuration screenshot, it appears that you've set up a filter in the AND condition to only automatically close Informational alerts that do not match specific alert titles (e.g., "Malware was detected in an email message," "unwanted software," "malware," "trojan"). This approach should ensure that the rule closes all Informational alerts except those that contain these specified titles. Here's a breakdown of how it's working:
1. Severity Filtering: By setting Alert severity to Informational, only Informational alerts are considered.
2. Title Exclusion: Adding Not equals conditions for each title you want to exclude prevents this rule from affecting those specific alerts.
So, any Informational alert with a title that does not match the specified exclusions will be automatically closed. This setup should effectively allow you to close all unwanted Informational alerts while retaining visibility on any malware or security-related Informational alerts that require further review. Regards,
(520 views, 2 likes, 0 comments)

Automating detection engineering for MS 365 Defender
I'm working at an MSSP managing multiple customers. We build a lot of custom detection rules in the MS 365 Defender portal of the customers. We have a library of standard custom detections we use for all our customers. However, it is very labor intensive to manage all those detections. I'm thinking of automating it so it is all manageable from one platform. But the MS documentation doesn't speak about API features to create, edit and remove custom detections in MS 365. Is there any way to automate this process?
(825 views, 0 likes, 3 comments)

Support for LDAPS Auth events in XDR IdentityLogonEvents table?
We have a requirement to implement LDAPS auth for an appliance against AD DCs in a legacy environment. The DCs are running Defender for Identity. While testing using LDAP, I can trace login events in the IdentityLogonEvents table; however, when switching to LDAPS, I can't see any related events logged there. Interactive logins using LDAPS are working successfully, as expected, and appear in the Windows event log as EventID 4776 on the DC (but don't appear in the Defender portal). It was then that I discovered that this is expected behaviour according to the list of supported logon types listed here: IdentityLogonEvents table in the advanced hunting schema - Microsoft Defender XDR | Microsoft Learn. I'm puzzled that XDR would support a cleartext legacy authentication method like LDAP, but would not support the more secure LDAPS protocol. Is there any rationale for this, or intention to introduce support?
(43 views, 1 like, 0 comments)

Removing old M365 Defender incident email notification
Hi, does anyone know where I can turn off the old M365 Defender incident email notifications? A while back I set up alerting for High incidents using this, but I cannot find that same notification rule anymore to remove it. I have checked the Defender XDR Email notifications view, but the old rule from M365 doesn't exist there. And I know it exists, because my new email notification rule in Defender XDR is set to email me for Medium and High alerts, but for all High alerts I am getting duplicate notifications.
(1K views, 0 likes, 4 comments)

Update OpenSSL recommendation
Hi all, I've been trying to find out how to deal with the "openssl" recommendation that I get on almost all end user computers in Defender. I'm just not sure how to deal with it... It doesn't seem to be a particular app or so.... From what I see when I check the "software inventory" page of the devices, there are many references to different files/dll?? See a few examples below:

c:\program files\windowsapps\e046963f.aimeetingmanager_3.1.18.0_x64__k1h2ywk1493x8\aimeetingmanager\libcrypto-3-x64.dll
c:\program files\zoom\bin\libcrypto-3-zm.dll
c:\program files\dell\dell peripheral manager\libcrypto-1_1-x64.dll
c:\windows\system32\driverstore\filerepository\udcdriver.inf_amd64_d70e6df8e9ed1889\x64\service\libssl-1_1-x64.dll

How do you deal with it? .. is that something that can be pushed via Intune..?
(30K views, 1 like, 10 comments)

ASR Exclusions
Hi all, I've been experimenting with ASR exclusions at several clients with the same results...
1. Rules in Audit mode, exclusion added, but the file keeps coming back in the report for all exclusions...
2. Using Get-MpPreference on the endpoint does not show any exclusion at all.
Endpoints are W10/11 22H2. My questions are:
1. Do exclusions only get pushed to the endpoint in block mode?
2. Exclusions are being added to the ASR policy; do I need to set them some place else? GPO?
3. If I create an audit policy and a block policy with different group assignments, setting the same exclusions in both, and move the endpoint from the audit group to the block group, will this work? I've been told only one ASR policy can be in place, audit or block....
4. Per-rule exclusions, I've been told not to use... not working... is this true?
Thank you
(Solved; 3.9K views, 2 likes, 13 comments)

XDR Deception
Hey, I need some assistance with deploying an XDR deception rule. Here's the situation: I have created a deception rule with a specific tag, including 5 decoys and 2 lures. However, I'm encountering a problem with the deployment process. After 24 hours (deployment), I'm facing the following issues:
- The rule has been deployed to only one tagged host out of a total of 4 hosts.
- Only one decoy has been created out of the 5 decoys I configured.
I've tried looking into the settings and redoing everything from scratch, but the issues persist. Has anyone encountered a similar problem or have any insights on how to resolve this? Your assistance would be greatly appreciated! Thanks in advance!
(858 views, 1 like, 6 comments)

Threat hunting help
I'm hoping someone can help me here. I'm using the below very common queries to find USB activity. It finds FileCreated, FileModified, FileRenamed and FileDeleted. What I don't seem to be able to find is file reads, i.e. someone double clicks on a file on the USB and it opens, essentially reading the file from the USB. Anyone know how to find a file read from USB?

let DeviceNameToSearch = ''; // DeviceName to search for. Leave blank to search all devices.
let TimespanInSeconds = 900; // Period of time between device insertion and file copy
let Connections = DeviceEvents
| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and ActionType == "PnpDeviceConnected"
| extend parsed = parse_json(AdditionalFields)
// ClassId is read from the parsed ClassId field (the posted query read parsed.DeviceId here, duplicating UsbDeviceId)
| project DeviceId, ConnectionTime = Timestamp, DriveClass = tostring(parsed.ClassName), UsbDeviceId = tostring(parsed.DeviceId), ClassId = tostring(parsed.ClassId), DeviceDescription = tostring(parsed.DeviceDescription), VendorIds = tostring(parsed.VendorIds)
| where DriveClass == 'USB' and DeviceDescription == 'USB Mass Storage Device';
DeviceFileEvents
| where (isempty(DeviceNameToSearch) or DeviceName =~ DeviceNameToSearch) and FolderPath !startswith "c" and FolderPath !startswith @"\"
| join kind=inner Connections on DeviceId
| where datetime_diff('second', Timestamp, ConnectionTime) <= TimespanInSeconds

(202 views, 0 likes, 1 comment)

"Open Wi-Fi Connection on one endpoint" - network name is "hidden for privacy"?
Background: We have Defender for Endpoint and Intune installed on our corporate Android devices. I'm not sure what changed recently, but we are now getting tons of alerts every day for "Open Wi-Fi Connection on one endpoint". When I go in to investigate further, every alert says:

Device ID : <<unique ID>> connected to an open Wi-Fi network : hidden for privacy

Is there any way to see what the actual network connected to is, to determine if this is a risk or if it just needs user education?
(3K views, 0 likes, 2 comments)

Advance Hunting - SCID
Hi, where can I find a reference sheet/document for the SCIDs used in the below query? I have searched pretty much everywhere but haven't been able to find anything on this. It would be great if someone can please direct me towards any info or anywhere I can find it. Cheers!

// Best practice endpoint configurations for Microsoft Defender for Endpoint deployment.
DeviceTvmSecureConfigurationAssessment
| where ConfigurationId in ("scid-91", "scid-2000", "scid-2001", "scid-2002", "scid-2003", "scid-2010", "scid-2011", "scid-2012", "scid-2013", "scid-2014", "scid-2016")
| summarize arg_max(Timestamp, IsCompliant, IsApplicable) by DeviceName, ConfigurationId, OSPlatform
| extend Test = case(
    ConfigurationId == "scid-2000", "SensorEnabled",
    ConfigurationId == "scid-2001", "SensorDataCollection",
    ConfigurationId == "scid-2002", "ImpairedCommunications",
    ConfigurationId == "scid-2003", "TamperProtection",
    ConfigurationId == "scid-2010", "AntivirusEnabled",
    ConfigurationId == "scid-2011", "AntivirusSignatureVersion",
    ConfigurationId == "scid-2012", "RealtimeProtection",
    ConfigurationId == "scid-91", "BehaviorMonitoring",
    ConfigurationId == "scid-2013", "PUAProtection",
    ConfigurationId == "scid-2014", "AntivirusReporting",
    ConfigurationId == "scid-2016", "CloudProtection",
    "N/A"),
  Result = case(IsApplicable == 0, "N/A", IsCompliant == 1, "GOOD", "BAD")
| extend packed = pack(Test, Result)
| summarize Tests = make_bag(packed) by DeviceName, OSPlatform
| evaluate bag_unpack(Tests)

(15K views, 1 like, 2 comments)

XDR Critical asset management - Custom classifications not picking up assets
Hi community, I tried creating a number of Custom classifications, for example by creating a filter on Identity -> AD Roles, or Cloud resource -> Category -> virtual_machine. When previewing the filter during creation, it displays the desired results. The classifications are created without any errors. But when I go back after refreshing the page, the Custom classifications I just created contain "0" resources. Clicking any classification, the Assets tab shows zero members (assets). What did I do wrong? Best Regards, Andy
(139 views, 0 likes, 0 comments)

Help to Defender XDR - KQL to Detection rule for Vulnerability Notification
The query essentially functions as part of monitoring, designed to identify and summarize a list of vulnerable applications within a set time frame, particularly events recorded in the current month. When I try to convert this rule to run as a detection rule, I get the error "Can't save detection rule". Can someone help me understand how I can fix the issues?

// Date - 05-05-2024 - Helps to automate daily vulnerability notification alerts to be logged to servicedesk via emails (until Defender Product gets native feature)
let Timestamp = now();
let ReportId = toint(rand() * 100000000);
DeviceTvmSoftwareVulnerabilities
| extend OSFamily = case(
    OSPlatform in ("Windows10", "Windows11", "Windows10wVD"), "Desktop",
    OSPlatform in ("WindowsServer2012R2", "WindowsServer2016", "WindowsServer2019", "WindowsServer2022"), "Server",
    "Other")
| where OSFamily != "Other" // Only processing Desktops and Servers
| where DeviceName != "" and DeviceName != " " // Exclude blank and space-only DeviceNames
| summarize DesktopDeviceNameList = make_list(iif(OSFamily == "Desktop", DeviceName, "")),
    ServerDeviceNameList = make_list(iif(OSFamily == "Server", DeviceName, "")),
    DetailedDeviceList = make_list(bag_pack("DeviceName", DeviceName, "DeviceId", DeviceId, "OSPlatform", OSPlatform)),
    take_any(SoftwareName, SoftwareVersion, VulnerabilitySeverityLevel, RecommendedSecurityUpdate)
  by CveId
| lookup DeviceTvmSoftwareVulnerabilitiesKB on CveId
| where startofmonth(PublishedDate) == startofmonth(now())
| project Timestamp, ReportId, CveId, VulnerabilitySeverityLevel, CvssScore, IsExploitAvailable, DesktopDeviceNameList, ServerDeviceNameList, DetailedDeviceList, PublishedDate, LastModifiedTime, VulnerabilityDescription, AffectedSoftware

(797 views, 0 likes, 5 comments)

Issue with Attachment Evaluation in Microsoft Attack Simulator
Hello everyone, when I use the 'Malware Attachment' option in the Microsoft Attack Simulator, I'm not seeing how many people have opened the attachment in the evaluation. We ran a test where I activated both the attachment and the macro, but unfortunately, for the past 2 days, it hasn't shown 'Attachment opened 1/2'... Then we tried the 'Link in Attachment' option, and it worked there. It's just not working with the malware. Does anyone have an idea why? Best regards!
(329 views, 0 likes, 1 comment)

XDR deception - decoy working - lures not deploying
Hi everyone, I am trying to create some custom deceptions with the help of this blog post: Stack Your Deception: Stacking MDE Deception Rules with Thinkst Canarytokens · Attack the SOC. The decoys are working (if I ping a host I specified, alerts are raised). But I cannot find the lures. I created some special lures for high privilege personas and placed them into {HOME}\ and a filepath beneath that. But I cannot find the files (show hidden is on). Are the folders also created by deception? It's 5 days now, so time should also not be the problem. How to troubleshoot? BR Stephan
(361 views, 0 likes, 4 comments)

MSFT 365 Defender - Email & Collaboration email preview not working
Just curious why the email preview under Email & Collaboration (Explorer) is not working any more (All emails). It says "Message details couldn't be found. When a message is soft deleted or hard deleted by the user or the admin, its details no longer exist in the mailbox or server". Is there a setting or permission that changed? As a note, I'm doing all this activity as a global admin.
(24K views, 0 likes, 6 comments)
Recent Blogs
- Easily deploy Defender for Identity with the new, unified agent and integrate four new privileged identity access (PAM) providers for improved prioritization of the most critical identities in your e... (Nov 19, 2024; 541 views, 2 likes, 0 comments)
- The speed, scale, and precision of AI-powered attacks have introduced an entirely new level of complexity to the cybersecurity landscape. Defending against these advanced threats requires more than j... (Nov 19, 2024; 427 views, 0 likes, 0 comments)